By Ronald Pacchian
Let’s say you are an information technology manager for a small NY company looking to setup a branch office in NJ with 10 people onsite, four of which will be telecommuting on a bi-weekly basis. Both the branch office and the telecommuters need to have access to the NY servers. The data stored on these servers is sensitive and must be kept secure. However, upper management doesn’t have much capital available to fund this project (big surprise). Your job is to accomplish all of the desired objectives and do it on a shoe string budget.
Today this once intimidating project can be performed by anyone with a minimum of network experience and modest financial resources. Thanks for this modern day simplicity can be accredited to products like the Multi-Tech Systems SOHO RouteFinder VPN Internet Security Appliance. The RouteFinder not only meets all the project objectives above, but with the product’s price dropped to $179, it won’t burst any IT budget.
The SOHO RouteFinder VPN Internet Security Appliance (Model RF550VPN) from Multi-Tech Systems is foremost an Internet router that connects to your Cable or DSL modem and provides up to 253 users with shared Internet access. A 50 MHz, 32-bit RISC processor, 16MB of RAM and 1MB of Flash ROM provide the RouteFinder with a solid hardware platform and a built-in firewall with VPN functionality round out the package. An integrated 10/100 4-port auto-sensing switch makes it easy to connect users or additional network equipment. The system is configured through a web-based management console from either a PC on the local LAN or from a remote workstation. The RouteFinder supports a variety of protocols including TCP/IP, RIP-1, RIP-2, Network Address Translation (NAT) and PPPoE.
As the name implies, this product has the ability to generate multiple Virtual Private Network (VPN) tunnels between offices or remote users. The advantage of a VPN is that it is far less expensive and could be implemented much quicker then dedicated site-to-site leased lines. Data transmitted over a VPN is protected by a number of security protocols including IPSec, 168-bit 3DES (Triple Digital Encryption Standard), Internet Key Exchange (IKE) and Stateful Packet Inspection (SPI).
One of the nicest features of this router is its fault tolerance capability. An onboard serial port allows you to configure an analog or ISDN modem to work as a backup in the event your primary internet connection goes down. This minimizes downtime and keeps your users productive.
Installation of our RF550VPN was extremely easy. My DSL modem uses a dynamically assigned IP Address, so I was up and running almost immediately upon connecting our line. If your ISP uses PPPoE or if you have a static IP address, then you’ll need to point your web-browser to the RouteFinder’s IP address, login and launch the Setup Wizard. The Wizard will guide you through the router’s configuration options. The menu interface is one of the best I’ve seen. It’s quick, attractive and most important, functional. Among other things, the RouteFinder configures virtual server settings (a.k.a. port forwarding), static and dynamic routes, LAN and WAN filtering, monitor system diagnostics and many more.
Once the RouterFinder has been configured, you’ll need to reconfigure your workstation with either a static IP address or rely on the routers DHCP abilities. DHCP is enabled by default so getting your workstations up and running should be a snap. One Thing I found particularly annoying is the fact that you need to associate a MAC address with every IP address you want to reserve. This means you could only reserve an address after you’ve assigned it to a PC or server.
In my firewall tests, the RouteFinder performed very well on the grc.com Shields Up test and appeared to be completely invisible to port scanners. An Intruder Detection Log also monitors and reports any IP address that attempts to probe the system. Unfortunately the system administrator is not automatically notified of unauthorized access attempts. The only way to monitor this information is to actually log into the router and take a look at the log. E-mail notification, like that in the similar NetGear FV318, really should have really been built in.
The RouteFinder can filter both LAN and WAN traffic. Access control settings can be applied to either individual systems or IP ranges. However, if you’re looking to filter content by category or keyword, you’ll be disappointed. The RF550VPN has no such ability, nor can it be configured to track WAN usage. Also, while I was able to change the password for the routers administration account, I couldn’t add any additional accounts to the system. At the very least I would have liked to have had the option to rename the current Admin account.
The most attractive feature of the Multi-Tech is its ability to create a Virtual Private Network (VPN) connection between two or more sites. VPNs can be implemented in both LAN-to-LAN and client-to-LAN configurations. The Multi-Tech can take advantage of two types of VPN protocols. It can either pass PPTP (Point-to-Point Tunneling Protocol) traffic or has built in support for IPSec. Like the NetGear FV318, the RouteFinder will pass PPTP traffic, but you’ll need to configure a Remote Access Server (RAS) to connect and authenticate users.
If a RAS server isn’t in your budget, configure the VPN using the more secure IPSec protocol. The router supports a variety of security protocols; including Internet Key Exchange (IKE), DES and 168-bit 3DES encryption. IKE is a protocol negotiation and key exchange protocol that is part of the IPSec protocol suite specified by the Internet Engineering Task Force (IETF). IKE allows VPNs to automatically negotiate IPSec Security Associations (SA) during the creation of a VPN tunnel. The Security Association between two systems is based on the SPI, and includes the Destination Address Range, IPSec Gateway Address, Encryption Method, Encryption Key, and Authentication Key.
For client-to-LAN connectivity, you’ll need to get hold of 3rd party VPN client software. Multi-Tech doesn’t bundle one with the router, but recommends the SSH Sentinel Pilot from SSH Communications Security. It can be downloaded free at www.ssh.com. Other clients like Nortel Contivity, Checkpoint, Axent or SafeNet should also work. The RF550VPN can support up to five simultaneous IPSec tunnels.
The documentation is better then most of the products we’ve looked at recently, but it could have done a slightly better job walking you through the VPN remote client setup. Missing information cost us time when trying to configure the SSH client software. The only other product with similar features at this price point that I’m aware of is the SnapGear Lite+, but that product was tougher to configure.
While the RouterFinder is far from perfect, it is an excellent value for the money. It’s easy to install, configure and administrator and most of the features can be setup by a person with a moderate amount of networking experience. Its no-nonsense design gives one the impression of a serious networking device; which is kind of refreshing when compared to the fancy designs of some of the other routers in this segment. And if you can’t afford to be offline, the automatic internet backup connection could be just the insurance you’re looking for. So if you’re in need of a high-tech router but can’t afford the high-tech price, then consider checking out the Multi-Tech RouteFinder VPN.
SOHO RouteFinder VPN Internet Security Appliance – $179
Pros: – Secure VPN capability; excellent feature per dollar ratio; quick and simple web-based management; automatic backup internet connectivity.
Cons: – DHCP Reservation requires a known MAC address; need for 3rd Party client software.