The 2910G supports several forms of VPN connections, including IPSec site-to-site tunnels with other VPN capable routers, IPSec client-to-site tunnels for remote user access, and PPTP client-to-site tunnels for even simple remote user access. As mentioned, Strowger's website has some useful screen shots on configuring VPNs on the 2910G. Draytek lists the 2910G as capable of supporting up to 32 VPN tunnels (16 dial-in and 16 dial-out).
I was able to set up 3DES IPSec site-to-site tunnels between the 2910G and both a Netgear UTM10 and SonicWall TZ100W. DES, 3DES, and AES 128,192, and 256 bit encryption are all supported. Figure 8 shows the VPN status screen with my two active tunnels.
Figure 8: VPN status
The 2910G comes with unlimited licenses for Draytek's IPSec SmartVPN Client software. The manual lists this client as compatible with Windows XP and 2000. I had no problem installing and configuring the Smart VPN Client on an XP Pro machine. Setting up the 2910G was a little more difficult, it took some poking around on the router before I figured out that Client VPN connections are configured in the Remote-Dial-in User menu. Once configured, the software connected as expected to the router, allowing me to access devices on the 2910G's LAN from a remote location.
I also tested client-to-site VPN with the 2910G using Microsoft's built in PPTP client on both XP and Windows 7. PPTP VPN set up is a breeze. There is no need to configure things like encryption type, Main or Aggressive mode, DH Group 1 or 2, pre-shared keys, or Perfect Forward Secrecy (PFS). All you need to do is create a user name and password in the router and set up the destination IP/URL on the Windows PC. Figure 9 shows the VPN status screen with a site-to-site tunnel and my PPTP tunnel.
Figure 9: IPsec and PPTP VPNs
I like that Draytek provides this PPTP VPN option. I'm not a big fan of IPSec VPN Clients as they can be a pain to configure and supporting end users can be challenging. SSL VPN Clients are a lot easier than IPSec and about as secure, but the 2910G doesn't support SSL VPNs. PPTP isn't as secure as SSL or IPSec, but it's better than nothing, and extremely simple!
To manage security on a network, a router must first control who has access. Simple authentication can be applied via the 2910G's Web Authentication menu. Enabling Web Authentication will force each end user (wired and wireless) to authenticate to the router with a valid user name and password before they are allowed to pass traffic through the router. For a small network, I found this feature to be a simple way to force end user authentication.
The 2910G's Stateful Packet Inspection (SPI) firewall supports the usual features such as port forwarding and DMZ configurations. For more detailed control over specific traffic flows through the 2910's firewall, you configure Call and Data Filter Sets. Call Filter Sets on the 2910G are used with dial-up Internet Services, such as ISDN connections. Data Filter Sets are used with always-on Internet Services, such as DSL or Cable connections.
Filter Sets are lists of rules specifying traffic flows permitted or denied through the router, based on traffic characteristics defined in various Objects, Groups, and Profiles. Twelve different Filter Sets can be created, each with up to seven Rules. Multiple Filter Sets can be daisy-chained together. (For those familiar with Cisco IOS, a Filter Set is akin to an Access Control List [ACL] and a Rule is akin to an individual line in an ACL.)
To apply Call and Data Filter Sets, you need to get comfortable with configuring Objects, Groups and Profiles. Objects are: IP addresses, ranges, or subnets; services defined by protocols or port ranges; and IM, P2P, or streaming applications. Groups are collections of IP or service Objects. Profiles are collections of IM, P2P, and streaming Objects.
Below are the defined IM, P2P and streaming applications for creating Call and Data Filter Sets.
- Instant Messenger (IM) Applications: MSN, Yahoo, AIM, ICQ, QQ, iChat, Jabber/GoogleTalk, GoogleChat, and AliWW.
- Web IM services: eMessenger, WebMSN, meebo, eBuddy, ILoveIM, ICQ Java, ICQ Flash, goowy, IMhaha, getMessenger, IMUnitive, Wablet, mabber, MSN2GO, KoolIM, MessengerFX, MessengerAdictos, and WebYahooIM.
- P2P protocols: SoulSeek, eDonkey, FastTrack, OpenFT, Gnutella, OpenNap, BitTorrent, and Winny.
- Streaming applications: MMS, RTSP, TVAnts, PPStream, PPlive, FeiDian, UUSee, NSPlayer, PCAST, TVKoo, SopCast, UDLiveX, TVUPlayer, MySee, Joost, and FlashVideo.
So, to block all of the above IM, P2P and streaming applications, I created three objects. One object included all the IM applications, the second object included all the P2P protocols, and the third object included all the streaming applications. I then created a Profile which included all three of these objects. This Profile was then selected as the first Rule of a Filter Set, and the Firewall was configured to use this Data Filter Set.
With the 2910G's firewall configured with the above rule, I tried launching the Yahoo Messenger client, but it kept failing to login, verifying the filter and my configuration was active.
In addition to the firewall controls above, the 2910G's firewall provides Denial of Service (DoS) protection. Any of the following traffic types can be selected for detection and blocking on the 2910G: SYN flooding; UDP flooding; ICMP flooding; Port Scans; IP Options; Land; Smurf; Traceroute; SYN fragments; Fraggle Attacks; TCP flag scans; Tear Drop; Ping of Death; ICMP fragment; and Unknown Protocols.
With DoS protection enabled on the router, I ran a port scan from outside the router on the WAN interface. Syslog messages, such as those below, were generated indicating the port scan was detected.
2010/01/04 20:50:02 -- DoS portscan 126.96.36.199,34488 -> 188.8.131.52,3918 PR 6(tcp) len 20 44 -S 858797236 0
2010/01/04 20:50:02 -- DoS portscan 184.108.40.206,34488 -> 220.127.116.11,19315 PR 6(tcp) len 20 44 -S 858797236 0
In addition to the firewall, the 2910G offers Content Security Management (CSM). The 2910G's CSM menu lists IM/P2P, URL, and Web Content filtering options. IM/P2P (and streaming) filtering are applied via firewall Call and Data Filter Sets as described previously, while URL and Web Content filters are applied in the CSM menu.
URL content filtering on the 2910G allows logging URL access and applying blacklists or whitelists. Up to eight different 32-character lists of keywords can be filtered in a blacklist or whitelist. (For reference, all seven of George Carlin's famous “Words You Can Never Say on Television” total 48 characters.)
Also within the URL content filter menu is the ability to block web sites with embedded code or files in the form of Java, ActiveX, compressed files, executable files, multimedia files, cookies, and proxy services. The URL content filter can also be customized to exclude specific subnets, and can be applied in a user-defined schedule.
Finally, the 2910G offers Web Content filtering through a partnership with SurfControl, which is owned by WebSense, a well-recognized name in Content filtering. There are 41 different categories that can be selected for filtering as shown in Figure 10 below.
Figure 10: Web content filter categories
With the web content filter enabled, trying to surf to a web site that matches any of the above categories results in a screen showing the message in Figure 11.