SnapGear Lite: an Inexpensive Home Office/Small Office Firewall and VPN Client

You need protection, and with due respect to my programmer friends, the best simple protection is a hardware firewall.

The Internet is great. But, connecting a computer—or a computer network—directly to a broadband access device, like a cable modem or DSL router, is asking for trouble. Crackers prey on small-office or home computer users. Indeed, a friend's computer was cracked less than a day after it was connected to his new cable modem last September. When I heard, I immediately advised my friend to purchase a hardware firewall. That's my advice for you, too. If you're not using some sort of firewall, it's only a matter of time before a cracker finds you. You need protection, and with due respect to my programmer friends, the best simple protection is a hardware firewall.

That's where SnapGear's Lite firewall appliance comes in. It plugs in to your broadband access device, and your computer (or your home or office network) then plugs in to the Lite box. I didn't know about this particular device when my friend had those problems last fall, but had I known about the Lite, I would have told my friend about it.

The Lite appliance has two additional benefits beyond the anti-cracker firewall: network address translation (NAT) and a virtual private network (VPN) client.

Network address translation lets you put more than one computer onto the Internet. Normally, you need one public IP (Internet Protocol) address for each computer, like 123.45.67.89 or 65.11.11.11. That number, which is analogous to a telephone number, is assigned by your internet service provider. When you use NAT, one device (in this case the Lite box) is assigned the public IP address, and it acts as the IP gateway. Meanwhile, computers on your home or business LAN have private IP addresses that are for use only on the LAN. Those private IP addresses are generally in the range of 192.168.x.x or 10.x.x.x, which are reserved for that purpose.

Let's say one of your computers, with a private IP address of 192.168.0.14, wants to check a web site. It asks the Lite, as the internet gateway, to get the information. The Lite translates the request to make it look like it came from 123.45.67.89 and forwards it to the web site. The web site responds to 123.45.67.89—that is, to the Lite. The Lite box then translates the response's destination back to 192.168.0.14 and puts the packets onto your private LAN, so that your PC can receive the data and display the web page. With the Lite, the network address functionality works very well; you can put as many computers onto a single internet connection as you'd like, without an arbitrary limit.

Virtual private networking uses authentication and encryption to provide a secure link between two computer networks over the public internet. VPNs often are used to give telecommuters or branch offices direct access to a large corporate network, without exposing that network to crackers. Think of it as a secured tunnel between two buildings. To set up that tunnel, you need VPN functionality at both ends; one end acts as the host or server, and the other as a client that logs in to the VPN server.

VPN clients can be either in software, which enables a single computer to use the VPN, or in a hardware access device, so that it can bridge two networks and all the computers on those networks. The SnapGear Lite is a hardware-based VPN client, which can not only log in to most corporate networks using the IPSec protocol (which is the most common), but it also can emulate Microsoft's own PPTP (Point-to-Point Tunneling Protocol), which is the software-based VPN system built into Windows servers and Windows workstations. The Lite thus lets you use non-Windows PCs, such as Linux workstations or servers, to access a Microsoft-based VPN. That's an important benefit, if your employer uses Windows NT/2000 to host remote access.

Before we look at the Lite in detail, it's important to point out that none of these basic features—a hardware firewall, network address translation or a VPN client—is new. I've been using a similar hardware appliance from SonicWall for more than two years, and with the exception of the PPTP client, it's nearly identical. At least half a dozen other companies also make devices like this. What makes the Lite noteworthy is its driver support for Linux and its low price, which at $249 is a few hundred dollars less than other similar devices that I've used.

The Lite in Detail

About the size of an external Iomega Zip drive, the SnapGear Lite is a small box with a few LEDs, a jack for an AC adaptor and two RJ-45 connectors, one a 10Mbps Ethernet jack for hooking to your DSL or cable modem, the other a 10/100 Mbps Fast Ethernet jack for hooking up directly to a PC's network card or to your LAN switch or hub. The necessary cables are included.

The Lite also has an RS-232 serial port for configuring the Lite to work with a regular telephone modem. I didn't test the serial-port modem connection but rather used the device with my cable modem, in place of the SonicWall firewall appliance mentioned above, for about three weeks. On the LAN side, the Lite was hooked into a Linksys 16-port 10/100 Ethernet switch, which generally had between three and ten active computers at any time.

Also, as a matter of interest to Linux Journal readers, the Lite uses Linux internally, embedded into a 66MHz Motorola ColdFire XFC5272 microprocessor. A recent firmware upgrade, which came out during our review, gave the device the 2.4 kernel. Bear in mind that the Linux kernel is hidden in the device; you won't ever see or work with it directly.

Initial setup was simplicity itself; all you have to do is run a setup program on a local PC, which tracks down the Lite on the network and configures its private IP address (in my case, 192.168.0.14) and related information. That only has to be done once. Then, you browse to that IP address via Netscape or Opera, for example, and use that to configure the public IP address (so you can have internet connectivity) and then set up the firewall and VPN options.

The good news is that the Lite has a configuration program for Linux. The bad news is that it's not included on the CD-ROM that ships with the box—it only has the Windows version of the client. That's naughty and is a rather needless extra step for Linux users, considering that the compact disk only has 14.8MB of stuff on it. Be sure to download the Linux package from www.snapgear.com/downloads.html before you start tearing your network apart.

Setting up the Lite to provide network address translation and to use the proper public IP address was also straightforward using Netscape; my cable modem has a static IP address, issued by the ISP. In some cases those ISP IP addresses are issued automatically and dynamically, and according to the Lite's documentation, it can accommodate that type of network.

The Lite also can act as a DHCP (Dynamic Host Configuration Protocol) server, assigning private IP addresses automatically to the computers on your network. I didn't use this setting, as my computers already had fixed IP addresses. Business networks wouldn't need that feature, as they likely would use fixed IP addresses or have a separate DHCP server, but this will be a useful feature for small-office or home networks.

One of the resources on my network is a web server. If you are expecting incoming traffic from the Internet, you have to configure the firewall to pass the appropriate type of data packets from the Internet to the appropriate private IP address, and thus to the right computer on your LAN. It was easy to redirect traffic on IP port 80 (HTTP) and port 23 (FTP) to my web server. The firewall appeared to do a good job of filtering bad packets; from outside my network, I launched Sub-Seven and Ping-of-Death attacks against the firewall and also attempted a port scan, and it blocked those attempts. Those are common crack attempts made against cable-modem users, and the firewall worked admirably.
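The address translation described earlier for 192.168.0.14 and the port-80 forwarding in the paragraph above, modelled as an added example (not SnapGear's code and not part of the original review). The web server address 192.168.0.20, the remote addresses, the port numbers and the strict reply matching are assumptions; the review does not describe the Lite's internals.

```python
from dataclasses import dataclass, field

@dataclass
class NatGateway:
    """Toy port-translating NAT with static forwards (illustrative model only)."""
    public_ip: str
    forwards: dict = field(default_factory=dict)  # public port -> (LAN ip, LAN port)
    sessions: dict = field(default_factory=dict)  # public port -> outbound flow
    by_flow: dict = field(default_factory=dict)   # outbound flow -> public port
    next_port: int = 40000                        # constructed starting port

    def add_forward(self, public_port, lan_ip, lan_port):
        self.forwards[public_port] = (lan_ip, lan_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> Internet: replace the private source with the public address."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.sessions[self.next_port] = flow
            self.next_port += 1
        return (self.public_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Internet -> public address: rewritten packet, or None when dropped."""
        session = self.sessions.get(dst_port)
        # A reply is accepted only from the remote host the LAN machine contacted.
        if session and session[2:] == (src_ip, src_port):
            return (src_ip, src_port, session[0], session[1])
        # Unsolicited traffic passes only if a forward exists for that port.
        if dst_port in self.forwards:
            return (src_ip, src_port, *self.forwards[dst_port])
        return None  # no session and no forward: dropped at the gateway

def demo():
    gw = NatGateway("123.45.67.89")              # public address from the article
    gw.add_forward(80, "192.168.0.20", 80)       # constructed web server address
    out = gw.outbound("192.168.0.14", 51000, "203.0.113.10", 80)
    reply = gw.inbound("203.0.113.10", 80, out[1])     # genuine reply
    stray = gw.inbound("198.51.100.7", 4444, out[1])   # wrong remote, same port
    web = gw.inbound("198.51.100.7", 33000, 80)        # forwarded to web server
    scan = gw.inbound("198.51.100.7", 33001, 23)       # no forward configured
    return out, reply, stray, web, scan

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The two `None` results are the default-deny behaviour a NAT gateway gives for free: anything without a matching session or an explicit forward never reaches the LAN.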

My only reservation with the SnapGear Lite firewall is that it is not certified by a major firewall tester. Every other firewall I've tested, including SonicWall SOHO+, WatchGuard's Firebox and Check Point's best-selling (but expensive) Firewall-1, is certified by ICSA Labs (www.icsalabs.com), which puts firewalls through a pounding with a well-established and industry-standard test suite. The Lite isn't certified, and SnapGear doesn't even mention ICSA on its web site. However, according to a company spokesperson, SnapGear began working toward certification in January 2002 and hopes to have achieved it by the end of the second quarter.

The final tests involved making two virtual private network connections over the Internet. The first was to a Check Point VPN-1 device, which was configured for IPSec-based access. The second was a PPTP-based link to a Windows 2000 server. I had no trouble making either connection, though I would judge the process somewhat complex.

Someone with experience and good understanding of VPNs should have no trouble making it work. Someone without that experience will find the sketchy documentation (a 12-page booklet and a 73-page PDF electronic manual, with 20 pages devoted to VPNs) confusing and likely will need assistance from SnapGear or a knowledgeable system administrator. Once the VPN is set up, however, it appears to be reliable and sufficient for a typical small-office or home computer user. By the way, there is also an ICSA certification for IPSec compatibility that most major VPN product manufacturers use and promote; the Lite doesn't have that either.

So, here's the bottom line. If you're looking for hardware protection for your internet connection, the Lite is inexpensive and relatively easy to use. It also has the VPN functionality, and as far as I can tell, is unique in acting as a PPTP client, which is a real plus for Linux users. On the other hand, the firewall is not yet certified and the VPN functions aren't easy to set up. If you're okay with that, it's a good solution and certainly worth the price.

Alan Zeichick (zeichick@camdenassociates.com) is a technology analyst in the San Francisco Bay area who focuses on networking and software development.

______________________

Comments

Re: Product Review: SnapGear Lite: an Inexpensive Home Office/Sm

Anonymous

I am a network analyst with a large government agency, 20,000+ users. We have serious network requirements.

We have been testing the Snapgear Products for the last year or so for our small office connectivity requirements.

We have been evaluating them mainly for small sites > 5 nodes and single home users.

We like the SnapGear because of its ease of use and the feature set. We are mostly interested in the VPN functionality and the ability to be preconfigured for our end-users.

The SnapGear is easy to use and has tremendous potential. SnapGear was first on the market with an integrated VPN/SOHO product. Linksys, Cisco, Symantec etc. have just now caught up. SnapGear uses the Linux OS, which has drawn much attention to them within that community.

Unfortunately, SnapGear has been unable to provide a refined and stable product. The SnapGear router must constantly be rebooted, freezes and drops off the network.

They have good tech support, however as a network admin you simply cannot afford to be on the phone with them daily.

They also have a good return policy; unfortunately, we have spent more in return-shipping costs than in SnapGear equipment.

This product lacks the quality and polish that you will find with other vendors. I do not recommend this product for use within a production environment, and suggest that you evaluate other vendors.

Re: Product Review: SnapGear Lite: an Inexpensive Home Office/Sm

Anonymous

I've seen this *exact* comment copy/pasted from another feedback column on a review at homenethelp.

http://www.homenethelp.com/web/review/snapgear_lite.asp
Like the others responding to this review, I've not seen any negative reviews regarding the reliability or "polish" of a SnapGear product. I'm left wondering if this particular review isn't FUD from a Cisco sales guy...

Is it stable or not?

Anonymous

After a long search, we listed snapgear very high on functionality. However, your reaction is the first negative one. Can you indicate whether these experiences are still current and of what date/firmware they are?

Re: Product Review: SnapGear Lite: an Inexpensive Home Office/Sm

Anonymous

Whew!

I've been researching inexpensive Firewall/Routers with VPN support & have been impressed by the specs & generally favourable reports/reviews I've seen for the SnapGear product line. I have to say that yours is the 1st negative report I've come across. If you don't mind me asking - how current were the SnapGear devices and the firmware you were evaluating?

Cheers

Re: Product Review: SnapGear Lite: an Inexpensive Home Office/Sm

Anonymous

The SnapGear documentation says it can act as a PPTP server. Does this mean you can put this on your home network and connect to it with your Windows PPTP client?

Re: Product Review: SnapGear Lite: an Inexpensive Home Office/Sm

Anonymous

Yes. That is absolutely correct. We have about 10 people working remotely connecting to ours throughout the day. They are using the native Windows PPTP client. Seems to work very well. We have had ours up and running for six months without any problems.

Re: Product Review: SnapGear Lite: an Inexpensive Home Office/Sm

Anonymous

Yes, that's right. And vice versa (Connect the Snapgear to a Win Machine via PPTP)

So far the only firewall I've seen with this functionality.

Re: Product Review: SnapGear Lite: an Inexpensive Home Office/Sm

Anonymous

This is a so-so product. One can find a better product at a lower price, i.e. D-Link.

Re: Product Review: SnapGear Lite: an Inexpensive Home Office/Sm

Anonymous

We tried the D-Link before trying the SnapGear. The D-Link is a good product, but did not have all of the features we needed. Maybe our situation is unique. I am not sure if everyone would use all the advanced features.
