Netgear Exits VPN Router Business

[jec6613]

NETGEAR has EOL'd all of their remaining VPN routers (SRX5308, FVS318G, FVS318N and FVS336G), with the final software update from April being the last one coming out. They discontinued on September 1st and didn't bother to announce until about a week later, but it's right there on the product page.

 

[System Error Message]

Thats good news, all those platforms on all brands were absolutely terrible. I guess they realised that they consumer routers were doing better than these devices in VPNs.

 

[thiggins]

This is the statement posted on the product page:

Attention:
NETGEAR Inc. will terminate the ProSAFE VPN Firewalls on September 1, 2017. The last software update for these products was provided in April 2017. NETGEAR Inc. will continue to honor valid warranty claims for all ProSAFE VPN Firewall devices purchased from an authorized reseller. To complete the full exit from the product line, NETGEAR Inc. will no longer provide ProSAFE VPN Firewall software support or subscription updates for any ProSAFE VPN Firewall devices after September 1, 2017.

 

[jec6613]

Thats good news, all those platforms on all brands were absolutely terrible. I guess they realised that they consumer routers were doing better than these devices in VPNs.

There are a lot of site to site VPN users who use their equipment, not least of which is because they've been doing it since the 1990's when they were part of bay networks. Their consumer devices aren't real replacements, either.

I think they got out of it because it was always a side business for them anyway, and with increasing competition on all fronts they just couldn't keep up. Not the least of which are companies like Cisco tipping their hat into the ring and offering a decent VPN firewall finally, and the fact that until you move to 10 Gbps, everybody can pretty well keep on with the level playing field of 1 Gbps nowadays. When it launched, the SRX5308 was far faster and had more features than anything else at its price point ... today, not so much.

 

[System Error Message]

There are a lot of site to site VPN users who use their equipment, not least of which is because they've been doing it since the 1990's when they were part of bay networks. Their consumer devices aren't real replacements, either.

I think they got out of it because it was always a side business for them anyway, and with increasing competition on all fronts they just couldn't keep up. Not the least of which are companies like Cisco tipping their hat into the ring and offering a decent VPN firewall finally, and the fact that until you move to 10 Gbps, everybody can pretty well keep on with the level playing field of 1 Gbps nowadays. When it launched, the SRX5308 was far faster and had more features than anything else at its price point ... today, not so much.

More to do that these devices have been outdated. They shouldnt be sold when even consumer routers already beat them in price, performance and features. I've been campaigning against these devices for quite a while as its a shame and many chinese companies have been producing portable variants for travel when the same thing can be done with your PC/phone/laptop so i find these chinese made devices that have flooded the market now for VPN to be a sham due to the suspicious reason for releasing such a device in the first place (talking about travel routers, not VPN routers).

Site to site VPN can be done with some consumer routers today, and even more so for much cheaper with configurable routers. Both mikrotik and ubiquiti have hardware encryption in their hardware with ubiquiti using a much faster version of the SoC and they manage to fix their bugs much much earlier on that platform.

So its not that these devices couldnt keep up, they were buggy, slow and compared to todays routers lack some of the features even in VPN as well such as openVPN support. Cisco added openVPN support to their cisco RV line but even consumer routers beat it at performance. That platform is simply old, slow, buggy and lacking in features. Even for cisco to have released the cisco RV line is a disgrace to their quality reputation.

 

[jec6613]

You go on a long string about consumer routers - but a consumer router still isn't a replacement for even an old business grade VPN firewall. There's much more to it than pure performance and ability to use VPN.

Both mikrotik and ubiquiti have hardware encryption in their hardware with ubiquiti using a much faster version of the SoC and they manage to fix their bugs much much earlier on that platform.

It's mostly the bugfixing. Performance on the newer Netgear products was never a problem - in fact, it was often their strong suit. Against a similarly priced competitor, they were fast.

So its not that these devices couldnt keep up, they were buggy, slow and compared to todays routers lack some of the features even in VPN as well such as openVPN support. Cisco added openVPN support to their cisco RV line but even consumer routers beat it at performance. That platform is simply old, slow, buggy and lacking in features. Even for cisco to have released the cisco RV line is a disgrace to their quality reputation.

Buggy, some of them yes, some of them were like tanks Slow, same story, many were, others not so much. Wireline 1 Gbps with pretty much every feature turned on, handling four LANs, a half dozen VPN tunnels, and 50+ VLANs? Nobody came close until you spent twice as much. And, like I said, they were around for a very long time, which means many businesses with multiple sites bought in decades ago, and now has no upgrade path without a complete router forklift across all of your sites. Their products predate Mikrotik and Ubiquiti becoming options by more than a decade - and many of the early ones are still in use today, simply refusing to die - the installed infrastructure of these is exceptionally large simply because they've been around so long. With much of the US still unable to get above 10 Mbps of internet to a business, a 15 year old router is more than sufficient.

OpenVPN support is a so what, in fact from a pure security perspective I'd prefer it not have it. As for the Cisco RV line, that used to be entirely Linksys based firmware (and Linksys has continued that legacy in their own products now), while their latest are based on a subset of iOS and support Cisco's own VPN solutions - finally something worthy of the Cisco name. Their RV/SG refresh over the last year has been quite nice, clearly lifting code directly from their iOS products, with them finally making sense in their larger product lineup.

 

[thiggins]

OpenVPN support is a so what, in fact from a pure security perspective I'd prefer it not have it.

Please say some more about this.

 

[jec6613]

Please say some more about this.

It's a piece of software that needs patching almost as much as Windows does, but with most OpenVPN devices I'm at the mercy of the manufacturer to update firmware.

Sure, on a stand-alone box as a concentrator OpenVPN is a very good product, but integrated with a router's firmware ... I'd rather not.

Add to this that it's often OpenVPN+another product providing VPN access, and that increases the attack surface as well. All in all, it's just a better idea to use a concentrator if you want to use OpenVPN.

 

[thiggins]

Thanks jec6613

 

[System Error Message]

It's a piece of software that needs patching almost as much as Windows does, but with most OpenVPN devices I'm at the mercy of the manufacturer to update firmware.

Sure, on a stand-alone box as a concentrator OpenVPN is a very good product, but integrated with a router's firmware ... I'd rather not.

Add to this that it's often OpenVPN+another product providing VPN access, and that increases the attack surface as well. All in all, it's just a better idea to use a concentrator if you want to use OpenVPN.

talking about using openVPN as a VPN tunnel between site to site as an option.

 

[jec6613]

talking about using openVPN as a VPN tunnel between site to site as an option.

As concentrators? easy to recommend. As built into your edge router? not so much. Even the old SHA1 based VPN connections, if the endpoint is itself secure, ends up being more secure for most users than an unpatched OpenVPN using more modern security standards: SHA1 after all is still hard to break, if no longer impossible.

 

[sfx2000]

It's a piece of software that needs patching almost as much as Windows does, but with most OpenVPN devices I'm at the mercy of the manufacturer to update firmware.

Sure, on a stand-alone box as a concentrator OpenVPN is a very good product, but integrated with a router's firmware ... I'd rather not.

Add to this that it's often OpenVPN+another product providing VPN access, and that increases the attack surface as well. All in all, it's just a better idea to use a concentrator if you want to use OpenVPN.

I would agree - going into Enterprise space - just about every modern OS - both Mobile and Desktop - has native L2TP/IPSec support, and that can be integrated directly into ActiveDirectory (or other directory services) - since OS support is native, bug fixes arrive when the OS vendor releases, and most concentrators/appliances have native support there as well.

Nothing wrong with OpenVPN - it's robust, reasonably secure, but as @jec6613 points out, it's just one more thing to manage.

 

[RMerlin]

It's a piece of software that needs patching almost as much as Windows does, but with most OpenVPN devices I'm at the mercy of the manufacturer to update firmware.

IPSEC ain't any better. Look at the CVEs for Strongswan, for example:

https://www.cvedetails.com/vulnerability-list/vendor_id-2278/Strongswan.html

OpenVPN recently came through two separate security audit. I'd say 2.4.4 is a good point in time for an OpenVPN appliance. A lot of the recent OpenVPN fixes were also related to less frequently used features (like the recent security fix for key method 1, which has been deprecated for years anyway).

The attack vector can be greatly reduced by limiting what OpenVPN features you expose to end-users.

 

[RMerlin]

I would agree - going into Enterprise space - just about every modern OS - both Mobile and Desktop - has native L2TP/IPSec support,

The last time I experimented with L2TP on a Windows machine, it required me to modify a registry key for it to work properly. Not impressed...

 

[jec6613]

Going way OT:

The last time I experimented with L2TP on a Windows machine, it required me to modify a registry key for it to work properly. Not impressed...

I've never had that, but even if I had, a registry key is easy. I can write a GPO in just a few minutes and have every laptop in the enterprise use it with a connection profile sent to it. Similarly, I can push L2TP or IPsec policies via MDM. A registry key is really the least of my worries.

I'm honestly more interested in things like DirectAccess than OpenVPN, because it doesn't add management overhead. I'm already managing scores of Windows servers being patched in an automated fashion every month, a couple more is negligible. And I don't need to come up with a method of auditing access and compromised account detection, because with a properly Windows integrated solution (e.g. AnyConnect, DirectAccess, et cetera) I already have auditing systems in place.

But solutions like OpenVPN have their place, where in a more cost sensitive and less security conscious institution without external security auditors, and where the IT staff is small and lacking in the expertise to handle more complex infrastructures, one could easily use it on a small physical server in lieu of a Cisco ASR. I'd say run it virtual, but honestly to make it work properly you need so much virtual overhead with SDN and such that you're better off just getting a physical box and running it as a concentrator on a stick, or going to a more robust virtual solution.

IPSEC ain't any better. Look at the CVEs for Strongswan, for example:

https://www.cvedetails.com/vulnerability-list/vendor_id-2278/Strongswan.html

OpenVPN recently came through two separate security audit. I'd say 2.4.4 is a good point in time for an OpenVPN appliance. A lot of the recent OpenVPN fixes were also related to less frequently used features (like the recent security fix for key method 1, which has been deprecated for years anyway).

The attack vector can be greatly reduced by limiting what OpenVPN features you expose to end-users.

Yes, compared to another VPN product that's also open source and has the same complexity issues, I'd expect the same troubles. I don't expect the same on IOS, CatOS, Junos, or even things like VxWorks. Open source projects seeking to answer every solution introduce additional complexities that are simply unnecessary, and aren't subject to the same QC that most commercial products are with their much more limited scope. Even Windows DA systems are generally more secure, and as I mentioned above, at least they're patched regularly and aren't something more to manage.