SnapGear Lite: an Inexpensive Home Office/Small Office Firewall and VPN Client

Alan Zeichick

Issue #96, April 2002

You need protection, and with due respect to my programmer friends, the best simple protection is a hardware firewall.

The Internet is great. But, connecting a computer—or a computer network—directly to a broadband access device, like a cable modem or DSL router, is asking for trouble. Crackers prey on small-office or home computer users. Indeed, a friend's computer was cracked less than a day after it was connected to his new cable modem last September. When I heard, I immediately advised my friend to purchase a hardware firewall. That's my advice for you, too. If you're not using some sort of firewall, it's only a matter of time before a cracker finds you. You need protection, and with due respect to my programmer friends, the best simple protection is a hardware firewall.

That's where SnapGear's Lite firewall appliance comes in. It plugs in to your broadband access device, and your computer (or your home or office network) then plugs in to the Lite box. I didn't know about this particular device when my friend had those problems last fall, but had I known about the Lite, I would have told my friend about it.

The Lite appliance has two additional benefits beyond the anti-cracker firewall: network address translation (NAT) and a virtual private network (VPN) client.

Network address translation lets you put more than one computer onto the Internet. Normally, you need one public IP (Internet Protocol) address for each computer, like 123.45.67.89 or 65.11.11.11. That number, which is analogous to a telephone number, is assigned by your internet service provider. When you use NAT, one device (in this case the Lite box) is assigned the public IP address, and it acts as the IP gateway. Meanwhile, computers on your home or business LAN have private IP addresses that are for use only on the LAN. Those private IP addresses are generally in the range of 192.168.x.x or 10.x.x.x, which are reserved for that purpose.

Let's say one of your computers, with a private IP address of 192.168.0.14, wants to check a web site. It asks the Lite, as the internet gateway, to get the information. The Lite translates the request to make it look like it came from 123.45.67.89 and forwards it to the web site. The web site responds to 123.45.67.89—that is, to the Lite. The Lite box then retranslates the request back to 192.168.0.14 and puts the packets onto your private LAN, so that your PC can receive the data and display the web page. With the Lite, the network address functionality works very well; you can put as many computers onto a single internet connection as you'd like, without an arbitrary limit.

Virtual private networking uses authentication and encryption to provide a secure link between two computer networks over the public internet. VPNs often are used to give telecommuters or branch offices direct access to a large corporate network, without exposing that network to crackers. Think of it as a secured tunnel between two buildings. To set up that tunnel, you need VPN functionality at both ends; one end acts as the host or server, and the other as a client that logs in to the VPN server.

VPN clients can be either in software, which enables a single computer to use the VPN, or in a hardware access device, so that it can bridge two networks and all the computers on those networks. The SnapGear Lite is a hardware-based VPN client, which not only can log in to most corporate networks using the IPSec protocol (which is the most common), but also can emulate Microsoft's own PPTP (Point-to-Point Tunneling Protocol), which is the software-based VPN system built into Windows servers and Windows workstations. The Lite thus lets you use non-Windows PCs, such as Linux workstations or servers, to access a Microsoft-based VPN. That's an important benefit if your employer uses Windows NT/2000 to host remote access.

Before we look at the Lite in detail, it's important to point out that none of these basic features—a hardware firewall, network address translation or a VPN client—is new. I've been using a similar hardware appliance from SonicWall for more than two years, and with the exception of the PPTP client, it's nearly identical. At least half a dozen other companies also make devices like this. What makes the Lite noteworthy is its driver support for Linux and its low price, which at $249 is a few hundred dollars less than other similar devices that I've used.

The Lite in Detail

About the size of an external Iomega Zip drive, the SnapGear Lite is a small box with a few LEDs, a jack for an AC adaptor and two RJ-45 connectors, one a 10Mbps Ethernet jack for hooking to your DSL or cable modem, the other a 10/100 Mbps Fast Ethernet jack for hooking up directly to a PC's network card or to your LAN switch or hub. The necessary cables are included.

The Lite also has an RS-232 serial port for configuring the Lite to work with a regular telephone modem. I didn't test the serial-port modem connection but rather used the device with my cable modem, in place of the SonicWall firewall appliance mentioned above, for about three weeks. On the LAN side, the Lite was hooked into a Linksys 16-port 10/100 Ethernet switch, which generally had between three and ten active computers at any time.

Also, as a matter of interest to Linux Journal readers, the Lite uses Linux internally, embedded into a 66MHz Motorola ColdFire XFC5272 microprocessor. A recent firmware upgrade, which came out during our review, gave the device the 2.4 kernel. Bear in mind that the Linux kernel is hidden in the device; you won't ever see or work with it directly.

Initial setup was simplicity itself; all you have to do is run a setup program on a local PC, which tracks down the Lite on the network and configures its private IP address (in my case, 192.168.0.14) and related information. That only has to be done once. Then, you browse to that IP address via Netscape or Opera, for example, and use that to configure the public IP address (so you can have internet connectivity) and then set up the firewall and VPN options.

The good news is that the Lite has a configuration program for Linux. The bad news is that it's not included on the CD-ROM that ships with the box—it only has the Windows version of the client. That's naughty and is a rather needless extra step for Linux users, considering that the compact disk only has 14.8MB of stuff on it. Be sure to download the Linux package from www.snapgear.com/downloads.html before you start tearing your network apart.

Setting up the Lite to provide network address translation and to use the proper public IP address was also straightforward using Netscape; my cable modem has a static IP address, issued by the ISP. In some cases those ISP IP addresses are issued automatically and dynamically, and according to the Lite's documentation, it can accommodate that type of network.

The Lite also can act as a DHCP (Dynamic Host Configuration Protocol) server, where the Lite assigns private IP addresses automatically to the computers on your network. I didn't use this setting, as my computers already had fixed IP addresses. Business networks wouldn't need that feature, as they likely would use fixed IP addresses or have a separate DHCP server, but this will be a useful feature for small-office or home networks.

One of the resources on my network is a web server. If you are expecting incoming traffic from the Internet, you have to configure the firewall to pass the appropriate type of data packets from the Internet to the appropriate private IP address, and thus to the right computer on your LAN. It was easy to redirect traffic on IP port 80 (HTTP) and port 23 (FTP) to my web server. The firewall appeared to do a good job of filtering bad packets; from outside my network, I launched Sub-Seven and Ping-of-Death attacks against the firewall and also attempted a port scan, and it blocked those attempts. Those are common crack attempts made against cable-modem users, and the firewall worked admirably.
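The two behaviours described above, the outbound address translation from the NAT section and the inbound port redirection to the LAN web server, are easy to see side by side in a small model of the translation table. The following is an added example, not SnapGear's firmware or anything from the Lite: it reuses the review's addresses (public 123.45.67.89, LAN PC 192.168.0.14) and constructs a LAN web server address, a remote web site and an unrelated Internet host purely for the demonstration. The point it adds to the prose is the security property that falls out of NAT: a packet from the Internet is only passed to the LAN if it answers a connection the LAN started, or matches a static forwarding rule such as the port 80 one.

```python
"""Toy model of a NAT firewall with static port forwarding.

Added example (not SnapGear's code). Constructed addresses:
  LAN_WEB  - a web server on the private LAN
  WEB_SITE - a web site somewhere on the Internet
  PROBER   - an unrelated Internet host that sends unsolicited packets
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "123.45.67.89"   # address the ISP gave the Lite (from the review)
LAN_PC = "192.168.0.14"      # a PC on the private LAN (from the review)
LAN_WEB = "192.168.0.20"     # constructed: LAN web server
WEB_SITE = "198.51.100.7"    # constructed: remote web site
PROBER = "203.0.113.9"       # constructed: unrelated Internet host


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        # static rules: public port -> (private ip, private port)
        self.port_forwards = dict(port_forwards or {})
        # dynamic table: public port -> (lan ip, lan port, remote ip, remote port)
        self.table = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source so it looks like the public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:        # existing flow: reuse its public port
                break
        else:                       # new flow: allocate a public port, remember it
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt):
        """Internet -> LAN: returns the retranslated packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # only the host we talked to may answer on this port
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
            return None
        fwd = self.port_forwards.get(pkt.dst_port)
        if fwd is not None:         # static rule, e.g. port 80 -> LAN web server
            lan_ip, lan_port = fwd
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        return None                 # unsolicited and unmapped: dropped


def demo():
    """Replays the review's web-page scenario plus the port-80 forwarding rule."""
    fw = NatFirewall(PUBLIC_IP, port_forwards={80: (LAN_WEB, 80)})
    # 1. the LAN PC asks a web site for a page; the Lite rewrites the source
    out = fw.outbound(Packet(LAN_PC, 51515, WEB_SITE, 80))
    # 2. the web site answers the public address; the Lite maps it back to the PC
    back = fw.inbound(Packet(WEB_SITE, 80, out.src_ip, out.src_port))
    # 3. an unrelated host sends something to a port nobody asked about: dropped
    probe = fw.inbound(Packet(PROBER, 4444, PUBLIC_IP, 5555))
    # 4. an Internet visitor connects to port 80: forwarded to the LAN web server
    visitor = fw.inbound(Packet(PROBER, 33000, PUBLIC_IP, 80))
    return out, back, probe, visitor


if __name__ == "__main__":
    for label, pkt in zip(("out", "back", "probe", "visitor"), demo()):
        print(f"{label:8s} {pkt}")
```

Running it shows the outbound request leaving as 123.45.67.89:40000, the reply landing back on 192.168.0.14:51515, the stray probe returning None, and the port-80 visitor being handed to the LAN web server. Real NAT devices also age entries out of the table and track TCP state; the model leaves that out to keep the mapping logic visible.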

My only reservation with the SnapGear Lite firewall is that it is not certified by a major firewall tester. Every other firewall I've tested, including SonicWall SOHO+, WatchGuard's Firebox and Check Point's best-selling (but expensive) Firewall-1, is certified by ICSA Labs (www.icsalabs.com), which puts firewalls through a pounding with a well-established and industry-standard test suite. The Lite isn't certified, and SnapGear doesn't even mention ICSA on its web site. However, according to a company spokesperson, SnapGear began working toward certification in January 2002 and hopes to have achieved it by the end of the second quarter.

The final tests involved making two virtual private network connections over the Internet. The first was to a Check Point VPN-1 device, which was configured for IPSec-based access. The second was a PPTP-based link to a Windows 2000 server. I had no trouble making either connection, though I would judge the process somewhat complex.

Someone with experience and good understanding of VPNs should have no trouble making it work. Someone without that experience will find the sketchy documentation (a 12-page booklet and a 73-page PDF electronic manual, with 20 pages devoted to VPNs) confusing and likely will need assistance from SnapGear or a knowledgeable system administrator. Once the VPN is set up, however, it appears to be reliable and sufficient for a typical small-office or home computer user. By the way, there is also an ICSA certification for IPSec compatibility that most major VPN product manufacturers use and promote; the Lite doesn't have that either.

So, here's the bottom line. If you're looking for hardware protection for your internet connection, the Lite is inexpensive and relatively easy to use. It also has the VPN functionality, and as far as I can tell, is unique in acting as a PPTP client, which is a real plus for Linux users. On the other hand, the firewall is not yet certified and the VPN functions aren't easy to set up. If you're okay with that, it's a good solution and certainly worth the price.


Alan Zeichick (zeichick@camdenassociates.com) is a technology analyst in the San Francisco Bay area who focuses on networking and software development.