August 01, 2008
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Excellent range of security features for the price, easy installation, WAN failover and load balancing, traffic metering, IPsec and SSL VPNs supported
- Weaknesses: SSL VPN performance isn't great and web filtering is very basic
- Verdict: Considering its low price, this compact appliance delivers an impressive range of security features, which includes both IPsec and SSL VPNs
Netgear's ProSafe brand of appliances has always aimed to offer SMEs a choice of affordable security solutions and the ProSafe Dual WAN Gigabit Firewall - FVS336G delivers a surprisingly good range of security measures with a very tempting price tag.
At the top of the list is support for both IPsec and SSL VPNs, giving you the best of both remote-access worlds. The tortuous installation procedures for IPsec VPNs make them better suited to site-to-site links. Netgear is no exception, but at least its documentation is better than most. SSL VPNs are a better bet for providing secure remote access as they are much easier to configure and all users require is a web browser to access the appliance.
A NAT/SPI firewall provides a firm foundation, the dual WAN ports indicate link failover is on the menu and you get basic web filtering and traffic metering as well. This desktop box also offers a reasonable hardware specification as it sports a 300MHz processor teamed up with 64MB of memory and 16MB Flash memory. All four LAN ports are the Gigabit variety, as are the WAN ports.
Installation is a swift affair and you start by setting up your WAN ports. With the feature Netgear calls auto-rollover, the second port can act as a backup link if the primary link fails. Alternatively, you can bind both WAN ports together for a load-balanced connection. If the two WAN links aren't the same speed, you can use protocol binding to ensure higher-priority traffic is only routed through the faster connection. Where WAN connections are charged by volume, you can use traffic metering to apply a limit in MB to either or both WAN ports.
Netgear's content filtering is very basic, only allowing you to block internet access to selected sites using a URL keyword and domain list. Each LAN system is placed in one of eight groups and you can decide which ones will have filtering applied to them. However, this feature is limited by the fact that only a single keyword list - with a maximum of 32 entries - is supported, so you can't apply different web-access policies to each group. You can, though, block all web access to selected systems using the source MAC address filtering feature.
The SPI firewall defaults to blocking all unsolicited inbound traffic, but you can customise it with your own rules. These are used to deny or allow specific traffic and services, and one of three schedules can be applied to determine when each rule is active.
As expected, the price tag limits the number of SSL VPN features, as you don't get any application proxies. All the FVS336G allows you to do is define your LAN resources using their IP address and port number. However, the required user authentication options are present and correct as you can use the appliance's local database along with AD, NT domain or Radius servers.
When creating your SSL VPNs you can go for tunnels or port forwarding, where the latter offers support for TCP only but deploys a lightweight ActiveX client when a connection has been requested. To test this feature, we configured the primary WAN port with a fixed IP address on a different subnet to the LAN ports and used Windows XP workstations to act as remote clients. After pointing their web browser at the WAN port and providing their user credentials, clients are transported to a portal page with a connection icon. This pulls down an ActiveX control that sets up a virtual network adapter on their system and dishes out an IP address from a pool on the appliance.
We created a variety of port forwarding policies, allowing the test clients access to our internal mail and FTP servers but stopping them from seeing any other LAN resource. We found SSL VPNs easy enough to configure, but performance is nothing to write home about, with a variety of test files copied over FTP delivering average speeds of only 1.4MB/sec.
The FVS336G is an impressive little appliance that delivers a fine range of security features in return for a modest outlay. Netgear's web filtering is of very limited value, but the combination of load-balanced or failover WAN links plus IPsec and SSL VPNs makes it a good choice for SMEs looking to provide secure, reliable access to other sites and remote users.