Strengths: Excellent range of security features for the price, easy installation, WAN failover and load balancing, traffic metering, IPsec and SSL VPNs supported
Weaknesses: SSL VPN performance isn't great and web filtering is very basic
Verdict: Considering its low price, this compact appliance delivers an impressive range of security features, which includes both IPsec and SSL VPNs
Netgear's ProSafe brand of appliances has always aimed to offer SMEs a choice of affordable security solutions and the ProSafe Dual WAN Gigabit Firewall - FVS336G delivers a surprisingly good range of security measures with a very tempting price tag.
At the top of the list is support for both IPsec and SSL VPNs, giving you the best of both remote-access worlds. The tortuous installation procedures for IPsec VPNs make them better suited to site-to-site links. Netgear is no exception, but at least its documentation is better than most. SSL VPNs are a better bet for providing secure remote access as they are much easier to configure and all users require is a web browser to access the appliance.
A NAT/SPI firewall provides a firm foundation, the dual WAN ports indicate link failover is on the menu and you get basic web filtering and traffic metering as well. This desktop box also offers a reasonable hardware specification as it sports a 300MHz processor teamed up with 64MB of memory and 16MB Flash memory. All four LAN ports are the Gigabit variety, as are the WAN ports.
Installation is a swift affair and you start by setting up your WAN ports. In the mode dubbed auto-rollover, the second port can act as a backup link if the primary link fails. Alternatively, you can bind both WAN ports together for a load-balanced connection. If the two WAN links aren't the same speed you can use protocol binding to ensure higher priority traffic is only routed through the faster connection. Where WAN connections are charged by volume you can use traffic metering to apply a limit in MB to either or both WAN ports.
Netgear's content filtering is very basic, only allowing you to block internet access to selected sites using a URL keyword and domain list. Each LAN system is placed in one of eight groups and you can decide which ones will have filtering applied to them. This feature is limited by the fact that only a single keyword list - with a maximum of 32 entries - is supported, so you can't apply different web-access policies to each group. However, you can block all web access for selected systems using the source MAC address filtering feature.
The SPI firewall defaults to blocking all unsolicited inbound traffic, but you can customise it with your own rules. These are used to deny or allow specific traffic and services, and one of three schedules can be applied to determine when each rule is active.
As expected, the price tag limits the number of SSL VPN features, as you don't get any application proxies. All the FVS336G allows you to do is define your LAN resources using their IP address and port number. However, the required user authentication options are present and correct as you can use the appliance's local database along with AD, NT domain or RADIUS servers.
When creating your SSL VPNs you can go for tunnels or port forwarding, where the latter offers support for TCP only but deploys a lightweight ActiveX client when a connection has been requested. To test this feature, we configured the primary WAN port with a fixed IP address on a different subnet to the LAN ports and used Windows XP workstations to act as remote clients. After pointing their web browser at the WAN port and providing their user credentials, clients are transported to a portal page with a connection icon. This pulls down an ActiveX control that sets up a virtual network adapter on their system and dishes out an IP address from a pool on the appliance.
We created a variety of port forwarding policies, allowing the test clients access to our internal mail and FTP servers but stopping them from seeing any other LAN resource. We found SSL VPNs easy enough to configure, but performance is nothing to write home about, with a variety of test files copied over FTP delivering average speeds of only 1.4MB/sec.
The FVS336G is an impressive little appliance that delivers a fine range of security features in return for a modest outlay. Netgear's web filtering is of very limited value, but the combination of load-balanced or failover WAN links plus IPsec and SSL VPNs makes it a good choice for SMEs looking to provide secure, reliable access to other sites and remote users.