Netgear FVS336G

Netgear delivers an affordable security appliance with the best of both VPN worlds and plenty more besides

The full name of Netgear's latest SMB router says it all, as the ProSafe Dual WAN Gigabit Firewall with SSL and IPSEC VPN really does pack in the features. With both IPsec and SSL VPNs on the menu you can create secure site-to-site tunnels using the former, and for easy mobile access use SSL VPNs that only require the user to log in from a standard web browser.

However, the level of SSL VPN features aren't as good as those offered by the PC Pro Recommended Netgear SSL312, although considering this solution costs over £60 more it's hardly surprising. Instead of application proxies, you have a more basic set of controls where you define only LAN resources based on IP addresses and port combinations. You don't get the Network Places option either, but you can use different domains to authenticate users with the appliance's local database or via AD, NT domain or RADIUS servers.

Users can be offered VPN tunnels or port forwarding, where the latter uses a lighter ActiveX client but only supports TCP. For testing, we used one port connected to our LAN and the primary WAN port configured in a different subnet, with a collection of workstations behind it acting as remote clients. After logging on to the appliance, our users were redirected to a portal page with a connection icon. Selecting this loads an ActiveX control, which creates a virtual network adapter that's assigned an IP address from the pool on the appliance.

We had no problems creating different access policies, where we could decide to allow external access to our FTP and mail servers but stop anything else on the LAN being seen. Performance isn't particularly good, as copying a 690MB video clip from an FTP server on the LAN to a remote client saw average speeds of only 1.4MB/sec.

The SPI firewall defaults to blocking all unsolicited inbound traffic, but you can modify it with your own rules. Specific traffic can be blocked or allowed, and one of three schedules can be applied to determine when rules are active. Failover options are good, as you can set the second WAN port to act as a backup link if the primary link goes down, or bind both together in a single load balanced link. Traffic metering could also prove useful, as you can apply a limit in megabytes to WAN usage and if it exceeds this during the current month, all further access can be blocked. The counter can be reset on a specific day of each month, you can allow a temporary increase if the threshold is breached, and also choose to only let email continue if required.

Internet access controls can also be applied, although these are rather basic. LAN systems can be placed in one of eight groups and have URL keyword blocking applied to them. You can create only a single URL keyword list and apply it to selected groups, so it isn't possible to use different policies for each group.

The FVS336G is offering a very good deal to small businesses that want a good combination of network security features. The SSL VPNs aren't the best, but they work - and that Netgear has managed to include them at all at this price is quite remarkable.

Author: Dave Mitchell