Netgear ProSafe Wireless N SSL VPN Firewall in Security appliances

Netgear's latest SMB router brings together a veritable cornucopia of features as it combines firewall duties, IPSec and SSL VPNs plus traffic management, and melds them together with a dual-band wireless-N access point. Supporting both VPN types simultaneously allows it to manage encrypted site-to-site tunnels and secure remote access for mobile workers at the same time.

The SRXN3205 has a quartet of Gigabit LAN ports and a single RJ45 WAN port that can be used for a direct connection or adding a suitable DSL or cable modem. The three removable wireless aerials are fitted at the back and the access point supports 802.11n/g or n/a operations, but not both together.

Netgear's web interface is well designed and provides easy access to all features. The SPI firewall defaults to blocking all unsolicited inbound traffic, but you can modify it with your own rules.

Specific services can be blocked or allowed and one of three time schedules applied. With only a single WAN port, failover is not an option, but traffic metering will prove useful as limits in MB can be applied to WAN usage.

If usage is exceeded during the current month all further access can be blocked. The counter can be reset on a specific day of each month, you can allow a temporary increase if the threshold is breached and also let email through if required.

Web browsing restrictions can also be applied although these are nothing more than URL or keyword lists.

LAN systems are placed in one of eight groups and have URL keyword blocking applied to them. You can only create a single URL keyword list and apply it to selected groups, so it's not possible to use different policies for each group. Wireless security includes WPA/WPA2 and RADIUS authentication plus ACLs using client MAC addresses. For wireless-N operations both 20MHz channels can be enabled and you can choose either 802.11a or g, as accompaniment.

For SSL VPNs the router supports multiple authentication domains which determine what LAN resources your mobile clients are allowed to access. Features are quite basic, as you can only define LAN resources based on IP addresses and port combinations. If you want application proxies then check out dedicated appliances such as Billion's BiGuard S20 or Netgear's own SSL312.

VPN tunnels provide full remote access to the LAN as though the client were locally connected. The port forwarding mode allows you to restrict access to specific servers and services, although this only supports TCP. Once a remote user logs on to the appliance they are redirected to a portal page that can be customised to suit.

Selecting the connection icon loads an ActiveX control that creates a virtual network adapter with an IP address assigned from a pool on the appliance, and we were able to create policies that restricted remote access to our internal FTP, web and mail servers. Performance isn't great, though, as the Netperf utility reported an average link speed between client and server of less than 2MB/sec.

There are some compromises in terms of features but having SSL and IPsec VPNs plus wireless-N services in a single box makes the SRXN3025 quite unique. It's easy enough to use and SMBs will like the low price tag as well.

Author: Dave Mitchell