Netgear Cable/DSL ProSafe Wireless VPN Security Firewall
May 23, 2003
Security isn't always the primary focus of most wireless products, but Netgear turns that on its ear with a WLAN router that's a VPN endpoint and more.
Many if not most broadband routers offer various levels of security and management functions. However, many of these same products distinguish themselves by an attractive price and easy setup, and to satisfy both requirements, the inclusion of comprehensive security and management capabilities is often not a priority.
Netgear's FVM318 takes a decidedly different approach. The FVM318 is of course a broadband SOHO router, but Netgear eschews this term in the product's name, going instead with the descriptive and verbose nomenclature of Cable/DSL ProSafe Wireless VPN Security Firewall.
Not surprisingly, these capabilities don't come without some cost - literally. At a street price of more than $700, the FVM318 is anywhere from four to six times more than a typical SOHO WLAN router.
The FVM318 uses Netgear's blue metal chassis rather than the more aesthetic plastic one used by more recently released Netgear products. A single removable dipole antenna rises from the back of the unit. Next to it can be found eight 10/100 ports, rather than the more typical four. The indicator lights on the front of the unit are logically laid out and well spaced for easy readability.
As far as WLAN capabilities are concerned, the FVM318 makes do with ordinary 802.11b, so it's not going to win any wireless throughput contests. Of course, in business, slow and steady wins the race, so a product like this with draft 802.11g support would probably be anathema to its intended audience.
The FVM318 supports the obligatory two WEP levels, but it can also encrypt WLAN connections using IPSec. This offers two major benefits. First, when securing your WLAN with IPSec, you have the choice of several robust encryption algorithms, including 3DES, plus AES with 128-, 192-, and 256-bit cipher strengths. Moreover, IPSec encrypts the entire IP packet--not just the data payload like WEP does.
Another distinguishing feature of the FVM318 router compared to lesser models is that it functions not only as a VPN passthrough, but as an endpoint as well. As a result, the router can establish VPN sessions with remote clients directly, rather than simply acting as a conduit between a client and a separate VPN server on the LAN.
For the small enterprise that the FVM318 is targeted at, this approach carries obvious benefits, not the least of which is simplified setup and configuration of VPN settings, which can often be daunting with OS-based or third-party VPN products.
Because the encryption necessary to maintain VPN or WLAN connections involves a significant amount of processing overhead, the FVM318 has a dedicated co-processor to handle such matters, ensuring that overall router performance doesn't suffer at the hands of encryption calculations.
Like any router worth its salt, the FVM318 has a built-in DHCP server, but this one has two added features not typically found. One is the ability to put a WINS server address in the DHCP scope--often needed for NetBIOS resolution on Windows networks. The other is the ability to define reserved addresses in the DHCP scope. This gives you a consistent IP address for something like a printer, while still allowing the address to be managed globally through DHCP.
One of the most useful features of the FVM318 is the diagnostics page. This page presents an array of troubleshooting tools, the equivalent of ping, nslookup, and tracert. While these capabilities can also be accessed via the Windows command line, having them built into the router can make troubleshooting easier, especially when you're trying to determine whether connectivity problems are the fault of your router or your ISP.
The FVM318 also gives you a little more flexibility than normal when it comes to remote management. You can of course specify a router port number for remote access as well as a remote IP address, but the FVM goes a step further and allows you to specify an entire IP range. This is helpful when you might have more than one individual at a support organization (or satellite office) that might need access to the router in the event of trouble.
Another example of the security-conscious focus of the FVM318 is that the administrator console has a configurable timeout value (the default is 5 minutes) to help prevent unauthorized passers-by from accessing the console on an unattended machine. (But you'd never leave the browser console open and unattended, would you?)
The FVM318 offers strong logging and alerting functionality. It's one of relatively few routers that can be configured to immediately send e-mail security alerts, or simply send logs periodically according to a customizable schedule. The information recorded in those logs, incidentally, is customizable as well, and you can send them to a Syslog server for offline viewing.
Controlling access to the Internet from the LAN is important to most administrators, and in this regard, the FVM318's capabilities are as good as any I've seen. In addition to filtering Web access by keyword or domain name, you can block things like ActiveX, Java, and cookies. Of course, filtering these site components is often not practical, since many legitimate sites make use of them.
All of the access controls can be governed by a time-based schedule, and the FVM318 lets you define one "trusted" IP address that will not be bound by the access controls, which comes in handy for the boss (or at least the administrator).
Given that the FVM318 for all intents and purposes is identical to Netgear's FVS318 but for the addition of WLAN capability, there's not a whole lot to say about the WLAN side of the product.
The FVM318's WLAN throughput was solidly in the 4 Mbps range, very much commensurate with an 802.11b product. Since I tested the FVM318 using a D-Link DWL-650+ client, the throughput figures were slightly higher than normal owing to the performance benefit of the TI chipset's PBCC signaling method.
Of more interest was how the wireless throughput would fare when secured via IPSec. You can secure WLAN sessions by using the SoftRemote client by SafeNet, which is included on the CD. Setting up an IPSec security association between the FVM318 and a client wasn't difficult, requiring only about five minutes per machine. In order to make a remote VPN connection, you need another piece of SafeNet client software which is not included with the FVM318. It costs $149 per copy, and the price drops to $99 with 10 or more copies. I wasn't able to get the VPN client built into Windows 2000/XP to work with the FVM318, evidently owing to a difference in supported encryption methods.
Back to WLAN performance. As it turns out, there was an IPSec performance penalty, but it was minimal. With IPSec enabled and using 256-bit AES encryption, the throughput at 10 feet was 4.28 Mbps, compared to 4.95 Mbps without encryption. (The router remained in the 4 Mbps realm throughout the distance testing.) Using 128-bit WEP the throughput was 4.64 Mbps, so while the security delta between the two forms of encryption is wide, the performance delta was minimal.
It bears mentioning that Netgear claims the FVM318 can handle 32 WLAN IPSec tunnels plus 70 remote VPN tunnels at the same time, for a total of 102 simultaneous tunnels. I certainly can't verify that, but it's worth mentioning that Netgear also claims 4.2 Mbps throughput out of an IPSec WLAN session, which was borne out by the results above.
In my view, the FVM318 nicely fills the gap between SOHO wireless router products and the higher-end enterprise devices, which offer more advanced features but cost considerably more and often are much more difficult for non-technophiles to set up and maintain.
If the best possible wireless performance is not your primary concern but you need a router with more sophisticated management and security features, the FVM318 may very well be the router for you.