D-Link NetDefend DFL-CPG310 Security Appliance
April 19, 2006
D-Link's unified threat management security appliance packs a huge number of features into one box, but with a huge price.
The modern networked office requires a certain degree of vigilance, and not just from midnight burglars. Thanks to increasing network safety consciousness, you probably already have a router firewall on your broadband connection and anti-virus software on all of your PCs. The D-Link NetDefend DFL-CPG310 bundles these, wireless security, VPN
With a list price of $499.99, how does the NetDefend CPG310 differ from a typical small office router/firewall? What does its price tag, nearly five times that of most wireless G routers, really buy?
Wireless Router with Failover and Print Server
The DFL-CPG310 connects your LAN to the Internet as a router. It features four wired Ethernet ports and supports 802.11b/g wireless clients. You can connect clients with G, Super G or XR support to the CPG310 for speeds up to 108Mbps. These features alone are common on many SOHO routers.
The router also includes a serial port that can connect to an external dial-up modem. Should any one option fail, the router can automatically fail over to a working connection, preventing any disruption in Internet connectivity. For some businesses this safety net could be critically valuable, while for others, overkill.
With the $499 "PowerPack" software upgrade, multiple NetDefend routers can fail over to one another.
The CPG310 supports WEP
Unlike more basic routers, the CPG310 isolates the wireless LAN from the wired LAN. Each must reside on separate local IP subnets
The appliance also features a USB print server that lets you connect any USB-capable printer and share it within your LAN or across the Internet.
QoS Traffic Shaping
Quality-of-Service, or QoS
A typical QoS configuration, for example, would assign VoIP
Firewall and SmartDefense
The CPG310 includes a highly configurable firewall. Its most basic configuration is a simple slider with three levels of protection: high, medium and low. Each is preset to allow and disallow kinds of traffic. At its lowest setting the firewall will allow all outgoing traffic from the LAN; at its highest setting, only major network services such as Web, e-mail, FTP
You can customize the firewall well beyond these basic templates and allow incoming traffic from a list of common servers including Web, e-mail, telnet
What really separates the NetDefend appliance's firewall from your garden-variety SOHO router is its so-called "SmartDefense" technology. As an SPI or stateful packet inspection firewall, the NetDefend goes beyond merely blocking or allowing network ports. It analyzes communication patterns over time to discern the "intent" behind the traffic.
For example, SmartDefense is aware of four types of Denial of Service attacks
[Image: The D-Link NetDefend CPG310 Security Appliance]
Virtual Private Networks allow computers to connect with each other securely whether they are on the same LAN or halfway across the world. The CPG310 can be configured as either a VPN Server or Client. Most offices will set it up as a VPN Server, thereby allowing clients outside your network to securely connect to your internal resources such as e-mail, printer and shared files.
The router includes (both on CD and as a free download) the CheckPoint SecuRemote VPN client for both Windows and Mac OS X. Using this client either within your LAN or from a machine elsewhere on the Internet, you can create a completely secure VPN connection to the router.
The base CPG310 supports two VPN networks and includes a five-user license for the SecuRemote client software. Upgraded to the PowerPack, VPN support is bumped to 15 VPNs with a 25-user license for the client software. The PowerPack also increases VPN throughput from 20 to 30 Mbps.
The CPG310 can be actively updated through D-Link's annual subscription service. The least expensive, at $99 per year, includes firmware and security updates, online and telephone support and dynamic DNS
With dynamic DNS your router can post its IP address to an online DNS service even if your broadband provider does not provide you a static IP. Dynamic DNS is becoming a more common feature on mid-range routers with far lower price points.
The CPG310 includes the VStream anti-virus scanner that analyzes a variety of traffic including e-mail, Web and FTP on-the-fly for virus fingerprints. You receive an initial database for virus definitions as part of the included 90-day subscription to D-Link's anti-virus service.
A $299 per-year subscription to D-Link's anti-virus service buys you both security updates and support plus updated virus definitions. You can continue to use VStream anti-virus scanning without a subscription, but the router will not receive new virus definitions.
As D-Link notes, scanning for viruses at the network perimeter may not be complete protection. Because a virus can enter your network through other means (files on a CD, Zip disk, or thumb drive, for instance), desktop anti-virus software may still be prudent.
Another $199 per year buys you access to the CPG310's Web-filtering feature. Less specifically a security defense, Web filtering lets you block LAN access to certain categories of Web content such as adult, gambling or Web-mail sites. In the workplace, content filtering is often used to "increase productivity" by reducing distractions.
As with most Web-filtering services, you have no control over what sites are included in the 30-plus categories. Nor can you create white or blacklists to specifically include or exclude certain sites.
One Box Fits All?
With the NetDefend CPG310, D-Link certainly stuffs a lot of functionality into one box. The unit goes well beyond the basic router/firewall/wireless features found in most small office network appliances. Of course, it has a price to match.
Getting the most out of the CPG310 requires a reasonable level of networking knowledge. There are a couple of basic wizards included in the administration interface, but they merely brush the surface of this unit's features. Some features such as QoS involve settings spread across several categories. It would be nice if, for your $500, D-Link included a printed manual; a 485-page PDF file included on the CD isn't quite the same.
Despite its broad array of features, the CPG310 could provide better performance on some of its basic offerings. Its wireless range, for example, is significantly more limited than the ZyXEL X-550 or Linksys WRT54G routers, both of which cost about $100.
Taking into account the extra $499 for the PowerPack upgrade and as much as $500 per year in optional subscriptions to keep the unit up to date, the NetDefend CPG310 is not just a security solution, but a serious financial investment. Its sophistication and price may well exceed the needs of many small businesses. Match the CPG310 with a medium-sized business, and now you're in business.
Aaron Weiss is a technology writer, screenwriter and Web development consultant who spends his free time stacking wood for the winter in Upstate New York. His Web site is: bordella.com
This story courtesy of SmallBusinessComputing.com.