Review: Secure SOHO routers

Efficient Networks and NetGear bundles earn top honors.
You face a tough balancing act when sending workers to remote or home offices. You need to equip them with a broadband connection, but you also need to keep your network safe without spending a bundle.

There are still more choices to navigate. Some DSL providers include a modem when you sign up for their service; some don't. Others lease you a modem or modem/router, or let you select your own from an approved vendor list.

To help you decide which modem/router might work best in your network, we tested four units (from Cisco, Lucent, Efficient Networks and 2Wire) that included the DSL modem and two routers (NetGear and ZyWall) that rely on a broadband modem for the connection. Vendors opting not to participate in our test included Allied Telesyn, NetVanta, NexLand, MultiTech Systems and SonicWall.

Growing competition in this market means security features formerly reserved for high-end routers (such as the stateful inspection firewall feature we required for inclusion here) now appear in more affordable units (those less than $800 as required in this test) targeting small offices. We assessed how each fits this new security bill and evaluated each for its ease of setup and remote-management capabilities.
Efficient's 5930 Business Gateway and NetGear's FR314 earned the Network World Blue Ribbon award for being best-suited to the small office market. Good setup, strong security and neophyte-friendly network management software put these units ahead of the pack.

Efficient DSL modem/router combos

All necessary cables came in the box with the Efficient 5930, including a DSL cable and RJ45-to-serial adapter for use with the console port. The Quick Start flyer gave clear directions and supplied the administrative user name and default password. In the name of safety, the Efficient 5930 forced a password change immediately. It also presented a "Firewall Scripts" page, requiring you to choose maximum, medium, minimum or no firewall protection. Users can ignore security, but they have to do it consciously.

The only setup hitch came when we tried to configure the eight-port 10/100Base-T hub on the 5930 before plugging in the DSL. Because the DSL link was inactive, the 5930 disabled the Dynamic Host Configuration Protocol (DHCP) server, so clients couldn't receive an IP address for connecting to the 5930. Customers eager to start their networks before the DSL line is active should take note.

Stateful inspection goes beyond basic IP firewalls by tracking the state of the communications between outside and inside systems. Incoming packets must contain information about a session in progress, not just a valid IP address and port number.

Efficient's Web Manager interface minimizes the task of creating a firewall rule. Command buttons for create and modify/view start the rule-making process, with drop-down menus listing protocols and applications to consider in the rule. Radio buttons let you choose protocols (TCP, User Datagram Protocol [UDP], Internet Control Message Protocol, Simple Mail Transfer Protocol [SMTP] and others), and only port number and IP address ranges must be typed in.
Security is never a no-brainer, but creating rules doesn't get much easier than picking from a menu and checking boxes.

This Efficient model includes a 56K modem for backup, so when a DSL link drops and is subsequently revived, switching between the DSL and 56K links occurs automatically. Users with a modem or another WAN link will appreciate the support for an external modem on the console serial port. The clean Web interface makes unit management straightforward. Eighteen menu options help navigation.

The most consumer-oriented product we tested, in terms of packaging and software presentation, is the 2Wire HomePortal 1000, which comes in a stand-up case that saves desktop space. Start-up help focuses on the ways the 2Wire product can connect to a home network, including Ethernet, Universal Serial Bus and 802.11b. There was not much information covering DSL connection or security.

The internal DHCP server parcels out IP addresses in the 172.16.x.x range. This address range is not routable over the Internet, but vendors normally use the 10.0.0.0 or 192.168.x.x ranges. This unique addressing probably will not interfere with or overlap any existing network.

Propping up the "HomePortal" self-tag, 2Wire loaded client software on multiple systems for easy sharing. User and network management screens, heavy on icons, provide good help supported by additional control screens placed on PC taskbars and context menus.

Unwelcome for a home-oriented system was the lack of a forced password or any depth to the firewall configurations. 2Wire offers a decent set of inbound and outbound firewall filters, but no port control options. All inbound data traffic gets filtered for known hacks, but you have to trust the vendor's settings and filters because a user can't change them. HomePortal includes an upgrade link on its client page for one-click automated upgrades.

Regular Cisco users might be shocked, but the Cisco 827 product we tested ships with color-coded plugs and cables.
A CD-ROM labeled Fast Step provides easy, Web-based installation. For management purposes, users can see all the Cisco IOS settings via a browser, but many can't be changed without knowledge of Cisco's command-line interface. Still, we favor this approach because the Web interface won't threaten remote workers who need to change their own information, but it does let more technical support staff perform normal IOS operations when necessary.

Features aren't lacking in the 827, but you need to know how to find them. To control which packets are open to stateful inspection, you must dig into PDF documentation. We suggest a trip to the Cisco Web site for real examples of "context-based access control."

Lucent's CellPipe 50 includes a serial nine-pin to 25-pin adapter, but not a serial cable, which you can't do without in this case. The main configuration window is archaic, resembling the long-retired Ascend ISDN router. Control-n moves the cursor from one item to the next inside the VT100 display. When a service provider sells the CellPipe 50, it uses the Turn-up software for automatic configuration. Just hope you don't have to change a configuration setting yourself.

Firewall configuration mercifully avoids the ancient VT100 display screen in favor of the surprisingly adept SecureConnect Manager application. This tool is a bit complex but offers excellent flexibility. Multiple firewall configurations can be saved, modified, deleted or loaded from any Windows workstation, and three can be stored on the router.

Lucent plays a role in this market because of its Bell roots and its ability to sell equipment to providers, not because it makes a consumer-friendly product.

Broadband routers only

The NetGear FR314 fits between the DSL (or cable) modem and the PC. It includes four 10/100Base-T ports to support PCs directly or via a link to a hub.
The setup wizard forces you to set a password, configures DHCP based on information queried from your broadband provider and automatically protects against a variety of hacks. The 134-page electronic manual provides clear, but not deep, help.

The content firewall filters are set via a browser-based administrative page. It's easy to block URLs with particular keywords. To check the value of a setting, you can tap the "Log only" function and examine your changes before completely blocking access. Time settings also are supported.

Stateful inspection rules are set in the Web administrative interface. Check boxes make it easy to block all of one type of service, such as Network News Transfer Protocol (NNTP) or ping packets. Proxy servers can be set for any of the eight major protocols controlled (HTTP, FTP, SMTP, Post Office Protocol 3, DNS, NNTP, Ping and Key Exchange). To create new rules, type the rule name, fill in the IP port range and pick the protocol and service from menus.

The router and firewall log files are easy to configure and view from the left-hand menu tree. Quick reports, including Web site hits and addresses ranked by traffic, are two clicks deep.

Another consumer-friendly, router-only product, the ZyWall 10 included color-coded cables and a short "Read me first" booklet. It offers one 10/100Base-T Ethernet plug to connect to a single PC or wiring hubs supporting up to 32 systems.

Installation was quick because the ZyWall 10 provided IP addresses to clients through DHCP, translated the IP addresses when routing to the broadband connection, and demanded the default password be changed before continuing. The firewall component is enabled at start-up; it guards against denial-of-service attacks and blocks incoming BootP requests automatically.

A content filter list with 13 potential blocking points and time-of-day settings mirrors the same function in the NetGear router.
You can exempt individual computers or entire IP address ranges from content filtering. Packet-filter rules are built by clicking lists of commonly blocked packet types and setting blocking and logging choices.

Summary

Users have to decide for themselves whether they want to use a combination DSL modem/router package or employ a separate DSL modem and router. The convenience of a single unit, offered by 2Wire, Cisco, Lucent and Efficient, must be balanced by the value of cleanly separating the phone company's responsibility from your own network. Using a NetGear or ZyWall unit to link a network to the phone company sets a clear point of demarcation and a clear point of responsibility for the broadband provider.

So if you decide you'd prefer the convenience of the combination DSL modem/router, we favor the Efficient 5930 because of its security depth and ease of management. If you want to go with the router-only option, the differences between the NetGear FR314 and ZyWall 10 are slim, but we lean slightly toward the NetGear because its security administration was a tad easier.
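The review's requirement for stateful inspection (an incoming packet must belong to a session in progress, not merely carry a valid IP address and port) is illustrated by the sketch below. It is an added example, not code from the review or from any tested product; the `Packet` fields, the port-80 stateless rule, the 300-second idle timeout and the sample addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

# flags: TCP flags ("S", "SA", "A"); inbound: arrives on the WAN side; ts: seconds
Packet = namedtuple("Packet", "src sport dst dport flags inbound ts")

def stateless_allow(pkt):
    """Basic IP filter: any inbound packet claiming source port 80 passes."""
    return not pkt.inbound or pkt.sport == 80

class StatefulFilter:
    IDLE_TIMEOUT = 300.0  # assumed idle timeout, in seconds

    def __init__(self):
        # (inside ip, inside port, outside ip, outside port) -> [state, last_seen]
        self.sessions = {}

    def allow(self, pkt):
        if not pkt.inbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":                 # inside host opens a session
                self.sessions[key] = ["SYN_SENT", pkt.ts]
            elif key in self.sessions:
                self.sessions[key][1] = pkt.ts
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        entry = self.sessions.get(key)
        if entry is None or pkt.ts - entry[1] > self.IDLE_TIMEOUT:
            self.sessions.pop(key, None)
            return False                         # no session in progress: drop
        if entry[0] == "SYN_SENT":
            if pkt.flags != "SA":
                return False                     # only a SYN-ACK may answer our SYN
            entry[0] = "ESTABLISHED"
        elif "S" in pkt.flags:
            return False                         # new SYN inside an open session
        entry[1] = pkt.ts
        return True

# Constructed sample traffic (private and documentation address ranges).
SAMPLE = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, "S", False, 0.0),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, "SA", True, 0.1),
    Packet("198.51.100.7", 80, "192.168.1.10", 40001, "A", True, 1.0),   # unsolicited
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, "A", True, 2.0),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, "A", True, 400.0),  # after idle timeout
]

def compare(packets):
    """Return (stateless, stateful) verdicts for each packet, in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]
```

The stateless rule passes all five packets, while the stateful filter drops the unsolicited packet and the one arriving after the session has idled out.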
Gaskin is a Dallas author who has been helping small and midsize businesses use technology since 1986. He can be reached at readers@gaskin.com. Gaskin is also a member of the Network World Global Test Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Test Alliance information, including what it takes to become a member, go to www.nwfusion.com/alliance.