Netgear FVS336G ProSafe Dual WAN Gigabit Firewall
REVIEWED BY JOEL SNYDER
The latest ProSafe series firewall brings together nearly everything Netgear offers in the security space, including firewall, IPsec and SSL VPN, neatly packaged into a small-office friendly device, with no fan and an internal power supply. For deployments needing a minimum of security rules, the FVS336G offers broad features at an attractive price.
Netgear's ProSafe user interface has been honed from years of development in more than a dozen products, making basic setup and configuration of the FVS336G very easy. Our starting configuration took less than 10 minutes, and almost everything we tried was easy to understand and quick to do. For example, we wanted to test the dual-WAN capability of the FVS336G; Netgear provides two ways of using two WAN interfaces, load balancing and failover. Each option worked fine, and the user interface was intuitive.
We also had a good user experience in testing the SSL VPN client (up to 10 simultaneous users are supported). Windows and Mac users were able to connect, log in and deploy the client software without reading the manual or encountering confusing buttons. We also had no problems building a site-to-site VPN (up to 25 tunnels are supported), thanks to the VPN wizard and good default settings.
The FVS336G is not for the network manager who wants a fine-grained security policy. Although there are some features, such as time-of-day policies, the FVS336G is for the network manager who wants to allow all traffic out, block inbound traffic and be done with security configuration. This is true on both the firewall and VPN sides of the product. As a two-zone firewall (inside and outside), the policy set is simple, which should meet the needs of most small offices.
We found the logging to be poorly thought out and implemented. Log messages either overwhelmed with trivia or failed to capture the information needed to audit traffic. Policies such as NAT are global to the entire firewall--it's either on or off, making anything but the most basic deployments problematic.
The SSL VPN was a particular disappointment. With a default "permit all" policy that can't be changed, we found that trying to control access once someone logs in over the SSL VPN is impossible. Moreover, when we tried to put in an SSL VPN policy that didn't simply grant broad access, we ran into bugs in the way policies are evaluated, giving less security than the policy indicated. We also found bugs in enabling remote management, but fortunately the error was in the direction of greater security--remote management could not be enabled.
The FVS336G is not a UTM firewall, but it has limited UTM features, including content filtering by keyword and domain, as well as blocking of ActiveX and Java controls.
Our performance testing showed the FVS336G with a throughput of about 37 Mbps, less than Netgear's advertised rate of 60 Mbps, but still plenty fast even in dual-WAN deployments using DSL or cable modem connections. Netgear advertises slightly lower performance for IPsec (16 Mbps) and SSL VPN (10 Mbps) traffic.
Although the FVS336G is not a gigabit performer, the street price of $265 to $300 (the list price is $425), along with a lifetime warranty and free software updates, makes this a good and economical choice for the small business with modest security needs, including easy-to-use SSL VPN remote access.
Testing methodology: We evaluated the FVS336G by connecting it directly to the Internet and placing test systems on the inside interface. We then tried to implement three different security policies for firewall and SSL VPN.