The FVS336G has a multitude of security options to customize its stateful packet inspection (SPI) firewall. By default, a stateful packet inspection firewall blocks all WAN-LAN traffic that hasn't been initiated by a device on the LAN. NETGEAR has 54 pre-built TCP/UDP services, such as HTTP and FTP, to simplify the opening of ports on the firewall. If additional ports need to be defined, the Services menu enables adding the needed definitions.
Firewall rules can then be created to map traffic with specific destination ports to specific IP addresses. Additionally, up to three different schedules can be defined to apply to any custom firewall rules. This helps to lock down the network during off hours.
Figure 12 shows a successful FTP rule that maps external FTP requests to an internal server on my LAN, with no schedule applied, as per the "Allow Always" setting.
Figure 12: Setting an FTP rule
The FVS has a content filtering ability that can be configured to inspect the text in a URL for objectionable language. I was disappointed to find, however, that users clever enough to use an IP address instead of a URL can bypass URL text filtering. Up to 64 keywords can be added to the blocked list. Known acceptable URLs that may contain the objectionable word can be permitted via the trusted domain list.
For example, to block the word "ogle" but permit "google.com," define "ogle" as a blocked keyword and "google.com" as a trusted domain. This configuration will display a warning screen like Figure 13 below if a user goes to ogle.com, but will allow access to google.com.
Figure 13: A URL blocked by keyword displaying an error message
Note: the FVS336G's web filtering inspects the URL, not the content of the web page. An offensive web site could pass the content filter if the defined word isn't in the URL.
To block specific end users from accessing the Internet entirely, source MAC filtering can be enabled. Devices with their MACs added to the NETGEAR source MAC table will be able to access LAN devices, but will be blocked from the WAN interface.
Some network applications present challenges for NAT/SPI firewalls, as they are initiated with one destination port, but the server responds on another port. The SPI firewall would then not recognize the response as part of an existing session and would block the incoming flow. This can be overcome by defining the outgoing trigger port and the incoming response ports using NETGEAR's Security-Port Triggering menu, as displayed in Figure 14.
Figure 14: Port Triggering menu
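To make the mechanism above concrete, here is an added toy model (not NETGEAR firmware, and not code from the review) of how an SPI firewall with port triggering decides on inbound WAN-to-LAN packets: a reply to a recorded outbound session is allowed, a packet to a rule's response ports is allowed only for the LAN host that recently used the trigger port and only until the trigger times out, and everything else is dropped. The rule name, ports, addresses and timeout are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger_port: int      # outbound destination port that arms the rule
    response_ports: range  # inbound destination ports then opened for that host

class SpiFirewall:
    def __init__(self, rules, trigger_ttl=300):
        self.rules = rules
        self.trigger_ttl = trigger_ttl
        self.sessions = set()  # (lan_ip, lan_port, wan_ip, wan_port) seen outbound
        self.triggers = {}     # (lan_ip, rule.name) -> expiry time

    def outbound(self, lan_ip, lan_port, wan_ip, wan_port, now):
        """LAN-initiated packet: always allowed; records state and arms triggers."""
        self.sessions.add((lan_ip, lan_port, wan_ip, wan_port))
        for rule in self.rules:
            if wan_port == rule.trigger_port:
                self.triggers[(lan_ip, rule.name)] = now + self.trigger_ttl
        return "ALLOW"

    def inbound(self, wan_ip, wan_port, lan_ip, lan_port, now):
        """WAN-initiated packet: allowed only as a reply to known state or via trigger."""
        # 1. Reply to an established outbound session (the normal SPI case).
        if (lan_ip, lan_port, wan_ip, wan_port) in self.sessions:
            return "ALLOW"
        # 2. Port triggering: same LAN host recently used the trigger port,
        #    so the rule's response ports are open toward it until the TTL lapses.
        for rule in self.rules:
            expiry = self.triggers.get((lan_ip, rule.name))
            if expiry is not None and now < expiry and lan_port in rule.response_ports:
                return "ALLOW"
        # 3. Everything else is unsolicited and dropped by default.
        return "DROP"

# Constructed rule: the app connects out on TCP 5000, the server answers on 6000-6010.
RULES = [TriggerRule("voice-app", 5000, range(6000, 6011))]

def demo():
    fw = SpiFirewall(RULES)
    before = fw.inbound("198.51.100.7", 40000, "192.168.1.10", 6005, now=0)
    fw.outbound("192.168.1.10", 51234, "198.51.100.7", 5000, now=1)
    after = fw.inbound("198.51.100.7", 40000, "192.168.1.10", 6005, now=2)
    other_host = fw.inbound("198.51.100.7", 40000, "192.168.1.11", 6005, now=2)
    expired = fw.inbound("198.51.100.7", 40000, "192.168.1.10", 6005, now=1000)
    return before, after, other_host, expired
```

Running `demo()` returns `("DROP", "ALLOW", "DROP", "DROP")`: the response flow is only admitted for the triggering host, and only while the trigger is live.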
A feature missing from the FVS336G is the ability to define a port or specific server to be part of a "demilitarized zone," more commonly known as the DMZ. I brought this up with NETGEAR, who indicated this is an intended feature that got delayed. A future release should add the ability of a software configurable DMZ port.
In the meantime, you can do essentially the same thing by setting port forwarding rules for TCP and UDP ports 1-65534 to the IP address of the machine that you want to place in the "DMZ."
The FVS336G also includes multiple tools for network troubleshooting, including ping, log output for firewall and VPN troubleshooting, DNS lookup and a packet capture feature. I was also impressed that the FVS336G has a debug capability, which I used while working with NETGEAR's engineers on the Dynamic DNS issue. Debug capability is the ability to produce an output of the data streams sent between devices, useful in troubleshooting code and device problems.
The FVS336G throughput results in Table 3 are impressive, considering the FVS336G's 300 MHz CPU compared to the FVX538's 533 MHz CPU. IPSec and SSL throughput numbers are displayed with two values, the first representing Remote-Local throughput, and the second representing Local-Remote throughput.
Notice that the FVS336G's SSL VPN performance is more than double that of the Linksys RVL200.
| IPSec Tunnels | SSL Tunnels | Throughput | |
| IPSec (Mbps) | SSL (Mbps) | WAN-LAN (Mbps) | LAN-WAN (Mbps) |
Table 3: Tunnels and throughput
(*Note: the RV042 supports five PPTP VPN tunnels.)