The 2920 is a highly customizable security device for controlling network traffic. Configuration is hierarchical, meaning you can create Objects and Profiles and then apply them to various Rules as desired.
There are five menus devoted to security configuration: NAT, Firewall, Objects, Users and Content Security Management (CSM).
The NAT menu is where basic firewall configurations, such as opening ports, forwarding ports and setting up a DMZ are configured.
The Firewall menu is for configuring Traffic Filtering Rules and Denial of Service (DoS) prevention. Traffic Filtering and DoS options are highly detailed. You can create 12 different Traffic Filters using different combinations of CSM profiles, which I'll describe shortly. Further, there are 15 different DoS attacks recognized by the 2920, as shown in Figure 14.
Figure 14: DoS attack defenses
The Object menu is where you'll create custom traffic sources, destinations, or types that you want to filter. Specifically, this menu allows for defining single or groups of IP addresses, ranges or subnets; single or groups of traffic types by layer 4 protocol and port; single or groups of keywords; and file extensions.
The User menu is new as of firmware 3.3.6. I found this feature quite useful. It enables you to set web browsing and network access levels based on users. In a home, you could set up user names for kids and parents, with different levels of permissions. In a business, you can set up different levels of permissions based on employee responsibilities.
Note, the User menu determines whether the 2920 operates in either Rule-Based or User-Based mode. If Rule-Based is selected, traffic is filtered equally for all users, as on the 2910. If User-Based is selected, individual users must authenticate to the router and their network activity is controlled based on their allowed permissions.
I tested the 2920 configured as User-Based. I set up two users on the 2920, one restricted via the CSM features, the other unrestricted. The user menu allows you to create up to 200 different users. The 2920 also supports connecting to a RADIUS server for external user authentication. Individual users can be placed into groups, and security policies can be applied by individual or group.
Each user can be assigned a different policy defining their level of network access. Time limits and schedules for network access can be applied to each user as well.
The CSM menu is where you define specific traffic to filter. CSM on the 2920 has three elements, Application, URL, and Web Filtering.
The Application control, previously labeled as the IM/P2P menu in the original firmware, provides options for filtering Instant Messaging (IM) applications, Peer to Peer (P2P) applications, well known protocols, and various network services.
Filterable IM applications include both client and web based apps. There are 19 specific IM applications recognized by the 2920, as shown in Figure 15. I tested this functionality by configuring the 2920 to block access to Yahoo IM on my restricted user account and to permit it on the other. It worked as expected: Yahoo IM was blocked for the restricted user and allowed for the unrestricted user.
Figure 15: IM blocking
In addition to the IM filters, there are 17 recognized P2P applications, 20 well known protocols, and 63 miscellaneous protocols filterable by the 2920. As mentioned earlier in this section, additional traffic flows can be identified and filtered by port number in the Object menu.
URL filtering on the 2920 is done by keyword. Eight different URL profiles can be created, each using up to 200 different keywords for filtering. Keywords are defined in the Object menu, described previously. I set up a URL profile to block the word “yahoo,” assigned it to one of my users, and then tried to surf yahoo.com with that user. I received the message shown in Figure 16, confirming that the URL filter was blocking my web activity as intended.
Figure 16: URL filtering message
Updated 12/13/2010: Updated web content filtering pricing
Web filtering, also known as content filtering, is one of the biggest changes to the 2920 with firmware 3.3.6. This new firmware changed the router from using free web site categorization services to a subscription based service via a partnership with CommTouch. You get a free 30 day trial of the CommTouch service when you register your new router, but after 30 days, the subscription costs $95 - $110 / year.
Eight different web filtering profiles can be created. On each one, you can choose from 65 different categories of web sites to block or permit. The router menu has a handy link to CommTouch's website to determine the category of a website.
When a user browses a site, it is first checked via CommTouch to determine its category. If the category matches a blocked category, the user is presented with a message such as shown in Figure 17.
Figure 17: Content filter message
I set up one rule to block websites and applied it to my restricted user account, and another rule to pass all websites for my unrestricted user account. When I opened a browser, I was prompted to enter my user name and password. I logged in with my restricted user account and was blocked from restricted sites with the message shown in Figure 17. (This message can be customized.) Users stay authenticated unless they specifically log out or close all browser windows. Logging in as my unrestricted user allowed me to surf the blocked site.
The 2920 includes software to run a syslog server on a Windows PC, which has been updated over the version provided with the 2910. This software was useful for troubleshooting my configurations and examining the performance of the 2920. The new syslog software, v4.2.0 shown in Figure 18, adds tabs for collecting data on DoS attacks, CSM activity, network traffic, VPN traffic, and network statistics.
Figure 18: Syslog application
In addition to the syslog software, the 2920 has quite a few other useful network tools. The route table, ARP cache, DHCP table, and NAT sessions table are viewable via menu options. Ping and traceroute tools are provided. As with the 2910, there is an option for monitoring data flows, as well as viewing traffic graphs, as shown in Figure 19.
Figure 19: Traffic graph
I pulled data from our Router Charts to compare throughput with several other Dual WAN routers I've tested. I looked at the Draytek 2920 compared to the older Draytek 2910G, as well as the Netgear SRX5308 and the NETGEAR 336G.
| WAN-LAN | LAN-WAN | Total Simultaneous Throughput | Max Connections | Price |
Table 4: Router performance comparison
As you can see, the 2920 is a nice upgrade from the 2910, significantly outperforming it in all throughput measurements. Further, the 2920 handily outperforms the older NETGEAR 336G as well. On the other hand, the 2920 isn't in the same league for raw throughput as the NETGEAR SRX5308.
I put an asterisk next to the $190 price because Draytek told me the recommended list price of the 2920 is $190-210, the recommended list price on the 2920n is $230-250, and the recommended list price on the 2920Vn is $280-300.
This didn't quite jibe with what I found on the web, though. The lowest price I could find for the 2920 was at guideband.com for $294. I also found the 2920n on Amazon for $347.00 and at DSLwarehouse.com for $335. So, no sign of Draytek's suggested price. It looks like buyers could benefit from having Draytek widen its U.S. distribution, so that there could be some competition.
Overall, I liked the addition of the User Management features in the latest 3.3.6 firmware because they add to the overall security feature set. Gigabit LAN ports and higher throughput are also significant improvements over the 2910. The addition of jumbo frame support is a plus, even if it was a bit of a challenge to figure out.
But I remain disappointed with the user manual and documentation on Draytek products. I've configured a lot of different VPN devices, and I can usually figure things out without the manual. But for those with less experience, I think the 2920 will be a challenge.
In my review of the 2910, I was impressed that web filtering was free. So when I first got the 2920, I was pleased to see it was still free. But after I upgraded to the new firmware, free was no more and web filtering is now about $100 per year.
Relatively speaking, $50 / year is comparable to other devices, such as the SonicWall TZ100W, where web filtering runs $95 / year. Nevertheless, I think Draytek should have found a way to keep web filtering free; it was one of the reasons I recommended the 2910.
I concluded my review of the 2910 saying I was “pleasantly surprised by the Draytek 2910G” and “it's priced right,” with the weakness being throughput performance.
To conclude this review on the 2920, I am pleasantly surprised this time by the new features. I'm also pleased that throughput performance is no longer a weakness. When the 2920 becomes available in the US for $190-210 as Draytek says, I'll say the same thing about the 2920 as I did the 2910—that it is a relatively inexpensive, yet effective, solution to control web traffic on a small network.