|At a Glance|
|Product||NETGEAR ProSafe VPN Firewall 8 (FVS114)|
|Summary||Low-cost IPsec-endpoint router supporting 8 concurrent tunnels, running at speeds greater than T1|
|Pros||• Good product for the price
• Helpful web-based VPN wizard for setting up gateway and remote-client VPN connections
|Cons||• No free technical support
• No support for authenticated SMTP emailing of logs
• Remote VPN client software could end up costing more than the hardware
We live in an increasingly connected world, and in this day and age, people expect access to the resources on their office networks—instantly and easily, no matter where they are.
For employees who need to connect to their office computer from home, remote-control services such as GoToMyPC Corporate and LogMeIn are popular, affordable, easily-deployable solutions that require no investment in hardware.
Many applications, however, require Layer 3 network connectivity that GoToMyPC Corporate and LogMeIn are not designed to provide. For these applications—whether it’s an employee synchronizing email directly with the corporate mail server or companies connecting their branch offices together—a Virtual Private Network (VPN) is the answer.
A VPN creates a private network using the Internet. Traffic over the Internet is encrypted through the use of VPN communication paths called “tunnels,” and security policies ensure that only authorized users have access to the private network. You may ask, “are VPNs difficult to set up?” Well, they can be. As for the “are they expensive?” question, the answer is not really. You can set up a LAN-to-LAN VPN for well under $200.
This review will take a look at NETGEAR’s FVS114 ProSafe VPN Firewll 8, which supports up to eight LAN-to-LAN or remote-client VPN connections.
Although named a “VPN firewall,” the FVS114 is actually a fairly traditional router enhanced with VPN capabilities. If fact, as you’ll notice from some of the screen images used in this article, the FVS114 management interface is very similar to what you’ll find in NETGEAR’s routers targeted at home consumers. However, the FVS114 is housed in a blue metal box, a design that NETGEAR generally uses for its business-class products.
The front panel of the FVS114 contains LED indicators for Power, Test, Link/Act for each of the four ports, and a 100 LED for each port that is lit when a 100 Mbps connection is made on the associated port. I was surprised that there wasn’t a VPN Status LED; some routers with VPN capabilities have a VPN Status LED so that you can tell at a glance if a session is active.
The rear panel of the FVS114, shown in Figure 1, contains the port connections, DC Power input, and Reset button.
Figure 1: FVS114 Rear
The FVS114 cover is held in place by a single screw. A peek inside the FVS114 reveals (Figure 2) that the FVS114 is powered by a Realtek 8650B 200 Mhz RISC-based network controller, 2 MB of Flash, and 16 MB of SDRAM.
Figure 2: FVS114 Interior
Installation and Feature Tour
Installation and basic configuration of the FVS114 for Internet connection is quite straightforward. An illustrated Installation Guide is included to guide you through the cabling of your computer, the FVS114, and your broadband modem. The accompanying resource CD contains the PDF versions of the Installation Guide and other documentation along with a link to the FVS114 home page.
The first time you access the FVS114, the Internet configuration wizard runs by default. It takes you through configuring your Internet connection and confirms that you’re connected.
Thereafter, the wizard doesn’t run again, but you can always connect to the firewall to change its settings. Rather than force you to type in the router’s IP address, NETGEAR supplies a DNS entry for the router’s home page, http://www.routerlogin.net. That URL will always take you to the home page of the FVS114. NETGEAR also notes that advanced users can bypass the wizard by typing http://www.routerlogin.net/basicsetting.htm and filling in admin as the user name and password as the password.
The management interface makes generous use of frames and scrollable text boxes. Menu functions (links to setting screens) are grouped vertically in the leftmost column under the main section headings of Setup, Security, VPN, Maintenance, Advanced and Web Support.
NETGEAR reserves the center column for displaying the configuration and setting screens. Netgear sometimes gets a little carried away with frames. On some screens, such as the Logs screen, there are actually four scrolling windows! The right column of the management interface shows the context-sensitive Help pages.
Figure 3 below shows the Basic Settings screen, which enables you to configure and check the status of your FVS114.
Figure 3: Basic Setting
The FVS114 features an SPI (Stateful Packet Inspection) firewall. By default, the firewall automatically blocks the TCP and UDP floods, which are usually DoS (Denial of Service) attacks, and the non-standard packets, which could be used by hackers and in DoS attacks. Optionally, you can also choose to discard fragmented packets.
Note: On the FVS114, NETGEAR uses terms that are more likely to be understood by network administrators rather than consumers. For example, the term, “port forwarding,” will not appear anywhere on the FVS114; instead, what you will find are “rules.”
Figure 4 below shows the Rules screen, which enables you to see the existing firewall rules or create new ones to block or allow specific traffic.
Figure 4: Default Firewall Rules
You control inbound and outbound traffic with firewall rules. By default, the FVS114 has two Firewall rules: all LAN users are allowed outbound traffic for all services, and all inbound traffic from the WAN is blocked (except responses to requests).
As mentioned above, you won’t find port forwarding anywhere on the FVS114 interface. If you want port forwarding, you must create a rule to forward inbound traffic to a specific LAN address for a specific service. You might perform this task if, for example, you were hosting an FTP server on your network. The FVS114 provides a pre-populated list of 40 common services, such as FTP, HTTP, Telnet and others, which you can use when defining rules.
Figure 5 shows an inbound firewall rule set to forward FTP traffic to a local host on the LAN.
Figure 5: Rule to Forward FTP Traffic to a Local Host on the LAN
If you need to create a rule for a service that’s not included on the list, you can use the Services screen to define your custom service. Later, you can use this service when you’re creating the rule.
For each rule, you decide how to handle the traffic by choosing from the following options: BLOCK always; ALLOW always; BLOCK by schedule, otherwise Allow; and ALLOW by schedule, otherwise Block.
There’s only one global schedule that you set up from the Schedule screen; therefore, if you decide to apply schedules to your rules, the same schedule will apply to all the rules.
The VPN capabilities are the real reason to consider buying the FVS114. If you don’t need a VPN, there are other routers on the market that offer a more complete set of features including wireless capabilities, a robust Ubicom-based QoS (Quality of Service) engine, and extensive profiles for automatically opening ports for online gaming. The FVS114’s VPN features, however, are impressive for such an inexpensive box.
The summary below of the 114’s VPN features is taken from the security features section of the FVS114 Web page. If you’re familiar with IPsec gateways, you’ll see that the 114’s feature set is pretty good for such an inexpensive box.
- VPN Functionality: Eight (8) dedicated VPN tunnels, Manual key and Internet Key Exchange Security Association (IKE SA) assignment with pre-shared key and RSA/DSA signatures, key life and IKE lifetime time settings, perfect forward secrecy (Diffie-Hellman groups 1 and 2 and Oakley support), operating modes (Main, Aggressive, Quick), fully-qualified domain name (FQDN) support for dynamic IP address VPN connections.
- IPSec Support: IPSec-based 56-bit (DES), 168-bit (3DES), or 256-bit (AES) encryption algorithm, MD5 or SHA-1 hashing algorithm, AH/AH-ESP support, PKI features with X.509 v.3 certificate support, remote access VPN (client-to-site), site-to-site VPN, IPSec NAT traversal (VPN pass through).
Note that the FVS114 supports digital certificate-based authentication. The management interface enables you to generate a “Self Certificate” request (using the Certificates link under the VPN section) that can be submitted to a Certificate Authority (CA) and import the certificate that you receive from a CA. However, it can’t generate a usable certificate directly. The management interface also enables you to upload a Certificate Revocation List (CRL) from your CA (using the CRL link under the VPN section).
Two types of VPNs tunnels are supported by the FVS114: LAN-to-LAN and remote-client. Rather than clutter up the review, I’ve provided detailed instructions for setting up a LAN-to-LAN tunnel and guidelines for setting up a remote-client tunnel here in Appendix A.
The wizard worked well for setting up a LAN-to-LAN tunnel using a pre-shared key. Once I overcame some self-generated problems from my not-so-real-world test configuration, I was able to set up a client-to-gateway tunnel, using the Resource CD’s application notes.
Once the LAN-to-LAN VPN connection is established, you’ll have access to resources on the remote LAN. In my tests, I created a share on the remote LAN and mapped a drive to it. Similarly, the net view \\remote_IP command line prompt properly displayed the shared resources for that remote IP address.
The FVS114 management interface also enables you to view the status of the VPN and data for each active VPN tunnel. To access the VPN Status/Log screen, use the VPN Status link under the VPN section.
Figure 6 shows a VPN Status screen example.
Figure 6: VPN Status
The FVS114 logs security-related events based on your log settings. Use the Logs screen (accessed using the Logs link under the Security section) to specify the entries to include in the log. By default, the entries recorded are known DoS and port scans, attempted access to blocked sites, and router operations (such as admin login).
The log files can also be sent to a syslog server or alternatively to an email address hourly, daily, weekly (you specify the hour), or when the log fills up. You also can enable email alerts for conditions such as a detected DoS attack, a detected abnormal TCP flag scan, and an attempted access to a blocked Web site.
Figure 7 shows the log entry configuration options and a partial listing of log entries.
Figure 7: Log Screen
Note the four scrolling windows!
I’ll admit that a couple of things disappointed me about the logging features. First, the log email feature supports only unauthenticated SMTP mail. If your ISP requires authentication for SMTP access, you won’t be able to send email from the FVS114. Second, an option is not available to log remote access from VPN clients. Since this is a VPN appliance, VPN logging capability should be included.
Moving on to the router maintenance features of the FVS114, you’ll find typical entries under the Maintenance section—Router Status, Attached Devices, Settings Backup, Set Password, Diagnostics and Router Upgrade. Interestingly, Attached Devices only shows attached clients. It doesn’t show the LAN-to-LAN connections. Likewise, the Router Status only shows basic LAN and WAN status. The status of any VPN connections is shown separately in the VPN Status/Log screen, which you will have to access through the VPN Status link under the VPN section.
Finally, if you need to configure the advanced features of the FVS114, use the links under the Advanced section, which seem to be a collection of menus that could have been included in other sections or menus that didn’t fit under other section categories. For your reference, they are summarized below:
- WAN Setup, which allows you to designate a LAN port for the DMZ, enable/disable Ping response on the WAN port, and to set the MTU (Maximum Transmit Unit) size.
- Dynamic DNS, which allows you to configure the three dynamic DNS (DDNS) services (DynDNS, TZO.COM and ngDDNS) that the FVS114 supports.
- LAN IP Setup, which lets you set the IP addressing scheme for your LAN, configure your DHCP server pool, and set up DHCP reservations. Note that the DHCP log shows entries for each DHCP address negotiation.
- Static Routes, which allows you to provide additional routing information to your firewall for unusual cases.
- Remote Management, which enables you to choose your remote management port and provides HTTPS access
- UPnP, which allows you to enable UPnP (Universal Plug and Play) (disabled by default)
Performance Results and Conclusion
Although the FVS114 design is a bit dated, it is also inexpensive for an IPsec endpoint router. So considering its price point, the FVS114 performed reasonably well.
We put the FVS114 through our suite of router tests, and the results are shown in Table 1.
|Test Description||Throughput – (Mbps)|
|WAN – LAN||37|
|LAN – WAN||39|
Table 1: Routing throughput
These results place it squarely in the middle of our Router Performance Charts.
Our tests showed that the tunnel throughput, however, was significantly lower than that of routing because of the processing load of the IPsec encryption. Table 2 shows that when 3DES encryption for IKE and Tunnel (the default wizard settings) was selected, the FVS114 provided throughput of 7.8 Mbps for Local-to-Remote, Remote- to-Local, and Simultaneous throughput tests (which are described here).
|Test Description||Throughput – (Mbps)|
|3DES encryption for IKE and Tunnel||7.8|
|AES-256 encryption for IKE and Tunnel||1.4|
Table 2: IPsec tunnel throughput
When encryption was kicked up a level to AES-256 for IKE and Tunnel, performance dropped dramatically to 1.4 Mbps for Local-to-Remote, Remote-to-Local, and Simultaneous tests. Still, that’s only slightly slower than a traditional business-class T-1 (1.5 Mbps) connection, so the FVS114 is still considered quite usable.
Overall, the FVS114 provides a cost-effective solution to providing secure LAN-to-LAN VPNs as well as remote VPN client access. At Internet shopping sites, prices for the FVS114 start at $65.00! Of course, if you’re planning to connect two offices together, you’ll need an FVS114 on each end. But that’s still not a lot for what you get.
To sum up: it’s inexpensive, the VPN tunnel setup is relatively easy, and throughput, while not screaming fast, should be sufficient for many applications. The FVS114 could be a good choice for small-to-moderately-sized networks.
Appendix A: LAN-to-LAN VPN Setup
NETGEAR includes a VPN Wizard to help you set up the FVS114 for either the LAN-to-LAN VPN or for remote-client VPN access. NETGEAR calls the LAN-to-LAN VPN, a gateway-to-gateway VPN. You would use this type of VPN if, for example, you wanted to connect two LANs in remote offices. Of course, for this configuration, you’ll need two FVS114s, one for each endpoint.
If you do your homework and write down all of the settings for each endpoint, you can have your LAN-to-LAN VPN running in a matter of minutes. For each end of the VPN, you’ll need to know either the WAN IP address or FQDN (fully qualified domain name) and the IP subnet address and subnet mask for each LAN. The FVS114 supports DDNS (Dynamic Domain Name Service) from three different DDNS providers, so even if the ISP on one or both ends of the VPN supplies a dynamic IP address, you’ll still be able to use the FVS114 for a LAN-to-LAN VPN.
Note: It’s also very important to note that the IP subnets of the LANs in each remote office must be different. One office could use the default LAN addressing scheme of 192.168.0.0/24, but the LAN address on the second FVS114 would need to be changed. In my example, I set the second LAN address to 192.168.50.0/24.
Let’s walk through setting up the LAN-to-LAN VPN using the VPN Wizard.
Step 1 – Name the VPN, create a pre-shared key, choose the VPN type, and click Next. For LAN-to-LAN, choose a remote VPN Gateway for the remote IP type.
Note: Be sure to write down the pre-shared key you create. The pre-shared keys must match on both routers.
Figure 8: Wizard Page for VPN Name, Key, and VPN Type
Step 2 – Fill in the WAN IP Address or FQDN for the “other” FVS114 and click Next.
Figure 9: Wizard Page for WAN IP Address
Step 3 – Enter in the IP Address and Subnet Mask of the “other” FVS114 and click Next. In a typical configuration with a 24-bit subnet mask (255.255.255.0), the LAN IP addresses will end with a “0”.
Figure 10: Wizard Page for LAN IP Address and Subnet Mask
Step 4 – The VPN Wizard displays a summary screen. If you want to see the detailed configuration parameters that the VPN Wizard created, click the here link.
Figure 11: Wizard Page for Summary
Step 5 – Click Back to return to the Summary screen; then, click Done to complete the configuration procedure, click Done.
Figure 12 shows configuration parameters that the VPN Wizard created.
Figure 12: Wizard Page of Configuration Parameters
Step 6 – Repeat the steps above for the “other” FVS114.
- The pre-shared key must be the same as the first FVS114.
- The settings for the WAN or FQDN must be the same as the first FVS114.
- The settings for the LAN address and subnet mask must be the same as the first FVS114.
Step 7 – Once both of the FVS114s have been properly configured, access the VPN Status/Log screen (from VPN Status link under VPN section) and click VPN Status. From the VPN Status screen, click Connect to open the tunnel. Alternatively, any IP traffic targeted at the remote LAN will also open the tunnel.
Appendix A: Remote Client VPN Setup
Configuring a remote-client VPN is even easier than creating the LAN-to-LAN VPN. NETGEAR calls the remote-client VPN, a client-to-gateway VPN. You would use this type of VPN if, for example, you wanted to provide secure access from a remote PC, such as someone working from home connecting to an office network.
Again, you start with the VPN Wizard, only in this case, there’s only one real step. You merely have to name the connection and assign a pre-shared key. For the remote client, the VPN Wizard automatically configures the rest of the required settings.
Enter the name of the connection, create a pre-shared key, select remote VPN client, and click Next.
Figure 13: Wizard Page for Remote VPN Client Connection Name and Key
When the VPN Wizard displays a summary screen, click Done.
Figure 14: Wizard Page for Client Summary
Configuring the remote client is quite a bit more difficult than setting up a VPN tunnel. For a client to access the LAN behind the firewall, you must install VPN client software on the computer that you wish to get securely connected. To make things simple, I used NETGEAR’s ProSafe VPN Client that comes in VPN01L (single license) and VPN05L (five licenses) forms, listing for $44.95 and $144.95, respectively.
For the client side, there’s no configuration wizard to help you through the process, and there’s no free technical support for ProSafe VPN Client, either. So if you run into a problem that you can’t solve, you may have to spend money for premium support.
NETGEAR does however provide an extensive CD-based user’s manual that has multiple appendices containing step-by-step instructions for configuring the client to work with each of NETGEAR’s ProSafe VPN Firewalls. The instructions include screen images, and if you follow the instructions, you should be able to connect successfully to the FVS114. My advice is to print out the appendix pages relating to the FVS114 and the VPN client (15 pages total) and checkmark each step as you complete it.
Figure 15: Netgear ProSafe Client Policy Editor
The ProSafe VPN client puts an icon in the system tray. A right click on the icon allows you to configure your connection using the Security Policy Editor, connect or disconnect to the VPN endpoint, or view the connection log file.