The FWAG has a decent set of wireless security features. I'll start by noting one that's not commonly available on competing products - the Enable Bridging to Wireless LAN checkbox near the bottom of each radio's admin screen (which is checked by default). This feature keeps all wireless and Ethernet clients separated and is handy for folks who want to wirelessly share their broadband connection with anyone within range, but keep those users off their wired LAN. (The feature also works in reverse, keeping wired clients from reaching wireless users.)
The Trusted PC feature lets you enter MAC addresses of clients that will be allowed to connect to the FWAG. The feature doesn't offer a "pick list" of currently associated wireless clients to ease the chore of creating the MAC Address Filter list, nor can you save or load the filter list - again for ease of configuration.
Only WEP encryption was supported in the firmware that shipped with the FWAG, but NETGEAR sent me Beta firmware that supports Wi-Fi Protected Access (WPA), which is why you see it in radio admin page screenshots. I've been nagging NETGEAR to get its act together on WPA support since they announced, but didn't ship, it earlier this year. NETGEAR has told me that "all new builds" of their WAG511 CardBus client card will ship with WPA-enabled firmware, but the update still isn't available for download from the WAG511's support page. WPA support for the FWAG is supposed to ship this month (Sept 2003), but given NETGEAR's past track record on WPA, if this feature is important to you - and it should be - I'd hold onto your money until you see the download actually available on the FWAG's support page.
TIP: For more information about WPA, see our Wi-Fi Protected Access (WPA) NeedToKnow - Part II.
Moving back to WEP, you can enter 64 or 128 bit keys for 11b/g and 64, 128, and 152 bit keys for 11a directly in Hexadecimal. Both radios also support key entry using an alphanumeric passphrase. The passphrase method generates four different keys in 64 bit mode, four identical keys in 128 bit mode, and doesn't work at all when the 11a 152 bit WEP mode is selected. Keys also can't be saved to a file, which would make client entry a little easier.
Both WPA "enterprise" (RADIUS) and WPA-PSK modes are supported, but only with the mandatory TKIP encryption. NETGEAR appears to have chosen to not allow access to the stronger, optional AES encryption that Broadcom-based products provide, even though Atheros' chipsets include an embedded hardware AES encryption co-processor.