At a Glance
| Product | D-Link RangeBooster N Router (DIR-625) |
| Summary | Mid-range single-band two-antenna 802.11 draft-N router with subscription-based managed security service |
| Pros | • Very easy to set up • Excellent routing performance • Built-in automatic QoS • Parental control and reporting through subscription-based managed service |
| Cons | • 10/100 Mbps LAN ports • Securespot 2.0 only partially effective at blocking web sites • Currently no Mac thin client (coming this summer) |

Whether you are shopping for your first router or are looking to upgrade to the latest 802.11 draft-N wireless technology, there are a lot of choices to sift through. At the premium end of the market, you have routers such as D-Link’s DIR-655 with three antennas and gigabit Ethernet LAN ports. The budget routers generally have two antennas that support 2T2R (two transmit, two receive) MIMO and typically LAN ports that support only 10/100Mbps Ethernet.
Recently, we rounded up six budget-priced draft-N routers and reached some fairly interesting conclusions. First, as Tim reported, "there really isn't that great a performance gain from the more expensive products when they are operated in their default 20 MHz bandwidth mode." Second, buying a budget router doesn’t necessarily mean that you’re scrimping on features.
Tim chose D-Link’s DIR-625 as the best overall choice from the group of six products reviewed. To recap briefly, the DIR-625 is one step up from D-Link’s draft-N entry-level DIR-615 (also included in the roundup) and features four 10/100 LAN ports, a Ubicom IP5100U CPU and Atheros’ xSpan AR5416/AR2144 3T3R chipset. For more details, check out the DIR-625 slideshow. The DIR-625 has built-in QoS (uplink only) that automatically classifies and prioritizes voice and gaming traffic.
In addition, the router, which turned in the highest routing performance speeds in the roundup, supports the advanced features found in the top of the line DIR-655, such as port forwarding, port triggering, filtering, and a feature I really like—DHCP reservation. The DIR-625 also is unique among all of D-Link’s routers because it is the first of their routers to support Securespot 2.0.
Securespot 2.0 is a subscription-based managed security service. Since we already covered the basic features of the DIR-625 as well as the routing and wireless performance, for this review, I’ll focus on Securespot 2.0 managed services.
Since this is Securespot 2.0, clearly there was a Securespot 1.0. In fact, Securespot 1.0 was available only on D-Link’s DSD-150 Securespot Internet Security Adapter—a device that plugged into your network between your cable/DSL modem and your router. Reading Bill Meade’s DSD-150 review, it was with some amount of trepidation that I jumped into Securespot 2.0. After all, Bill’s installation seemed like a nightmare.
Securespot 2.0 is quite similar to its predecessor with one major exception—it’s integrated into the DIR-625. You don’t have to do any special cabling to implement managed services. In addition, like its predecessor, the back-end service is provided by D-Link’s partner, Bsecure.
When enabled, Securespot 2.0 proxies web requests out to Bsecure for filtering according to content filters that you define for each computer on your local network. In addition, Bsecure can push out firewall rules to your router to automatically protect your network from "zero day" attacks. Optionally, you can choose to install the Bsecure thin client, which enables Pop-up blockers, Anti-Virus, and identity theft protection—all provided by McAfee.
Bsecure doesn’t use the same McAfee VirusScan application offered in retail. They use only the McAfee AV engine with their own drivers, to produce a much smaller download and reduce the footprint on the PC. They currently use the 5200 engine, which is the same one used by the McAfee retail product and updated with the same daily dat file updates from McAfee's server.
From a SOHO network management standpoint, the Securespot 2.0 concept is quite attractive. From a single console, you can control firewall rules, Internet access, content filtering, reporting of filter violations, and notification of violations. Though the central console has an updated, easier to use interface than Securespot 1.0, we uncovered some issues that indicate Securespot 2.0 is still a work in progress.
Setup and Installation
Like all D-Link routers, setup and installation is a simple, wizard-guided experience. The wizard includes animation to help you with connecting your cables correctly, or, if you’re replacing an existing router, how to reconnect all of the cables. After your router has been configured and you have access to the Internet, you can register for the 30-day trial period of Securespot 2.0.
By default, the computer you use to register with Bsecure is the first computer to appear on your network map. A couple of things to note:
- The Bsecure administrator password (i.e., the login for Bsecure) is not the same as the router’s administrator password. In fact, you could set up Bsecure to manage your network, and if you don’t change the router’s password, someone could completely disable Bsecure.
- When you log in to Bsecure with your credentials, you’ll see your entire managed network. You can manage it from anywhere, as you are logging into Bsecure’s site using HTTPS.
- When you activate Securespot 2.0, additional computers on your network will not have Internet access until you register them.
Figure 1: D-Link Securespot 2.0 Management Console
Figure 1, above, shows the Securespot 2.0 management console. In the upper left corner, you can see that the DIR-625 icon is selected. When the router icon is selected, changes you make impact all computers on your network unless you choose to manage specific computers individually.
In this image, you can see the fully populated test network including two PCs—one running XP Home, the other XP Pro—and a Macintosh running Mac OS 10.5.2. I returned the only Vista system that I briefly owned, so I couldn’t verify whether Securespot 2.0 properly supports it.
The first icons with the green "ON" LEDs in the lower left corner of the screen are global controls. The identity protection, popup blocker, and AV/spyware controls apply to individual computers, and are grayed-out until the thin client has been installed.
Once enabled, Securespot blocks Internet access for new devices until they have been registered—sort of… Initially, I registered "Testbed" as the first computer on my network. I then plugged in "Craig’s Toshiba." It acquired an IP address from the DIR-625, and I found that I could connect to secure web sites (HTTPS), ping names and addresses on the Internet, Telnet, and FTP without registering. What was blocked was web traffic on port 80.
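A repeatable version of the check described above, as an added example that is not part of the original review: run from a device that has not been registered, it classifies each TCP service as blocked, intercepted or open. The test host name, the canary token and all function names are assumptions; ping is left out because ICMP needs raw-socket privileges.

```python
import socket

TEST_HOST = "egress-test.example.net"  # placeholder: a server you operate
MARKER = b"egress-canary"              # constructed token that server returns over HTTP
SERVICES = {"http": 80, "https": 443, "ftp": 21, "telnet": 23}


def probe(host, port, timeout=3.0):
    """Classify one TCP service as 'blocked', 'intercepted' or 'open'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if port != 80:
                return "open"  # connect succeeded, so the gateway did not drop this port
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            body = b""
            try:
                while chunk := s.recv(4096):
                    body += chunk
            except socket.timeout:
                pass  # keep whatever arrived before the timeout
            # A gateway answering in place of the real server will not know the token.
            return "open" if MARKER in body else "intercepted"
    except OSError:
        return "blocked"


def audit(host=TEST_HOST, services=SERVICES, probe_fn=probe):
    """Return ({service: state}, [services that bypass the registration gate])."""
    results = {name: probe_fn(host, port) for name, port in services.items()}
    leaks = sorted(name for name, state in results.items() if state == "open")
    return results, leaks


def observed_in_review(host, port):
    """Constructed stand-in that reproduces the behaviour reported in the review."""
    return "intercepted" if port == 80 else "open"


if __name__ == "__main__":
    # Offline demonstration; drop probe_fn to test a real network.
    results, leaks = audit(probe_fn=observed_in_review)
    for name, state in results.items():
        print(f"{name:7s} {state}")
    print("bypasses registration:", ", ".join(leaks) or "none")
```

If access were fully gated until registration, the list of bypassing services would be empty.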
Figure 2: Securespot 2.0 intercepts the first port 80 web request for new computers on your network.
Figure 2 contains the screen I got when making my first web page (HTTP) request on a previously unmanaged "new" computer. To register, I named the computer and typed in the administrator password I used to register with Bsecure (Figure 3). Alternatively, I could have registered as "Guest," which would have provided limited Internet access for 24 hours. To keep your neighbors from poaching your bandwidth, you can password protect the Guest account. (You did, of course, set up wireless security, didn’t you?)
Figure 3: Registering a new computer with Bsecure
As a test, I left the guest login unprotected and the wireless network unsecured. It didn’t take long for someone to attach. When I viewed the network map, I noticed a new computer I didn’t recognize, so I deleted it. When I applied the changes, I got the following error message seen in Figure 4:
Figure 4: Error screen when removing a computer from my network
I checked the network map and confirmed that the "intruder" was indeed deleted. Thereafter, I changed the guest password and enabled wireless security.
After a successful registration, you are prompted to optionally download and install the Bsecure thin client (Figure 5). This enables antivirus/anti-spyware, identity protection, and a popup blocker.
Figure 5: Bsecure thin client installation is optional
The download for the PC is a little under 3MB and installs fairly quickly. I contacted Bsecure, and they informed me that there currently is not a Mac OS client available but one is currently under development that should be available by the end of summer. Once the thin client is installed on your PC, an icon appears in the system tray and hovering over the Securespot icon displays its status (Figure 6).
Figure 6: System tray with Securespot icon
By right-clicking the Securespot icon (Figure 7), the client has full control over the thin client’s functions, including scheduling AV scans, updating signatures, or, for that matter, deleting scheduled scans. In some managed environments, administrators would probably not want to cede that much control to their clients, but I didn’t find a way to "lock down" the Bsecure thin client. In fact, due to the current architecture of Securespot, these settings have to be done at the local computer—they can’t be accomplished from the central management console.
Figure 7: Right-clicking on the Securespot icon shows the thin client options
Parents who want to control Internet access for their kids will be especially interested in the parental control and parental reporting features of Securespot 2.0. As mentioned previously, parental control policies can be set for the entire network or for individual computers. Parental control has six main features, as shown in Figure 8, below, in the right panel.
Figure 8: Parental Control functions
Parental Controls - more
Site Categories (Figure 9) lets you choose which categories of web sites to block. There are 81 content categories you can choose from. Bsecure has four pre-defined age groups (Child 0-8, Youth 9-12, Adolescent 13-18, and Adult 18+) and each is pre-populated with blocked categories appropriate for the selected age group. There’s also a custom category should you choose not to use one of the pre-defined groups.
Figure 9: Partial category list for Parental Control
Other options include Custom Allow Lists and Custom Block Lists, for allowing/blocking specific sites, setting a blocked site Password Override, and Safety Lock. Safety Lock will block Internet access and force a computer reboot if the client tries to visit a specified number of blocked sites. Parental control also includes Schedules. A parent (or administrator) can elect to block access to the Internet either for the entire network or for specific computers by creating a schedule.
Figure 10: Schedule of blocked Internet access for Craig’s_Toshiba
Figure 10, above, shows not only a custom schedule for the selected computer, but also shows that the thin client is installed and that AV/spyware, pop up blockers, spam control and identity protection are active.
Parental Reporting (Figure 11) gives you the option to review detailed logs of web activity, receive either email or SMS notifications of attempts to visit blocked sites, and a calendar view of activity.
Figure 11: Parental Reporting on my test Securespot network
Clicking on a specific colored day on the calendar yields a detailed Access Report for that day, as seen in Figure 12. The report lists the profile that blocked the attempt, the URL, the category, the number of access attempts, and the age group.
Figure 12: Securespot network Access Report
I have to admit, I was looking forward to putting Securespot through its paces—especially content filtering. From the management console, I selected "craigs_toshiba" and clicked on "Custom" to create some custom filters. However, I discovered that when I tried to save them, they weren’t being saved properly. A call to tech support revealed that there is a problem with the current "custom" filter function. A patch will be forthcoming "soon."
For my test, I added some additional categories such as Health/Medicine, Political Opinion, Personals/Dating, Sports, and Comics. I started out with the Political Opinion category. To test, I entered "political opinion" into Google’s search. I then clicked on some of the resulting links, including www.conservativevoice.com. Virtually none of my selections was blocked. I also tried some other sites not on Google’s first page, including www.alternet.org. That also was not blocked. I contacted Bsecure’s tech support and they confirmed that those sites were not tagged as "Political Opinion," but rather as "News."
Next, I tried the same test, i.e., entering the Bsecure category name "personals/dating" into Google and trying some of the top links. personals.yahoo.com was not blocked. Nor was eharmony.com. However, match.com was blocked. Again, I contacted tech support and they confirmed that personals.yahoo.com was coded properly, but also came through unblocked. About an hour later, personals.yahoo.com was being properly blocked, as were sites that I reported in other categories, including webmd.com that was previously unblocked in the Health/Medicine category.
It was interesting to observe the filters tightening up over the four-day course of my testing. Suddenly, category names were being blocked when I tried to access them through Google as well as other search engines. Not that I have great expertise or experience in this category, but I did find that Bsecure did a very credible job in blocking pornographic sites—probably one of the first categories that Bsecure tackled. Many were blocked at the search engine level, as were terms like "XXX" or "hot babes."
The mail notification feature worked as expected. My inbox quickly filled up with email notices as I intentionally tried to access sites that Bsecure properly blocked.
From the management console, for each client that has the Bsecure thin client installed, you can see that the protection is enabled for that computer. You can’t, however, schedule AV scans, view AV scan logs, update signatures, or view quarantines for any of the "managed" clients. Nor can you configure identity protection and the popup blocker for client machines from the management console. You have to create those settings on each client computer.
To me, the idea of a management console is to centrally manage clients without having to leave my desk. However, there’s good news. The next version (Version 2.2) is supposed to add the ability to manage endpoint client security from the management console. Version 2.2 is expected to be released in mid-July.
I realize that keeping up with the ever-expanding universe of web pages and blogs has to be a gargantuan task. Finding new sites and properly categorizing them would undoubtedly take a small army of people to do. Nevertheless, that’s the business that Bsecure has chosen to be in and it’s not like they just got into the business.
This is the second version of a product that has been around for almost two years and it’s not presented as Beta. Frankly, I’m very disappointed that for the fairly simplistic tests I ran, so many websites I expected to be blocked were not blocked.
Although Bsecure responded swiftly in closing the holes that I found, I shouldn’t have found them at all. Bsecure’s explanation is that a number of additional categories had been added to Securespot, but data from their existing database hadn’t been completely ported to the new categories.
If there is good news in this, it’s that the underlying mechanism appears to work if the database is properly coded. Moreover, since the content filtering is done "in the cloud" rather than locally, updates to the databases, as I learned, take effect immediately.
I was also disappointed in the handling of managed clients. In my perfect world, the management console should actually manage the clients. Fortunately, Bsecure is already addressing that concern with a planned future revision. I’ll be holding onto the DIR-625 to see how well the next revision works.
Securespot 2.0 is free to try out for 30 days when you buy a DIR-625. Thereafter, it’s $60/year—a fee that includes McAfee licenses for up to three computers. Additional licenses are $20/year. The annual fee also includes content filtering for all of the computers on your network—there’s not a "per seat" charge for content filtering.
In today’s constantly changing and often-dangerous Internet environment, a consumer-oriented, affordable managed service is long overdue. Corporations have been using a combination of perimeter security and client based security for years. Securespot is trying to make that level of protection affordable for the consumer. However, it still has a way to go before it is a service that I would heartily recommend.
That said, there are plenty of other good reasons to buy the DIR-625, even if you decide that Securespot 2.0 managed services is not for you. You’re still getting a great wireless router at a bargain price.