Faster and stronger: Six ADSL firewall routers tested

Distributed and expanding companies are increasingly using VPN connections to access and share information between offices and branches. We test ADSL firewall routers that are designed for this purpose.





Contents
Introduction
D-Link
Dynalink
Netgear
Nortel
Linksys
Allied Telesyn
Specifications
How we tested
Sample scenario
Editor's choice
About RMIT

The routers in this review are designed to protect multiple machines on private networks. They are also designed to connect remote branches to a head office.

One of the more important jobs of a firewall is to block ports used to exploit a system. With more than 65,000 ports available on a system, a firewall does a fair bit of port blocking.

In order to test just how well these firewall routers block ports we used Nmap, which shows how many ports the firewall leaves open by default.

You also expect a router/firewall to provide good logs, support virtual private networks (VPNs), and use Point-to-Point Tunneling Protocol (PPTP) with varying levels of encryption from DES, 3DES, and AES.

A firewall should also support blacklists -- databases of hacker- or cracker-friendly IP addresses and domain names that can be added to the firewall to explicitly block connections to and from these systems.

We invited all the major vendors to submit products and the ones that took us up on our offer were Cisco/Linksys, Netgear, Nortel, Allied Telesyn, Dynalink, and D-Link.



D-Link DSL-300G
D-Link DFL-700


The D-Link submission was a two-piece solution, i.e. there was a separate ADSL modem and firewall device. All the other submissions were all-in-one integrated units. It does the same job as an all-in-one device but it does cost more.

There are also additional cables that get in the way and an extra device that you have to configure.

You first have to connect the DSL-300G to your phone line. We decided to configure the modem first so we connected a PC to the DSL-300G. We had to then install a small utility which comes on the install CD.

From this utility you can run a basic setup which will allow you to configure the modem using your PC's Web browser. Here you can configure your ADSL account user name and password and connect to your service.

Once completed, we tested the service, all seemed fine, and we unplugged the PC from the DSL-300G. We then ran a network cable from the Ethernet port of the DSL-300G to the WAN port of the DFL-700. We also had to run a network cable from the LAN port on the DFL-700 to our PC. Once we did this we were ready to configure the firewall.

Like most of the other units tested we had to open up a browser at 192.168.1.1 to configure the firewall. In this case there wasn't much to configure besides the WAN port. There was also a DMZ port on the back. After a few ping tests to see who was around we were up and running.

This product may sound complex to set up, and indeed there is more involved than with the other devices tested, but overall it actually is not that bad.

After taking a closer look inside the firewall we could see that it's quite a capable firewall. Not only does it offer firewall security but it also supports VPNs, content filtering, and bandwidth management, as well as having good logs and reporting.

Product: D-Link DSL-300G / D-Link DFL-700
Price: AU$999.95
Vendor: D-Link Australia
Phone: 1300 766 868
Web: http://www.dlink.com.au

Interoperability: Very good levels of network and logging support.
Futureproofing: Good levels of customisation and scalability provided, albeit in a slightly more difficult to deploy package.
ROI: Priced quite high for the features.
Service: 1 year warranty.



Dynalink RTA770

The Dynalink was without a doubt the easiest router to set up. We plugged our phone line into the DSL port on the back of the unit. We then plugged a PC into one of the switch ports. From here all we had to do was find out its default IP address, which was 192.168.1.1. After launching a browser and logging into the unit all we had to do was enter our ADSL login name and password and that was it. All up it took us 30 seconds to get online -- a great result.

The Dynalink is not big on features but that also explains the low price of AU$199. Under the advanced menu is a firewall component that allows you to filter IP packets. Besides that there wasn't too much to speak of -- it allows for remote management, which was good; however, the system logs and traffic statistics only offer basic reporting.

Product: Dynalink RTA770
Price: AU$199
Vendor: Askey Australia
Phone: 1800 653 962
Web: www.dynalink.com.au

Interoperability: Average levels of network and logging support.
Futureproofing: Not very much expansion ability available. Relatively easy to deploy.
ROI: Moderately priced for the features.
Service: 1 year warranty.



Netgear DG834

The Netgear ADSL router represents excellent value for money. It certainly wasn't the least featured but happened to be the least expensive router in this review. Setup was straightforward -- only the Dynalink was easier. Physically they were all set up the same except for the D-Link, as already explained. Besides having to enter the ADSL login details, with the Netgear device we had to select the encapsulation we were going to use as well as the multiplexing method that matched our ISP.

The DG834 had a very simple GUI -- what made it stand out from the rest was a help pane which explained what every setting does. It also featured some great security features like being able to block sites and set up rules to block or allow specific traffic. You can also schedule when rules are applied and you can have the system logs e-mailed to you. There were some useful maintenance settings to help you manage the router.

Product: Netgear DG834
Price: AU$169
Vendor: Netgear
Phone: 1800 502 061
Web: www.netgear.com.au

Interoperability: Good levels of network and logging support.
Futureproofing: Not very much expansion ability available. Relatively easy to deploy.
ROI: Moderately priced for the features.
Service: 3 year warranty.



Nortel Contivity 251

The Nortel box was one of the more serious routers. It was also one of the easier routers to set up thanks to the included startup wizard. Again, like the other units tested, the hardware setup was straightforward and the only place where you might run into a few setup issues is the software setup.

However, we didn't have any of those problems with this one; we were guided through two Web pages which asked us to select our ISP parameters followed by our ADSL login details. Once we got past this stage the setup program ran a test that checks your LAN connections as well as your WAN connections. If it returns all passes you know you are online.

As previously stated, the Nortel is a serious device which not only provides firewall security by setting rules for outbound and inbound traffic but also content filtering which can block Web sites that contain keywords. It can also create VPNs that make use of DES, 3DES, and AES. System logs can also be sent to administrators on specified days and times.

Product: Nortel Contivity 251
Price: AU$775
Vendor: Nortel
Phone: 02 8870 5000
Web: www.nortel.com

Interoperability: Very good levels of network and logging support.
Futureproofing: Very good levels of expansion available, very easy to deploy.
ROI: Very well priced for the features when compared to the similar competition.
Service: 1 year warranty.



Linksys WAG54G

The Linksys router was the only router that offered wireless capabilities. It supports both A and G wireless modes. Setting up this unit wasn't too hard; there are just a few things you have to do, such as select the encapsulation and multiplexing parameters and enter your ADSL login credentials. It takes a few moments to establish a link, something that we didn't really find with the other units. If you look under the wireless menu you can set up WEP or WPA, which uses stronger encryption.

Under the security menu you can configure the security settings of the firewall. You can filter Java applets, cookies, ActiveX objects, and proxies. By default the router blocks anonymous Internet requests. We only found this option enabled on the Linksys, which was a bit surprising. We actually had to disable this fine option because it was stopping us pinging the router from a public PC.

We encountered problems running nmap -- which in fact is a great result because it means we couldn't exploit any open ports. However, we thought this was strange so we disabled the firewall and, surprisingly, we still couldn't run nmap. Unfortunately we didn't have much time to get to the bottom of this; with more time we could have possibly got it to run nmap but it most likely would've involved tweaking the unit to make it less secure. So it really is to the device's credit we couldn't find any open ports.

The Linksys also has an integrated VPN server supporting DES and 3DES encryption. Not bad for a device that only costs AU$249. The Linksys can be set up for remote management and has some decent reporting built in. It can also e-mail security alerts.

Product: Linksys WAG54G
Price: AU$249
Vendor: Cisco-Linksys
Phone: 1800 678 808
Web: www.linksys.com.au

Interoperability: Very good levels of network and logging support.
Futureproofing: Good levels of customisation and scalability provided. Wireless capabilities.
ROI: Excellent price for the features.
Service: 3 year warranty.



Allied Telesyn AR440S

Setting up the hardware was easy -- you basically have to plug your phone line into the back of the unit then run a network cable from the unit to your PC. DHCP wasn't enabled on this router so we couldn't see the router until we manually set the IP address of our PC.

Once we could see the router we followed the Quick Start menu to get things rolling. You first have to set the encapsulation and multiplexing parameters and from there you enter your ISP login and password details and then apply the settings. We actually thought this all would have been enough to get it running but not so! In fact we had to resort to contacting the vendor for help and only after a few attempts did we manage to get it all working.

The quick install guide fell well short of providing enough information to help us configure the router. By our understanding it's a new product so there may be some kinks that still need to be ironed out by Allied Telesyn.

As for the rest of the installation, we had to set the interface to accept remotely assigned addresses, set up the firewall, NAT, and DHCP, and then create traffic policies so we could see beyond the LAN. It sounds a bit painful and it was, especially compared to the other units, but then again how often would you have to set up your firewall from scratch?

The AR440S comes with traffic filtering capabilities, giving you control over traffic that passes through the unit. VPNs are supported using AES as well as DES and 3DES. Software quality of service and traffic shaping features were included in this release. In the area of monitoring, management, and diagnostics this unit is really well equipped. The diagnostics in particular can display traffic counters for layers 1, 2, 3, and 4.

Product: Allied Telesyn AR440S
Price: AU$907.50
Vendor: Allied Telesyn International
Phone: 1800 228 595
Web: www.alliedtelesyn.com.au

Interoperability: Excellent levels of network and logging support.
Futureproofing: Excellent levels of customisation and scalability provided. Definitely a unit for experienced engineers.
ROI: Reasonably priced for the features.
Service: 2 year warranty.

Specifications

Product | Allied Telesyn AR440S | D-Link DSL-300G / D-Link DFL-700 | Dynalink RTA770
Company | Allied Telesyn International | D-Link Australia Pty Ltd | Askey Australia
Phone | 1800 228 595 | 1300 766 868 | 1800 653 962
Web Site | www.alliedtelesyn.com.au | www.dlink.com.au | www.dynalink.com.au
Price (inc GST) | AU$907.50 | AU$999.95 | AU$199
Warranty | 2 years | 1 year | 1 year
Ethernet LAN | 5-port 10/100Mbps can be used as LAN or DMZ | 1-port 10/100Base-TX | 4-port 10/100 Mbps
Other Ports (USB, Serial) | 1 x Async. serial, 1 x PIC expansion bay | WAN port (10/100), DMZ port (10/100) and serial console port | USB
URL/Content Filtering | URL filtering performed using Firewall HTTP proxy | Yes | No
Bandwidth management | LLQ, PQ, WRR, DWRR, PQ with WRR/DWRR, 802.1P, IP TOS, IP DSCP, RSVP | Yes | No
DoS protection | A stateful inspection firewall provides protection against SYN and FIN flooding, ping of death, smurf attacks and port scans. | Yes | No
VPN server | Yes | Yes | Pass-through only
Encryption standards supported | DES, 3DES, AES | AES, 3DES, DES, CAST128, Blowfish and Twofish | NA
Target market | Home, SoHo, enterprise, service provider | SME | SOHO

Product | Linksys WAG54G | Netgear DG834 | Nortel Contivity 251
Company | Cisco-Linksys | Netgear | Nortel
Phone | 1800 678 808 | 1800 502 061 | 02 8870 5000
Web Site | www.linksys.com.au | www.netgear.com.au | www.nortel.com
Price (inc GST) | AU$249 | AU$169 | AU$775
Warranty | 3 years | 3 years | 1 year
Ethernet LAN | 4-port 10/100Mbps | 4-port 10/100Mbps | 4-port 10/100 Mbps
Other Ports (USB, Serial) | None | ~ | RS232, DB-9f
URL/Content Filtering | Yes | Yes | Blocks ActiveX, Java applets, and cookies, and disables Web proxies so that network administrators can tailor remote site access policies to be consistent with rest of enterprise.
Bandwidth management | Yes | | No
DoS protection | Yes | Yes | Stateful packet inspection, attack logging and e-mail alerts
VPN server | Yes | Pass-through only | Yes
Encryption standards supported | DES, 3DES | NA | DES, 3DES, AES
Target market | ADSL users after a fully featured wireless home gateway for their home or small business network. | Home & SME | Enterprise



How we tested

Interoperability
What features are included that enable the device to play well with other equipment?

Futureproofing
Upgrade paths and expansion capabilities?

ROI
What features & performance do the $$$ get?

Service
What is included, what isn't, and how long is the warranty?

Each firewall was initially set up and tested with the factory default or manufacturer recommended settings. Our test rig comprised a target machine -- a generic Intel PC with Microsoft Windows XP Professional. This was placed initially on a fully open public IP address and we ran our tests across it from another Windows XP Professional PC running behind the firewall router.

We tested the firewalls from a local network aspect and also from the outside in. The first of these testing tools was Nmap v3.10Alpha4, which was run in a Windows environment and allowed us, while offline, to first configure our firewall and then, with no risk of blocking half the company's network traffic, test the box before setting it live on the network.

Nmap, amongst other things, has a very handy port scanning and reporting utility. Remember that port scanning is one of the first footprinting tools a script kiddie would use to identify what ports are open on a system and thereby identify potential weaknesses in that box. So instead of sniffing from port 1 to 65,000 in a row, Nmap in stealth mode scans random ports on the target machine at user-defined intervals and builds up its report from there. For the purposes of this test we ran tests on the basic 1605 "common" ports.

The second test was from the inside out and used LeakTest v1.2 from the target machine back to itself, simulating a Trojan horse.

The third test was a simple throughput test. We basically downloaded and uploaded data to and from a central server located in a high-quality datacentre.

Data Throughput
We initially decided to run throughput tests on all the routers. But as we ran these tests over different times of the day we got inconsistent scores. It was interesting to note that we managed to get throughput rates of 1249kbps down and 216kbps up when only using the D-Link ADSL modem. When plugging in the D-Link firewall, throughput rates dropped to about 1000kbps for downloading. The other routers managed scores between 400 and 700kbps for downloads. Again we can't place too much emphasis on these results as the tests were run at different times of the day. But they at least give you an indication that a firewall will somewhat reduce your throughput speeds.

Internet connection
Alphalink Internet Services was used to connect all the routers to the outside world. The service that we employed uses a 1500kbps down and 256kbps up stream, which Alphalink offers for AU$99.90 a month. Alphalink also supports speeds of 256/64, 512/128 & 512/512. See www.alphalink.com.au for more information.

Final notes
We decided there was no point in creating our own rulesets as it would defeat the purposes of the test. Remember all firewalls can be customised by the user for their own purposes.
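
A repeatable form of the outside-in Nmap check described above, as an added example that is not part of the original article: it parses Nmap's greppable (-oG) output from a scan of your own router's WAN address and lists open ports that fall outside an allowlist. The sample scan lines, the 192.0.2.x addresses, the allowlist and the severity labels are assumptions made for the example.

```python
# Added example: audit WAN-side scan results against an expected baseline.

# Constructed sample in Nmap greppable (-oG) format. Addresses are
# documentation-range placeholders; ports and states are made up.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 113/closed/tcp//auth///, 443/open/tcp//https///\tIgnored State: filtered (1601)
Host: 192.0.2.20 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///
Host: 192.0.2.30 ()\tStatus: Up
"""

# Assumed policy: nothing answers on the WAN side except an HTTPS
# admin page the operator exposed on purpose.
ALLOWED_WAN = {(443, "tcp")}
# Cleartext management services get a louder finding (assumed labels).
CLEARTEXT_MGMT = {21, 23, 80}


def parse_greppable(text):
    """Return {host: [(port, proto, state, service), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines and blanks
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = hosts.setdefault(host, [])  # hosts with no Ports field stay listed
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue  # malformed entry, ignore rather than guess
                ports.append((int(parts[0]), parts[2], parts[1], parts[4]))
    return hosts


def audit(hosts, allowed=ALLOWED_WAN):
    """Return {host: [(port, service, severity), ...]} for unexpected open ports."""
    findings = {}
    for host, ports in hosts.items():
        rows = []
        for port, proto, state, service in ports:
            # closed and filtered ports were seen by the scan but are not exposed
            if state != "open" or (port, proto) in allowed:
                continue
            severity = "high" if port in CLEARTEXT_MGMT else "review"
            rows.append((port, service, severity))
        findings[host] = sorted(rows)
    return findings


if __name__ == "__main__":
    for host, rows in audit(parse_greppable(SAMPLE_OG)).items():
        print(host, rows if rows else "no unexpected open ports")
```

Saving the output of each scan and re-running the audit after a firmware update or a rule change shows whether the default exposure has drifted.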



Sample scenario

This company needs to install ADSL routers in its remote branches in order to share content with the head office.

Approximate budget: Under AU$1000
Requires: One simple remote office solution that includes the following features: firewall, VPN, Web filtering, bandwidth management, and a Web-based interface.
Best solution: Nortel Contivity 251

Filters

Because ADSL routers share a common telephone line with standard analog phones, you need to install a line filter and you are going to have to do this to each phone or phone device that shares the same line as the ADSL service. Anyone could install one of these filters but if you have more than four phones you will need to install a central filter which should be installed by a technician.

What these line filters do is cut out the high pitched noises the ADSL router makes. It also enables you to use your phone line to make standard phone calls.

Nmap v3.75 against the firewall from the outside WAN

Router | Ports Detected | Name | Leak Test
Dlink | 23 | telnet | Fail
 | 80 | http | Pass
 | 113 | auth | Pass
 | 443 | https | Pass
Dynalink | 80 | http | Fail
 | 443 | https | Pass
Netgear | 21 | ftp | Fail
 | 22 | ssh | Pass
 | 80 | http | Pass
 | 256 | FW1-secureremote | Pass
 | 443 | https | Pass
 | 554 | rtsp | Pass
 | 636 | ldapssl | Pass
Nortel | 80 | http | Fail
 | 443 | https | Pass
Linksys | | Did Not Run | Fail
Allied Telesyn | 80 | http | Fail
 | 113 | auth | Pass
 | 443 | https | Pass



T&B Editor's choice
Editor's choice: Nortel Contivity 251

The Nortel Contivity 251 is our pick for both the scenario and the Editor's Choice award. It included all of the features asked for in the scenario except for bandwidth management. It was easy to set up and manage, and the price tag was very good considering what you get. The Linksys also deserves a mention for offering wireless.

This article was first published in Technology & Business magazine.



About RMIT IT Test Labs

RMIT IT Test Labs
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own -- only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.
