Home & Office
Faster and stronger: Six ADSL firewall routers tested
Distributed and expanding companies are increasingly using VPN connections to access and share information between offices and branches. We test ADSL firewall routers that are designed for this purpose.
Distributed and expanding companies are increasingly using VPN connections to access and share information between offices and branches. We test ADSL firewall routers that are designed for this purpose.
Contents  Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||
One of the more important aspects of a firewall is to block ports used to exploit a system. Now with more than 65,000+ ports available on a system a firewall does a fair bit of port blocking.
In order to test just how well these firewall routers block ports we used Nmap, which shows how many ports the firewall leaves open by default.
You also expect a router/firewall to provide good logs, support for virtual private networks (VPN), and use Point-to-Point Tunneling Protocol (PPTP) with varying levels of encryption from DES, 3DES, and AES.
A firewall should also support blacklists -- databases of hacker or cracker friendly IP addresses and domain names that can be added to the firewall to explicitly block connections to and from these systems.
We invited all the major vendors to submit products and the ones that took us up on our offer were Cisco/Linksys, Netgear, Nortel, Allied Telesyn, Dynalink, and D-Link.
Contents Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||
D-Link DFL-700
The D-Link solution was part of a two-piece solution, ie there was a separate ADSL modem and firewall device. All the other submissions used an all-in-one integrated solution. It does the same job as an all-in-one device but it does cost more.
There are also additional cables that get in the way and an extra device that you have to configure.
You first have to connect the DSL-300G to your phone line. We decided to configure the modem first so we connected a PC to the DSL-300G. We had to then install a small utility which comes on the install CD.
From this utility you can run a basic setup which will allow you to configure the modem using your PC's Web browser. Here you can configure your ADSL account user name and password and connect to your service.
Once completed, we tested the service and all seemed fine and unplugged the PC from the DSL-300G. We then ran a network cable from the Ethernet port of the DSL-300G to the WLAN port of the DFL-700. We also had to run a network cable from the LAN port on the DFL-700 to our PC. Once we did this we were ready to configure the firewall.
Like most of the other units tested we had to open up a browser at 192.168.1.1 to configure the firewall. In this case there wasn't much to configure besides the WAN port. There was also a DMZ port on the back. After a few ping tests to see who was around we were up and running.
This product may sound complext to set up, and indeed there is more involved than with the other devices tested, but overall it actually is not that bad.
After taking a closer look inside the firewall we could see that it's quite a capable firewall. Not only does it offer firewall security but it also supports VPNs, content filtering, and bandwidth management, as well as having good logs and reporting.
| |||||||||||||||||||||||||||||||
Contents Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||
The Dynalink was without a doubt the easiest router to setup. We plugged our phone line into the DSL port on the back of the unit. We then plugged a PC into one of the switch ports. From here all we had to do was find out its default IP address, which was 192.168.1.1. After launching a browser and logging into the unit all we had to do was enter our ADSL login name and password and that was it. All up it took us 30 seconds to get online -- a great result.
The Dynalink is not big on features but that also explains the low price of AU$199. Under the advanced menu is a firewall component that allows you to filter IP packets. Besides that there wasn't too much to speak of -- it allows for remote management which was good, however the system logs and traffic statistics only offer basic reporting.
| |||||||||||||||||||||||||||||||
Contents Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||
The Netgear ADSL router represents excellent value for money. It certainly wasn't the least featured but happened to be the least expensive router in this review. Setup was straightforward -- only the Dynalink was easier. Physically they were all set up the same except for the D-Link, as already explained. Besides having to have to enter the ADSL login details, with the Netgear device we had to select the encapsulation we were going use as well as the multiplexing method that matches with our ISP.
The DG834 had a very simple GUI -- what made it stand out from the rest was a help pane which explained what every setting does. It also featured some great security features like being able to block sites and setup rules to block or allow specific traffic. You can also schedule when rules are applied and you can have the system logs e-mailed to you. There were some useful maintenance settings to help you manage the router.
| |||||||||||||||||||||||||||||||
Contents Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||
The Nortel box was one of the more serious routers. It was also one of the easier routers to set up thanks to the included startup wizard. Again, like the other units tested, the hardware setup was straightforward and the only place where you might run into a few setup issues is the software setup.
However, we didn't have any of those problems with this one; we were guided through two Web pages which asked us to select our ISP parameters followed by our ADSL login details. Once we got passed this stage the setup program runs a test that checks your LAN connections as well as your WAN connections. If it returns all passes you know you are online.
As previously stated, the Nortel is a serious device which not only provides firewall security by setting rules for outbound and inbound traffic but also content filtering which can block Web sites that contain keywords. It can also create VPNs that make use of DES, 3DES, and AES. System logs can also be sent to administrators on specified days and times.
| |||||||||||||||||||||||||||||||
Contents Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||
The Linksys router was the only router that offered wireless capabilities. It supports both A and G wireless modes. Setting up this unit wasn't too hard, there are just a few things you have to do such as select the encapsulation, multiplexing parameters as well as enter your ADSL login credentials. It takes a few moments to establish a link, something that we didn't really find with the other units. If you look under the wireless menu you can set up WEP or WPA which uses stronger encryption.
Under the security menu you can configure the security settings of the firewall. You can filter Java Applets, Cookies, Active X objects, and Proxies. By default the router blocks anonymous Internet requests. We only found this option enabled on the Linksys which was a bit surprising. We actually had to disable this fine option because it was stopping us pinging the router from a public PC.
We encountered problems running nmap -- which in fact is a great result because it means we couldn't exploit any open ports. However, we thought this was strange so we disabled the firewall and we surprisingly we still couldn't run nmap. Unfortunately we didn't have much time to get to the bottom of this, with more time we could have possibly got it to run nmap but it most likely would've invovled tweaking the unit to make it less secure. So it really is to the device's credit we couldn't find any open ports.
The Linksys also has an integrated VPN server supporting DES and 3DES encryption. Not bad for a device that only costs AU$249. The Linksys can be setup for remote management and has some decent reporting built in. It can also e-mail security alerts.
| |||||||||||||||||||||||||||||||
Contents Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||
Setting up the hardware was easy -- you basically have to plug your phone line into the back of the unit then run a network cable from the unit to your PC. DHCP wasn't enabled on this router so we couldn't see the router until we manually set the IP address of our PC.
Once we could see the router we followed the Quick Start menu to get things rolling. You first have to set the encapsulation and multiplexing parameters and from there you enter your ISP login and password details and then apply the settings. We actually thought this all would have been enough to get it running but not so! In fact we had to resort to contacting the vendor for help and only after a few attempts did we manage to get it all working.
The quick install guide fell well short of providing enough information to help us configure the router. By our understanding it's a new product so there may be some kinks that still need to be ironed out by Allied Telesyn.
As for the rest of the installation, we had set the interface to accept remotely assigned addresses, setup the firewall, NAT, set DHCP, and then create traffic policies so we could see beyond the LAN. It sounds a bit painful and it was, especially compared to the other units, but then again how often would you have to setup your firewall from scratch?
The AR44OS comes with traffic filtering capabilities, giving you control over traffic that passes through the unit. VPNs are supported using AES as well as DES and 3DES. Software quality of service and traffic shaping features were included in this release. In the area of monitoring, management, and diagnostics this unit is really well equipped. The diagnostics in particular can display traffic counters for layers 1, 2, 3, and 4.
| |||||||||||||||||||||||||||||||
| Product | Allied Telesyn AR440S | D-Link DSL-300G/ D-Link DFL-700 | Dynalink RTA770 |
| Company | Allied Telesyn International | D-Link Australia Pty Ltd | Askey Australia |
| Phone | 1800 228 595 | 1300 766 868 | 1800 653 962 |
| Web Site | www.alliedtelesyn.com.au | www.dlink.com.au | www.dynalink.com.au |
| Price (inc GST) | AU$907.50 | AU$999.95 | AU$199 |
| Warranty | 2 years | 1 year | 1 year |
| Ethernet LAN | 5-port 10/100Mbps can be used as LAN or DMZ | 1-port 10/100Base-TX | 4-port 10/100 Mbps |
| Other Ports (USB, Serial) | 1 x Async. serial, 1 x PIC expansion bay | WAN port (10/100), DMZ port (10/100) and serial console port | USB |
| URL/ Content Filtering | URL filtering performed using Firewall HTTP proxy | Yes | No |
| Bandwidth management | LLQ, PQ, WRR, DWRR, PQ with WRR/DWRR, 802.1P, IP TOS, IP DSCP, RSVP | Yes | No |
| DoS protection | A stateful inspection firewall provides protection against SYN and FIN flooding, ping of death, smurf attacks and port scans. | Yes | No |
| VPN server | Yes | Yes | Pass-through only |
| Encryption standards supported | DES, 3DES, AES | AES, 3DES, DES, CAST128, Blowfish and Twofish | NA |
| Target market | Home, SoHo, enterprise, service provider | SME | SOHO |
| Product | Linksys WAG54G | Netgear DG834 | Nortel Contivity 251 |
| Company | Cisco-Linksys | Netgear | Nortel |
| Phone | 1800 678 808 | 1800 502 061 | 02 8870 5000 |
| Web Site | www.linksys.com.au | www.netgear.com.au | www.nortel.com |
| Price (inc GST) | AU$249 | AU$169 | AU$775 |
| Warranty | 3 years | 3 years | 1 year |
| Ethernet LAN | 4-port 10/100Mbps | 4-port 10/100Mbps | 4-port 10/100 Mbps |
| Other Ports (USB, Serial) | None | ~ | RS232, DB-9f |
| URL/ Content Filtering | Yes | Yes | Blocks ActiveX, Java applets, and cookies, and disables Web proxies so that network administrators can tailor remote site access policies to be consistent with rest of enterprise. |
| Bandwidth management | Yes | No | |
| DoS protection | Yes | Yes | Stateful packet inspection, attack logging and e-mail alerts |
| VPN server | Yes | Pass-through only | Yes |
| Encryption standards supported | DES, 3DES | NA | DES, 3DES, AES |
| Target market | ADSL users after a fully featured wireless home gateway for their home or small business network. | Home & SME | Enterprise |
Contents Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||
Interoperability
What features are included that enable the device to play well with other equipment?
Futureproofing
Upgrade paths and expansion capabilities?
ROI
What features & performance do the $$$ get?
Service
What is included, what isn't, and how long is the warranty?
Each firewall was initially setup and tested with the factory default or manufacturer recommended settings. Our test rig comprised of a target machine -- a generic Intel PC with Microsoft Windows XP Professional. This was placed initially on a fully open public IP address and we ran our tests across it from another Windows XP Professional PC running behind the firewall router.
We tested firewalls from a local network aspect, also from the outside in. The first of these testing tools was Nmap v3.10Alpha4 which was run in a Windows environment and allowed us. while offline, to firstly configure our firewall and then, with no risk of blocking half the companies network traffic, test the box before setting it live on the network.
Nmap amongst other things has a very handy port scanning and reporting utility. Remember that port scanning is one of the first foot-printing tools a script kiddy would use to identify what ports are open on a system and thereby identify potential weaknesses in that box. So instead of sniffing from port 1 to 65,000 in a row simultaneously, Nmap in stealth mode scans random ports on the target machine at user defined intervals and builds up its report from there. For the purposes of this test we ran tests on the basic 1605 "common" ports.
The second test was from the inside out and uses a LeakTest v1.2 from the target machine back to itself, simulating a Trojan horse.
The third test was a simple throughput test. We basically downloaded and uploaded data to and from central sever located in a high-quality datacentre.
Data Throughput
We initially decided to run throughput tests on all the routers. But as we ran these tests over different times of the day we got inconsistent scores. It was interesting to note that we managed to get throughput rates of 1249kbps down and 216kbps up when only using the Dlink ADSL modem. When plugging in the DLink firewall throughput rates had dropped to about 1000kbps for downloading. The other routers managed scores between 400 and 700kbps for downloads. Again we can't place too much emphasis on these results as the tests were run at different times of the day. But they at least give you an indication that a firewall will somewhat reduce your throughput speeds.
Internet connection
Alpahlink Internet Services was used to connect all the routers to the outside world. The service that we employed uses a 1500kbps down and 256kbps up stream which Alphalink offers for AU$99.90 a month. Alphalink also support speeds of 256/64, 512/128 & 512/512. See www.alphalink.com.au for more information.
Final notes
We decided there was no point in creating our own rulesets as it would defeat the purposes of the test. Remember all firewalls can be customised by the user for their own purposes.
Contents Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||
This company needs to install ADSL routers in its remote branches in order to share content with the head office.
Approximate budget: Under AU$1000
Requires: One simple remote office solution that includes the following features: firewall, VPN, Web filtering, bandwidth management, and a Web-based interface.
Best solution: Nortel Contivity 251
Filters
Because ADSL routers share a common telephone line with standard analog phones, you need to install a line filter and you are going to have to do this to each phone or phone device that shares the same line as the ADSL service. Anyone could install one of these filters but if you have more than four phones you will need to install a central filter which should be installed by a technician.
What these line filters do is cut out the high pitched noises the ADSL router makes. It also enables you to use your phone line to make standard phone calls.
Nmap v3.75 against the firewall from the outside WAN
| Router | Ports Detected | Name | Leak Test |
| Dlink | 23 | telnet | Fail |
| 80 | http | Pass | |
| 113 | auth | Pass | |
| 443 | https | Pass | |
| Dynalink | 80 | http | Fail |
| 443 | https | Pass | |
| Netgear | 21 | ftp | Fail |
| 22 | ssh | Pass | |
| 80 | http | Pass | |
| 256 | FW1-secureremote | Pass | |
| 443 | https | Pass | |
| 554 | rtsp | Pass | |
| 636 | ldapssl | Pass | |
| Nortel | 80 | http | Fail |
| 443 | https | Pass | |
| Linksys | Did Not Run | Fail | |
| Allied Telesyn | 80 | http | Fail |
| 113 | auth | Pass | |
| 443 | https | Pass |
Contents Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||
The Nortel Contivity 251 is our pick for both the scenario and the Editor's Choice award. It included all of the features asked for in the scenario except for bandwidth management. It was easy to setup and manage, and the price tag was very good considering what you get. The Linksys also deserves a worthy mention for offering wireless.
This article was first published in Technology & Business magazine.
Click here for subscription information.
Contents Introduction D-Link Dynalink Netgear Nortel Linksys Allied Telesyn Specifications How we tested Sample scenario Editor's choice About RMIT | ||||