Unix Review > Archives > 2001 > 0105
May 2001

SOHOware BroadGuard Secure Cable/DSL Router

Review by Adam Olson

So, you just ordered your high-speed broadband Internet service. But what are you going to connect it to? You need a device that will meet your functionality requirements and provide the security needed for a network behind a broadband connection. There are several such products available. In this review, I will focus on one in particular: the SOHOware BroadGuard Secure Cable/DSL Router.

BroadGuard at a Glance
The BroadGuard was aesthetically pleasing straight out of the box. It is fairly small, measuring 10.2 inches X 6.6 inches X 1.8 inches. The front panel is comprised of status labels and LEDs, while the back of the unit contains 4 auto-sensing 10/100 RJ-45 ports, a Cable/DSL RJ-45 port, a reset button, and a power interface.

What exactly does the BroadGuard do? The BroadGuard is a Cable/DSL router with enhanced firewall capabilities. It sits between a Cable or DSL circuit and a private network, allowing simultaneous access for home or business users, while at the same time protecting them from outside intruders.

Initial Configuration
This device was exceptionally easy to set up and get running. I literally plugged it into my DSL modem, went into the admin GUI, enabled PPPoE, entered my account information, configured my workstation to use the BroadGuard, and I was browsing away. It took less than four minutes--and most of that time was waiting for my workstation to reboot.

Key Features
Some of the most important features sported by the BroadGuard are Stateful Packet Inspection (SPI), access control and monitoring, a Denial of Service (DoS) monitor, a Demilitarized Zone (DMZ) function, built-in NAT, and DHCP.

SPI is important because it tracks the state of sessions, typically TCP sessions. When SPI is implemented in any network device, the device knows which sessions were truly initiated on the inside interface, thus making it possible to drop any superfluous traffic trying to enter from the Internet. This traffic is often generated by crackers trying to probe or DoS the internal network. The BroadGuard gets a big plus for supporting SPI.

I consider access control to be a prerequisite for buying any BroadGuard-type equipment. The BroadGuard supports restricting access to specific applications by host IP. There is also a form that lists web sites that you don’t want anyone to be able to access. My personal preference on access control is to be able to permit access to a few specific applications and deny the rest--the "permit some, deny all" logic. Access control is handled in the opposite fashion on the BroadGuard. You deny access to certain applications and the remaining items on the list are allowed. I would like to see an option where I could simply fill in the firewall rule set myself. That way, I could really customize my rule sets.
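The difference between the two policies, as an added example (not BroadGuard's code or rule syntax): the same constructed LAN flows are evaluated against a deny-list with default allow, as the review describes, and against an allow-list with default deny. The rule format, addresses and ports are assumptions made for the illustration.

```python
import ipaddress

def evaluate(rules, default, src, dport):
    """First matching rule wins; if nothing matches, the default action applies."""
    addr = ipaddress.ip_address(src)
    for action, net, port in rules:
        # A rule port of None means "any port" for that source network.
        if addr in ipaddress.ip_network(net) and port in (dport, None):
            return action
    return default

def permitted(rules, default, flows):
    """Return the flows that the policy lets out."""
    return [(s, p) for s, p in flows if evaluate(rules, default, s, p) == "allow"]

# Constructed outbound flows: (LAN source IP, destination TCP port).
FLOWS = [
    ("192.168.1.20", 80),    # web
    ("192.168.1.20", 23),    # telnet
    ("192.168.1.30", 23),    # telnet from the restricted host
    ("192.168.1.30", 25),    # mail
    ("192.168.1.30", 6699),  # an application nobody thought to list
]

# Deny-list style: block what you know about, everything else passes.
DENY_LIST = [("deny", "192.168.1.30/32", 23)]

# Allow-list style ("permit some, deny all"): name what is needed, drop the rest.
ALLOW_LIST = [
    ("allow", "192.168.1.0/24", 80),
    ("allow", "192.168.1.30/32", 25),
]

if __name__ == "__main__":
    print("deny-list, default allow:", permitted(DENY_LIST, "allow", FLOWS))
    print("allow-list, default deny:", permitted(ALLOW_LIST, "deny", FLOWS))
```

Under the deny-list the unlisted port 6699 flow and the second host's telnet session both pass, because only what was anticipated is blocked; under the allow-list anything not named is dropped.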

The BroadGuard provides an Access Monitor within the admin GUI. The monitor provides a simple snapshot of internal hosts and the external machines they are connected to.

The DoS monitor is a great addition to a router in this class. After I got the BroadGuard up and running, I went to an Internet site that portscans the connecting IP to test its resiliency and security. After running this test against the BroadGuard, I promptly received an email from the monitoring system on the BroadGuard that someone had attempted a WinNuke attack on my system. The packets were discarded and the portscan site reported that not a single port or hole was responding at all. This is a great thing to see in terms of security. The device and your network look dead to the outside, which is ideal.

What If I Want to Play Games?
What’s the use of a fast broadband circuit if you can’t break out Quake--or whatever your favorite game may be--on occasion? I know that when I get the urge and I’m behind a router or firewall performing NAT, applications like GameSpy often cease to function. DirectX networking components that require the acceptance of inbound traffic on funny ports often cause this. I was very happy to see that the BroadGuard has a work-around for this. It includes support for a Demilitarized Zone (DMZ), where you allow all traffic to reach certain inside hosts. Adding hosts via the admin GUI to the DMZ was very straightforward.

The BroadGuard also supports port forwarding, which is another way to get around these kinds of problems. The admin GUI has a form where you can specify the external ports that should be forwarded to specific internal machines. The DMZ solution is easier, but port forwarding provides a greater level of security.
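An added sketch, not BroadGuard firmware, of how a NAT gateway can decide the fate of an inbound packet; it ties together the SPI session lookup described under Key Features and the DMZ versus port-forwarding trade-off above. The lookup order (tracked session, port forward, DMZ host, drop), the class name, and all addresses and ports are assumptions for the illustration, and TCP flags and timeouts are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

PROBE_PORTS = [23, 80, 139, 27960]   # constructed sample of WAN-side ports
OUTSIDER = ("198.51.100.99", 4444)   # constructed unsolicited sender

@dataclass
class Gateway:
    port_forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None                     # LAN IP that receives everything else
    sessions: dict = field(default_factory=dict)       # state table built by outbound()
    next_port: int = 40000                             # next NAT source port to hand out

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a session: translate it and remember the state."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return (verdict, LAN destination) for a packet arriving from the Internet."""
        key = (wan_port, remote_ip, remote_port)
        if key in self.sessions:                 # reply to a session started inside
            return "established", self.sessions[key]
        if wan_port in self.port_forwards:       # one explicitly published service
            return "port-forward", self.port_forwards[wan_port]
        if self.dmz_host:                        # DMZ: every remaining port is exposed
            return "dmz", (self.dmz_host, wan_port)
        return "drop", None                      # unsolicited and unpublished

def unsolicited_exposure(gw, ports=PROBE_PORTS):
    """WAN ports on which an outsider with no session reaches a LAN host."""
    return [p for p in ports if gw.inbound(*OUTSIDER, p)[0] != "drop"]

if __name__ == "__main__":
    game_pc = "192.168.1.20"
    for name, gw in [("SPI only", Gateway()),
                     ("port forward", Gateway(port_forwards={27960: (game_pc, 27960)})),
                     ("DMZ host", Gateway(dmz_host=game_pc))]:
        print(f"{name:13} exposed ports: {unsolicited_exposure(gw)}")
```

With a DMZ host configured, every probed port lands on the inside machine, while a single port forward exposes only the one service that was published.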

VPN Access
An additional function of the DMZ feature is to allow the passing of VPN traffic. A VPN is handy when you have remote users who require access to internal information, or when you need to build a VPN tunnel between offices. The BroadGuard accommodates Microsoft Point-to-Point Tunneling Protocol (PPTP) tunnels within the DMZ feature. You can add the VPN server or client into the DMZ and PPTP traffic will then be able to get through the BroadGuard.

NAT and DHCP
By default, the BroadGuard is ready to NAT all outbound connections and act as a DHCP server. Network Address Translation (NAT) is what allows a group of machines to share the same public address. The Dynamic Host Configuration Protocol (DHCP) allows new nodes to be added to the network with ease. During the boot process, the new workstation is given all the required network information, so the user can simply open up a browser and fire away.

Performance
To test performance, I started a number of large file transfers and compared them against the same file transfer times when the BroadGuard was not in the network configuration. The BroadGuard did not inject any latency into the session and performed very well.

Documentation
To be perfectly honest, I didn’t ever need to consult the documentation on a problem! The admin GUI is very intuitive, and I found the manual to be more for supplementary reference. The user guide has quite a bit of information in it and should answer any questions you may have. I know it did for me.

Likes, Dislikes, and Conclusion
If I were in the market right now for a router that could support up to 253 users behind a Cable or DSL circuit, I would purchase the BroadGuard. I really like the built-in firewall security of the BroadGuard, as well as the additional features like DHCP, a very easy-to-use administrative GUI, and real-time reporting via email. The initial setup could not have been easier, and the performance on the BroadGuard is great.

If I could add anything to the BroadGuard, it would be an interface to the firewall rule set that would permit me to fully customize my ACL logic.

Overall, the BroadGuard is a rock-solid Cable/DSL router with a lot of security features. It is a great fit for a network of 253 nodes or fewer that would like to share a Cable or DSL connection.

Score Card
Installation 5
Documentation 5
Functionality 4
Ease of Use 5
Performance 5
Overall 5
Scale = 1 (lowest) - 5 (highest)

Vendor Information
SOHOware, Inc.
3050 Coronado Drive
Santa Clara, CA 95054
(800) 632-1118
http://www.sohoware.com/

About the Author
Adam Olson has been living up, down, and across California. He has helped build a successful ISP (http://www.humboldt1.com/), designed and configured portions of the California Power Network while working at MCI WorldCom, spent time at a startup in Santa Clara (http://www.quaartz.com/), and is currently building a new company. He can be reached at adamo@humboldt1.com.
