SOHOware BroadGuard Secure Cable/DSL Router
Review by Adam Olson
So, you just ordered your high-speed broadband
Internet service. But what are you going to connect it
to? You need a device that will meet your functionality
requirements and provide the security needed for a
network behind a broadband connection. There are several
such products available. In this review, I will focus on
one in particular: the SOHOware BroadGuard Secure
BroadGuard at a Glance
The BroadGuard was
aesthetically pleasing straight out of the box. It is
fairly small, measuring 10.2 inches X 6.6 inches X 1.8
inches. The front panel is comprised of status labels
and LEDs, while the back of the unit contains 4
auto-sensing 10/100 RJ-45 ports, a Cable/DSL RJ-45 port,
a reset button, and a power interface.
What exactly does the BroadGuard do? The BroadGuard
is a Cable/DSL router with enhanced firewall
capabilities. It sits between a Cable or DSL circuit and
a private network, allowing simultaneous access for home
or business users, while at the same time protecting
them from outside intruders.
This device was
exceptionally easy to set up and get running. I
literally plugged it into my DSL modem, went into the
admin GUI, enabled PPPoE, entered my account
information, configured my workstation to use the
BroadGuard, and I was browsing away. It took less than
four minutes--and most of that time was waiting for my
workstation to reboot.
Some of the most important
features sported by the BroadGuard are Stateful Packet
Inspection (SPI), access control and monitoring, a
Denial of Service (DoS) monitor, a Demilitarized Zone
(DMZ) function, built in NAT, and DHCP.
SPI is important because it tracks the state of
sessions, typically TCP sessions. When SPI is
implemented in any network device, the device knows
which sessions were truly initiated on the inside
interface, thus making it possible to drop any
superfluous traffic trying to enter from the Internet.
This traffic is often times generated by crackers trying
to probe or DoS the internal network. The BroadGuard
gets a big plus for supporting SPI.
I consider access control to be a prerequisite for
buying any BroadGuard-type equipment. The BroadGuard
supports restricting access to specific applications by
host IP. There is also a form that lists
web sites that you don’t want anyone to be able to
access. My personal preference on access control is to
be able to permit access to a few specific applications
and deny the rest--the "permit some, deny all" logic.
Access control is handled in the opposite fashion on the
BroadGuard. You deny access to certain applications and
the remaining items on the list are allowed. I would
like to see an option where I could simply fill in the
firewall rule set myself. That way, I could really
customize my rule sets.
The BroadGuard provides an Access Monitor within the
admin GUI. The monitor provides a simple snapshot of
internal hosts and the external machines they are
The DoS monitor is a great addition to a router in
this class. After I got the BroadGuard up and running, I
went to an Internet site that portscans the connecting
IP to test its resiliency and security. After running
this test against the BroadGuard, I promptly received an
email from the monitoring system on the BroadGuard that
someone had attempted a WinNuke attack on my system. The
packets were discarded and the portscan site reported
that not a single port or hole was responding at all.
This is a great thing to see in terms of security. The
device and your network look dead to the outside, which
What If I Want to Play Games?
use of a fast broadband circuit if you can’t break out
Quake--or whatever your favorite game may be--on
occasion? I know that when I get the urge and I’m behind
a router or firewall performing NAT, applications like
GameSpy often cease to function. DirectX networking
components that require the acceptance of inbound
traffic on funny ports often cause this. I was very
happy to see that the BroadGuard has a work-around for
this. It includes support for a Demilitarized Zone
(DMZ), where you allow all traffic to reach certain
inside hosts. Adding hosts via the admin GUI to the DMZ
was very straightforward.
The BroadGuard also supports port forwarding, which
is another way to get around these kinds of problems.
The admin GUI has a form where you can specify the
external ports that should be forwarded to specific
internal machines. The DMZ solution is easier, but port
forwarding provides a greater level of security.
An additional function of the
DMZ feature is to allow the passing of VPN traffic. A
VPN is handy when you have remote users who require
access to internal information, or when you need to
build a VPN tunnel between offices. The BroadGuard
accommodates Microsoft (Point-to-Point Tunneling
Protocol) PPTP tunnels within the DMZ feature. You can
add the VPN server or client into the DMZ and PPTP
traffic will then be able to get through the BroadGuard.
NAT and DHCP
By default, the BroadGuard is
ready to NAT all outbound connections and act as a DHCP
server. Network Address Translation (NAT) is what allows
a group of machines to share the same public address.
The Dynamic Host Configuration Protocol (DHCP) allows
new nodes to be added to the network with ease. During
the boot process, the new workstation is given all the
required network information, so the user can simply
open up a browser and fire away.
To test performance, I started
a number of large file transfers and compared them
against the same file transfer times when the BroadGuard
was not in the network configuration. The BroadGuard did
not inject any latency into the session and performed
To be perfectly honest, I
didn’t ever need to consult the documentation on a
problem! The admin GUI is very intuitive, and I found
the manual to be more for supplementary reference. The
user guide has quite a bit of information in it and
should answer any questions you may have. I know it did
Likes, Dislikes, and Conclusion
If I were
in the market right now for a router that could support
up to 253 users behind a Cable or DSL circuit, I would
purchase the BroadGuard. I really like the built-in
firewall security of the BroadGuard, as well as the
additional features like DHCP, a very easy to use
administrative GUI, and real-time reporting via email.
The initial set up could not have been easier, and the
performance on the BroadGuard is great.
If I could add anything to the BroadGuard, it would
be an interface to the firewall rule set that would
permit me to fully customize my ACL logic.
Overall, the BroadGuard is a rock solid Cable/DSL
router with a lot of security features. It is a great
fit for a network of 253 nodes or less that would like
to share a Cable or DSL connection.
Ease of Use 5
Scale = 1 (lowest) -
Santa Clara, CA 95054
About the Author
Adam Olson has been
living up, down, and across California. He has helped
build a successful ISP (http://www.humboldt1.com/), designed
and configured portions of the California Power Network
while working at MCI WorldCom, spent time at a startup
in Santa Clara (http://www.quaartz.com/), and is
currently building a new company. He can be reached at