Try our RSS feed

May 2001

SOHOware BroadGuard Secure Cable/DSL Router

Review by Adam Olson

So, you just ordered your high-speed broadband Internet service. But what are you going to connect it to? You need a device that will meet your functionality requirements and provide the security needed for a network behind a broadband connection. There are several such products available. In this review, I will focus on one in particular: the SOHOware BroadGuard Secure Cable/DSL Router.

BroadGuard at a Glance
The BroadGuard was aesthetically pleasing straight out of the box. It is fairly small, measuring 10.2 inches X 6.6 inches X 1.8 inches. The front panel is comprised of status labels and LEDs, while the back of the unit contains 4 auto-sensing 10/100 RJ-45 ports, a Cable/DSL RJ-45 port, a reset button, and a power interface.

What exactly does the BroadGuard do? The BroadGuard is a Cable/DSL router with enhanced firewall capabilities. It sits between a Cable or DSL circuit and a private network, allowing simultaneous access for home or business users, while at the same time protecting them from outside intruders.

Initial Configuration
This device was exceptionally easy to set up and get running. I literally plugged it into my DSL modem, went into the admin GUI, enabled PPPoE, entered my account information, configured my workstation to use the BroadGuard, and I was browsing away. It took less than four minutes--and most of that time was waiting for my workstation to reboot.

Key Features
Some of the most important features sported by the BroadGuard are Stateful Packet Inspection (SPI), access control and monitoring, a Denial of Service (DoS) monitor, a Demilitarized Zone (DMZ) function, built in NAT, and DHCP.

SPI is important because it tracks the state of sessions, typically TCP sessions. When SPI is implemented in any network device, the device knows which sessions were truly initiated on the inside interface, thus making it possible to drop any superfluous traffic trying to enter from the Internet. This traffic is often times generated by crackers trying to probe or DoS the internal network. The BroadGuard gets a big plus for supporting SPI.

I consider access control to be a prerequisite for buying any BroadGuard-type equipment. The BroadGuard supports restricting access to specific applications by host IP. There is also a form that lists

web sites that you don’t want anyone to be able to access. My personal preference on access control is to be able to permit access to a few specific applications and deny the rest--the "permit some, deny all" logic. Access control is handled in the opposite fashion on the BroadGuard. You deny access to certain applications and the remaining items on the list are allowed. I would like to see an option where I could simply fill in the firewall rule set myself. That way, I could really customize my rule sets.

The BroadGuard provides an Access Monitor within the admin GUI. The monitor provides a simple snapshot of internal hosts and the external machines they are connected to.

The DoS monitor is a great addition to a router in this class. After I got the BroadGuard up and running, I went to an Internet site that portscans the connecting IP to test its resiliency and security. After running this test against the BroadGuard, I promptly received an email from the monitoring system on the BroadGuard that someone had attempted a WinNuke attack on my system. The packets were discarded and the portscan site reported that not a single port or hole was responding at all. This is a great thing to see in terms of security. The device and your network look dead to the outside, which is ideal.

What If I Want to Play Games?
What’s the use of a fast broadband circuit if you can’t break out Quake--or whatever your favorite game may be--on occasion? I know that when I get the urge and I’m behind a router or firewall performing NAT, applications like GameSpy often cease to function. DirectX networking components that require the acceptance of inbound traffic on funny ports often cause this. I was very happy to see that the BroadGuard has a work-around for this. It includes support for a Demilitarized Zone (DMZ), where you allow all traffic to reach certain inside hosts. Adding hosts via the admin GUI to the DMZ was very straightforward.

The BroadGuard also supports port forwarding, which is another way to get around these kinds of problems. The admin GUI has a form where you can specify the external ports that should be forwarded to specific internal machines. The DMZ solution is easier, but port forwarding provides a greater level of security.

VPN Access
An additional function of the DMZ feature is to allow the passing of VPN traffic. A VPN is handy when you have remote users who require access to internal information, or when you need to build a VPN tunnel between offices. The BroadGuard accommodates Microsoft (Point-to-Point Tunneling Protocol) PPTP tunnels within the DMZ feature. You can add the VPN server or client into the DMZ and PPTP traffic will then be able to get through the BroadGuard.

NAT and DHCP
By default, the BroadGuard is ready to NAT all outbound connections and act as a DHCP server. Network Address Translation (NAT) is what allows a group of machines to share the same public address. The Dynamic Host Configuration Protocol (DHCP) allows new nodes to be added to the network with ease. During the boot process, the new workstation is given all the required network information, so the user can simply open up a browser and fire away.

Performance
To test performance, I started a number of large file transfers and compared them against the same file transfer times when the BroadGuard was not in the network configuration. The BroadGuard did not inject any latency into the session and performed very well.

Documentation
To be perfectly honest, I didn’t ever need to consult the documentation on a problem! The admin GUI is very intuitive, and I found the manual to be more for supplementary reference. The user guide has quite a bit of information in it and should answer any questions you may have. I know it did for me.

Likes, Dislikes, and Conclusion
If I were in the market right now for a router that could support up to 253 users behind a Cable or DSL circuit, I would purchase the BroadGuard. I really like the built-in firewall security of the BroadGuard, as well as the additional features like DHCP, a very easy to use administrative GUI, and real-time reporting via email. The initial set up could not have been easier, and the performance on the BroadGuard is great.

If I could add anything to the BroadGuard, it would be an interface to the firewall rule set that would permit me to fully customize my ACL logic.

Overall, the BroadGuard is a rock solid Cable/DSL router with a lot of security features. It is a great fit for a network of 253 nodes or less that would like to share a Cable or DSL connection.

Score Card
Installation 5
Documentation 5
Functionality 4
Ease of Use 5
Performance 5
Overall 5
Scale = 1 (lowest) - 5 (highest)

Vendor Information
SOHOware, Inc.
3050 Coronado Drive
Santa Clara, CA 95054
(800) 632-1118
http://www.sohoware.com/

About the Author
Adam Olson has been living up, down, and across California. He has helped build a successful ISP (http://www.humboldt1.com/), designed and configured portions of the California Power Network while working at MCI WorldCom, spent time at a startup in Santa Clara  (http://www.quaartz.com/), and is currently building a new company. He can be reached at mailto:[email protected].