Netgear Cable/DSL ProSafe Wireless VPN Security Firewall

Model: FVM318
Price: $799
4 out of 5

Many if not most broadband routers offer various levels of security and management
functions. However, many of these same products distinguish themselves by an
attractive price and easy setup, and to satisfy both requirements, the inclusion
of comprehensive security and management capabilities is often not a priority.

Netgear’s FVM318 takes a decidedly different approach. The FVM318 is of course
a broadband SOHO router, but Netgear eschews this term in the product’s name,
going instead with the descriptive and verbose nomenclature of Cable/DSL
ProSafe Wireless VPN Security Firewall.

Clearly the intent here is to communicate that security is a major, if not
the primary, focus of the product. It didn’t take much time working with it
to realize that this was in fact the case. The FVM318 puts security and management
front and center on the list of features.

Not surprisingly, these capabilities don’t come without some cost – literally.
At a street price of more than $700, the FVM318 is anywhere from four to six
times more than a typical SOHO WLAN router.

The FVM318 uses Netgear’s blue metal chassis rather than the more aesthetic
plastic one used by more recently released Netgear products. A single removable
dipole antenna rises from the back of the unit. Next to it can be found eight
10/100 ports, rather than the more typical four. The indicator lights on the
front of the unit are logically laid out and well spaced for easy readability.

As far as WLAN capabilities are concerned, the FVM318 makes do with ordinary
802.11b, so it’s not going to win any wireless throughput contests. Of course,
in business, slow and steady wins the race, so a product like this with draft
802.11g support would probably be anathema to its intended audience.

The FVM318 supports the obligatory two WEP levels, but it can also encrypt
WLAN connections using IPSec. This offers two major benefits. First, when securing
your WLAN with IPSec, you have the choice of several robust encryption algorithms,
including 3DES, plus AES with 128-, 192-, and 256-bit cipher strengths. Moreover,
IPSec encrypts the entire IP packet–not just the data payload like WEP does.

Another distinguishing feature of the FVM318 router compared to lesser models
is that it functions not only as a VPN passthrough, but as an endpoint as well.
As a result, the router can establish VPN sessions with remote clients directly,
rather than simply acting as a conduit between a client and a separate VPN server
on the LAN.

For the small enterprise that the FVM318 is targeted to, this approach carries
obvious benefits, not the least of which is simplified setup and configuration
of VPN settings, which can often be daunting with OS-based or third-party VPN

Because the encryption necessary to maintain VPN or WLAN connections involves
a significant amount of processing overhead, the FVM318 has a dedicated co-processor
to handle such matters, ensuring that overall router performance doesn’t suffer
at the hands of encryption calculations.

Like any router worth its salt, the FVM318 has a built-in DHCP server, but
this one has two added features not typically found. One is the ability to put
a WINS server address in the DHCP scope–often needed for NetBIOS resolution
on Windows networks. The other is the ability to define reserved addresses in
the DHCP scope. This gives you a consistent IP address for something like a
printer, while still allowing the address to be managed globally through DHCP.

One of the most useful features of the FVM318 is the diagnostics page. This
page presents an array of troubleshooting tools, the equivalent of ping, nslookup,
and tracert. While these capabilities can also be accessed via the Windows command
line, having them built into the router can make troubleshooting easier, especially
when you’re trying to determine whether connectivity problems are the fault
of your router or your ISP.

The FVM318 also gives you a little more flexibility than normal when it
comes to remote management. You can of course specify a router port number for
remote access as well as a remote IP address, but the FVM goes a step further and
allows you to specify an entire IP range. This is helpful when you might have
more than one individual at a support organization (or satellite office) that
might need access to the router in the event of trouble.

Another example of the security-conscious focus of the FVM318 is that the administrator
console has a configurable timeout value (the default is 5 minutes) to help
prevent unauthorized passers-by from accessing the console on an unattended
machine. (But you’d never leave the browser console open and unattended, would

The FVM318 offers strong logging and alerting functionality. It’s one of relatively
few routers that can be configured to immediately send e-mail security alerts,
or simply send logs periodically according to a customizable schedule. The information
recorded in those logs, incidentally, is customizable as well, and you can send
them to a Syslog server for offline viewing.

Controlling access to the Internet from the LAN is important to most administrators,
and in this regard, the FVM318’s capabilities are as good as any I’ve seen.
In addition to filtering Web access by keyword or domain name, you can block
things like ActiveX, Java, and cookies. Of course, filtering these site components
is often not practical, since many legitimate sites make use of them.

All of the access controls can be governed by a time-based schedule, and the
FVM318 lets you define one "trusted" IP address that will not be bound
by the access controls, which comes in handy for the boss (or at least the administrator).

Given that the FVM318 for all intents and purposes is identical to Netgear’s
FVS318 but for the addition of WLAN capability, there’s not a whole lot to say
about the WLAN side of the product.

The FVM318’s WLAN throughput was solidly in the 4 Mbps range, very much commensurate
with an 802.11b product. Since I tested the FVM318 using a D-Link DWL-650+ client,
the throughput figures were slightly higher than normal owing to the performance
benefit of the TI chipset’s PBCC signaling method.

Of more interest was how the wireless throughput would fare when secured via
IPSec. You can secure WLAN sessions by using SoftRemote by SafeNet, which is
included on the CD. Setting up an IPSec security
association between the FVM318 and a client wasn’t difficult, requiring only
about five minutes per machine. In order to make a remote VPN connection, you
need another piece of SafeNet client software which is not included with the
FVM318. It costs $149 per copy, and the price drops to $99 with 10 or more copies.
I wasn’t able to get the VPN client built into Windows 2000/XP to work with
the FVM318, evidently owing to a difference in supported encryption methods.

Back to WLAN performance. As it turns out, there was an IPSec performance penalty,
but it was minimal. With IPSec enabled and using 256-bit AES encryption, the
throughput at 10 feet was 4.28 Mbps, compared to 4.95 Mbps without encryption.
(The router remained in the 4 Mbps realm throughout the distance testing.) Using
128-bit WEP the throughput was 4.64 Mbps, so while the security delta between
the two forms of encryption is wide, the performance delta was minimal.

It bears mentioning that Netgear claims the FVM318 can handle 32 WLAN IPSec
tunnels plus 70 remote VPN tunnels at the same time, for a total of 102 simultaneous
tunnels. I certainly can’t verify that, but it’s worth mentioning that Netgear
also claims 4.2 Mbps throughput out of an IPSec WLAN session, which was borne
out by the results above.

In my view, the FVM318 nicely fills the gap between SOHO wireless router products
and the higher-end enterprise devices which offer more advanced features but cost
considerably more and often are much more difficult for non-technophiles to
set up and maintain.

If the best possible wireless performance is not your primary concern but you
need a router with more sophisticated management and security features, the
FVM318 may very well be the router for you.
