NetGear SRX5308: Gigabit UTM for small offices

More and more companies today face the task of giving employees secure access to their own information resources and of linking branch offices to head office over secure Internet channels. The industry offers such customers affordable, high-performance all-in-one devices whose job is to keep the corporate network running securely around the clock, to improve staff productivity, and to protect the company's internal and external information resources. Today we look at one such device from NetGear.

Netgear SRX5308

The NetGear SRX5308 firewall is aimed at companies that need fast communication channels. Its four WAN ports support two session-level load balancing modes as well as failover for fault tolerance. The ports cannot be aggregated to increase throughput, but a connection of up to 1 Gbit/s on each of the four WAN ports is more than enough for small companies, especially in our country; load balancing and a fault-tolerant configuration matter far more. And, of course, what matters most to many buyers is the performance of the internal architecture, which is rated for 1 Gbit/s even in stateful packet inspection (SPI) mode.

The NetGear SRX5308 supports up to 125 IPsec VPN tunnels or up to 50 SSL VPN tunnels. Is that a lot or a little? Let us just say that for a company with a dozen branches and several hundred employees it is enough. But first, the device itself. It comes in a compact 1U steel case, and rack-mount brackets are included in the box.


On the front panel, four LAN and four WAN ports are evenly spaced, along with several indicators. A separate LED shows whether LAN port 4 is operating in DMZ mode, evidently so that you do not accidentally connect a private resource to the public zone. That is all there is. On the back are an RS-232 console port, a hardware reset button, the power socket and a Kensington lock slot.


A single small fan blows air through the case from left to right. In operation the NetGear SRX5308 is clearly audible, so it is better installed in a closed network cabinet.


Opening the lid reveals a fairly uncluttered board with two heatsinks that passively cool the processors. The firewall has 512 MB of memory, which lets it track a large number of simultaneous connections: up to 200,000, as a reminder.

Configuration and web interface

Out of the box, the NetGear SRX5308 is configured for simple Internet access with basic traffic filtering. Settings are made through the web interface, which strikes us as overly elaborate, with its nested tabs.

To begin with, you choose how internal addresses are handled: NAT or plain routing. When configuring the WAN ports you can set up a failover configuration or load balancing, and the options do not end there: in the advanced settings you can set a bandwidth limit on each WAN port, so that the allowance bought from each of the four providers is used up evenly.
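The paragraph above lists three things a multi-WAN gateway does with its uplinks: failover, session-level load balancing and a per-port bandwidth cap. As an added example (not code from this review or from Netgear, and not a claim about how the SRX5308 implements it), here is a small Python model of how those three fit together. The mode names, link names, addresses and traffic figures are assumptions made for illustration; the one property every such gateway must have is shown in `assign`: a session, once started, stays on one WAN link until that link fails.

```python
"""Per-session multi-WAN selection: load balancing with failover.

Added example for this review. It is not Netgear firmware and does not claim to
reproduce the SRX5308's algorithm; the mode names, link names and traffic
figures are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A session is identified by its 5-tuple: proto, src ip, src port, dst ip, dst port.
Session = Tuple[str, str, int, str, int]


@dataclass
class WanLink:
    name: str
    limit_mbps: int            # per-port bandwidth cap, as set in the WAN settings
    up: bool = True
    load_mbps: float = 0.0     # traffic currently pinned to this link


class MultiWan:
    """Pins every session to one WAN link and re-pins only when that link fails.

    Stickiness matters behind NAT: if the packets of one TCP session left through
    two different public IPs, the remote server would see two unrelated peers.
    """

    MODES = ("failover", "round_robin", "weighted")   # assumed names, not Netgear's

    def __init__(self, links: List[WanLink], mode: str = "weighted"):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.links = links                            # list order = failover priority
        self.by_name = {l.name: l for l in links}
        self.mode = mode
        self.table: Dict[Session, Tuple[str, float]] = {}   # session -> (link, mbps)
        self.rr_counter = 0

    def set_link_state(self, name: str, up: bool) -> None:
        self.by_name[name].up = up

    def _choose(self) -> WanLink:
        alive = [l for l in self.links if l.up]
        if not alive:
            raise RuntimeError("all WAN links are down")
        if self.mode == "failover":
            return alive[0]                           # highest-priority live link
        if self.mode == "round_robin":
            link = alive[self.rr_counter % len(alive)]
            self.rr_counter += 1
            return link
        # weighted: lowest utilisation relative to the configured cap, so that a
        # 100 Mbit/s and a 20 Mbit/s uplink fill up in proportion to their limits.
        return min(alive, key=lambda l: l.load_mbps / l.limit_mbps)

    def assign(self, s: Session, mbps: float) -> str:
        """Return the name of the WAN link that carries session `s`."""
        if s in self.table:
            cur_name, cur_mbps = self.table[s]
            if self.by_name[cur_name].up:
                return cur_name                       # existing session stays put
            self.by_name[cur_name].load_mbps -= cur_mbps   # link died: move the load
        link = self._choose()
        link.load_mbps += mbps
        self.table[s] = (link.name, mbps)
        return link.name


def demo() -> Dict[str, str]:
    """Constructed scenario: two uplinks with different caps and three flows."""
    wan = MultiWan([WanLink("WAN1", 100), WanLink("WAN2", 20)], mode="weighted")
    flows = {
        "mail":   (("tcp", "192.168.1.10", 51000, "198.51.100.5", 993), 10.0),
        "voip":   (("udp", "192.168.1.20", 16384, "203.0.113.9", 5060), 2.0),
        "backup": (("tcp", "192.168.1.30", 40000, "198.51.100.7", 443), 60.0),
    }
    return {name: wan.assign(sess, mbps) for name, (sess, mbps) in flows.items()}


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the model. First, failover moves a session to a different public IP, so the remote peer sees a new source address: existing TCP and IPsec sessions are not transparently preserved, they have to be re-established. Second, the "weighted" mode only balances well if the configured limits match what the providers actually deliver, which is why the per-WAN bandwidth setting is worth filling in accurately rather than leaving at a default.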

Netgear SRX5308 Menu

Naturally, each WAN port can be assigned its own DynDNS account, but unfortunately no other dynamic DNS providers are supported.

Port set-up

Port forwarding from WAN to LAN can be configured for whole ranges of IP addresses at once, both public and private. This makes it easy to set up VoIP services, messengers and other network applications at the level of individual IP addresses on your network.

VLAN setup

The local network can be organised more flexibly using VLANs, including the ability to bind VLANs tightly to the firewall's physical ports. Ports can be grouped into virtual networks, with up to 254 VLANs in total, and simple grouping of LAN ports is also available. Interestingly, the LAN ports are already members of a default VLAN out of the box, so working with VLANs from the start makes it easier to build a complex office network with the required security settings.

Service Blocking


Firewall configuration is, on the whole, powerful, but not as much as we would like. You can define services by port, specify ranges of local and public IP addresses, and apply QoS. Enterprise-class devices today already offer intelligent services that block access to sites by category, as well as real-time antivirus. Bear in mind, though, that such real-time filters require considerable processor resources (just recall how an antivirus slows down your PC), so NetGear reserved that functionality for its higher-end, and therefore more expensive, UTM models. The NetGear SRX5308 can filter proxy servers, Java applets, ActiveX and cookies. There is also protection against TCP and UDP flooding, an option to disable ping responses, and a stealth mode. To restrict access to sites you can set keywords that block unwanted sites, although, frankly, a starter list of unwanted keywords and trusted sites would not have hurt.
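The features named here (stateful packet inspection, port forwarding from the previous section, TCP flood protection, disabling ping responses and stealth mode) are all aspects of one mechanism: the gateway keeps a connection table and judges every inbound packet against it. The following is an added example for this review, written in Python; it is not the SRX5308's firmware and does not reproduce Netgear's state machine or thresholds. The packet representation, the per-source half-open limit, the addresses and the sample traffic are all constructed for illustration.

```python
"""Minimal stateful packet inspection with SYN-flood limiting and stealth mode.

Added example for this review. It is not the SRX5308's firmware: the packet
representation, state machine, threshold and sample traffic are constructed
here to show what "stateful inspection", "block TCP flood", "disable ping
response" and "stealth mode" amount to on any gateway of this class.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Key = Tuple[str, int, str, int]      # (src, sport, dst, dport) of the connection initiator


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""                   # TCP flags as letters: S, A, P, F, R
    inbound: bool = False             # True = arrived on a WAN port, False = sent from the LAN


class StatefulFirewall:
    """Accept from the WAN only replies to known connections or SYNs to forwarded ports."""

    def __init__(self, forwards: Set[Tuple[str, int]], max_half_open_per_src: int = 3,
                 stealth: bool = True, answer_ping: bool = False):
        self.forwards = forwards                   # (LAN ip, port) pairs reachable from the WAN
        self.max_half_open_per_src = max_half_open_per_src
        self.stealth = stealth
        self.answer_ping = answer_ping
        self.conns: Dict[Key, str] = {}            # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED

    def _unsolicited(self, p: Packet) -> str:
        # Stealth mode: discard silently instead of answering with RST/ICMP unreachable,
        # so a port scan cannot distinguish a filtered port from a dead address.
        if p.inbound and not self.stealth:
            return "reject"
        return "drop"

    def filter(self, p: Packet) -> str:
        """Return 'accept', 'drop' (silent) or 'reject' (answered with RST/ICMP)."""
        if p.proto == "icmp":
            if p.inbound:                          # "disable ping response" on the WAN side
                return "accept" if self.answer_ping else "drop"
            return "accept"
        fwd: Key = (p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns:                      # initiator -> responder direction
            state = self.conns[fwd]
            if "R" in p.flags or "F" in p.flags:   # teardown simplified: first FIN/RST ends tracking
                del self.conns[fwd]
                return "accept"
            if state == "SYN_SENT":
                return "accept" if p.flags == "S" else "drop"   # only a SYN retransmit is valid here
            if state == "SYN_RECEIVED" and "A" in p.flags:
                self.conns[fwd] = "ESTABLISHED"    # third step of the handshake
                return "accept"
            return "accept" if state == "ESTABLISHED" else "drop"
        if rev in self.conns:                      # responder -> initiator direction
            state = self.conns[rev]
            if "R" in p.flags or "F" in p.flags:
                del self.conns[rev]
                return "accept"
            if state == "ESTABLISHED":
                return "accept"
            if "S" in p.flags and "A" in p.flags:  # SYN-ACK (or its retransmit)
                self.conns[rev] = "SYN_RECEIVED"
                return "accept"
            return "drop"                          # data before the handshake completed
        if "S" in p.flags and "A" not in p.flags:  # a new connection attempt
            if p.inbound:
                if (p.dst, p.dport) not in self.forwards:
                    return self._unsolicited(p)
                half_open = sum(1 for k, s in self.conns.items()
                                if k[0] == p.src and s != "ESTABLISHED")
                if half_open >= self.max_half_open_per_src:
                    return "drop"                  # TCP (SYN) flood limiter, per source address
            self.conns[fwd] = "SYN_SENT"
            return "accept"
        return self._unsolicited(p)                # anything else with no matching state


def demo() -> List[str]:
    """Constructed traffic: one legitimate LAN session, Internet probes, a SYN flood."""
    fw = StatefulFirewall(forwards={("192.168.1.50", 443)}, max_half_open_per_src=3)
    lan, srv, dmz = "192.168.1.10", "198.51.100.5", "192.168.1.50"
    attacker, client = "203.0.113.66", "198.51.100.20"
    packets = [
        Packet("tcp", lan, 51000, srv, 443, "S"),                        # 1 LAN host opens HTTPS
        Packet("tcp", srv, 443, lan, 51000, "SA", inbound=True),         # 2 server SYN-ACK
        Packet("tcp", lan, 51000, srv, 443, "A"),                        # 3 handshake completes
        Packet("tcp", srv, 443, lan, 51000, "PA", inbound=True),         # 4 reply data
        Packet("tcp", attacker, 40000, lan, 445, "S", inbound=True),     # 5 probe of an SMB port
        Packet("icmp", attacker, 0, lan, 0, inbound=True),               # 6 ping from the WAN
    ]
    # 7-11: five SYNs to the forwarded DMZ port that never complete the handshake
    packets += [Packet("tcp", attacker, 1000 + i, dmz, 443, "S", inbound=True) for i in range(5)]
    packets.append(Packet("tcp", client, 60000, dmz, 443, "S", inbound=True))  # 12 another client
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for n, verdict in enumerate(demo(), 1):
        print(n, verdict)
```

Two points the model makes visible. The flood limiter only protects what is reachable: SYNs to a non-forwarded port are already discarded by the connection table, so "block TCP flood" matters mainly for DMZ and port-forwarded hosts, and a per-source threshold is defeated by spoofed or widely distributed sources, which is why real implementations also cap half-open entries globally and age them out. And stealth mode changes only the answer to unsolicited packets, not whether they are filtered; it buys time against scanners, not protection against a rule that is too permissive.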


The most important function of devices in this class is building high-performance VPN tunnels, either between two such gateways or between a client and the gateway. Up to two WAN ports can be used in failover mode for them. The interface is simple enough that even an untrained person can create a secure VPN connection. As a reminder, up to 125 VPN connections are available at up to 180 Mbit/s. And if your organisation does not allow VPN pass-through for security reasons, you can restrict it for IPsec, PPTP and L2TP. For authentication, Active Directory, LDAP, RADIUS, WiKID, MIAS, NT domain and the local user database are supported.

VPN tunnelling

For SSL connections there is a facility for uploading and generating certificates. Up to 50 SSL connections can be established, at up to 21 Mbit/s.


Overall, the setup takes some time to learn, mostly because of the confusing menu navigation. The web interface also lacks a single status page that would show all the information at once.

Test results

OK, on to testing. Two computers with Intel PRO/1000 PT Gigabit network adapters were used.

Configuration 1:

  • Intel Core i7 860
  • 8 GB DDR3 RAM
  • 160 GB VelociRaptor
  • Windows 7 Professional

Configuration 2:

  • Intel Xeon 3220
  • 4 GB RAM
  • 1000 GB Hitachi 7200 RPM
  • Windows 7 Professional

The computers were connected with CAT5 cabling, after which the IxChariot 6.70 High_Performance_Throughput script was run with Transactions per Second set to 100.

The maximum LAN-to-LAN speed is close to the physical limit of the interface, but on the WAN side, even with a PPPoE connection, the speed drops by a factor of 1.5. That is a bad sign for high-speed applications that do their encryption at the application level. We are more interested in VPN throughput, however, and here the IPsec performance lets us say that Gigabit VPN gateways are now a justified purchase.

About price

The average retail price of the Netgear SRX5308 is $550, which makes it the most affordable Gigabit firewall to date. Devices of this kind usually cost from 30,000 rubles, and if you look at network equipment with two or more WAN ports, prices start at 11,000 rubles, so even considered simply as a fault-tolerant Internet access solution for the office, the Netgear SRX5308 looks very attractive.

Conclusions

Equipment for linking offices over secure channels is usually expensive, and a significant share of such devices is still 100-megabit. The secret of the Netgear SRX5308 is simple: it has a modest processor, so WAN throughput drops as soon as ACL filtering is enabled, let alone VPN. But for small companies that cannot afford Gigabit Internet channels yet need VPN access to the corporate network, even a 32-megabit connection is a blessing, and saving substantially at the network-building stage is essential.

An important advantage of the Netgear SRX5308 is that the device is genuinely complete: you get all its functionality for its whole service life, with no add-on modules and no licence fees. You do not have to pay for more VPN connections as your business grows, or for more VLANs, of which there are already enough.

The disadvantages of Netgear SRX5308 include:

  • relatively low WAN performance
  • lack of built-in antivirus
  • overly complicated settings menu

The advantages of Netgear SRX5308 include:

  • very favorable price
  • good functionality
  • ready to work without additional licenses

For small companies that want to join several offices into a single network and let employees work remotely, the Netgear SRX5308 is an option to which it is very hard to find an alternative. A great purchase.

Michael Degtjarev (aka LIKE OFF)
26/02/2011

