Warp Speed Web Access: Sharing the Bandwidth
Adding broadband access to your small office is a big step toward doing business effectively over the Internet. But as soon as you fix your bandwidth problem, you run into another one: A low-cost DSL or cable modem supplies only a single port for hooking up a computer. In order to keep your ISP service costs down, you will want to connect all of your PCs to that new broadband connection--and you'll want all those networked PCs to be safe from the incursions of hackers.
What you need is an Internet router--a hardware device that lets you network multiple computers, protect them with a firewall, and connect them to the Internet.
Before DSL and cable Internet connections became popular, routers were expensive pieces of equipment designed for large-office networks. Now, however, you can buy a router that connects four computers--perfect capacity for a home or small office--for less than $200. If you already own a hub or a switch, you can purchase a less-expensive gateway product that adds firewall and connection-sharing capabilities. If you like to roam, you can connect a wireless hub to one of these routers or gateways and share bandwidth among ethernet-connected and wireless-enabled computers.
Alternatively, you could try Microsoft's Windows Internet Connection Sharing utility, but this approach requires that you keep a host computer on at all times for others to get onto the Net. In contrast, if you use a router, only that device must remain on for any of the computers it serves to access the Web.
Sharing files and printers are two obvious advantages of creating a small network, but with all your PCs connected continuously to the Internet, firewall protection becomes quite important. Nearly all of these products include firewall functions that let you decide the permeability of the connection between your network and the Internet. You can hide your PCs from the Net completely, or you can selectively open holes in the firewall to allow outside access to PCs on the internal network--a very useful capability if you want to run a Web server.
We looked at four small-office/home-office routers: Asanté's $208 FriendlyNet FR3004LC, NetGear's $161 RT314, SOHOware's $166 NBG600 Broadband Internet Gateway, and WatchGuard's $340 SOHO. We also tested Farallon's $154 NetLine Broadband Gateway, paired with a Farallon five-port switch (a $70 product that supplies network ports but doesn't offer some features--such as a firewall--that the Broadband Gateway does). At one end of the spectrum, WatchGuard's SOHO provides a number of security features for protecting small office networks, while remaining easy to configure. At the other end of the range, SOHOware's NBG600 aims at the home market, with a strong focus on documentation, parental controls, and easy setup--but with less emphasis on security.
Our Best Buy is Asanté's FriendlyNet FR3004LC. It's easier to configure than most of the competing routers, and it offers a backup modem port and an integrated print server (though we found that the print server didn't work with many printers). A less expensive version of Asanté's router, the $175 FR3004, is identical except that it lacks the last two features; it may be a better alternative until Asanté can correct the more expensive model's print server problem. For buyers who need high security, WatchGuard's SOHO costs more but provides better protection against hackers.
In our informal tests, we saw little difference in download speed among the routers--all were powerful enough to cope with several computers browsing the Web at the same time. So your buying decision should come down to the features the different units offer.
To connect to the Internet, each computer must have a unique network address (known as an IP number). Typically, however, Internet service providers furnish you with only one IP address for an inexpensive Asymmetric Digital Subscriber Line (ADSL) or cable Internet account (though you can purchase additional ones). To solve this problem, all the routers we tested depend on Network Address Translation (NAT) and Dynamic Host Configuration Protocol (DHCP) capabilities. NAT permits multiple computers to share a single, external IP address. DHCP lets the router automatically distribute hidden internal IP addresses among computers on the network: Each PC receives an assigned IP address when it boots up, thereby permitting it to connect to the Net.
Every product in our review can be used with either a static IP address (one that never changes) or a dynamic one based on a log-in routine. Most cable accounts require you to log in every time you go online; thus, they use a dynamic IP address. Many DSL accounts use a technique called PPPoE (Point-to-Point Protocol over Ethernet), which does the same thing. With a static IP address you can run a Web server or office e-mail server--even using your own domain name, if you like.
Though these products function similarly, their internal architecture differs: The WatchGuard and SOHOware routers use internal 10Base-T hubs, which allow you to transmit data at a maximum of 10 mbps; the Asanté, Farallon, and NetGear routers use more-sophisticated 10/100Base-T switches, which can transmit data at up to 100 mbps. Perhaps more important, a hub sends network data to all available ports, while a switch relays it only to the computer that is supposed to receive it. As a result, with a switch, data doesn't collide and thus slow down as much. Nevertheless, any of these products can share Internet bandwidth and still have plenty of headroom to spare, and most vendors agree that the architectural distinctions between the routers don't matter much unless your small office traffics in large files (as, for example, a graphics design studio would).
Ready, Set, Go
Most of the routers that we examined allow you to configure them via a Web browser from any computer on the LAN; the Asanté even lets you change settings from outside the firewall. The exception is NetGear's RT314: It uses a Web page wizard for basic setup, but then you must use Telnet--a text-based application--to configure its firewall. Telnet is available on many different operating systems, but it's a bear to use compared to Web-based configuration utilities. A NetGear representative told us that the company has plans to release a firmware update that will strengthen its Web-configuration capability, but this feature wasn't yet ready for us to test.
Some router vendors lean on their setup wizards just a bit too much, scrimping on documentation. Only the SOHOware NBG600 and the Asanté FriendlyNet FR3004LC come with paper manuals, quick-start guides, and electronic manuals on CD-ROM; Netgear and Farallon supply quick-start pamphlets, but no comprehensive manual. Even so, Asanté's manual isn't exactly complete. For some settings, the text warns, "Note: This feature should only be used by users with an extensive knowledge of TCP/IP." It doesn't explain these matters further, though the settings involved are important to the router's functions; for example, setting the router to allow remote administration is one task that receives this squib. Still, FriendlyNet is the easiest of the group to configure, and Asanté says that it's working to improve the manual.
The WatchGuard SOHO doesn't provide any documentation--paper or plastic (CD)--in the box. As a result, to set up the router, you must first use your existing setup to connect to the company's Web site, look up the appropriate settings, print them out, hook up the router, and then input the settings. Very convenient.
Building a Firewall
On the Internet, a port number tells a computer what type of data it's receiving. For instance, Web traffic comes in on port 80, while e-mail is retrieved through port 110. Every router we tested ships with all ports hidden from outside access, but the router automatically allows inbound traffic through any port if the data was requested by a computer on your local network. So when you access a Web site or check your e-mail, the router allows the pages and messages to reach your computer, but if an outsider attempts to access a computer behind the firewall, the router won't be able to match the attempt with a computer (because no internal request was made).
In some instances, you may want to leave certain ports unhidden. For example, to let the outside world see your Web site (running on a server behind your firewall), you must configure the router to leave port 80 open. Thereafter, the router directs all incoming traffic arriving on port 80 to the server; this technique is commonly referred to as port forwarding. You may also need to establish open outgoing ports so computers on your local network can access streaming media, game servers, or videoconferencing. To guard against hackers, who sniff the Internet looking for unprotected computers, you must leave as few network ports exposed as possible.
Unfortunately, however, the SOHOware NBG600 does not allow port forwarding. Instead, it lets you expose one computer to all inbound traffic (rendering it totally unprotected). SOHOware calls this exposed area Gaming Zone; the other routers we looked at offer similar functions. Entirely exposing one computer does not necessarily create a network-wide security risk, as long as you keep your sensitive files on computers that will remain secure. But it does mean that the NBG600 is less flexible than the other products, which allow you to expose all ports or selectively forward port requests to individual computers. SOHOware says that the router is aimed at the family market, so it doesn't focus on sophisticated firewall configurations.
To heighten security further, WatchGuard's SOHO firewall adds enhanced dynamic packet filtering. SOHO examines each arriving packet of data to verify that it was sent in response to a request submitted from inside the firewall. If the packet wasn't requested, the router rejects it. The other products here rely solely on the inherent ability of NAT to hide computers behind one network address. To gain access to a hidden computer and inflict damage, a hacker must find a way to coax the router into translating the hidden address--not an easy task, though it can be done.
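The inbound decisions described in this section (replies to internal requests, port forwarding, a fully exposed host, and stricter per-packet checking) can be modeled in a few lines of Python. This is an added example, not code from the article or from any of the reviewed products; NatRouter, forwards, exposed_host and strict are hypothetical names, the addresses are constructed samples, and the strict flag reflects an assumption that dynamic packet filtering also checks which remote host a reply comes from.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    forwards: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port)
    exposed_host: Optional[str] = None            # one fully exposed LAN host
    strict: bool = False                          # assumption: also match remote endpoint
    table: dict = field(default_factory=dict)     # public port -> (lan_ip, lan_port, remote)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN host opens a connection; record the mapping for its replies."""
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (lan_ip, lan_port, remote)
        return pub

    def inbound(self, remote, public_port):
        """Return the LAN (ip, port) that receives the packet, or None if dropped."""
        entry = self.table.get(public_port)
        if entry is not None:
            lan_ip, lan_port, expected = entry
            if self.strict and remote != expected:
                return None                       # not the peer that was contacted
            return (lan_ip, lan_port)
        if public_port in self.forwards:          # e.g. port 80 -> Web server
            return self.forwards[public_port]
        if self.exposed_host is not None:         # everything else -> exposed host
            return (self.exposed_host, public_port)
        return None                               # no request, no rule: drop

def demo():
    # Constructed sample addresses (documentation ranges), not from the article.
    web, stranger = ("203.0.113.10", 80), ("198.51.100.7", 4444)
    results = {}
    for name, strict in (("nat_only", False), ("strict", True)):
        r = NatRouter(forwards={80: ("192.168.1.20", 80)}, strict=strict)
        pub = r.outbound("192.168.1.5", 51000, web)
        results[name] = {
            "reply": r.inbound(web, pub),
            "unsolicited_23": r.inbound(stranger, 23),
            "forwarded_80": r.inbound(stranger, 80),
            "stranger_on_mapping": r.inbound(stranger, pub),
        }
    return results

if __name__ == "__main__":
    print(demo())
```

In both modes the unsolicited packet to port 23 is dropped and port 80 reaches only the forwarded server; the two modes differ only in whether a packet from an uncontacted host is accepted on a port that an internal request opened.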
WatchGuard pairs the SOHO device with its LiveSecurity service, which alerts you to potential threats and provides technical support to help ensure security. You get a year's worth of service with the router; it costs $95 a year thereafter.
Our recommendation? NAT protection should suffice for most home and small-office users. But if you're guarding trade secrets or your clients' financial files, then paying more for a packet-filtering firewall might make sense. Bear in mind, however, that going for such a heightened level of security does carry with it some additional cost. The WatchGuard SOHO permits you to connect no more than 10 users at the base price; an upgrade to connect as many as 25 users costs $199 more.
Despite their relatively low cost, the routers we reviewed offer several advanced features that improve their suitability for small-office use. All except the WatchGuard support Point-to-Point Tunneling Protocol (PPTP)--aka virtual private network (VPN) "passthrough" access--which allows computers on a network to access a company's VPN servers, but the routers themselves cannot host a VPN server. The Asanté and NetGear products also support an even more secure VPN protocol, IPSec. In its basic configuration, the WatchGuard SOHO does not support VPN access, but you can purchase a $450 version of the router, the SOHOtc, that includes VPN; or you can add such support as an option to the base model. For more information on how VPN works, consult our how-to, "Virtual Private Network."
The Asanté FriendlyNet FR3004LC offers a built-in print server: Connect a printer to the router's parallel port, and you should be able to print from any Windows PC on the network (Mac and Unix boxes can't use this feature). Unfortunately, we couldn't get the feature to work with an Epson Stylus 800 printer. Neither the router's packaging nor its documentation mentions any limitations on the type of printer, but the company has revealed that the feature works only with unidirectional printers. Some printers do allow you to disable bidirectional printing, but the Epson printer I tested would not. Furthermore, if you do turn bidirectionality off, you may lose ink-level reporting, out-of-paper warnings, and other information that the printer returns to the computer. Asanté says a future firmware update (a software download that you can use to upgrade the router's capabilities) will fix the problem. The FR3004LC also lets you hook up a modem to use as a backup in case your DSL or cable line goes down.
All of the products can create access logs to help you troubleshoot your connection or show if you've become a hacker target. WatchGuard's router permits you to upload the log to a remote server, which makes the log more secure. SOHOware's NBG600 logs Web sites--not IP addresses--so you can check on the kids' browsing habits. But the log is limited to 100 entries, and ours was clogged with entries for banner ads, not just for the pages themselves. WatchGuard offers a similar but stronger tool, WebBlocker, for an extra $49.
These routers offer a great deal of value for their relatively low cost. In coming months, look for broadband routers that incorporate wireless, USB, and/or HomePNA phone-line networking.
Alan Stafford is a senior editor for PC World.
Internet Routers: Features Comparison (chart)
|Router/Gateway|Street price (10/15/00)|Ethernet ports|Internal architecture|VPN capability|Port forwarding|Support (hours/days, charge)|Comments|
|---|---|---|---|---|---|---|---|
|Asanté FriendlyNet FR3004LC (Best Buy)|$208|4|10/100Base-T switch|Yes|Yes|9/5, toll-free|Print server (limited to unidirectional printers) and backup modem port; $175 model omits both.|
|Farallon NetLine Broadband Gateway|$154|1|10/100Base-T switch|Yes|Yes|8.5/5, toll-free|Requires separate switch or hub to serve multiple users--$70 extra from Farallon.|
|NetGear RT314|$161|4|10/100Base-T switch|Yes|Yes|24/7, toll-free|Basic configuration via Web browser; text-based Telnet required for most advanced settings.|
|SOHOware NBG600 Broadband Internet Gateway|$166|4|10Base-T hub|Yes|No|16/7, toll-free|Home focus; includes parental controls; lacks port-forwarding capabilities.|
|WatchGuard SOHO|$340|4|10Base-T hub|Optional|Yes|24/7, toll call|Best choice for business; dynamic packet filtering; notification of security threats and software updates.|