UTM, or Unified Threat Management, is one of today's trendy three-letter abbreviations. It basically means dealing with multiple types of threat to your organisation's network – viruses, spam, denial of service attacks, attempted intrusions, and so on – on a single platform (or even on a single box). The FVS338 and FVX538 are NetGear's UTM offerings for the SME market.

NetGear's Big Story – the reason we chose to look at these two products – is that as of mid-September 2005, the devices (which are both VPN-enabled firewalls) support Trend Micro's Client/Server/Messaging suite. That is, if you have the appropriate Trend server software running on your LAN, the firewalls can interface to the Trend server(s) in order to eradicate viruses and identify spam in transmissions going in and out of the network.

Before we get into the content analysis side of life, though, let's have a look at the devices in a more general sense.

First the FVS338: this is a desktop- or wall-mount unit with an external transformer, eight 10/100 LAN ports, one 10/100 WAN port, and a serial connector into which you can plug an external modem to act either as a backup link (in the event of an Internet failure) or a single-user remote access server.

The FVX538 is wider (and rack-mountable), with eight 10/100 LAN ports, one Gigabit LAN port, and a pair of 10/100 WAN ports. There is a serial connector, but on this model it's for last-resort command-line admin and console output monitoring (the unit runs on a Unix-style core) rather than modem dial-up.

Both units are sufficiently meaty for medium-size organisations (50Mbit/sec throughput and 2,000 concurrent sessions on the FVS338; 90Mbit/sec and 10,000 sessions on the FVX538), there are no limits on the number of concurrent users, and the FVX538 (though not the FVS338) can have multiple WAN-side IP addresses.

The admin interface is similar to most NetGear routers and firewalls, in that it's Web-based and simple to comprehend. By default you can only manage it from "inside" the LAN, though if you wish you can turn on remote monitoring and limit connections to a specific address or address range. The two units are nigh on identical when it comes to management, the only significant difference being that you have more choice on the FVX538 because of its multiple WAN interfaces and multiple external addresses.

As with most firewalls you define your filtering rules based on both built-in "standard" services (SMTP, FTP, etc) and user-defined "custom" services. In addition to this standard packet-filtering stuff, you also get DoS protection and the ability to block communications based on site, payload type (e.g. Java or ActiveX components), and even keywords in content.

Your internal workstations can be grouped together (the system permits up to eight groups to be defined) and filters can be defined as "always allow", "always block" or "allow/block based on this schedule". The logging function's pretty configurable too, though as with most devices like this you'll need to run up a Syslog server if you want to make life easier for yourself (I usually use the one from Kiwi Enterprises).

The VPN functions are no easier to configure than on any other firewall, but they're no harder either. As I always say, much of the difficulty with VPN configuration is due not to bad GUI design but to the simple fact that it's a complex concept so you have to work through a lot of steps. (To NetGear's credit they've tried to simplify the process of setting up a basic VPN policy by making it wizard-based.) The devices have internal user databases, but can use external RADIUS servers where they're available.

The diagnostic side of life is better than average, too. Firmware updates are done by uploading a file through the GUI, and the Diagnostics screens of both units have not just the usual stuff such as "ping" and "traceroute" but also a packet capture utility, which is a nice touch.

So, on to the UTM side – the Trend integration. It's simple to use (you just point the firewall at the Trend server and you're done) and I suppose if it blocks something at the border of the network instead of letting it into the corporate LAN, then that's a good thing. In that sense, then, it's useful. My feeling is, however, that the marketing people decided to promote the whole UTM thing when someone said: "Hey, we need to be in the UTM market" over a few beer shandies one lunchtime, which perhaps detracts from the excellence of these devices as inexpensive, advanced "traditional" firewalls.

In summary, then, if you want a basic firewall that does state-aware packet filtering plus other nice stuff such as elimination of DoS and TCP flood attacks, and which can even activate a back-up analogue or ISDN dial-up connection when the Internet connection dies, don't muck about looking around – just buy an FVS338.

If you need multiple external IP addresses or you like something more robust with a terminal connection on which you can watch low-level diagnostics, buy an FVX538. I did the latter for one of my clients some time ago, in fact, and it's the best investment he's made this year.

If you happen to have a Trend server, tick the box on the NetGear GUI and point it at the Trend box. Just bear in mind that these are both cracking products in their own right – so just because you're not a Trend user, don't be put off.


I've said it already, but I'll say it again: the UTM label (specifically the Trend integration) is merely a nice-to-have; these are excellent units even if you don't turn on the spam/AV stuff.