Wireless routers, network storages, IP-cameras, switches, thin clients and even anti-vandal enclosures have all been the subject of our reviews. However this is the first time we’ve had a specialized network protection devices in our testing lab. Certainly, network hardware vendors are greatly concerned about their devices resistance against hacking and they even sometimes relay to their routers and switches the functions of a firewall. Today in our lab there’s a specialized network device that allows you to protect nodes behind it, to balance load and to provide fault-tolerant access to the internet. NETGEAR SRX5308 – is a firewall with four LAN-ports and four WAN-ports for connecting to ISPs. Let’s have a closer look at it.
NETGEAR SRX5308 is performed in a metal case whose dimensions are 330*43*209 mm. The firewall can be mounted onto a rack or put on a table.
There are ventilation grates on one of the side panels and a fan on the other.
The upper lid only has an embossed vendor’s name; on the bottom there’s a sticker with brief information about the device and places for rubber stands.
The rear panel has a power slot with a switch, a Kensington lock, a DB-9 port for console administration and a sunk Factory Defaults button for returning all settings to default.
On the front panel there’re eight Gigabit Ethernet interfaces: four LAN and four WAN ones with light indicators of their status. SRX5308 general status is depicted with the help of two LEDs: Power and Test. Also the front panel displays the device model and its vendor.
Now let’s peep inside the device.
SRX5308 electronic filling consists of three textolite boards. One of them is supplementary and is intended for pinouting light indication to the device front panel.
The second board performs the functions of a power supply.
From the scheme above its obvious that SRX5308 can’t boast routing speeds over 1 Gbps because for this it has to channel traffic though the CPU whose interface capacity is only 1 Gbps. In duplex transmission 1 Gbps is the maximum overall transmission speed in both directions.
Here we’re though with our brief review of SRX5308 hardware; let’s move on to its software.
To upgrade NETGEAR SRX5308 firmware one has to turn to the Settings Backup & Upgrade point of the Administration menu in the web-interface. There you have to choose the file with a new firmware version and click on Upgrade.
The whole process takes about four minutes.
Unfortunately, at the moment the NETGEAR NMS200 network equipment management system doesn’t support SRX5308, consequently, centralized firmware upgrade in firewalls at hand is difficult.
NETGEAR SRX5308 web-interface can be accessed with the help of most modern browsers; however, for some of them you’ll have to turn on support of out-of-date encryption schemes. For instance in Firefox, one will have to go to a special page about:config and to click OK in the pop-up window. Among the settings choose security.ssl3.dhe_rsa_des_sha and change it to true. This peculiarity exists only in devices imported into Russia and is connected with the fact that by default, the function of data encryption with the help of cryptosecure algorithms is disabled. After firmware upgrade that requires the use of standard encryption algorithms (including SSL), it’s possible to connect without these gimmicks.
To enter, one has to specify his/her login and password which are by default login and password, respectively.
We’ve already seen a similar colour scheme in other NETGEAR products like in the GS108PE switch. After entering account data the user gets to the Monitoring-Router Status-Router Status page. All menu points and items are located at the top of the page.
Now let’s study the most interesting features of the SRX5308 web-interface.
The WAN Settings point of the Network Configuration menu contains the WAN tab – with its help the administrator can configure each of the four WAN-interfaces of the firewall. Static IP-addresses, dynamic configuration via DHCP, PPPoE and PPTP are all supported. According to the vendor’s claims, L2TP that is so popular in Russia will be also added. Besides the parameters above, several secondary IP-addresses can be configured in the interface.
The WAN Mode tab allows turning NAT on and off as well as choosing the mode of using one or several WAN-interfaces – for balancing or fault-tolerance.
Balancing based on the traffic type can be configured with the help of the Protocol Binding menu point. For example, voice traffic can be transmitted through WAN1 whereas all other types of traffic will go through WAN2.
For each WAN interface it’s possible to configure dynamic DNS registration on servers for Dynamic DNS, DNS TZO, DNS Oray and 3322 DNS services.
The tabs of the LAN Settings item allow the user to manage virtual networks and IP-addresses of SVI-interfaces and to administrate DHCP-server parameters for nodes connected to LAN-interfaces and node groups. Besides these features LAN Settings allows the administrator to count traffic to/from certain nodes.
If necessary, the administrator can place a certain node in the demilitarized zone for which he will have to turn to the DMZ Setup point and specify additional parameters of the server in question.
The settings of static and dynamic routing are collected in the Routing point. We find it very surprising that other protocols of dynamic routing like OSPF are not supported in such a device.
The quality of service can be managed in the QoS point.
Now let’s see what the points and tabs of the Security menu are capable of.
You can specify services, QoS profiles and IP-groups with the help of the Services item tabs. This specification is required for easy firewall configuration. Also SRX5308 allows setting up to three different schedules according to which certain rules will be applied. The settings in question are available in the Schedule point.
To administer the rules of accessing LAN, WAN and DMZ segments, one will have to turn to the first three tabs of the Firewall point.
Additional filtering parameters and session limitations for transport protocols are available to administrators in the Attack Checks, Session Limit and Advanced tabs.
MAC-address-based filtering is enabled in the Address Filter point. Also here you’ll see the ability to statically bind MAC and IP-addresses.
Bandwidth limits for certain profiles are configured in the Bandwidth Profile point.
Rules of content filtering are available in the same-name point.
Creation, edition and deletion of IPSec and SSL tunnels is performed with the help of items and tabs of the VPN point. It’s worth noting that for IPSec tunnels SRX5308 supports both the client mode and site-to-site connections. Besides, the firewall can address a remote RADIUS-server for authentication of connecting users.
Local users and groups are administered with the help of the Users point.
With the help of the Administration group one can manage access to the device via HTTPS, telnet and SNMP, save and recover user settings, upgrade firmware as well as synchronize time with remote NTP-servers.
The Router Status item of the Monitoring menu depicts brief information about the device itself, details about physical ports and virtual network interfaces.
For each of the four WAN-interfaces it’s possible to configure monthly traffic limiting and counting. The corresponding settings are available in the Traffic Meter point.
Whenever a network problem comes up the administrator can turn to the Diagnostics point to perform a number of diagnostic actions.
The Web Support menu gives us access to the documentation and the knowledge base for the device at hand.
Here we finish the web-interface review.
Command line interface review
From LAN-interfaces the command line is always available via Telnet; access can’t be prohibited in the web-interface. From the browser one can only manage access from WAN-interfaces. So, let’s start. The login and password are the same as for the web-interface.
SRX5308 login: admin
Welcome To The Netgear SRX5308 Command Line Interface
Invalid number of arguments(less)
Unfortunately, the vendor doesn’t provide any manual for the SRX5308 command line; meanwhile its construction is peculiar at the very least – anyone used to Cisco-like command lines will have to learn afresh. With the help of the ls command the administrator can get the list of commands and their groups.
SRX5308$ help ls
Lists the available commands and groups in the current heirarchy
admin/ netConf/ cliErrno help verbose saveConfig
bwLimit/ vpn/ cls ls ping
fw/ alias exit pwd reboot
monitor/ cd fileExec script resetConfig
You can jump from group to group by executing cd.
SRX5308$ cd admin
ExternDbStatus/ remoteMgmt/ firmStatus
ExternalAuth/ snmp/ loginTimeoutGet
externUserDb/ sslLocalUserdbStatus/ loginTimeoutSet
language/ sslvpn/ resetConfig
localDbStatus/ timezone/ saveConfig
The admin group allows managing users and their groups, authentication procedures and control sessions idle time, access via HTTP(s), telnet, SNMP; time synchronization; getting information about the current firmware as well as saving all changes performed.
admin$ cd remoteMgmt/
config show tr69ConfSet tr69Show
<shttpStatus> <shttpAccessType> <shttpStartAddr> <shttpEndAddr> <shttpPort> <act
iveWan> <telnetStatus> <telnetAccessType> <telnetStartAddr> <telnetEndAddr>
1 0 0.0.0.0 0.0.0.0 443 - 0 0 0.0.0.0 0.0.0.0
0 - - - tr-069 tr-069 dps dps 0 127.0.0.1 user passwd
admin$ cd snmp/sysInfo/
admin netgear SRX5308
admin$ cd timezone/
config get rebootTimeSet
<status> <timezone> <daylight> <ntpmode> <manualtimeset> <hour> <minutes> <secon
ds> <day> <month> <year> <useDefServers> <primaryServer> <secondaryServer> <stra
tum> <vpnpolicy> <reSyncNtpVal> <reboottime> <time>
1 33 0 0 0 0 0 0
0 0 0 1 time-f.netgear.com time-g.netg
ear.com 10 0 120 946877041
Current Time: Mon Jan 03 08:23:21 GMT+0300 2000
admin$ loginTimeoutSet timeout 10 domainName geardomain
The bwLimit group is intended for managing available bandwidth.
SRX5308$ cd bwLimit/
add edit pktDrpCntShow status
delete pktDrpCntShow show statusGet
Bandwidth Profiling Status
bwLimit$ add test
invalid input argument - test
add <bwProfName - STRING>
<bwMinBw0 - INT>
<bwMaxBw0 - INT>
<bwMinBw1 - INT>
<bwMaxBw1 - INT>
<bwType - INT>
<bwInst - INT>
<bwDirection - INT>
Firewall rules, MAC and IP-address binding, attack detection parameters as well as quality of service and UPnP are all administered with the help of the commands in the fw group.
SRX5308$ cd fw
alg/ ipGrp/ mac/ qos/ sched/ upnp/
groups/ ipMacBind/ ptrgr/ rules/ svc/ web/
fw$ cd alg
fw$ cd ipMacBind/
add edit enable
delete emailLogStatusGet ipMacTblGet
disable emailLogStatusSet pktDropCountGet
error: Invalid argument
ipMacBind$ add test
invalid input argument - test
add <ipMacBindName - STRING>
<status - INT>
<ipAddr - IPV4ADDR>
<mac - STRING>
<logEnable - INT>
fw$ cd rules/
attackChecks/ conntrack/ dmzWan/ lanDmz/ lanWan/
fw$ cd upnp
confSet confShow portMapShow
UPnP Configuration Settings
Status | ADV Period | TTL
0 | 30 | 4
fw$ cd web/
keyword/ trustedDomain/ blockWebComp status
Display the status of web components blocking
Block Web proxy : 0
Block Java : 0
Block Activex : 0
Block cookies : 0
The monitor group gives the administrator access to the log and the data on the built-in traffic meter as well as a number diagnostic commands among which there’re tcpdumpStart and tcpdumpStop for traffic capturing.
SRX5308$ cd monitor/
diag/ firewallLogs/ trafficMtr/ vpnLogs/
monitor$ cd diag/
arpDel nsLookup reboot tcpdumpStart traceRoute
arpShow ping routeDisplay tcpdumpStop
<interface> <dst> <mask> <gw> <metric>
defaultVlan 192.168.1.0 255.255.255.0 0.0.0.0 0
SRX5308 network interfaces’ settings are presented in the netConf group; virtual private networks are managed with the help of the vpn group.
dmzSetup/ lanGrps/ netQos/ vlan/
duplex/ lanSetup/ routing/ wan/
netConf$ cd lanSetup/
lanSetup$ cd lanStatic/
ifConf ifLShow ipAConf ipAEdit ipAShow
ifDel ifShow ipADel ipALShow
2 1 192.168.1.1 255.255.255.0
0 0 10.1.1.2 255.255.255.0
netConf$ cd vlan/
lanmeter/ vDefaultPortConf vlanDel
macPool/ vProfDisable vlanListShow
vConf vProfEnable vlanShow
<profileId> <vlanProfName> <port1Status> <port2Status> <port3Status> <port4Statu
s> <port5Status> <port6Status> <vlanProfstatus> <macAddr>
1 defaultVlan 1 1 1 1 - - 1 c4:3d:c7:7f:18:4d
netConf$ cd /vpn
certificate/ modeConfig/ policies/ xauth/
The firewall can also be connected to via the console port whose functionality is the same as when you access it via telnet.
When the device is booting the administrator can access the loader, however, we’re not going to describe its features.
U-Boot 1.1.1 (Development build, svnversion: exported) (Build time: Jan 6 2011 - 16:15:26)
Warning: Board descriptor tuple not found in eeprom, using defaults
CUST_SRX5308 board revision major:2, minor:0, serial #: unknown
OCTEON CN5010-SCP pass 1.1, Core clock: 700 MHz, DDR clock: 200 MHz (400 Mhz data rate)
DRAM: 512 MB
Flash: 64 MB
*** Warning - bad CRC, using default environment
Clearing DRAM....... done
BIST check passed.
== Executing bootcmd in 5 seconds - enter ctrl+c to abort 0
Full booting log is presented in the boot.log file.
Here we’re through with the review of NETGEAR SRX5308 command line features. The only thing we’d like to mention is that this firewall commands and groups are very much like those used in the FR538G model; the latter’s documentation contains the description of working with the command line.
The first test we ran on SRX5308 was determining its booting time under which we mean the time interval between switching power on and receiving the first echo-reply via ICMP. NETGEAR SRX5308 boots in 45 seconds. We think it to be a normal result.
Then we decided to check the device security for which we took a Positive Technologies XSpider 7.7 network security scanner (Demo build 3100). We ran the scanning from the LAN-segment of the net. Altogether we detected five open ports: TCP-23 (Telnet), UDP-53 (DNS), TCP-80 (HTTP), UDP-123 (NTP), TCP-443 (HTTP SSL). We didn’t find any serious vulnerability.
Now let’s determine what routing speeds will be available to the user. As we remember from the section devoted to hardware, SRX5308 will not be able to boast routing rates higher than 1 Gbps; so, for testing we used the device two LAN and WAN interfaces, one connection to each. For testing we took a JPerf 2.0.2 utility which created one, five and fifteen simultaneous TCP-connections. The obtained speeds are presented below.
PPTP routing speeds were disappointing at the very least. We certainly understand that in the corporate segment internet access will be provided without using PPTP; however, such low speeds in tunnels are the device weakness. Naturally, we reported this to the vendor. It turned out that NETGEAR are already working on this issue and promised that in the new firmware version it will be solved and transmission speeds via PPTP will substantially increase.
We can’t but mention the main characteristics of our testing stand.
|Motherboard||ASUS Maximus IV Extreme-Z||ASUS M60J|
|CPU||Intel Core i7 2600K 3.4 GHz||Intel Core i7 720QM 1.6 GHz|
|RAM||DDR3 PC3-10700 Corsair 16 Gbyte||DDR3 PC3-10700 Kingston 8 Gbyte|
|Operating system||Windows 7 x64 SP1 Rus||Windows 7 x64 SP1 Rus|
As NETGEAR SRX5308 allows remote users to connect using SSL-VPN and IPSec-VPN we couldn’t come by this option. Naturally, we measured the speeds of remote users’ access to the resources of the protected local net. The results of the test are presented on the diagram below.
Here the testing section comes to its end. Let’s draw conclusions.
We were quite happy with the flexibility of NETGEAR SRX5308 settings, but some speed characteristics were rather perplexing. The use of this model will allow the administrator to readily connect a protected moderate-sized local net to the internet with the ability for remote users to access local resources. The advantages of the firewall are listed below.
Resistance against network attacks
The ability to organize balancing in WAN-channels
Considerable IPSec-VPN and routing speeds
Virtual networks support
Unfortunately, we can’t but mention the device disadvantages.
The web-interface is available only in the English language
Support of a single dynamic routing protocol – RIP
Slight tardiness of the web-interface
Lack of documentation for the command line
Medium SSL-VPN speeds and unacceptably low PPTP speeds
When the article was being written, the price for NETGEAR SRX5308 in Moscow online shops was 15500 RUB.
After the review had been written, the NETGEAR Company released a new – 4th – firmware version. Among new things in this release there is IPv6 and PPTP/L2TP server support. Naturally, we decided to test this new functionality and started with IPv6 support.
Unfortunately, NETGEAR SRX5308 doesn’t allow balancing traffic in WAN-channels when using IPv6. Also, we didn’t forget routing speeds for this protocol.
Then we turned to the embedded PPTP/L2TP server and measured access speeds to the LAN via PPTP.
The obtained speeds are far from high. Also we found a peculiarity in the implementation of the server at hand. If the NAT mode is chosen instead of Classical Routing in the WAN-interface settings, then all remote users connecting to the LAN via PPTP will be seen to local host as all having one IP-address – the address of the device LAN-interface – and it’s impossible to tell them apart. We hope that in further firmware versions the logic of SRX5308 firewall operation will be changed.