The 100 is a four-port switch with one WAN port that supports only site-to-site VPN tunnels. The 200 is an eight-port switch with dual WAN ports for redundancy and load-balancing; it, too, provides only site-to-site VPN. The 200R is similar to the 200 but offers client/server VPN connections as well. All three support VPN pass-through.
The 200R comes bundled with the Symantec VPN client, which has an integrated personal firewall. It has no maximum limit on the number of simultaneous VPN connections, though Symantec says the device can handle only 4 Mbps of traffic with 3DES and 8 Mbps with no encryption. I tested a beta release of the Firewall/VPN 100 and 200 at our Real-World Labs® at Syracuse University.
Installation a Breeze
I plugged the products into a Cisco Systems 4700 router and created three different ISP 10-Mbps connections. The devices can act as DHCP clients on the WAN interface and can serve DHCP on the LAN side. The DHCP table clearly showed which addresses were in lease and by which machine. You can also specify a different MAC (Media Access Control) address on the WAN interface if necessary.
The 200 series allows for outbound failover and load-balancing, even between different ISPs and broadband technologies. Unfortunately, incoming load-balancing doesn't exist with multiple WAN links.
The outbound load-balancing capabilities of the 200 series are primitive. If you're balancing 75 percent/25 percent of traffic between the WAN links, the first three connections go out of WAN1 and the fourth goes out of WAN2. If you have an FTP transfer going out of WAN1 and WAN1 fails, your FTP transfer will be aborted but you will still have network connectivity.
For failover, I set up WAN2 as a backup and started a continuous ping. I unplugged the primary port, and the second link took over after a few seconds.
These products do not support stateful failover, a common omission in this price range. Both the 100 and the 200 support failover to an external dial-up modem or ISDN line. When I failed the WAN connection, the modem dialed within five seconds. The modem connection drops when the WAN link comes back online. This is an excellent low-cost connection-redundancy idea, especially for smaller remote/home offices. The only catch is that it won't work with PPP connections that require specialized login software, such as an AOL account. The 200 failed over to the modem only when I unplugged both WAN links.
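To make the per-connection balancing and failover behavior described above concrete, here is a small model, written for this page rather than taken from Symantec's firmware: a 3:1 weight sends three new connections out WAN1 and the fourth out WAN2, and unplugging a link aborts the flows on it (no stateful failover) while new connections continue on the surviving link. Link and flow names are constructed for the example.

```python
# Model of the per-connection load-balancing and failover the review describes:
# weights 3:1 send three new connections out WAN1 and the fourth out WAN2, and a
# failed link aborts its flows (no stateful failover) while new connections keep
# going out the surviving link. Illustrative code for this page, not Symantec's.
from dataclasses import dataclass, field


@dataclass
class WanLink:
    name: str
    weight: int                 # share of new connections: 3 for 75 %, 1 for 25 %
    up: bool = True
    flows: set = field(default_factory=set)


class OutboundBalancer:
    """Weighted round-robin over WAN links, decided once per new connection."""

    def __init__(self, links):
        self.links = links
        # expanded weight list, e.g. [WAN1, WAN1, WAN1, WAN2]
        self._cycle = [l for l in links for _ in range(l.weight)]
        self._pos = 0

    def assign(self, flow_id):
        """Pick a link for a new flow, skipping links that are down."""
        for _ in range(len(self._cycle)):
            link = self._cycle[self._pos % len(self._cycle)]
            self._pos += 1
            if link.up:
                link.flows.add(flow_id)
                return link.name
        raise RuntimeError("no WAN link available")

    def fail(self, name):
        """Simulate unplugging a link: its in-flight flows are lost."""
        link = next(l for l in self.links if l.name == name)
        link.up = False
        aborted = sorted(link.flows)
        link.flows.clear()
        return aborted


def demo():
    bal = OutboundBalancer([WanLink("WAN1", 3), WanLink("WAN2", 1)])
    placement = [bal.assign(f"conn{i}") for i in range(1, 5)]
    aborted = bal.fail("WAN1")        # e.g. the FTP transfer on WAN1 dies ...
    survivor = bal.assign("conn5")    # ... but new traffic still has connectivity
    return placement, aborted, survivor
```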
Safety Features
The devices' built-in stateful firewall is primitive but effective. It lets you specify which TCP and UDP (User Datagram Protocol) ports you want to allow, and it can block traffic in either direction.
I liked the group filter settings: You can put up to 254 computers, identified by MAC address, into one of four groups. You can also assign static IP addresses through DHCP. You can create access rules for each group, plus a separate rule set for computers not defined in the host list. However, you must reboot for any newly added hosts to take effect.
Vendor Information
Symantec Firewall/VPN, Model 100, $499; Model 200, $899; Model 200R, $1,199. Available: Now. Symantec Corp., (800) 441-7234, (408) 517-8000; fax (408) 517-8152. www.symantec.com
Both models support port forwarding, and you can give one machine unrestricted inbound and outbound traffic. NAPT (Network Address Port Translation) is enabled by default but can be turned off. Outbound communication on a certain port also can be set to open incoming communication on another port or range of ports; this is useful for games or videoconferencing software that normally doesn't work behind NAPT.
These boxes do some limited intrusion detection, though they don't yet have a live-update capability. Updating the IDS (intrusion-detection system) signatures involves a firmware upgrade via TFTP (Trivial File Transfer Protocol).
VPN connections can be keyed with a shared secret directly or through IKE (Internet Key Exchange) with a preshared secret. The AH and ESP protocols and the DES, 3DES, MD5 and SHA1 algorithms are supported.
I set up a site-to-site tunnel between the two Firewall/VPN appliances, forcing rekeying to occur every 120 minutes, after 50 MB of data are transferred or after one hour of inactivity. You can bind a tunnel to as many as five remote subnets. You also can use the 200-series devices for basic VPN redundancy, but this requires the use of dynamic DNS.
The only VPN clients supported by the 200R are Symantec products. I did not have a 200R for testing.
The only complaint I have is the lack of centralized management. Configuration is done through a Web browser interface, either locally, remotely over the VPN or from a specified IP range. Symantec recommends the VPN for remote administration.
There is no way to administer multiple devices at the same time, but Symantec says it is working on this. Centralized logging capabilities are accessed by using a syslog server, and the time stamp can be synchronized with a time server.
The Firewall/VPN line is well-designed and offers many configuration options and overrides. The ability to create filters for multiple groups is helpful, though the grouping is based on MAC addresses, which are easy to spoof.
The integrated 10/100 switch ports are also useful, and the interface is simple to use yet flexible enough not to hamper the more advanced administrator.
Mike DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Send your comments on this article to him at mdemaria@nwc.com.