Firewall / Security
The RV042's firewall feature set remains fairly standard, with the expected options for customization, displayed in Figure 11.
Figure 11: Firewall options
Additional firewall functionality includes designating a single host on the LAN in a DMZ, port forwarding and port triggering, rule-based firewall permissions, website black listing, and URL keyword blocking.
Setting up a single host on the LAN in a DMZ is different than designating the WAN2 interface as a DMZ port. Setting up a single host on the LAN in a DMZ essentially applies a port forwarding rule to send all unrecognized inbound traffic to the specified host. Designating the WAN2 interface as a DMZ port creates a different zone completely outside the firewall.
The RV042's port forwarding and port triggering are also pretty standard. One note: the forwarding and triggering configuration pages seem like they should be under the Firewall menu instead of the Setup menu.
The Firewall menu has three options: the general page shown in Figure 10, the ability to create access rules, and a simple Content Filter. The RV042's access rule functionality allows or denies traffic based on source interface, traffic type, source and destination IP address, and a user-defined schedule. There are 20 pre-defined traffic types (HTTP, FTP, SMTP, etc.); more can be added based on protocol (UDP/TCP) and destination port number.
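To make the access rule criteria concrete, here is a small model of how such a rule set can be evaluated. It is an added example, not Cisco's code: the first-match ordering, the default action passed by the caller, the service table, and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Constructed service table (assumed): traffic type -> (protocol, destination port).
SERVICES = {"HTTP": ("TCP", 80), "FTP": ("TCP", 21), "SMTP": ("TCP", 25),
            "RDP": ("TCP", 3389)}  # RDP stands in for a user-added type

@dataclass
class Rule:
    action: str                            # "allow" or "deny"
    interface: str                         # "LAN", "WAN1", "WAN2" or "ANY"
    service: str                           # key in SERVICES or "ANY"
    src: str                               # source network in CIDR form
    dst: str                               # destination network in CIDR form
    days: frozenset = frozenset(range(7))  # Monday=0 ... Sunday=6
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def matches(self, iface, proto, dport, src, dst, when):
        if self.interface not in ("ANY", iface):
            return False
        if self.service != "ANY" and SERVICES[self.service] != (proto, dport):
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        # The schedule is part of the match: outside it, the rule is skipped.
        return when.weekday() in self.days and self.start <= when.time() <= self.end

def evaluate(rules, default, iface, proto, dport, src, dst, when):
    """Return the action of the first matching rule (assumed order), else default."""
    for rule in rules:
        if rule.matches(iface, proto, dport, src, dst, when):
            return rule.action
    return default

# Constructed policy: RDP from one remote office on weekdays 08:00-18:00 only,
# and outbound SMTP allowed from the mail server but denied for the rest of the LAN.
RULES = [
    Rule("allow", "WAN1", "RDP", "203.0.113.0/24", "192.168.1.10/32",
         frozenset(range(5)), time(8, 0), time(18, 0)),
    Rule("allow", "LAN", "SMTP", "192.168.1.25/32", "0.0.0.0/0"),
    Rule("deny", "LAN", "SMTP", "192.168.1.0/24", "0.0.0.0/0"),
]
```

Because the schedule is evaluated as a match condition, a scheduled allow rule that is out of hours falls through to whatever follows it, so the default action for that direction decides the outcome.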
There is a non-subscription based Content Filter in the Firewall menu that allows for creating a black list of specific URLs, as well as URL keyword blocking. Both of these lists can be applied on a user-defined schedule. If a user on the LAN browses to a listed URL or one containing a listed keyword, they will receive the below message. I added google.com to a URL black list and was presented with this message when I tried to browse to Google.
“This URLs or Page has been blocked.”
New to the 2011 RV042 is a more advanced subscription based Content Filter available via the ProtectLink feature. This feature enables website content filtering and web-reputation assessment to block web-based attacks and control web access. Website and web-reputation filtering is done through a partnership with TrendMicro.
The ProtectLink feature on the RV042 is similar to the feature I described on the RV220W, but without the email protection. On the RV042, the feature is called ProtectLink Web, while on the RV220W the feature is called ProtectLink Gateway.
Cisco provides a 30 day free trial of ProtectLink Web with the RV042. 1 year and 3 year licenses of ProtectLink Web are available via Cisco resellers. CDW lists a 1 year license for ProtectLink Web at $132.99 and a 3 year license at $194.99. Both licenses allow for unlimited users.
The ProtectLink Web Content Filter defines seven web site categories, each with 7-19 sub-categories for a total of 83 different types of traffic. You can block one to all of these categories all the time or based on customizable schedules. Users browsing to any of the blocked categories will receive the message:
“The URL you are attempting to access has been blocked. Your organization's policy prohibits accessing this web site.”
Another aspect of the ProtectLink Content Filter is web-reputation assessment, which blocks potentially malicious websites based on data collected by TrendMicro. You select whether to apply a security level of High, Medium or Low.
A security level of High will block most websites with questionable reputations, but also may have some false-positives, meaning it may block some acceptable websites. A security level of Low will block fewer websites with questionable reputations, but may have some false-negatives, meaning it will not block some malicious websites. The default setting is Medium.
The RV042 firewall also has the ability to create a white list of websites for those you want permanently approved and not subject to filtering. Similarly, you can create a list of "trusted" host IP addresses on the LAN that will not be subjected to filtering.
The RV042 is a Dual WAN gateway router, so I grabbed data from our charts for other Dual WAN gateway routers. Interestingly, there are not many other non-wireless Dual WAN routers with 10/100 ports in our charts. However, the RV042 matches up closely to the Draytek 2920 and Netgear FVS336G, even though both have Gigabit ports.
Table 2 below shows the throughput numbers, IPSec Tunnel capacity and pricing. As you can see, the v3 RV042's throughput is near line speed at about 90 Mbps in both WAN-LAN and LAN-WAN on 10/100 Ethernet ports. There is a significant throughput improvement over the original version, especially for WAN-LAN throughput.
The Gigabit NETGEAR FVS336G at about 59 Mbps WAN-LAN and LAN-WAN is actually slower than the RV042. However, the Draytek 2920 takes advantage of its Gigabit ports and produces higher throughput at 147 Mbps WAN-LAN and 136 Mbps LAN-WAN. The lack of Gigabit Ethernet, in my opinion, is a weakness of the RV042.
| |WAN - LAN|LAN > WAN| |# IPsec tunnels|Lowest Price|
|Draytek Vigor 2920|147.5|136.5|147.3|40|$190|
Table 2: Router Performance comparison
On the plus side, the RV042's VPN tunnel capacity is the highest of any VPN router we've tested to date. The RV042 supports up to 50 IPSec Site-to-Site tunnels, plus 50 IPSec Client-to-Site and 5 PPTP Client-to-Site tunnels. And you'll be able to take advantage of all those tunnels without worrying about breaking the bank, because QuickVPN software and licensing for up to 50 users is now free on the RV042, where in 2007 it was $119. That's another nice change.
Another strength of the RV042 is its flexible Dual WAN functionality. A business or home dependent on connectivity cannot afford to have its Internet connection down for a significant period of time. The RV042 solves that problem. It can send and receive traffic over two ISP connections simultaneously, and provides multiple options for managing traffic flows over those connections.
The main disadvantages of the RV042 are its lack of Gigabit Ethernet ports and current admin interface problems with Firefox / Windows. The latter should get straightened out via new firmware at some point. But if you want Gigabit ports, you'll need to add a switch or pick another product.
Overall, the RV042 v3 is a solid improvement over the original. The updated hardware design has improved both its VPN and Routing performance. And the addition of Cisco ProtectLink for Content Filtering is also a plus.
I gave the original RV042 a thumbs up because it was extremely stable and reliable for me. I give the RV042 v3 a thumbs up as well. It's faster, has more features and capacity, and retains the same ease of use I enjoyed in the original version.