OfficeConnect Secure Router and OfficeConnect VPN Firewall - Screening Router and Firewall from 3Com

Contents
- Overview
- 3CR860 and 3CR870 circuitry
- Comparative table of device specifications
- A digression on settings
- Performance tests
  - Performance of the LAN-WAN segment, NetIQ Chariot
  - Performance of the LAN-WAN segment, NetPIPE
  - IPSec performance, DES encryption
  - IPSec performance, 3DES encryption
  - IPSec performance, tunnel scaling, 3DES encryption, two tunnels
  - IPSec performance, tunnel scaling, 3DES encryption, three tunnels
  - IPSec performance, AES-128 encryption
- Traffic shaping tests
  - Limiting the total outgoing bandwidth
  - Limiting the total incoming bandwidth
  - Limiting outgoing traffic by ports (creating queue groups)
  - Limiting incoming traffic by ports (creating queue groups)
- 3CR860 and 3CR870 security tests
- Availability
- Conclusions
3Com has launched two new network security products:
- the 3Com OfficeConnect Secure Router (3CR860-95), a screening router;
- the 3Com OfficeConnect VPN Firewall (3CR870-95), a firewall.
The OfficeConnect Secure Router is positioned by the company as a device providing protected, high-speed Internet access for multiple users in home, small-office and branch-office environments. The router has an embedded VPN server that can establish up to two IPSec VPN tunnels (server-server and server-host tunneling modes are supported). It also supports termination of L2TP over IPSec and PPTP tunnels. The firewall contains special algorithms that detect (by pattern matching) and block hacker and DoS attacks. The device can filter traffic using custom or preset rules based on IP addresses or content/URL. It also has a logging service for a wide range of events.
The OfficeConnect VPN Firewall is the "elder brother" of the previous device. The number of supported VPN tunnels is extended to 50, and it adds a traffic shaping function, that is, control of the data transfer rate both overall and for a specified set of protocols.
Both devices share the same case, and at first glance their only difference is the label on the right of the front panel. Apart from this label, the panel contains four LAN-port LEDs that indicate the connection speed by color and data transfer by blinking. The Cable/DSL LED is similar to the previous four, but it indicates the state of the WAN port. Then there are the obvious LEDs: Power and Alert. The latter blinks when the device starts up and in case of malfunctions (software and hardware). It also lights up when an attack is detected (at the same time the intruder is blocked by the built-in firewall).
All the ports (four LAN and one WAN) are located on the back panel, along with the power connector. On the bottom of the device there are brackets for mounting it on a vertical surface. To put the device on a horizontal surface, it is enough to attach the four rubber feet (included in the bundle) to its bottom.
You can also pile the devices into a "stack" using the plastic clip shipped with the device. Note that this stack can grow upwards to include an arbitrary number of devices.
The bundle of both routers contains (apart from the device and its power adapter):
- Installation and quick setup guide (in English)
- CD-ROM containing the complete documentation and the Gateway Discovery Program for quickly finding the device on the network
- Four plastic feet for placing the case horizontally
- Ethernet patch cord
- Plastic clip to assemble several devices into a stack
3CR860 and 3CR870 circuitry... or the "find ten differences" puzzle
- Do you see a gopher?
- No.
- I don't see it either... But it's out there!
In other words, I didn't manage to find any differences. The 3CR860-95 photo is on the left, the 3CR870-95 on the right. These devices most likely differ only in their firmware. A label on the bottom of the PCB, "OfficeConnect Cable Secure/DSL Gateway", reminded me of the similar device reviewed in this article. The circuitry has not changed much since then; at least the microcontroller and the chip of the embedded Broadcom switch remained the same.
There are still no detailed specifications on the main processor of the device, the BCM6350 microcontroller, or on the BCM5325 controller operating as a 100 Mbit Ethernet switch (properly speaking, we didn't manage to find the specifications at all), so I see no point in repeating the information already provided in the 3Com OfficeConnect Cable/DSL Secure Gateway article.
Another big chip on the PCB is the Pulse H1184, which (probably) handles Auto MDI/MDI-X (cable type detection) and also provides galvanic isolation to protect the embedded switch controller from high voltages. The two HY57V641620HGT-H chips are 64 Mbit (4 banks x 1M x 16 bit) SDRAM by Hynix; their nominal operating frequency is 133 MHz.
The PCB also contains two flash memory chips of (presumably) 8 MB each. Why two? Perhaps the device has fault-tolerant firmware: one of the chips holds a backup copy of the firmware, which is activated when the main firmware gets corrupted. We can't say this for sure, but the firmware size in both devices does not exceed 6 MB.
I faced the "emergency system" personally: when I upgraded the firmware in the 3CR870, some procedural failure occurred: the Alert LED kept blinking long after the file should have been uploaded to the device. I had to reboot the device, after which it disappeared (it could not be detected either over the network or by the Discovery utility, even after the 3CR870 had been reset to factory defaults), and the Alert LED went on blinking, evoking gloomy thoughts. What should I do? I had to remind myself of the wisdom "If you are getting nowhere fast, RTFM!". It really helped: it turned out that the device was responding to the web interface at a fixed address (within the 192.168.x.x range), but it displayed a screen with a notice that "you have some problems with the firmware, upload it once again". I re-uploaded it (successfully this time), rebooted the device and everything started working properly. By the way, at first I accidentally selected the firmware version for the 3CR860 to upload (in safe mode). The file was uploaded successfully, but then the device reported that the firmware version was wrong and the 3CR870 refused to use it. I mention this to show that it would hardly be possible to upgrade a 3CR860 to a 3CR870.
Specifications of the 3CR860 and 3CR870
The specs of both devices are similar, so I combined them into one table (the differences between the devices are noted in the table).
| Parameter | Sub-parameter | Value |
|---|---|---|
| Case | | plastic, allows both horizontal and vertical positions as well as "stacking" several devices into a pile |
| Block interfaces manually | | no |
| Wireline segment | | |
| LAN | number of ports | 4 |
| | auto MDI/MDI-X | yes |
| WAN | number of ports | 1 |
| | auto MDI/MDI-X | yes |
| Connection types supported | static IP address | yes |
| | dynamic IP address | yes |
| | PPTP | yes |
| | PPPoE | yes |
| Main functions | | |
| Access arrangement method | | Network Address Translation (NAT) |
| NAT features | one-to-many NAT (standard) | yes |
| | one-to-one NAT | yes |
| | NAT disable option (router mode) | no |
| Device configuration and client setup | | |
| Administration | web interface | yes |
| | native control utility in Windows | only finds the device on the network (at any address) and sets an address from the current subnet |
| | telnet | no |
| | COM port | no |
| | SNMP | no |
| Save and load configurations | | yes |
| Embedded DHCP server | | yes |
| UPnP support | | no |
| Internal clock | | yes |
| Time synchronization | | NTP, but the preset servers cannot be modified |
| Built-in utilities | ICMP ping | yes |
| | traceroute | yes |
| | name resolution | yes |
| Logging events | | yes, customizable: LAN, ISP Connection Events, VPN Detailed logging, Dropped Packets, Attack Detection |
| Logging firewall rule execution | | yes, but only all rules at once (dropped packets) |
| Log storage | in the device | yes |
| | on an external syslog server | yes |
| | sending to e-mail | no |
| SNMP | SNMP Read support | no |
| | SNMP Write support | no |
| | SNMP Traps support | no |
| Features of the embedded filters and the firewall | | |
| Filter types | by MAC address | no |
| | by IP address | yes |
| | by protocol/port | by dst port, regardless of protocol |
| | by URL | yes |
| | by domain | yes (combined with URL) |
| | content filtering services | yes, via subscription |
| Virtual servers | create | yes |
| | different public/private ports for a virtual server | no |
| | DMZ | yes |
| Embedded firewall | | yes, but not very convenient, basically preset rules |
| SPI support (Stateful Packet Inspection) | | yes, but cannot be used in rules |
| Application support (NetMeeting, QuickTime, etc.) | | yes |
| Action types | allow | yes |
| | deny | yes |
| | log | no (you can only log dropped packets globally, for all rules) |
| Rule criteria | src interface lan/wan | no |
| | dst interface lan/wan | no |
| | src ip/range | only ip |
| | dst ip/range | no |
| | src protocol | no |
| | dst protocol | no |
| | src port/range | no |
| | dst port/range | yes, including lists and ranges |
| | timing | no |
| VPN features | | |
| IPSec server: tunnel types | Gateway-Gateway | yes, up to 2 in 3CR860 and up to 50 in 3CR870 |
| | remote user access | yes, up to 2 in 3CR860 and up to 50 in 3CR870 |
| IPSec server: authentication types | pre-shared key | yes |
| | certificates | no |
| IPSec server: hashing algorithms | SHA1 | yes |
| | MD5 | yes |
| IPSec server: encryption algorithms | DES | yes |
| | 3DES | yes |
| | AES | yes, 128 bit |
| IPSec server: routing table of the IPSec tunnel | add records | yes, up to 10 records |
| L2TP server (over IPSec): authentication types | pre-shared key | yes |
| | certificates | no |
| L2TP server (over IPSec): hashing algorithms | SHA1 | yes |
| | MD5 | yes |
| L2TP server (over IPSec): encryption algorithms | DES | yes |
| | 3DES | yes |
| PPTP server | | yes |
| VPN pass-through | IPSec | yes, if the IPSec/L2TP server is disabled |
| | L2TP | yes, if the IPSec/L2TP server is disabled |
| | PPTP | yes, if the PPTP server is disabled |
| Traffic shaping (available only in 3CR870) | | |
| Shaping types | limit the total outgoing traffic | yes |
| | limit the total incoming traffic | yes |
| | limit the incoming traffic by criteria | yes |
| | limit the outgoing traffic by criteria | yes |
| Limit criteria for the rules | src interface lan/wan | no |
| | dst interface lan/wan | no |
| | src ip/range | no |
| | dst ip/range | no |
| | src protocol | just the protocol (globally for src/dst): TCP, UDP, TCP&UDP |
| | dst protocol | just the protocol (globally for src/dst): TCP, UDP, TCP&UDP |
| | src port/range | just the port (globally for src/dst) |
| | dst port/range | just the port (globally for src/dst) |
| | timing | no |
| Limit types | quantitative bandwidth limit in bytes | no (there is only a global limit for the entire incoming/outgoing traffic) |
| | percentage | no |
| | prioritization | yes, but there are only two priorities (High & Normal) |
| Routing | | |
| Manual records | WAN interface | yes |
| | LAN interface | yes |
| Dynamic routing, WAN interface | disabling | yes |
| | RIPv1 | yes, send and/or receive |
| | RIPv2 | yes, send and/or receive |
| Dynamic routing, LAN interface | disabling | yes |
| | RIPv1 | yes, send and/or receive |
| | RIPv2 | yes, send and/or receive |
| Additional information | | |
| Firmware version | | 3CR860: 1.03-168; 3CR870: 2.0-168 |
| Power supply | | external power adapter |