U.S.Robotics Secure Storage Router Pro (USR8200)
Contents
- Overview
- Circuitry
- Summary table of device specifications
- Excursus to settings
- Performance tests
- LAN-WAN segment performance, NetIQ Chariot
- LAN-WAN segment performance, NetPIPE
- IPSec performance, DES encryption
- IPSec performance, 3DES encryption
- IPSec performance, tunnel scaling, 3DES encryption, two tunnels
- IPSec performance, tunnel scaling, 3DES encryption, three tunnels
- PPTP performance
- PPTP performance, tunnel scaling, two tunnels
- PPTP performance, tunnel scaling, three tunnels
- File-server feature
- 3CR860 and 3CR870 security tests
- Availability
- Conclusions
Some time ago our lab got hold of a new model from U.S.Robotics – Secure Storage Router Pro. This device is a multifunctional router with VPN server and client support as well as integrated functions of a network database. USR8200 also has an embedded print-server (for USB printers).
With so many functions in this device the tests took a long time, but nothing lasts forever, and I'm pleased to share the results. The most impatient readers may skip the body (the most informative part) of this article and jump right to the conclusions section. For the rest of you, we shall tell everything like it is.
The device is housed in a stylish black plastic case (the traditional color for U.S.Robotics). The front panel hosts 4 green LEDs indicating LAN ports, one LED for the WAN port, an IEEE1394 (FireWire) indicator, and two USB indicators, plus a two-color Power LED.
All interfaces are on the rear panel of USR8200. Besides the traditional 4 x LAN, 1 x WAN, the Reset button and a power connector, you can see 2 x USB 2.0 and 1 x FireWire. They serve to connect external storage systems (NAS, network attached storage) with corresponding interfaces, e.g. U.S.Robotics 250GB USB 2.0 + FireWire Storage Drive.
You can also connect USB Flash disks to the USB port. They obviously cannot compare with NAS systems in capacity; nevertheless, Flash disks of several gigabytes already exist.
Once connected to USR8200, any storage device is accessible from the LAN via the SMB protocol (that is, via the network environment, as in Windows File Sharing) and via the FTP server, which is also supported by USR8200.
Besides a storage device, you can also connect a printer to the USB port (if your printer supports USB connection, of course). In this case the print-server embedded into USR8200 will provide access to this printer for the entire LAN.
The bottom of the device has four lugs with rubber feet for placing the device horizontally, but it lacks any holes for mounting it on vertical surfaces.
By the way, these feet have another function – they allow stacking the devices in a pile (the resulting construction is quite stable). In the same manner you can place the 802.11g Wireless Turbo Multi-Function Access Point (this access point has a smaller case) on USR8200.
Thus you may get quite a high tower :).
The bundle includes a power unit, a quick installation guide, a patch cord, and a CD with detailed documentation (in English) and additional software - Norton Internet Security 2003 (NIS), Norton Personal Firewall 2003 (NPF) and USR iBand.
The latter docks as another toolbar and displays the real-time load of the network interface.
The VPN server embedded into USR8200 supports the IPSec (tunnel and transport modes, with DES/3DES encryption) and PPTP protocols; the latter can work in server as well as in client mode. Besides, the device can pass the corresponding sessions through the router. Such features allow USR8200 to organize distributed networks and connect their segments with encrypted tunnels (via the Internet). For example, you can connect several remote offices into a single local network, or you can connect remote users (working at home or on a business trip) to a company's local network.
It goes without saying that the device has a traffic filtering control interface (filtering by IP addresses/protocols and web filtering).
USR8200 Circuitry
As is the case with USR5450, you cannot disassemble the router without damaging its appearance – one of the screws is hidden under a sticker on the bottom of the case. And nobody allowed us to damage the device's appearance.
But, according to information from the U.S.Robotics web site, the heart of the system is the Intel IXP422 network processor based on XScale technology. Its XScale core operates at 266 MHz, and the processor contains the following embedded controllers: a PCI 2.2 bus controller, an SDRAM controller, a USB 1.1 controller, and two independent 10/100 Base-T Ethernet MAC controllers. Note that USR8200 has two USB 2.0 ports; they are obviously based (like the IEEE1394 port) on some external controllers.
Besides the above-mentioned, the network processor incorporates an IPsec-enabled Network Processor Engine (NPE) supporting DES/3DES, AES, SHA-1/MD5. According to the datasheet, the architecture of the Intel IXP422 network processor allows encryption/decryption at up to 70 Mbit/sec. We are particularly interested in how accurate this figure is for AES encryption, which is the "heaviest" mode.
USR8200 has 16Mb flash and 64Mb SDRAM. It runs Jungo's OpenRG, which in turn is based on the Linux kernel (presumably its 2.4.x branch).
USR8200 Specification
Specs for both devices are similar, so we publish them in one summary table (differences between the devices are noted in the table).
| Parameter | Value |
|---|---|
| Case | plastic, allows only a horizontal position of the device as well as stacking several devices into a pile |
| Wireline segment | |
| LAN: number of ports | 4 |
| LAN: auto MDI/MDI-X | yes |
| LAN: block interfaces manually | yes, all LAN ports simultaneously |
| LAN: set MTU size manually | yes |
| WAN: number of ports | 1 |
| WAN: auto MDI/MDI-X | yes |
| WAN: block the interface manually | yes |
| WAN: set MTU size manually | yes |
| WAN: connection types supported: static IP address | yes |
| WAN: connection types supported: dynamic IP address | yes |
| WAN: connection types supported: PPTP | yes |
| WAN: connection types supported: PPPoE | yes |
| Main functions | |
| Access arrangement method | Network Address Translation (NAT) and NAPT |
| NA[P]T features: one-to-many NAT (standard) | yes |
| NA[P]T features: one-to-one NAT | unknown, though you can specify several WAN addresses |
| NA[P]T features: NAT disable option (router mode) | yes, as well as a bridge mode |
| Device configuration and setup | |
| Administration: web interface | yes |
| Administration: native control utility in Windows | no |
| Administration: telnet | yes |
| Administration: COM port | no |
| Administration: SSH | no |
| Administration: SNMP | no |
| Save and load configurations | yes |
| Embedded DHCP server | yes |
| UPnP support | yes |
| Internal clock | yes |
| Time synchronization | NTP, TOD |
| Built-in utilities: ICMP ping | yes |
| Built-in utilities: traceroute | no |
| Built-in utilities: address resolving | no |
| Logging events | yes, very detailed |
| Logging firewall rule execution | yes, but all at once (dropped packets) |
| Storage: in the device | yes |
| Storage: in the external Syslog server | no |
| Storage: sending to email | yes |
| SNMP: SNMP Read support | yes |
| SNMP: SNMP Write support | ? |
| SNMP: SNMP Traps support | no |
| Features of the embedded filters and the firewall | |
| Filter types: by MAC address | no |
| Filter types: by IP address | src/dst, by range as well |
| Filter types: by protocol/port | protocol, src/dst port, by range as well |
| Filter types: by URL | no |
| Filter types: by domain | yes, but only exact matches (masks are not supported) |
| Filter types: content filtering services | no |
| Virtual servers: create | yes |
| Virtual servers: set different public/private ports for a virtual server | no |
| Virtual servers: set DMZ | yes |
| Embedded firewall | yes, flexible and functional, you can set up rules for IN and/or OUT traffic for any existing interface (LAN, WAN, IPSec, PPTP) |
| SPI support (Stateful Packet Inspection) | yes |
| Application support (netmeeting, quicktime, etc) | yes (using rule presets or creating custom rules) |
| Action types: allow | yes, including "allow all packets for this connection (using SPI)" |
| Action types: deny | yes |
| Action types: log | yes |
| Rule criteria: src interface lan/wan | yes, as any other existing interface |
| Rule criteria: dst interface lan/wan | yes, as any other existing interface |
| Rule criteria: src ip/range | yes |
| Rule criteria: dst ip/range | yes |
| Rule criteria: src protocol | yes, TCP/UDP/ICMP type/GRE/ESP/AH or you may specify the protocol number |
| Rule criteria: dst protocol | yes, TCP/UDP/ICMP type/GRE/ESP/AH or you may specify the protocol number |
| Rule criteria: src port/range | yes |
| Rule criteria: dst port/range | yes |
| Rule criteria: time reference | no |
| VPN features | |
| IPSec server: tunnel types: Gateway--Gateway | yes, theoretically up to 253 tunnels |
| IPSec server: tunnel types: remote user access | yes, you cannot set up anonymous access (without specifying IP address of a remote user) |
| IPSec server: authentication types: pre shared key | yes |
| IPSec server: authentication types: certificates | yes, locally stored only |
| IPSec server: hashing algorithms: SHA1 | yes |
| IPSec server: hashing algorithms: MD5 | yes |
| IPSec server: encryption algorithms: DES | yes |
| IPSec server: encryption algorithms: 3DES | yes |
| IPSec server: encryption algorithms: AES | no |
| IPSec server: add records to the routing table of the IPSec tunnel | yes, plus RIP support |
| IPSec server: IPSec tunnel filtering (firewall) | yes |
| L2TP server | no |
| PPTP server | yes, using MPPE 40/128-bit encryption |
| VPN pass through: IPSec | yes (capability to operate simultaneously with IPSec server is unknown) |
| VPN pass through: L2TP | no |
| VPN pass through: PPTP | yes (capability to operate simultaneously with PPTP server is unknown) |
| Traffic shaping | |
| Traffic shaping | not available |
| Routing | |
| Manual records: WAN interface | yes |
| Manual records: LAN interface | yes |
| Manual records: extra | manual records for any existing interface |
| Dynamic routing: WAN interface: disable | yes |
| Dynamic routing: WAN interface: RIPv1 | yes, send and/or receive |
| Dynamic routing: WAN interface: RIPv2 | yes, send and/or receive |
| Dynamic routing: LAN interface: disable | yes |
| Dynamic routing: LAN interface: RIPv1 | yes, send and/or receive |
| Dynamic routing: LAN interface: RIPv2 | yes, send and/or receive |
| Dynamic routing: extra | dynamic routing activation is possible for any existing interface |
| Additional information | |
| Embedded print-server | yes, for printers with USB interface |
| Additional features | 2 x USB2.0 and IEEE1394 interfaces to connect external storage devices, data access via integrated ftp-server or SMB protocol |
| Firmware version | 2.6.12 (dated Oct 1 2003 11:06:21) |
| Power supply | external power adapter, 12VDC |