With its bump-in-the-wire design, the STM600 is easy to slip in and out of small networks to protect end users and control Web usage. Web filtering on the STM600 includes antimalware scanning, category-based URL filtering, local block and allow lists, and some very basic content scanning, including blocking certain HTTP download file types and file extensions.
Although the Web security settings on the STM600 are system-wide, you do have the capability to apply some per-user rules which will override the basic settings. These can be done based on IP address or based on user authentication. We tested the STM600 by linking it to our corporate directory with RADIUS and Active Directory to verify that we could write rules so that some users could have full Internet access with minimal content filtering, while others were restricted to a subset of sites. The mechanisms in the STM600 are a good match for the small business market.
The STM600 can also inspect HTTPS traffic, a critical requirement for any Web security gateway. The STM600 does this by signing a new digital certificate for any Web site protected by SSL. (The STM600 comes with a generic signing certificate, or you can supply your own.) The STM600 splices together the two encrypted connections: one between the STM600 and the real Web site, and the other between the STM600 and the end user, enabling it to inspect the traffic as it passes by. Of course, this requires the end user to accept the STM600's signing certificate as authentic or the network manager to pre-load it into end user systems, a necessary inconvenience.
We tested the STM600's ability to identify recent viruses on Web pages, in encrypted traffic, and found it lived up to its billing. We also tested the category-based URL filtering, and found about the normal success rate at categorization and blocking.
An additional feature of the STM600, Application Control, didn't show up as well in our testing. These controls purport to give the network manager greater control over applications. With vendors such as Palo Alto Networks pushing this as a key feature in managing end-user access, we were interested to see how the SMB-focused Netgear would do. Answer: not very well.
On the STM600, Application Control includes four main categories of applications: messaging, media, peer-to-peer, and tools. Each category has between three and six applications. In theory, check the box and you turn off BitTorrent. We tested three of the four categories, but none of the applications we tested (BitTorrent, iTunes Music Store, Google Talk) were successfully blocked. Netgear needs to go back to the drawing board on that one.