Cisco RV340 & RV345 – are the licensed “advanced security features” worth it?

[Miner]

On advice from another thread I’m posting this question here in wired routers.

Cisco RV340/345 routers have optional annual licensing features, one of the two optional licenses is for “advanced security features” ... IPS, Antivirus, Web Security, App ID, and Client ID." The second license is for a Cisco Umbrella license described as you "have the advantage of detailed security reporting for all hosts behind the router."

For the record this is what the Cisco product page says about a licensing and out-of-the-box router operation: "Licensing - To operate the router no license is required. It will work with full performance and all VPN features are turned on." Reference for this.

I'm asking about the first license for “advanced security features.” Does anyone find this useful? In what context, home setting, home office, SO/commercial enterprise?

A new router allows a 90 day evaluation/trial of the features advanced security features – there is no free trial for the Cisco Umbrella license. I turned on the evaluation in a new RV345 and do not notice any slowdown in throughput. The cost seems to be in the $120 per year range for the advanced security features license, and I’m assuming: 1) this is probably not worthwhile for a home or HO, and 2) for a SO or small commercial enterprise it may be worthwhile but no overwhelming reasons for it.

I'm assuming the Cisco Umbrella license is over the top for both a home office and a SO or commercial office/enterprise.

Does anyone have any experience or opinions on either of the two licenses?

 

[coxhaus]

The Umbrella license looks interesting. I use QUAD9 which probably is not as good but it's free. The problem with the Antivirus license is most of the bad traffic has gone encrypted and no small device is going to be powerful enough to decrypt traffic at gig speeds. So, I think you are wasting your money. I think you are better off running a UTM device behind the Cisco router if you want advanced security features.

All of these features and configurations are way above any consumer gear. And Cisco's VPN software is way better than what you will find out there.

 

[Tech9]

All of these features and configurations are way above any consumer gear. And Cisco's VPN software is way better than what you will find out there.

Valid statement 5y ago. Not anymore. Broadcom BCM4906 SoC based consumer routers have hardware AES support and some offer lifetime free TrendMicro IDS engine + some offer true SQM. This SoC in it's 2/4-core variations can do >200Mbps on OpenVPN and >500Mbps on Wireguard connections. Far ahead of what RV34x routers from 2016 can do and for free, no license fees. Not to mention functions not available in RV34x at all.

 

[Tech9]

Does anyone have any experience or opinions on either of the two licenses?

I have 4x Cisco RV345P routers and I don't pay for extra licenses. I use them only because of good dual WAN fail-over, simplicity and perhaps better reliability. Everything else, with or without license, is old news in networking. Slow hardware by today's standards for anything else than simple routing.

 

[Bill Woodcock]

I use QUAD9 which probably is not as good but it's free.

If there are ways we can improve Quad9, we're all ears... You've looked at independent lab-tests of Quad9's malware blocking?

Comparing Malware-blocking DNS Resolvers, Redux - andryou

Inspired by this DNS malware-blocking comparison, I’ve slightly modified the script provided and added in CIRA’s Canadian Shield and re-ran it to see how it fares with others. Updates: 2020-06-02: important note – “Cisco does not claim that [OpenDNS] blocks threats but only filters content.” – I...

www.andryou.com

Malicious site filters on DNS in 2020 – Skadligkod.se

 

[coxhaus]

I think QUAD9 is the best. Cisco has a way to tailor its software for Cisco so Umbrella may mesh better with Cisco gear. I am going to stay with QUAD9.

 

[coxhaus]

Valid statement 5y ago. Not anymore. Broadcom BCM4906 SoC based consumer routers have hardware AES support and some offer lifetime free TrendMicro IDS engine + some offer true SQM. This SoC in it's 2/4-core variations can do >200Mbps on OpenVPN and >500Mbps on Wireguard connections. Far ahead of what RV34x routers from 2016 can do and for free, no license fees. Not to mention functions not available in RV34x at all.

There is no way a Broadcom consumer router will match the power x86 UTM device. I doubt the TrendMicro IDS can even run both directions checking both inbound and outbound traffic. And if you are going to decrypt traffic both directions, not going to happen on consumer routers. You need more horse power than a consumer router. More than likely, there is not even a way to decrypt traffic on a consumer router for IDS inspection.

I gauge this by gig internet speeds which now are the standard that internet devices are compared to.

 

[Tech9]

There is no way a Broadcom consumer router will match the power x86 UTM device.

OP is asking about RV34x routers. If he has x86 appliance available, he doesn't need RV34x router.

And Cisco's VPN software is way better than what you will find out there.

My comment was more about Cisco's VPN software on RV34x. It was good in 2016, perhaps. Very basic and limited in 2021.

 

[coxhaus]

Using a RV340 router with a UTM device like Untangle behind the router will beat any consumer router when it comes to firewalling so you can't side step your statement Tech9. Untangle for home use is $50 per year which may be cheaper than buying a Cisco license.

The setup above is about as good as it gets for home use. You are in the high dollar firewall land for cheap. Consumer routers need not apply as they cannot complete.

You connect the above to a Cisco L3 switch and you have one great network. A little hard to configure but untouchable by consumer gear as far as performance goes.

 

[Tech9]

Cisco gear is not needed at all in this case. Good specs x86 appliance running Untangle/Sophos/pfSense/OPNsense can do routing, security and VPN all in one device better than any RV34x router. L3 switch is optional, depending on how many busy clients use the network. For home/small office not needed.

 

[coxhaus]

Cisco gear is not needed at all in this case. Good specs x86 appliance running Untangle/Sophos/pfSense/OPNsense can do routing, security and VPN all in one device better than any RV34x router. L3 switch is optional, depending on how many busy clients use the network. For home/small office not needed.

The L3 switch is always good but if you move more traffic than a gig of traffic using VLANs then a Cisco L3 switch will help a lot.

I like running firewalls as UTM devices as I feel it gives you a little more protection rather than running them at the front door without router. I think it makes for a better overall network design.

The Cisco RV340 router series is a great little router internet front door device that is very reliable. Yes, it is old but it does gig internet with ACLs.

pfsense is a joke for updates. It runs fine but not as good of a firewall as Untangle but the updates break it and you need to start over when you update. The RV340 router has updates about ever 6 months and the updates just work.

 

[Tech9]

pfsense is a joke for updates.

Not in my experience, I run it on Netgate hardware. L3 switch on a small network is like going to the grocery store with a 40-ton capacity dump truck. It's better only if you need it and can use it. Otherwise it's only extra complication, hardware and electricity cost.

 

[coxhaus]

As soon as you go faster on your local network than your internet speed then the L3 switch will help you. If you have a NAS or server then an L3 switch will help as you have the potential to exceed your internet speed.

 

[Mark070]

I have been thinking about this very question now for awhile as well. My apologies in advance for adding to this rabbit trail/off topic.

If I have a router, and my internet speed is 200/10. My router has an internal switching bandwidth of 1 gig. If I then have multiple gig switches plugged into my router - this means I can max out at 1 GB at any one time. The limitation is at the router for switching speed.
Adding a L3 switch allows multiple GB at the same time, freeing up the Router to handle only Internet traffic.

The question is ... for a small network, your never (rarely) going to have multiple gig processes going at the same time.
If I got this right ... I have to agree with Tech9, adding a L3 switch seems inefficient - unless your managing many connections that are all using resources inside your network at multi gig speeds.

 

[coxhaus]

If you are small enough to run in 1 network then a L3 switch will not help you as there is no local routing. This is the case for a lot of homes. I use to hang around guys that played with big servers and switches and their local networks ran better like mine in the past using a L3 switch. I was a network guy that hung out with data people and other network guys. I guess you guys are data wimps.

 

[Tech9]

I was a network guy that hung out with data people and other network guys.

That was 20+ years ago. Now some home routers are faster than the big servers and switches you have seen, combined. Gigabit Ethernet came into use few years before you retired. That explains your frequent guessing.

 

[degrub]

the principles have not changed in 40+ years though.
Nor have the discussions, apparently. ;-)

 

[Tech9]

Networking gear size and performance changed. A rack of 20+ years old servers and switches now fits on top of our living room shelf.

 

[coxhaus]

You are just jealous Tech9.

I doubt you can even trouble shoot a L3 switch.