To someone responsible for the network security of an SMB (small to midsize business), a one-box solution that handles every enterprise security function is a hot commodity. Naturally, the all-in-one security appliance aims to provide the required level of effectiveness without the complexity and expense of layered security products and dedicated staff. And that’s a hugely attractive prospect in today’s Wild Wild Web, where worm infections, Trojan horse invasions, and exploits of security holes are constant threats.

	ADVERTISEMENT

To assess their success, we arrayed six all-in-one security appliances in our Advanced Network Computing Laboratory testing facility at the University of Hawaii. All six of the products reviewed here go by the moniker “appliance,” but consider yourself warned: These are not foolproof, plug-and-play devices.

We invited eight firewall manufacturers to send their newest appliance offerings. Going to the mat were six brave contenders: the Check Point Safe@Office 225, the Juniper Netscreen-5GT Enhanced, the NetGear VPN Firewall FVS328, the ServGate EdgeForce Plus, the SonicWall Pro 2040, and the WatchGuard Firebox X1000. As for the two invitees who sat out the contest, Symantec couldn’t produce a production-level unit in time, and iPolicy’s product didn’t qualify as an appliance.

Our tests taught us that vendors not only have different definitions of all-encompassing security, but they also have widely varying ideas about what constitutes an appliance.

Check Point Safe@Office 225

Descending from a long line of big-iron security products with high prices and complex OSes, Check Point’s appliance turned out to be plagued only by an awkward name. The Safe@Office is an excellent contender for the SOHO firewall space.

The fact that it was the easiest of the six to configure is even more impressive when you find out that its guts are based on Check Point’s industrial-strength, best-selling Firewall 1 platform. The power of Firewall 1 is in the Safe@Office, but not the complexity, thanks to a highly intuitive front-end interface. The Services tab allows easy administration of the Safe@Office, providing a one-stop shop to configure almost every device feature, including dynamic DNS, dynamic VPN, and e-mail AV. Each is handled via an Internet connection to Check Point’s corporate servers for automatic updates and configuration help.

Although the device probably has enough muscle to protect a larger business, Safe@Office truly is a SOHO product. Check Point limits the unit to 10 simultaneous firewall connections. It’s also limited to 10 simultaneous VPN connections; however, these can be of any combination, including client-to-LAN or LAN-to-LAN. But in small, SOHO environments, the Safe@Office makes managing network security an easy and accessible task.

Typical of Check Point, the engine behind these few connections is surprisingly robust. Client VPN connections can be IPSec — a free download from Check Point — or PPTP (Point to Point Tunneling Protocol) to support the Microsoft VPN client. Additionally, clients can be authenticated against an internal database or a back-end Radius server. And the box allows for static routes, meaning you can have additional subnets behind the firewall also doing routing.

The Safe@Office proved to be a very effective firewall in our tests. The box thwarted our simulated attack sequence and rebuffed all attempts to sneak pings from the WAN to either the DMZ (demilitarized zone) or LAN.

The Safe@Office has a unique way of handling AV, so we adjusted our test accordingly. The appliance redirects e-mail traffic to a server at Check Point, which scans then forwards it to its destination. This explains why such a small CPU can handle so many services at once, but it also means that, unlike some anti-virus solutions, Safe@Office can’t check for viruses downloaded before installation.

The bottom line? Check Point stripped its much-vaunted Firewall 1 down to its bare bones to build this appliance. Fronted by a friendly user interface and using Check Point-hosted services to handle advanced functions such as AV, Web filtering, and dynamic DNS, the Safe@Office offers complex features at a low cost, but locks customers into the vendor’s services.

Juniper NetScreen-5GT Enhanced

The NetScreen-5GT Enhanced packs a load of good impressions into a tiny box, combining everything you could ask for from an all-in-one security box, including firewall, VPN, intrusion detection, and AV. The NetScreen-5GT Enhanced sports an attractive $495 price tag for 10 VPN clients.

The NetScreen-5GT presents a logical home screen on its Web interface. It doesn’t require you to dig any deeper if you’re just looking for a general status of firewall health, which is handy in an emergency — and this box can react to emergencies. The NetScreen goes beyond the basic functionality of similar boxes with specific defenses for a host of popular attacks, including WinNuke, ICMP/UDP and SYN floods, malware based on Java or ActiveX, and much more.

Displaying responses to specific attacks in a menu-like fashion, this box allows you to configure its defenses to simply sound an alarm or to start dropping malicious packets. Configured in the latter manner, it stopped everything we threw at it, allowing us to go above and beyond our normal attack suite.

We were similarly impressed with its AV capabilities. As does Check Point’s Safe@Office, the NetScreen handles AV via a subscription-based service for which Juniper partnered with Trend Micro. The device differentiates AV settings between Webmail and POP3/SMTP mail services, so we were surprised to see no AV features supported for IMAP users.