Check Point, SonicWall beef up all-in-one boxes for branch offices
The evolution of the SOBO (Small Office/Branch Office)-oriented, all-in-one box is a continuing process, bent on improving speed and convenience. The latest fish to walk their way out of the SOBO ocean include not only highly sophisticated firewalls, but also advanced LAN-switching software, solid management utilities, and 802.11a/b/g wireless connectivity and management.
Although we found a few dings, a pair of small contenders -- Check Point Safe@Office 425w and the SonicWall TZ170w -- pack a powerful security punch for individual or branch offices.
Check Point Safe@Office 425w
Those seeking all-in-one functionality with a little depth might want to take a close look at Check Point’s bright orange box. The box combines an inspection firewall router with single WAN port, a DMZ port, a console port, a four-port switch, and two USB 2.0 ports to feed the built-in print server. It also tacks on a slew of additional service-based protections and a wireless bridge that’s compatible with all the latest protocols.
Installing the 425w really should include a functioning broadband connection of some kind. With some tweaking, though, you can get it to serve as the central routing point for an air-gapped LAN. Fortunately, Check Point’s obvious attention to detail in 425w’s Web-based management interface makes this tweaking easier.
Although the SonicWall TZ170w has a functional Web interface, the Check Point folks really went all out in their quest for ease of use and intuitiveness in the management GUI. Creating baseline connectivity is less wizard-based than with the SonicWall, but the process is just as easy.
The only downside to the interface might be that the GUI continually wants to steer you toward Check Point’s large number of additional-cost security services to squeeze a little more from your wallet.
As it turns out, to get the full benefits of the 425w, you will have to pony up. Luckily, the services are worth the money and include anti-virus, anti-spam, content filtering, and Dynamic DNS. All of these are available via subscription licensing to Check Point, but you’ll need to maintain your broadband connection in order to access the services.
Dynamic DNS is especially interesting, as it mirrors the functionality of Microsoft’s new NAP (Network Access Protection) technology and Cisco’s competing NAC (Network Access Control). These access control technologies scan clients as they reconnect to the network to ensure that each client is in compliance with an administrator-defined security policy (appropriate anti-virus updates, all necessary OS security patches, etc.)
If the client passes the policy requirements, they’re in; if not, they’re in quarantine until they become compliant. That’s an especially valuable service for SOBOs, as it can cut down on having to hire a consultant to quash virus outbreaks every time a new attack rears its ugly head.
Going Beyond the Norm
Despite the push toward the add-on services, when you start digging into the 425w’s internal features, you’ll be pleasantly surprised by how much enterprise-class functionality it has. For example, the 425w automatically manages a DNS cache, allowing you to reference the unit through “My Firewall” regardless of what DNS Server your ISP is using. You can also provide DHCP on different VLANs (port- or tag-based), which is helpful when implementing things such as VoIP.
You can get into traffic shaping with the 425w, applying rate limiters in the same way you apply firewall rules. And naturally, you’ve got full support for Check Point’s IPSec VPN features, both point-to-point and remote access variations, as well as access to a Dynamic VPN subscription service. The Dynamic VPN service provides roaming from ISP to ISP without having to modify the IPSec VPN rules for each new location.
Even the 425w’s router’s physical capabilities are a bit beyond the norm for the SOBO set. The box’s ability to fail over to a secondary ISP is good, but its ability to do so over either a broadband or modem connection is excellent.
It can build a VLAN trunk, too -- another feature usually found only on enterprise-class firewalls. VLAN trunking allows multiple VLANs to be configured off the WAN port, each with its own virtual port.
The box’s wireless capabilities are very similar to SonicWall’s, with support for AP or bridge configuration (though not both, which is disappointing), compatibility with WPA security, and Super-G throughput. The 425w, however, lacks the WLAN Guest Services feature that SonicWall provides. Strangely, both boxes support only a single SSID (service set identifier) -- something that’s usually a no-no in business-oriented Wi-Fi products.
Another ding is that the Check Point will only talk to legacy APs if these are placed into a DMZ. This function may not be a huge handicap in its intended working space, but it does limit its flexibility.
The Check Point is definitely the higher priced of our two all-in-one wireless security gateways, but we found its intuitive interface, excellent native feature set, and extensive subscription feature set to be worth the big bucks.
SonicWall has taken the effort to make its first SOBO market foray palatable to the branch office environment. Housed in a small two-tone case, the TZ170w bundles five 10/100 switch ports, one WAN port, one console port and two 802.11a/b/g antennas into its physical configuration and still manages to look sleek.
On the software side, the TZ170w packs all the functionality of a deep-inspection firewall, full Internet connection management (including DHCP, NAT, and IPSec VPN capability), and fairly sophisticated wireless connection management.
After passing the setup wizard, administrators are free to enjoy the advanced features of the SonicOS, including policy-based NAT, object-based management, ISP fail-over, and even ISP load balancing through either a second WAN port or an external modem.
The TZ170w’s installation process won’t win any human-computer interface awards, but to make up for it, SonicWall generously sprinkles in setup wizards for all the product’s functions, including gateway (DMZ or LAN servers), firewall, and wireless.
You begin with the familiar Web-based installation utility, including left-pane navigation that allows quick access to specific functions and complete status screens for each function. It’s important to note that those folks running SonicWall’s Global Management System software can count on full compatibility with the TZ170w.
An initial setup wizard configures the firewall and router, including wired DHCP and NAT. Based on the fifth generation of SonicWall’s security software, the firewall can protect against a wide variety of attacks, including zero-day attacks.
Because the firewall is embedded, its protection will work even if your ISP’s feed dies and fellow users on the ISP attack you. That’s handy if your branch office relies on its Web connection to conduct business; it’s also something Check Point doesn’t do.
You can also flesh out your protective services with SonicWall’s online services, including anti-virus, anti-spyware, advanced content filtering, and IDS. These are all add-on services priced by subscription, but the combination makes for an effective defense for the average small office. The online options are less pricey than Check Point’s add-on services, but SonicWall offers fewer services in total.
After the firewall is configured, you may move to the wireless wizard. The TZ170w supports Wi-Fi Protected Access (including Temporal Key Integrity Protocol) but SonicWall adds its own security option by suggesting that full wireless users adopt the company’s Global VPN Client, and even provides a download link and configuration wizard.
The useful WGS (Wireless Guest Services), which manages connections by non-full time users (such as company guests), can be outfitted with an HTML log-in page (captive portal) to ensure authentication.
WGS is based largely on DAT (Dynamic Address Translation); it allows wireless users to authenticate and associate, and obtain IP addressing via DHCP. DAT ensures that if a user has a static IP address incompatible with the TZ170w, that user is prevented from connecting to the network until his settings change to compatible values.
Quibbles and Queries
Even though the TZ170w is aimed at the branch-office market, it (like Check Point) supports only a single SSID, a fact we found puzzling.
SonicWall’s opinion is that its VPN client has the ability to limit access through the firewall on a role basis, so separate SSIDs aren’t necessary. We tend to disagree with that view, as even branch offices occasionally have need for role separation -- meaning they will need more than one SSID.
Another quibble is that the TZ170w can’t act as a bridge and AP simultaneously. Given that the device demonstrated the usual range limitations when confronted with office walls and floors, this dual capability could have proven useful. However, you can optionally configure one of the ports to link up to eight additional APs, providing additional coverage without sacrificing wireless security or services.
Overall, we found the SonicWall TZ170w to be a highly useful machine -- as long as it gets to play the primary routing and wireless role in a branch office network. The device will work with legacy APs, but you lose advanced features such as rogue detection at each AP if you’re not using SonicWall’s own SonicPoint APs.
Although the lack of multiple SSID support is just as disappointing as with Check Point’s 425w, SonicWall’s VPN approach is an interesting solution for forcing all your wireless traffic through the deep inspection firewall engine. It does sport an attractive price, and unless you have some serious need for specialized services, the TZ170w will suit your SOBO just fine.
Overall Score (100%)
|Check Point Safe@Office 425w||8.0||9.0||8.0||7.0||7.0||8.0|
Looking for the missing free copy icon? It's been replaced. There's a new direct link that works like a...
Supreme Court's decision is bad news for developers targeting the U.S. market, who will now have to...
The transition from command line to line-of-command requires a new mind-set -- and a thick skin
Microsoft’s latest OS shows polish, promise, and pain almost everywhere you look
Dealing with telcos and carriers for enterprise circuit installation is still a royal pain. Haven't we...
Did Microsoft go to school on InfoWorld's proposal for an improved version of Windows 8 as it developed...
With licensing restrictions that favor individual users and open source developers, the free-to-use...