Security appliances wrestle with blanket coverage

To someone responsible for the network security of an SMB (small to midsize business), a one-box solution that handles every enterprise security function is a hot commodity. Naturally, the all-in-one security appliance aims to provide the required level of effectiveness without the complexity and expense of layered security products and dedicated staff. And that’s a hugely attractive prospect in today’s Wild Wild Web, where worm infections, Trojan horse invasions, and exploits of security holes are constant threats.

To assess their success, we arrayed six all-in-one security appliances in our Advanced Network Computing Laboratory testing facility at the University of Hawaii. All six of the products reviewed here go by the moniker “appliance,” but consider yourself warned: These are not foolproof, plug-and-play devices.

We invited eight firewall manufacturers to send their newest appliance offerings. Going to the mat were six brave contenders: the Check Point Safe@Office 225, the Juniper Netscreen-5GT Enhanced, the NetGear VPN Firewall FVS328, the ServGate EdgeForce Plus, the SonicWall Pro 2040, and the WatchGuard Firebox X1000. As for the two invitees who sat out the contest, Symantec couldn’t produce a production-level unit in time, and iPolicy’s product didn’t qualify as an appliance.

Our tests taught us that vendors not only have different definitions of all-encompassing security, but they also have widely varying ideas about what constitutes an appliance.

Check Point Safe@Office 225

Descending from a long line of big-iron security products with high prices and complex OSes, Check Point’s appliance turned out to be plagued only by an awkward name. The Safe@Office is an excellent contender for the SOHO firewall space.

The fact that it was the easiest of the six to configure is even more impressive when you find out that its guts are based on Check Point’s industrial-strength, best-selling Firewall 1 platform. The power of Firewall 1 is in the Safe@Office, but not the complexity, thanks to a highly intuitive front-end interface. The Services tab allows easy administration of the Safe@Office, providing a one-stop shop to configure almost every device feature, including dynamic DNS, dynamic VPN, and e-mail AV. Each is handled via an Internet connection to Check Point’s corporate servers for automatic updates and configuration help.

Although the device probably has enough muscle to protect a larger business, Safe@Office truly is a SOHO product. Check Point limits the unit to 10 simultaneous firewall connections. It’s also limited to 10 simultaneous VPN connections; however, these can be of any combination, including client-to-LAN or LAN-to-LAN. But in small, SOHO environments, the Safe@Office makes managing network security an easy and accessible task.

Typical of Check Point, the engine behind these few connections is surprisingly robust. Client VPN connections can be IPSec — a free download from Check Point — or PPTP (Point to Point Tunneling Protocol) to support the Microsoft VPN client. Additionally, clients can be authenticated against an internal database or a back-end Radius server. And the box allows for static routes, meaning you can have additional subnets behind the firewall also doing routing.

The Safe@Office proved to be a very effective firewall in our tests. The box thwarted our simulated attack sequence and rebuffed all attempts to sneak pings from the WAN to either the DMZ (demilitarized zone) or LAN.