SnapGear packs big firewall into small package
Filtering, tunneling, and more make SME550 shine
As broadband connections become nearly ubiquitous, so too are paperback-sized firewalls. At first glance, SnapGear’s SME550 appears to be another, albeit smaller than most.
This impression is shattered once you get a look at the Web administration interface and the spec sheet. The SME550 offers everything you’ll need to protect a branch office or SMB (small and midsize businesses) from Internet attacks, connect securely to the main office over the Internet, and allow remote users to connect securely.
The SME550’s functionality is far above average, including features such as VPN tunneling for secure remote access and LAN-to-LAN tunneling, URL filtering, DNS proxy, content filtering, traffic shaping, intrusion detection, and more. It’s ideal for remote office applications and has the capacity to support main offices as well, since the SME550 provides 10Mbps of VPN tunneling, 25Mbps of traffic through the firewall, and up to 400 IPSec tunnels, which easily will support enough users and traffic for an office of 25 to 50 users. And here’s the kicker -- you get all this at the very competitive list price of $499.
Competitors in this firewall market segment, such as WatchGuard and SonicWall, typically have a fairly low limit on the number of users their product supports in this price range. The SME550, on the other hand, supports an unlimited number of users with no additional cost for VPN or other capabilities. SnapGear also promises free software upgrades for life, a nice bonus at no additional expense.
Setting up the SME550 is simple. It has two Ethernet ports, one for the internal network and one for the external network, and a serial port connected to a modem that acts as a fail-over backup Internet connection. Once connected to the network, the supplied Windows-based configuration utility will find the SME550 and let you configure the basic TCP/IP information (the manual also details basic configuration from Linux).
From that point, all further configurations can be done through the browser interface or Telnet. Setup and configuration of protocol filtering and intrusion detection is particularly easy, with a wide variety of available, preconfigured attacks.
The SME550 supports a direct connection to an Internet router as well as cable modem and DSL connections, including PPPoE (Point-to-Point Protocol over Ethernet) support. It can also use a dial-up ISP connection via external modem or ISDN through the serial port as a primary rather than backup connection. Setting up a modem or ISDN connection with the SME550 is no more difficult than configuring a standard PC for the same connection.
The fail-over connection is configured by specifying a TCP/IP address to ping on regular intervals. If the SME550 loses touch with that address, it will connect via the modem or ISDN terminal adapter to provide continuous Internet access. When the primary connection becomes available again, the fail-over link falls back to that.
To secure incoming traffic, access to specified services can be restricted to specific IP addresses, adding security measures above and beyond the VPN protocols. The SME550 supports PAP, CHAP, MSCHAPv2, RADIUS and TACACS+ for dial-in user authentication, and PPTP (Point-to-Point Tunneling Protocol) and IPSec for securing VPN traffic, which should allow sufficient flexibility to meet any existing standards and support any client OS. Outgoing traffic can be restricted by blocking particular IP address ranges or services such as mail or HTTP to different groups of users. Traffic can also be blocked by the admin, with restrictions set by content type.