WatchGuard delivers a big firewall for small businesses
WatchGuard Firebox X2500 packs enterprise-level features, but be ready for complex administration
Geared to the SMB market, WatchGuard’s Firebox X series offers a feature set comparable to more expensive firewalls -- along with some of the accompanying setup and administration complexities of enterprise firewalls.
In addition to extra-strength network protection -- including application layer security, intrusion detection, and intrusion prevention -- the Firebox provides central management of remote office and remote user VPNs, spam blocking, URL filtering, and the ability to add as many as three extra 10/100 ports for additional throughput and/or high availability with only a software license upgrade.
The only significant difference between the 1000 and 2500 models is the number of users supported -- as many as 500 for the X1000 and more than 500 for the X2500. The hardware is the same, the optional features are the same -- only the system’s capacity changes. You boost a 1000 to a 2500 via a software upgrade.
The Firebox X line is designed with enterprise-class features. Aliases allow you to define all traffic that meets specific criteria, such as all traffic on a particular Ethernet port or on a specific TCP/IP port number. Groups make it easy to apply security policies to a broad range of users, and the management console manages multiple units on the local network or at remote sites.
The firewall supports remote logging on a log server, which consolidates logs from multiple Fireboxes. Authentication is provided by the Firebox via a Windows NT domain or a RADIUS server -- a good range of options.
I tested the X2500 by using it to replace my usual firewall, then running a firewall test application from the outside. I added several of the optional upgrades: the three-port upgrade, the VPN upgrade, and the spam filtering upgrade.
Strong security is enabled by default, so you must create an explicit exception for every service you want to allow through, including HTTP, FTP, and SMTP. This default-deny stance provides the highest possible level of security but may prove confusing for less-experienced administrators. A wizard to walk the user through the steps necessary to enable a VPN connection, for instance, would be welcome.
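The alias-plus-policy model described above (aliases for traffic that matches an interface or port, rules that combine them, a blocked-sites list, and a default deny for anything not explicitly allowed) can be modelled in a few lines. The following Python is an added illustration written for this article, not WatchGuard's own code or configuration format; the alias names, addresses, and the two-rule policy are constructed for the example. The `exposed_ports` helper plays the role of the outside-in port probe mentioned in the test setup: it walks the policy with probe packets from the external interface and reports which TCP ports the policy would let through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "external", "trusted" or "optional"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

# An alias names all traffic meeting one criterion (hypothetical names, constructed here).
ALIASES: Dict[str, Callable[[Packet], bool]] = {
    "from_external": lambda p: p.iface == "external",
    "http": lambda p: p.proto == "tcp" and p.dport == 80,
    "smtp": lambda p: p.proto == "tcp" and p.dport == 25,
    "ftp_control": lambda p: p.proto == "tcp" and p.dport == 21,
}

@dataclass(frozen=True)
class Rule:
    name: str
    match: Tuple[str, ...]   # every listed alias must match for the rule to apply
    action: str              # "allow" or "deny"

# Constructed sample policy: only web and mail are allowed in from the outside.
# Note that "ftp_control" exists as an alias but no rule allows it, so FTP stays closed.
POLICY: List[Rule] = [
    Rule("allow-web", ("from_external", "http"), "allow"),
    Rule("allow-mail", ("from_external", "smtp"), "allow"),
]

# Constructed blocked-sites list; checked before any rule, as a blocked-sites list would be.
BLOCKED_SITES = ("198.51.100.0/24",)

def evaluate(packet: Packet,
             policy: List[Rule] = POLICY,
             aliases: Dict[str, Callable[[Packet], bool]] = ALIASES,
             blocked=BLOCKED_SITES) -> Tuple[str, str]:
    """Return (action, reason). Anything not matched by an allow rule is denied."""
    src = ipaddress.ip_address(packet.src)
    for net in blocked:
        if src in ipaddress.ip_network(net):
            return ("deny", "blocked-site")
    for rule in policy:
        if all(aliases[name](packet) for name in rule.match):
            return (rule.action, rule.name)
    return ("deny", "default")   # default-deny: no rule matched

def exposed_ports(policy: List[Rule] = POLICY,
                  aliases: Dict[str, Callable[[Packet], bool]] = ALIASES,
                  ports=range(1, 1025)) -> List[int]:
    """Simulate an outside-in TCP probe and list the ports the policy would allow."""
    probe_src, probe_dst = "203.0.113.5", "192.0.2.10"   # constructed documentation addresses
    return [port for port in ports
            if evaluate(Packet("external", probe_src, probe_dst, "tcp", port),
                        policy, aliases)[0] == "allow"]

if __name__ == "__main__":
    print("open from outside:", exposed_ports())          # [25, 80]
    print(evaluate(Packet("external", "198.51.100.7", "192.0.2.10", "tcp", 80)))
    print(evaluate(Packet("external", "203.0.113.5", "192.0.2.10", "tcp", 21)))
```

The point the probe makes is the one the review makes: with a default-deny policy, forgetting to add a rule leaves a service closed rather than open, which is the safe failure mode, but it also means every service (FTP here) has to be deliberately opened, and a blocked-sites entry silently overrides an allow rule.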
The management application is another high-security part of the system. There’s no HTTP interface -- the specific management app must be installed on a workstation on the trusted network. (The Firebox has an external interface, a trusted interface, and an optional interface, each on a separate subnet.)
The management application installs on a Windows workstation, but VPN users must download the upgraded version from the WatchGuard Web site. The version distributed with the system has VPN features disabled because of federal export restrictions on encryption technologies. Some manufacturers address this issue by having separate SKUs for domestic and foreign shipments, which is easier for end users.
Another annoyance: it's often necessary to make changes in several places in the interface to enable one service. For example, to bring up a single VPN client I had to create a VPN user, create a default packet-handling filter for the VPN user's IP address and for the PPTP (Point-to-Point Tunneling Protocol) group, remove the VPN user's IP address range from the blocked-sites list, save the configuration, and, finally, install VPN software on the client. This is a two- to three-step process with many other firewalls.