Category: Unified Threat Management
Product: Firebox X 1250e
Vendor: WatchGuard Technologies
Price: Ranges from $2,290 (plus $4,420 for the UTM bundle for
the Firebox X550e) to $3,790 (plus $7,400 for the UTM bundle for
the 1250e)
WatchGuard's unified threat management (UTM) appliances are a
one-stop shop for border security needs, especially for a small- to
medium-sized business.
We evaluated the Firebox X 1250e, which features eight 10/100
interfaces, stateful packet inspection, application proxies,
remote-user and site-to-site VPN, and optional modules for gateway
antivirus, antispyware and antispam protection, plus URL
filtering.
Configuration/Management: A
Setup is straightforward. We followed the included quick-start guide to
get the device working in less than an hour.
The management interface is one of the best we've seen. The
rules setup is logical and does not require knowing any cryptic
languages. The proxies and other features are well integrated, and
can be configured and enabled/disabled easily for each rule.
Effectiveness: B+
The firewall immediately stood out on its own, thanks to the ease
of setting up rules. Rules are granular, and you don't have to
worry about putting them in the correct order--Firebox takes care
of that for you.
Application proxies for HTTP, FTP, SMTP and DNS, and a generic
TCP proxy allow the firewall to inspect traffic and deny or allow
the request based on your policy. For example, we set up a rule in
the FTP proxy to deny "get" requests. The rule worked as intended
and wouldn't allow any file downloads. The controls are granular;
you can, for example, block the download of certain extensions, and
block or allow HTTP requests or content types in the HTTP
proxy.
Firebox's IPS capabilities are strong. By default, it will block
anyone trying to port-scan or send suspicious packets through the
device; our port scans got us quickly blacklisted. We set up a Web
site behind the Firebox and attacked it using Metasploit, but all
our attacks were stopped.
The antivirus module is based on open-source ClamAV, which we've
found to be a competent antivirus. One issue here is that you can
only use the antivirus through the HTTP and SMTP proxies, so, for
instance, there is no way to scan files going through the FTP
proxy.
The VPN uses IPSec and PPTP, supporting remote user and branch
connections. Back-end authentication can be implemented through
Firebox itself, RADIUS, Active Directory, LDAP or RSA Security's
SecurID.
The VPN client only works with Windows--a restriction for some
shops, which can use the less secure PPTP option.
The antispam filtering, provided by Commtouch, picked up spam
that even our tuned SpamAssassin filter missed.
While Firebox's URL filtering module features many categories
and blacklisted sites, it was possible to get around some by using
the IP address.
Reporting: B+
Reporting capabilities are good, but you can only export the
results in HTML and NetIQ formats (the reports are derived from
XML data, though, so importing them elsewhere is not out of the
question).
However, the reporting gives you an excellent breakdown of
device statistics, traffic stats, and IPS alerts, and a report of
hits on any rules you have in place (such as users trying to visit
blocked Web sites).
There are also extensive real-time monitoring capabilities
including traffic and bandwidth monitors, device statistics (memory
usage, processes running) and a list of authenticated users.
Verdict
Despite some minor flaws, the Firebox X series is an excellent UTM
deal, with its low entry price, terrific firewall and routing
capabilities, and top-notch filtering services.
Testing methodology
We tested the Firebox X 1250e protecting two internal networks and
a DMZ that included a Web server, FTP server, SMTP and POP
server.
This product review originally appeared in the January 2007
edition of Information Security magazine.