WatchGuard's UTM product under the spotlight

Despite minor flaws, the Firebox X series is an excellent UTM deal

Category: Unified Threat Management
Product: Firebox X 1250e
Vendor: WatchGuard Technologies
Price: $2,290 for the Firebox X550e (plus $4,420 for its UTM bundle) up to $3,790 for the Firebox X1250e (plus $7,400 for its UTM bundle)

WatchGuard's unified threat management (UTM) appliances are a one-stop shop for border security needs, especially for a small- to medium-sized business.

We evaluated the Firebox X1250e, which features eight 10/100 interfaces, stateful packet inspection, application proxies, remote-user and site-to-site VPN, and optional modules for gateway antivirus, antispyware and antispam protection, plus URL filtering.

Configuration/Management: A
Configuration is straightforward. We followed the included quick-start guide to get the device working in less than an hour.

The management interface is one of the best we've seen. The rules setup is logical and does not require knowing any cryptic languages. The proxies and other features are well integrated, and can be configured and enabled/disabled easily for each rule.

Effectiveness: B+
The firewall immediately stood out on its own, thanks to the ease of setting up rules. Rules are granular, and you don't have to worry about putting them in the correct order--Firebox takes care of that for you.

Application proxies for HTTP, FTP, SMTP and DNS, and a generic TCP proxy allow the firewall to inspect traffic and deny or allow the request based on your policy. For example, we set up a rule in the FTP proxy to deny "get" requests. The rule worked as intended and wouldn't allow any file downloads. The controls are granular; you can, for example, block the download of certain extensions, and block or allow HTTP requests or content types in the HTTP proxy.
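To make that granularity concrete, here is a small policy evaluator of the kind the proxies implement. It is an added example written for this page, not WatchGuard's rule syntax or code; the blocked extensions, content types and sample traffic are constructed. Note that an FTP client's "get" is sent as RETR on the control channel, so a download-denying rule has to match the wire command, and an extension check has to normalize the path before looking at it.

```python
"""Added example: a proxy-policy evaluator modelled on the granular proxy
controls described above. Not WatchGuard code or configuration syntax; the
rule sets and sample traffic below are constructed for illustration."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed policy (assumption: what an administrator would want to deny).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".vbs"}
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec"}
# An FTP client's "get" is sent as RETR on the control channel, so a proxy
# rule that denies downloads has to match the command, not the client verb.
DENIED_FTP_COMMANDS = {"RETR"}


def ftp_command_allowed(line: str) -> bool:
    """Return False for control-channel commands the policy denies."""
    verb = line.strip().split(" ", 1)[0].upper()
    return verb not in DENIED_FTP_COMMANDS


def _extension(name: str) -> str:
    """Extension of a path or filename after the normalizations an extension
    filter needs: percent-encoding, '.'/'..' segments, a trailing dot and
    case differences would otherwise slip past a plain string comparison."""
    name = posixpath.normpath(unquote(name)).rstrip(".")
    return posixpath.splitext(name)[1].lower()


def http_request_allowed(url: str) -> bool:
    """Block by extension of the request path; query string and fragment are
    dropped first so 'setup.exe?ref=1' is still recognised as .exe."""
    return _extension(urlsplit(url).path) not in BLOCKED_EXTENSIONS


def http_response_allowed(headers: dict) -> bool:
    """Block by media type (parameters such as charset ignored, case folded)
    and by a download filename in Content-Disposition, which can name an
    executable even when the path and media type look harmless."""
    lower = {k.lower(): v for k, v in headers.items()}
    media = lower.get("content-type", "").split(";", 1)[0].strip().lower()
    if media in BLOCKED_CONTENT_TYPES:
        return False
    m = re.search(r'filename\*?=\s*"?([^";]+)',
                  lower.get("content-disposition", ""), re.I)
    if m and _extension(m.group(1).strip()) in BLOCKED_EXTENSIONS:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample traffic, not captured from the appliance.
    for cmd in ("LIST", "RETR quarterly.zip", "retr setup.exe"):
        print(f"FTP {cmd!r}: {'allow' if ftp_command_allowed(cmd) else 'deny'}")
    for url in ("http://example.test/files/report.pdf",
                "http://example.test/dl/setup.exe?ref=1",
                "http://example.test/dl/setup%2EEXE."):
        print(f"HTTP GET {url}: {'allow' if http_request_allowed(url) else 'deny'}")
    resp = {"Content-Type": "application/octet-stream",
            "Content-Disposition": 'attachment; filename="tool.exe"'}
    print("HTTP response:", "allow" if http_response_allowed(resp) else "deny")
```

The response-side check matters because a request-side extension rule alone is blind to a download served from an innocuous path (/download?id=42) whose Content-Type or Content-Disposition reveals an executable.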

Firebox's IPS capabilities are strong. By default, it will block anyone trying to port-scan or send suspicious packets through the device; our port scans got us quickly blacklisted. We set up a Web site behind the Firebox and attacked it using Metasploit, but all our attacks were stopped.

The antivirus module is based on open-source ClamAV, which we've found to be a competent scanner. One limitation is that it is available only through the HTTP and SMTP proxies, so, for instance, there is no way to scan files passing through the FTP proxy.

The VPN supports IPsec and PPTP for both remote-user and branch-office connections. Back-end authentication can be handled by the Firebox itself, RADIUS, Active Directory, LDAP or RSA Security's SecurID.

The IPsec VPN client runs only on Windows--a restriction for some shops, which are left with the less secure PPTP option.

The antispam filtering, provided by Commtouch, picked up spam that even our tuned SpamAssassin filter missed.

Firebox's URL filtering module covers many categories and blacklisted sites, but we were able to reach some blocked sites by requesting them by IP address instead of by hostname.
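The bypass is worth showing in code. Below is an added example written for this page, not WatchGuard's filtering engine: a naive hostname-keyed filter that lets a request by IP address through, beside a hardened check that maps IP literals (including the hexadecimal and decimal single-number forms browsers accept) back to the blocked names and also catches an alias that resolves to a blocked address. The category list, hostnames and addresses are constructed, and a dictionary stands in for DNS so the example runs offline.

```python
"""Added example: why a hostname-keyed URL filter can be bypassed with an IP
address, and a check that closes the gap. Not WatchGuard's engine; the block
list, names and addresses are constructed, and a dictionary stands in for DNS."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed category list keyed by hostname (what the naive filter uses).
BLOCKED_HOSTS = {"gambling.example": "gambling", "warez.example": "piracy"}

# Constructed stand-in for DNS resolution: hostname -> addresses.
FAKE_DNS = {
    "gambling.example": ["203.0.113.10"],
    "warez.example": ["198.51.100.7", "198.51.100.8"],
    "mirror.example": ["198.51.100.7"],   # alias pointing at a blocked host
    "intranet.example": ["10.0.0.5"],
}


def _host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def naive_verdict(url: str):
    """Hostname lookup only: returns the blocked category or None.
    A request addressed to the site's IP never matches."""
    return BLOCKED_HOSTS.get(_host_of(url))


def _parse_ip_literal(host: str):
    """Accept dotted/colon forms plus the hex and decimal single-number forms
    browsers turn into IPv4 addresses (0xcb00710a, 3405803786)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        if re.fullmatch(r"0x[0-9a-f]+", host):
            return ipaddress.IPv4Address(int(host, 16))
        if re.fullmatch(r"[0-9]+", host):
            return ipaddress.IPv4Address(int(host))
    except ValueError:
        pass
    return None


def build_ip_index(blocked=BLOCKED_HOSTS, resolver=FAKE_DNS):
    """Resolve every blocked name so its addresses carry the same category."""
    index = {}
    for host, category in blocked.items():
        for addr in resolver.get(host, []):
            index[ipaddress.ip_address(addr)] = category
    return index


def hardened_verdict(url: str, resolver=FAKE_DNS, ip_index=None):
    """Hostname lookup, then: an IP-literal host is checked against the
    addresses of blocked names, and a non-literal host's own addresses are
    checked too, so an alias of a blocked site is caught as well."""
    host = _host_of(url)
    if host in BLOCKED_HOSTS:
        return BLOCKED_HOSTS[host]
    if ip_index is None:
        ip_index = build_ip_index(BLOCKED_HOSTS, resolver)
    literal = _parse_ip_literal(host)
    if literal is not None:
        return ip_index.get(literal)
    for addr in resolver.get(host, []):
        category = ip_index.get(ipaddress.ip_address(addr))
        if category:
            return category
    return None


if __name__ == "__main__":
    for url in ("http://gambling.example/", "http://203.0.113.10/",
                "http://0xcb00710a/", "http://mirror.example/"):
        print(f"{url:28} naive={naive_verdict(url)!s:9} hardened={hardened_verdict(url)}")
```

Two caveats a practitioner would add: the address index is only as fresh as the last resolution of the blocked names, so it has to be rebuilt on a schedule, and many shops side-step the whole problem by denying any IP-literal destination in the HTTP proxy unless it is explicitly allowlisted.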

Reporting: B+
Reporting capabilities are good, though results can be exported only as HTML or in NetIQ format (the reports are derived from XML data, so importing them into another tool is not out of the question).

However, the reporting gives you an excellent breakdown of device statistics, traffic statistics and IPS alerts, plus a report of hits on any rule you have in place (such as users trying to visit blocked Web sites).

There are also extensive real-time monitoring capabilities including traffic and bandwidth monitors, device statistics (memory usage, processes running) and a list of authenticated users.

Despite some minor flaws, the Firebox X series is an excellent UTM deal, with its low entry price, terrific firewall and routing capabilities, and top-notch filtering services.

Testing methodology
We tested the Firebox X 1250e protecting two internal networks and a DMZ containing a Web server, an FTP server, and an SMTP and POP server.

This product review originally appeared in the January 2007 edition of Information Security magazine.
