REVIEW: Watchguard's Firebox X Edge

Ian Yates tests Watchguard's Firebox X Edge and doesn't want to send it back!

You wouldn’t setup any Internet connection these days without some basic security, but you mostly get that for no charge from your ISP. These days all but the most basic access plans include a modem-router with built-in firewall, which might not keep out the harshest hackers but will certainly stop most of the newbies and script kiddies from having their way with your office PCs. This level of firewall is akin to the locks on your front door – neither will stop serious criminals but they’ll stop nosy-parkers just wandering in off the street.

When you want something more serious in the security department you used to call in the experts, or roll-your-own out of several black boxes running Linux. You could also do it using Windows servers but most people preferred to let their ordinary servers do nothing but serving and leave security to a separate box of tricks. Around ten years ago, an outfit called WatchGuard appeared on the scene, flogging a pre-configured firewall in a bright red PC case, called appropriately, Firebox. The security experts laughed and said “call that a firewall?” but users liked the price and the easy setup.

Ten years later, the ubiquitous red box is still going strong, but these days it’s shrunk to the size of the latest retail software boxes from Adobe and the like, and it has even more Ethernet ports than the original, as well as a pair of antennae sticking out like a Martian’s ears and it’s name has changed to Firebox X Edge. What has also changed is the attitude of the security boffins, who now recognise this class of device as “unified threat management” and both recommend and install them for their clients. What hasn’t changed is the ease of setup – to get it going requires no more than answering a few questions in your web browser, which also means it works just fine in a non-Windows environment.

Answering the setup wizard’s questions leaves you with an internal network known as “trusted” and an external network known as … “external” … which is the big bad Internet. In default mode absolutely nothing is allowed to enter your trusted network from the Internet unless it was specifically asked for by one of your PCs – such as a web page or collecting e-mail. Your old router-with-firewall supplied by your ISP could probably do that anyway, but when you do need to open up some ports so that your local web server or email server can operate, the Firebox does things a bit differently.

In between the LAN and WAN Ethernet ports on the back panel, sits another port marked “OPT” for “optional”. This is an entirely separate network from your internal trusted network and it’s where you connect any servers, which need to have some visibility to people looking in from the Internet side of the firewall. You would also typically connect your VoIP hardware to this port. The “optional” network is also visible to your “trusted” network but not vice-versa unless you make explicit changes to override the defaults. Of course the Firewall settings page also has a multitude of preconfigured packet filter policies so you can, if required, tell the Firebox where to direct specific requests, from and to and between any of the networks. This is best left to those who really understand security.

Those antennae on the sides support WiFi, but not your ordinary everyday WiFi. The Firebox has three WiFi networks, just like it has three Ethernet networks. There’s WiFi for the “trusted” network, which is for your users’ notebooks and smartphones and the like. Then there’s WiFi for the “optional” network, where you’d probably let the developers connect their notebooks when they visit to do maintenance on your web server. And finally there’s WiFi Guest access, which lets casual users connect directly to your Internet gateway but with no access to your trusted or optional networks. That is, visitors can browse the Internet and check their email in your foyer but can’t connect to your office PCs or servers. You can also tick a box to stop people transferring data between their individual notebooks via WiFi. Sneaky.

The Firebox X Edge is also a control-freak’s dream come true, when you choose the optional “WebBlocker” feature. This feature is built-in but activated with your licence after you send WatchGuard some more money. Once activated you can force users to browse the Internet via profiles that you setup by clicking on the categories to which you want to restrict access. The major categories are the obvious “adult”, “crime”, “entertainment”, “shopping”, and so on, but they each have sub-categories, so you could for example, restrict access to “adult” content but allow access to “sex education”.

Another two optional features activated by the exchange of funds with WatchGuard are “spamBlocker”, which uses the Recurrent-Pattern Detection (RPD) solution created by Commtouch to detect spam attacks, and Gateway AntiVirus and Intrusion Provention Service, which operates with the SMTP, POP3, HTTP, FTP, and TCP-UDP proxies to look for viruses, worms and Trojans. These services are optional because you may have similar services already installed on your network or provided by your ISP, so you’re not forced to duplicate. Of course, if you’re a fan of the belts and braces approach to security, you can activate these options regardless of what you might already have protecting your network.

Last but not least on the extensive list of features is support for Virtual Private Networks (VPN) between branch offices and also to allow secure connection from road warriors, which can be implemented via IPSec, PPTP or redirected to an SSL server. If you want to connect branch offices you’ll need a Firebox at each end of the link, but once connected, you can manage the remote Firebox from the head office via the VPN tunnel. Oh, almost forgot – the Firebox has two WAN ports. You can connect to two separate ISPs and either balance the load between them, or have one sit idle and only go live if the primary link fails. You could have the second link via a wireless provider, which is usually more expensive than ADSL, but perhaps a price you’d be prepared to pay if an enthusiastic council worker chops your landline.

The price of the Firebox X Edge varies depending on how many users you want to support. Budget around $1500 for the 50-user version. The same hardware can start out for less than half that price supporting only 15 users and then be upgraded by simply paying for additional users up to the maximum of 50. WatchGuard also offers two other hardware packages, Firebox X Core and Firebox X Peak, which support 100-300 users all the way through to 300-3000+ users. There’s a lot to like about the Firebox X Edge, with the main problem being the requirement to disconnect the little red sentinel from the network and hope that the very basic ISP-provided modem-router-firewall protection is sufficient when this review is done. That’d be around about now, actually. Darn.

Read more on Network security strategy