Friday | 21 November, 2008
ARN

WatchGuard has a big firewall for SMBs

Logan Harbaugh (InfoWorld) 03 May, 2005 09:31:36

Geared to the SMB market, WatchGuard Technologies' Firebox X series offers a feature set comparable to more expensive firewalls -- along with some of the accompanying setup and administration complexities of enterprise firewalls.

In addition to extra-strength network protection -- including application layer security, intrusion detection, and intrusion prevention -- the Firebox provides central management of remote office and remote user VPNs, spam blocking, URL filtering, and the ability to add as many as three extra 10/100 ports for additional throughput and/or high availability with only a software license upgrade.

The only significant difference between the 1000 and 2500 models is the number of users supported -- as many as 500 for the X1000 and more than 500 for the X2500. The hardware is the same, the optional features are the same -- only the system's capacity changes. You boost a 1000 to a 2500 via a software upgrade.

Feature roulette

The Firebox X line is designed with enterprise-class features. Aliases allow you to define all traffic that meets specific criteria, such as all traffic on a particular Ethernet port or on a specific TCP/IP port number. Groups make it easy to apply security policies to a broad range of users, and the management console manages multiple units on the local network or at remote sites.

The firewall supports remote logging on a log server, which consolidates logs from multiple Fireboxes. Authentication is provided by the Firebox via a Windows NT domain or a RADIUS server -- a good range of options.

I tested the X2500 by using it to replace my usual firewall, then running a firewall test application from the outside. I added several of the optional upgrades: the three-port upgrade, the VPN upgrade, and the spam filtering upgrade.

Strong security is enabled by default, so you must create exceptions for any service you want to allow through, including HTTP, FTP, and SMTP. This provides the highest possible level of security but may prove confusing for less-experienced administrators. A wizard to walk the user through the steps necessary to enable a VPN connection, for instance, would be welcome.
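The default-deny posture described above, together with the alias mechanism from the "Feature roulette" section and the blocked-sites list mentioned later in the review, can be illustrated with a small policy evaluator. This is an added example and not WatchGuard's code or configuration syntax: the alias criteria keys, the rule layout and the sample addresses are all constructed for the illustration. It shows why an administrator must create an explicit exception for each service (HTTP and SMTP here) and why anything without one, such as FTP, is dropped by the default verdict.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "external", "trusted" or "optional"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Aliases name a set of match criteria, e.g. "all traffic on the external
# interface" or "all traffic to TCP port 25". The criteria keys used here are
# an assumption for this example, not the Firebox's own configuration syntax.
ALIASES = {
    "external":    {"iface": "external"},
    "trusted":     {"iface": "trusted"},
    "http":        {"proto": "tcp", "dport": 80},
    "smtp":        {"proto": "tcp", "dport": 25},
    "ftp":         {"proto": "tcp", "dport": 21},
    "mail_server": {"dst_net": "10.0.0.25/32"},   # constructed address
}

# Blocked-sites list: source ranges dropped before any rule is consulted
# (constructed range for the example).
BLOCKED_SITES = [ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Rule:
    name: str
    aliases: tuple   # every listed alias must match for the rule to fire
    action: str      # "allow" or "deny"


def matches_alias(pkt, criteria):
    """True when the packet satisfies every criterion of one alias."""
    for key, want in criteria.items():
        if key == "dst_net":
            if ip_address(pkt.dst) not in ip_network(want):
                return False
        elif key == "src_net":
            if ip_address(pkt.src) not in ip_network(want):
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


def evaluate(pkt, rules, default="deny"):
    """First-match evaluation. Blocked sites are rejected first; anything no
    rule explicitly allows falls through to the default verdict (deny)."""
    if any(ip_address(pkt.src) in net for net in BLOCKED_SITES):
        return ("deny", "blocked-sites")
    for rule in rules:
        if all(matches_alias(pkt, ALIASES[a]) for a in rule.aliases):
            return (rule.action, rule.name)
    return (default, "default")


# Constructed policy: only web traffic and mail to the mail server are allowed
# in from the Internet. FTP has no exception, so the default verdict drops it.
INBOUND_RULES = (
    Rule("inbound-http", ("external", "http"), "allow"),
    Rule("inbound-smtp", ("external", "smtp", "mail_server"), "allow"),
)

# Constructed sample packets, all arriving on the external interface.
SAMPLES = [
    Packet("external", "203.0.113.7", "10.0.0.80", "tcp", 80),   # web: allowed
    Packet("external", "203.0.113.7", "10.0.0.25", "tcp", 25),   # mail to mail server: allowed
    Packet("external", "203.0.113.7", "10.0.0.80", "tcp", 25),   # mail to wrong host: denied
    Packet("external", "203.0.113.7", "10.0.0.80", "tcp", 21),   # FTP, no exception: denied
    Packet("external", "198.51.100.9", "10.0.0.80", "tcp", 80),  # blocked source: denied
]


def demo():
    """Verdict and matching rule name for each sample packet."""
    return [evaluate(p, INBOUND_RULES) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLES, demo()):
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict:5}  ({why})")
```

The order of checks mirrors the setup sequence the review complains about: a host on the blocked-sites list never reaches the rule table, so a VPN user's range has to be removed from that list before any allow rule for it can take effect.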

The management application is another high-security part of the system. There's no HTTP interface -- the specific management app must be installed on a workstation on the trusted network. (The Firebox has an external interface, a trusted interface, and an optional interface, each on a separate subnet.)

The management application installs on a Windows workstation, but VPN users must download the upgraded version from the WatchGuard Web site. The version distributed with the system has VPN features disabled due to federal export restrictions on encryption technologies. Some manufacturers address this issue by having separate SKUs for domestic and foreign shipments, which is easier for end-users.

Another annoyance: It's often necessary to make changes in several places in the interface to enable one service. For example, I had to create a VPN user, create a default packet-handling filter for the VPN user's IP address and for the PPTP (Point-to-Point Tunneling Protocol) group, remove the VPN user's IP address range from the blocked-sites list, save the configuration, and, finally, install VPN software on the client. This is a two- to three-step process with many other firewalls.

The X2500 does have a nice configuration wizard that will step you through the initial configuration. When that's done, however, the rest of the process is somewhat complex. Separate keys must be entered for a number of features, including branch office and remote user VPN services, Web site filtering, high availability, spam filtering, anti-virus, and to enable the other three ports.

The administration application has two modes, a read/write mode and a read-only mode. My first inclination was to start the console in read/write mode; yet when I attempted to start the Policy Manager application to make a change, the application said the single read/write connection was already in use. I had to exit the administration application, restart it, and then launch the policy manager and enter the read/write password before I could make the changes I needed to make. It's a high-security feature that makes working with the app harder than might be necessary.

Weighing complexity

After you get used to the different passwords and separate applications, the management application and policy manager provide a lot of functionality, including real-time monitoring of logs, traffic, intrusions, and hosts connected to the Firebox.

After all the initial configuration complexity, creating site-to-site VPNs was very easy, as was creating policies for client VPN connections. Application layer security provides proxy servers for HTTP, SMTP, and FTP that intercept improper commands and violations of the protocols used by some hackers to gain access to servers.

WatchGuard also offers LiveSecurity Informer, an e-mail and RSS service that provides security information intended for SMB administrators who must receive important security notices without being inundated by a massive flow of software-patch notices. It's a nice way to get useful information, and something not many vendors are doing. LiveSecurity Informer is also available separately as a subscription-based product for users of other firewalls.

The Firebox X offers a lot of functionality, with enterprise-class features such as centralized administration of remote offices, a capable policy engine with groups, and a built-in authentication server. On the downside, the increased setup and administration complexity is also comparable with an enterprise-class product; don't expect to find the streamlined, wizard-driven setups of typical SMB-oriented products in Firebox X2500.

The recommended retail pricing for the WatchGuard Firebox X 2500 is $7,132 excluding GST. Australian distributors include Firewall Systems, LAN Systems and WhiteGold Solutions.
