Clavister Security Gateway SG57 review

Swedish company Clavister may not have a huge presence in the UK market, but it aims to stand out as its CorePlus OS offers a complete set of UTM functions yet is designed to run in the smallest amount of memory.

The SG57 targets remote or branch office deployment plus SMBs, and combines an SPI firewall, IPsec VPNs, IPS, antivirus, anti-spam, web-content filtering and WAN failover. Kaspersky looks after virus scanning, IPS is handled by Endeavor and web filtering comes courtesy of ContentKeeper.

Installation starts with a serial port link to the CLI where you assign an IP address to the management port and then move over to browser access. This kicks off with a basic wizard, which helps set up the LAN and WAN ports, and a DHCP server for the former if required.

It gets a lot tougher as the appliance defaults to blocking all internet access so you need to create rules to control this. We'd recommend getting objects sorted first as they define all network elements from IP addresses and subnets to services, schedules, VPNs and ALGs (application layer gateways).

You use rules to combine actions with services and schedules plus source and destination interfaces. We created a simple rule that enforced NAT between the LAN and WAN ports to allow firewalled internet access to our LAN clients.

The SG57 also offers a transparent mode that is more versatile than most as it can be applied between selected interfaces rather than across the entire appliance. But it's difficult to set up.

Web-content filtering doesn't get any easier as we needed to create an HTTP ALG object, select from 31 URL categories and create a service object for HTTP. We then assigned the ALG object to the service and applied this to the required network interface objects using a new HTTP NAT rule.

We found ContentKeeper delivered a reasonable score in our tests. With the games and gambling categories selected we were denied access to 40 of the first 50 online bingo sites visited.

Anti-spam measures are disappointing. You can create an SMTP ALG and apply antivirus scanning to inbound mail, but the appliance supports only DNS RBLs for anti-spam. We were advised by Clavister that this only works with an internal mail server.

IPS is on the menu and you also get ALGs for FTP, POP3, SIP and H.323. Traffic shaping looks a handy feature as this uses QoS policies to assign rules to pipes that determine bandwidth usage for specific services. Clavister's optional InControl suite also provides centralised management along with real-time monitoring of selected appliances and a store for security configuration files.

The SG57 is clearly a versatile security appliance but is best suited to businesses that want to deploy a diverse range of policies for different services and network segments. Smaller businesses with limited IT support will find it difficult to configure and would be better off checking out products such as eSoft's InstaGate or Cyberoam's CR15i as these are far easier to use.

Author: Dave Mitchell