SonicWALL NSA 240 review

SonicWALL's latest network security appliance (NSA) aims to offer enterprise level features at a price SMBs can afford. The NSA 240 looks to deliver on its promises, as this little box of tricks combines an SPI firewall with SonicWALL's deep packet inspection (DPI) technology and spices it up with IDP, IPsec VPNs, gateway anti-virus and web content filtering.

Anti-spam isn't on the menu as SonicWALL wants you to use its dedicated email security appliance, the ES 300, which impressed us enough to garner it a coveted Recommended award. The NSA 240 provides a simple RBL based solution where you can add list providers to enable basic anti-spam measures.

SonicWALL's application firewall and DPI can scan emails and files and check message content, subjects, senders and recipients and block file types. You can control FTP transfers or HTTP requests and apply actions such as blocking or redirecting, and it can be used to limit bandwidth for certain types of file transfers. VoIP also gets a look in, as DPI can prioritise SIP and H.323 traffic and automatically protect these devices on the LAN.

The NSA 240 is well equipped in the hardware department but only three of its nine network ports are of the Gigabit variety. Nevertheless, if you go for the routed mode these extra ports can be used for LAN, WAN or DMZ functions. There's also a PC Card slot in the side which accepts a SonicWALL approved wireless, GSM or modem adapter.

SonicWALL makes light work of installation, as you point a web browser at the appliance's default address whereupon it loads a wizard for initial configuration. Select from routed, HA or transparent modes, configure the WAN port, activate DHCP services and away you go. We opted for transparent mode and had the appliance protecting the lab network in a few minutes.

The appliance uses zones which represent logical groupings of physical ports allowing you to apply security policies to groups rather than individual ports. Security types can also be applied so traffic from an untrusted zone will not be allowed to pass to another zone unless access rules permit it. Furthermore, the zone policy can contain a combination of measures such as a content filtering, anti-virus scanning and so on.

The price of the unit includes the premium web content filtering service, which offers 64 different categories. Policies can use custom black and white lists, and schedules determine when they are active. Filtering performance was impressive - with all categories selected, our attempts to access gambling, games and social networking sites were all rebuffed.

Be careful if you leave some categories unchecked as we found the classification process a little unpredictable. For example, most online bingo sites were put under gambling but some slipped through if we didn't have the gaming category active. You'll also find Facebook classed as a personal web site whereas MySpace comes under web communications.

You'll need to factor in the extra cost of separate anti-spam and if you want a total security solution then check out the PC Pro Recommended eSoft InstaGate 404e. Nevertheless, the NSA 240 offers a lot for the price, with SonicWALL's DPI technology providing extensive traffic controls and tough IDP measures.

Author: Dave Mitchell