D-Link NetDefend DFL-860 review

D-Link claims its NetDefend security appliances are unique: along with a complete UTM solution they offer the Zone Defence feature, which allows them to send commands to xStack switches to stop infections from spreading across the network.

The DFL-860 is the top dog of D-Link's UTM appliances and brings together an SPI firewall, IPsec VPNs, IPS, antivirus and content filtering, plus WAN failover.

The DFL-860 targets businesses of up to 150 users and offers a pair of WAN ports that support failover, a DMZ port and seven LAN ports. Installation gets off to a good start, since the web interface offers a quick setup wizard to get basic internet access available to the LAN.

From here, though, things become more complex. For example, the appliance supports a transparent mode but the document showing you how to do this is three pages long; for most other solutions at this price point you can achieve this by ticking a single box.

Network objects are created first since these define all your network elements, such as IP addresses, ranges and subnets to services, schedules, VPNs and ALGs (application layer gateways). Usefully, the appliance provides an address book for collecting details of interfaces, networks and subnets for easy access.

Rules contain service and schedule objects that are assigned to source and destination interfaces and networks, and describe an action such as allow, deny or apply NAT. Rule management is aided by folders, so you can organise rulesets based on the sources and destinations for which they're applied. Rules are maintained in lists and are applied in strict priority from the top.

Web-content filtering is difficult to set up as you create an HTTP ALG object with up to 31 categories selected within it to be blocked. You then need to create a service object for HTTP, assign the ALG object to it and apply this to the required network interface objects using a new HTTP NAT rule, which must be moved up in priority in the list.

Once there, we found filtering performance was good: with the gambling category selected, we were denied access to 36 of the first 40 online bingo sites visited. ALGs are also provided for FTP, H.323, SIP and SMTP, where the latter is used to apply antivirus scanning to inbound email. The latest firmware version adds a POP3 ALG and basic anti-spam measures using free RBLs.

To use Zone Defense you need to create an object for the IP address of the D-Link switch, which is then assigned to the switch object itself. You then add an SNMP community name, ensure the firewall's IP address is excluded to stop it being blocked, and create a traffic management threshold rule.

The DFL-860 is undoubtedly a powerful security appliance. However, configuration is far too complicated to get anything useful out of it.

Author: Dave Mitchell