StoneSoft StoneGate SG-250e review

Judging by the size of its current product family, Finnish-based StoneSoft's move into the security appliance market a couple of years ago has largely been successful. It started out with just four appliances, and now the SG-250e is the latest to join a range more than ten strong. The new appliance targets small remote offices requiring firewall and VPN services along with high-availability Internet links, and its primary aim is at the enterprise requiring centralised management.

Web browser access isn't supported, as all StoneSoft's appliances are managed and monitored using its Java-based Management Server (MS) and Log Server utilities, which can run together or on separate systems. The MS is accessed via a separate Management Client (MC) and provides all the necessary tools to configure, manage and monitor multiple appliances from a single console. Enterprises and service providers will approve of this centralised management approach, but as we found during testing it's total overkill for small businesses running from a single site.

Installation starts with the MS software, which needs to be loaded and configured ready to receive the appliance. The MS uses elements to represent the network and those devices that are to be part of an access control policy. We configured the SG-250e as a single firewall element, but a key feature of StoneGate products is support for appliance clustering. During element creation, you need to provide a name for the appliance and create a password. The appliance is then accessed via a CLI session over a local serial port connection where you're greeted with a setup routine that requires one of the four Ethernet ports to be designated for management access. You then provide it with the IP address of the system running the MS and details of the password created earlier.

The remaining ports can be used as required and all support LAN, WAN or DMZ operations. If the primary management link fails, you can add more IP addresses on other interfaces so they'll function as backup links to the management server. The SG-250e uses a multilayer system for controlling access, which comprises NAT, stateful packet inspection, packet filtering and application proxies. These are managed using policies created and maintained on the MS, which contain rules for handling inbound and outbound traffic on each interface. Security policies are implemented using a range of rules, with a default policy provided as standard. Templates speed up policy creation and you can create rules that include inherited access controls from other templates. Each rule is carried out in strict order, but it's easy to open a policy and insert or delete instructions as required.

It's also simple to manage multiple appliances from a single console, as you can create new policies and push them to selected devices. Software updates can be carried out equally swiftly by selecting an image stored on the MS system, applying it to multiple appliances and remotely rebooting them on completion. The MS provides extensive monitoring facilities. You can view general statistics and performance data, see what the current firewall load is, and view tables and graphs for each interface.

The SG-250e delivers tough security measures that can be easily customised. It's too complex and costly for small businesses, but the remote management facilities make it highly suited to enterprises and service providers.

Author: Dave Mitchell