Stonesoft StoneGate SG-500  [PC Pro]
COMPANY: Stonesoft  PRICE: £3,355 (exc VAT)
ISSUE: 116  DATE: Jun 04

Verdict: Too tough to manage for small businesses, but a good solution for enterprises. Using StoneGate appliances, multiple firewalls can be deployed to remote offices, while still retaining full management control from head office.

Formerly a purveyor of software firewall solutions, Finland-based Stonesoft has decided it's time to move into the security appliance market. It does so with a family of four products. The SG-500 on review aims to extend full firewall protection and VPN facilities to remote offices consisting of more than 12 people. It offers a maximum firewall throughput of 50Mb/sec, but Stonesoft's licensing scheme allows you to increase this to 100Mb/sec simply by applying a new licence.

Unlike much of the competition, none of Stonesoft's appliances are designed to be managed via a web browser. Instead you need to use the bundled Java-based Management Server (MS) and Log Server utilities, which can run together or on separate systems. Whereas the browser approach only allows each firewall to be accessed individually, Stonesoft's solution provides the tools to configure, manage and monitor multiple appliances from the same Management Client console. Installation isn't the easiest we've encountered, and had to be completed by a Stonesoft engineer. However, this isn't an issue as we were advised that all purchases include the services of an on-site engineer during installation.

This process starts with a CLI session over a local serial port connection. You're greeted with a setup routine that requires one of the five 10/100BaseTX Ethernet ports to be designated for management access. The rest can be used as required, and all support LAN, WAN or DMZ operations. The MS utility uses elements to represent the network and the devices that are to be part of an access control policy. In our case, we configured the SG-500 as a single firewall element, but a key feature of the StoneGate products is support for clustering. Elements can also be given an alias, which lets you use the same device in a range of access rules running on different firewalls. Each appliance interface also needs to be declared along with its IP address, and you then select one as the primary management link. Should this fail for any reason, you can add more IP addresses on other interfaces that will function as backup links to the management server.

The SG-500 controls access with a combination of NAT, stateful packet inspection, packet filtering and an application proxy. These are managed using policies created and maintained on the MS; each policy contains rules for access control, NAT and routing that handle inbound and outbound traffic on selected interfaces. Security policies are implemented using a range of rules, and a default policy is provided as standard. Templates speed up policy creation, and you can create rules that inherit access controls from other templates. Rules are evaluated in strict order, but it's easy to open a policy and insert or delete instructions as required. You can even add sub-rule bases, which can improve performance as these are only evaluated under specific circumstances.
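The ordered, first-match evaluation and the sub-rule bases described above are the parts of this design a practitioner most needs to reason about, so here is an added illustration in Python. It is not Stonesoft code and does not model StoneGate's real rule syntax: the rule fields, the `jump:` action, the constructed addresses and packets, and the choice that a sub-rule base with no match falls back to the next main rule are all assumptions. It also goes beyond the review by adding a shadowing check, which flags rules that an earlier, broader rule prevents from ever matching, the usual consequence of getting the order wrong.

```python
"""First-match firewall policy evaluation with sub-rule bases.

Added illustration, not Stonesoft code. It models the behaviour the review
describes (rules carried out in strict order, sub-rule bases consulted only
under specific circumstances) with a constructed policy and constructed packets.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the source address must fall in
    dst: str              # CIDR the destination address must fall in
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow", "discard" or "jump:<sub-rule base name>" (assumed syntax)

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class Policy:
    def __init__(self, main: list[Rule], sub_bases: dict[str, list[Rule]],
                 default: str = "discard"):
        self.main = main
        self.sub_bases = sub_bases
        self.default = default

    def evaluate(self, pkt: Packet) -> tuple[str, int]:
        """Return (decision, number of rules examined) for one packet."""
        examined = 0
        for rule in self.main:
            examined += 1
            if not rule.matches(pkt):
                continue
            if rule.action.startswith("jump:"):
                # Sub-rule base: walked only when its entry rule matched, so
                # unrelated traffic never pays for these rules.
                for sub in self.sub_bases[rule.action[len("jump:"):]]:
                    examined += 1
                    if sub.matches(pkt):
                        return sub.action, examined
                continue  # assumption: no sub-rule match falls back to the main base
            return rule.action, examined
        return self.default, examined


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))


def shadowed_rules(rules: list[Rule]) -> list[int]:
    """Indices of rules no packet can reach: an earlier terminal rule covers them."""
    return [j for j, r in enumerate(rules)
            if any(not e.action.startswith("jump:") and covers(e, r) for e in rules[:j])]


# Constructed policy: internal LAN, one DMZ web server, everything else outside.
INTERNAL = "10.0.0.0/8"
DMZ_WEB = "192.0.2.10/32"
ANY = "0.0.0.0/0"

WEB_RULES = [  # sub-rule base reached only for traffic to the DMZ web server
    Rule(ANY, DMZ_WEB, "tcp", 80, "allow"),
    Rule(ANY, DMZ_WEB, "tcp", 443, "allow"),
    Rule(ANY, DMZ_WEB, "any", None, "discard"),
]

GOOD_POLICY = Policy(
    main=[
        Rule(INTERNAL, INTERNAL, "any", None, "allow"),   # LAN to LAN
        Rule(ANY, DMZ_WEB, "any", None, "jump:web"),      # hand DMZ web traffic to the sub-rule base
        Rule(INTERNAL, ANY, "tcp", 443, "allow"),         # outbound HTTPS
        Rule(ANY, ANY, "any", None, "discard"),           # cleanup rule
    ],
    sub_bases={"web": WEB_RULES},
)

# Same rules with the cleanup rule moved up: outbound HTTPS is now shadowed.
SHADOWED_POLICY = Policy(
    main=[
        Rule(INTERNAL, INTERNAL, "any", None, "allow"),
        Rule(ANY, ANY, "any", None, "discard"),
        Rule(INTERNAL, ANY, "tcp", 443, "allow"),  # never reached
    ],
    sub_bases={},
)

if __name__ == "__main__":
    https_out = Packet("10.1.1.5", "203.0.113.7", "tcp", 443)  # constructed packet
    print("good policy:", GOOD_POLICY.evaluate(https_out))
    print("shadowed policy:", SHADOWED_POLICY.evaluate(https_out))
    print("shadowed rule indices:", shadowed_rules(SHADOWED_POLICY.main))
```

The `examined` counter is what makes the performance point visible: a packet bound for anywhere other than the DMZ web server never touches the three web rules, while the shadowing check is the kind of lint worth running before pushing a policy to several appliances at once.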

The Stonesoft management tools really come into their own with policy deployment as you can select multiple appliances and push new policies to all of them directly from the MS. You can easily see which policy a device is running. This also makes software updates a cinch to install as you select an image file stored on the server and leave the MS to upgrade the selected nodes and reboot them on completion. From the same menu you can run diagnostics.

The MS interface is relatively simple to use, as it provides easy access to all firewall functions. The Element Manager keeps a tidy list of all declared devices, which can be accessed from the Explorer-style tree structure in the left pane. Individual elements are viewed from the Control Panel, which provides an impressive range of statistics and performance data. You can see at a glance what load a firewall is under, and a table below shows overall throughput in packets and bytes for the appliance and each interface. Selecting up to six of these values immediately adds the categories to a graph to one side. This can be configured to show the action as it happens or averages for the last minute, hour or day.

The appliance supports site-to-site VPNs. Multiple tunnels can be created allowing you to provide fault-tolerant links that are activated if the primary link goes down. You also get a browser-based VPN client for mobile users. A well-designed interface and copious documentation help the setup process. Logging features on the appliance are impressive and plenty of alerting facilities ensure messages can be sent to multiple users if anything untoward happens.

The StoneGate appliances clearly offer a strong security solution that can be customised to suit most environments. The management method makes them unsuited for small businesses wanting a single firewall solution, but for enterprises looking to deploy firewall and VPN services to remote offices and branches, while still insisting on centralising all control, the StoneGate is a good choice.

By Dave Mitchell

SPECIFICATIONS:
External firewall/VPN appliance; 532MHz VIA Samuel 2 processor; 128MB RAM; 256MB flash memory card; 5 x 10/100BaseTX Ethernet ports; serial port; internal power supply; Debian Linux kernel. Licensed performance: firewall, 50Mb/sec; 3DES VPN, 5Mb/sec; AES 128 VPN, 10Mb/sec. Options: 100Mb/sec firewall version, £5,388 exc VAT.
