SnapGear packs big firewall
- 05 November, 2003 16:09
As broadband connections become nearly ubiquitous, so too do paperback-sized firewalls. At first glance, SnapGear’s SME550 appears to be another, albeit smaller than most.
This impression is shattered once you get a look at the Web administration interface and the spec sheet. The SME550 offers everything you’ll need to protect a branch office or SMB (small and midsize businesses) from Internet attacks, connect securely to the main office over the Internet, and allow remote users to connect securely.
The SME550’s functionality is far above average, including features such as VPN tunnelling for secure remote access and LAN-to-LAN tunnelling, URL filtering, DNS proxy, content filtering, traffic shaping, intrusion detection, and more. It’s ideal for remote office applications and has the capacity to support main offices as well, since the SME550 provides 10Mbps of VPN tunnelling, 25Mbps of traffic through the firewall, and up to 400 IPSec tunnels, which will easily support enough users and traffic for an office of 25 to 50 users. And here’s the kicker — you get all this at the very competitive list price.
Competitors in this firewall market segment, such as WatchGuard and SonicWall, typically have a fairly low limit on the number of users their product supports in this price range. The SME550, on the other hand, supports an unlimited number of users with no additional cost for VPN or other capabilities. SnapGear also promises free software upgrades for life, a nice bonus at no additional expense.
Setting up the SME550 is simple. It has two Ethernet ports, one for the internal network and one for the external network, and a serial port connected to a modem that acts as a fail-over back-up Internet connection. Once connected to the network, the supplied Windows-based configuration utility will find the SME550 and let you configure the basic TCP/IP information (the manual also details basic configuration from Linux).
From that point, all further configuration can be done through the browser interface or Telnet. Set-up and configuration of protocol filtering and intrusion detection are particularly easy, with a wide variety of preconfigured attack definitions available.
The SME550 supports a direct connection to an Internet router as well as cable modem and DSL connections, including PPPoE (Point-to-Point Protocol over Ethernet) support. It can also use a dial-up ISP connection via external modem or ISDN through the serial port as a primary rather than back-up connection. Setting up a modem or ISDN connection with the SME550 is no more difficult than configuring a standard PC for the same connection.
The fail-over connection is configured by specifying a TCP/IP address to ping at regular intervals. If the SME550 loses touch with that address, it will connect via the modem or ISDN terminal adapter to provide continuous Internet access. When the primary connection becomes available again, the SME550 falls back to it.
To secure incoming traffic, access to specified services can be restricted to specific IP addresses, adding security measures above and beyond the VPN protocols. The SME550 supports PAP, CHAP, MSCHAPv2, RADIUS and TACACS+ for dial-in user authentication, and Point-to-Point Tunnelling Protocol (PPTP) and IPSec for securing VPN traffic, which should allow sufficient flexibility to meet any existing standards and support any client OS. Outgoing traffic can be restricted by blocking particular IP address ranges or services such as mail or HTTP to different groups of users. Traffic can also be blocked by the admin, with restrictions set by content type.
The SME550’s intrusion detection features are powerful, too, detecting attacks (probes) as well as blocking the sites that spawn them. The box is pre-programmed with dozens of common probes and lets you specify custom probes, so attacks not preprogrammed into the SME550 can still be detected.
Overall, the SME550 shines brightly. My only complaint is that accessing the manual is not as easy as it could be — it’s available on the CD, but not installed with the configuration utility, and not available from the Web interface. Once you find the manual, it is clear and thorough with lots of useful examples, but — truth be told — most administrators probably won’t need the documentation since the user interface’s help screens are so informative.
The SME550 is a highly competent firewall and VPN device, with a lot of juice for under $500. The unlimited number of VPN users, the traffic shaping and filtering, as well as the free lifetime software upgrade policy, make this a great buy.