The VPN-1 Edge is a family of firewalls for branch offices and small offices. There are two product families in the range: the “X” family, which doesn’t include wireless connectivity, and the “W” family, which does.
In the wireless range there are four variants: the W8, W16, W32 and WU, which support eight, 16, 32 and unlimited concurrent users respectively. The device we played with was the WU.
Before we start, we can’t help but mention the rather “split personality” of the unit. The box says it’s a “Safe@Office”, and there’s a SofaWare sticker on the unit itself. Even the support pages and tech docs are on SofaWare’s Web site. The reason is simple: it’s made by a company called SofaWare, which has been part of Check Point for a few years now, and before it was called the VPN-1 Edge, it was called the Safe@Office.
Although this doesn’t prevent you from using the unit, it’s a bit confusing – and one would expect Check Point to have sorted out the branding and at least to have the support documentation under the proper Check Point Web site.
The unit itself is a small desk-standing box with a pair of removable aerials and an external power supply; there’s no fan, so the unit’s silent. There are four 10/100Mbit/sec LAN ports on the back, plus one 10/100Mbit/sec WAN port and another 10/100Mbit/sec port which can be configured either as a second WAN port or a DMZ. There’s also a rather wobbly 9-pin serial port which can be used either as a console port (so you can connect a terminal) or a modem (for remote dial-up).
As well as providing what you’d call “normal” firewall services (i.e. defining access between outside and inside based on addresses and ports, and doing the more advanced application-specific filtering you’d expect from Check Point’s firewalls) the device supports a number of extra services that you can subscribe to as optional extras. There’s built-in VStream anti-virus, as well as an anti-spam service for incoming email. You can also enable remote management, software updates, Web filtering, dynamic DNS and dynamic VPN services – all of which is done in the Services GUI item.
The GUI, by the way, is Web based and very simple to understand, and as I’ve observed a number of times over the years about Check Point products, the on-screen reporting is excellent; too many firewall vendors want you to set up a Syslog server or similar, but Check Point seems happy to give me what I want, namely a simple view of recent activity direct from the GUI.
The VPN system supported by the VPN-1 Edge is Check Point’s SecuRemote. The configuration section lets you set the device up as a VPN server (which you’d want if the box was being used by a small, single-site organisation) or as a site-to-site connection between the unit and another of the company’s offices. I always mention the fact that there’s always going to be an element of complication when you’re setting up VPNs, just because of the nature of the beast, but the GUI is simple enough and it’s all wizard-based so the pain is eased somewhat.
Setting your rules is the usual case of telling the system what type of service to permit, from where, and to where. You can, as you’d expect, define human-readable names for computers and/or networks, so instead of having to type cryptic addresses you can define rules allowing access to a particular service on “Accounts Server” to an IP range called “London Office”.
Strangely, unless I’m missing something, you don’t seem to be able to do a similar naming thing with port ranges; and when you define a rule you seem only to be able to specify one port or range at once. For instance, I have a VoIP package that uses no fewer than eight assorted TCP/UDP ports or ranges, which are dealt with in a single rule by my Netscreen-5 as you can say: “UDP port X-Y AND TCP port Z AND UDP port A-B …”. The VPN-1 Edge doesn’t seem able to achieve it in a single rule. This isn’t unusual, of course (the NetGear FVX538 we looked at some time ago is similar in this respect) but it’s a bit of a pain.
Aside from the port range niggle, the VPN-1 Edge W is a nice little firewall. It ticks all the right boxes, the VPN technology is sensibly implemented, and the packet-filtering side of the firewalling process is excellent because it incorporates Check Point’s “SmartDefense” mechanism, which lets you do clever things like telling the firewall not to permit the “delete” command to be executed in an FTP session. In all, then, despite its slightly split personality, the VPN-1 Edge W is worthy of consideration if you’re looking for a small/branch office firewall.
NB: To find a local reseller, visit the Check Point website.
If you want a small office firewall that's mega-fully featured, this is definitely an option - it seems to do everything, and SmartDefense does some clever application-level stuff. The thing is, though, if you want a decent firewall for your small office and you're happy to live without the bells and whistles, a NetGear FVX538 will cost a fifth of the price.