Whilst remote users and branch offices must have access to the Internet and head office, securing these connections can be problematic. You could simply drop a firewall into each location but without the ability to remotely manage them they can easily becomes a support-related nightmare. StoneSoft aims to provide the cure as its first move into the firewall/VPN appliance market delivers a family of four products specifically designed to be managed, monitored and maintained from a single, central location. The SG-500 on review is aimed at small remote offices and is equipped with a decent 532MHz VIA processor and 128MB of RAM, while the Debian Linux kernel and pre-loaded StoneGate Firewall Engine run from a 256MB Compact Flash card. Five dual-speed Ethernet ports are provided and although all can support LAN, WAN and DMZ functions only one can be designated as the management port. You can also set up IP addresses on the other interfaces as backup links that will allow management access if the primary link fails. Performance is determined by the license as the base SG-500-50 model on review is restricted to 50Mb/sec firewall throughput although it’s easy enough to apply a new license to increase this to 100Mb/sec. Call the engineer
Installation isn’t the easiest but we were assured by StoneSoft that this phase for all StoneGate products is engineer assisted. No web browser access is supported as you need to load the Java-based Management Server (MS) and Log Server utilities which can run together or on separate systems. A Management Client is used to access the server and this can also be run on another system if required. A two-fold approach to initial setup is required as the appliance must first be added to the MS. Network devices that are to be part of an access control policy are declared as elements to the MS and these can be web or mail servers, specific workstations, users and, of course, firewalls. We added the SG-500 as a single firewall element but multiple units can be placed in a cluster element. The MS produces a one-time password that is entered during the configuration phase carried out locally at the appliance over a serial port connection. This allows the appliance to securely connect to the MS after which a policy needs to be pushed out to it and then the unit comes on-line. The SG-500 supports multiple site-to-site VPN tunnels so you can use primary and secondary links for fault tolerance. Mobile users also get a browser VPN client and although we found the setup process overly lengthy it is very well documented. StoneSoft calls its appliances multi-layer firewalls as they use a combination of stateful packet inspection, NAT, packet filtering and application proxy to control access. Security policies for controlling inbound and outbound traffic on each interface use access rules to determine their behaviour. A default policy is provided but you can swiftly add you own using templates. Rules within the policy can be arranged in order of importance and you can easily edit them to insert or delete new instructions. Policy deployment is extremely well streamlined as new or updated policies can be pushed out simultaneously to any number of appliances directly from the MS. Support departments will approve of the ease with which upgrades and new software versions can be deployed as these tasks can all be carried remotely with no local intervention required. The MS offers plenty of appliance statistics and performance data as a control panel in the management client provides a quick read-out on general load while a table below shows throughput in packets and bytes. You can select up to six of these values which are placed into a real time graph above which can be set up to display all data or averages for the last minute, hour or day. Although initial setup for multiple appliances can take a while, once they are up and running the management facilities make it very easy for support staff to remotely monitor and control them. The access rules can be customised to suit just about any application and users and groups can be set up to provide authentication services allowing you to strictly control who can access specific services.

OUR VERDICT

Delivering access control and firewall protection to remote offices demands central management if the head office is to ensure company-wide security policies can be enforced. The SG-500 is far too complex for small businesses that want a plug and go firewall but it really comes into its own at the enterprise level where multiple appliances must be supported.