Check Point's new VPN-1 Edge W touts wireless access support, better performance and a new print server, a combination that makes it a solid addition to the company's line of small security gateways. In this exclusive Clear Choice test, we focused on the features most attractive to enterprise network managers: wireless, VPN, QoS, high availability and management.
The Edge W - anchored with a scaled-down version of NG Version 5, Check Point's enterprise-class firewall - ships with six Ethernet ports, two wireless antennas and a serial port that can be used for console access or dial backup. One Ethernet port is dedicated to outbound Internet access, with the others assigned to other functions. The Edge W can support up to seven security and IP routing zones, or as many as 10 zones if you use 802.1q virtual LAN tagging.
Average wireless provision
The most obvious addition to the Edge W is wireless support in the form of an embedded 802.11b/g access point with optional "Super G" mode (a derivative of the 54 Mbit/s 802.11g standard that bonds channels together for higher throughput). Although the Edge W has solid security applied to the wireless network, with 802.1X, Wi-Fi Protected Access Personal (pre-shared key authentication) and WPA Enterprise (802.1X authentication) included, Check Point didn't go all-out on the wireless feature set. For example, the wireless connection cannot be used as an Internet up-link, and only a single Service Set Identifier and security zone is supported for wireless users. Advanced Encryption Standard encryption is not there yet.
While the Edge W's wireless security capabilities aren't impressive, what is included in the box works fine. We tested WPA Personal and WPA Enterprise features and had no problems connecting with Windows and Mac clients, or with our Funk Odyssey RADIUS server for 802.1X authentication.
What we did
We took a portion of our production network out from behind our firewall and used the Edge W to protect the network. We configured the device first using the Web-based GUI to give a typical policy for a branch office network, with outgoing access allowed and a small number of internal servers and services accessible from the outside. We did a few tests to evaluate whether the virus scanning was activated and working and to check the WAN failover capabilities of the Edge W.
For wireless testing, we first tried Wi-Fi Protected Access with pre-shared key authentication using two clients: a Windows built-in wireless driver on a Dell laptop running Windows XP; and, the Mac OS X built-in wireless driver on a PowerBook running OS X 10.3. Then, we used the Odyssey RADIUS server provided by Funk Software to test 802.1X authentication combined with Wi-Fi Protected Access.
For our VPN test, we downloaded the most recent versions of the Check Point VPN client (SecureClient) to the Dell and Mac laptops and attempted to connect from the Internet back to the network protected by the Edge W. For the site-to-site test, we initially tried to connect the Edge W firewall to our NetScreen and Cisco VPN gateways. This test was not successful because the Edge W could not bring up a fully functioning tunnel with either of these gateways using the GUI. We were able to bring up a tunnel to the NetScreen using command line interface (CLI) configuration and several hours of aggravation, but limitations in the Edge W configuration prevented this from working completely. Then we set up a Check Point NG R55 firewall on a Nokia IPSO system in front of the rest of our production network and brought up a secured VPN link between the Edge W and the new firewall without problems.
Testing the management
To evaluate the management capabilities of the Edge W, we created initial configurations with the GUI and then switched to CLI-based configuration, including a test of the disaster-recovery capabilities of the system by saving the configuration, clearing the device and restoring it.
To test VoIP traffic and QoS prioritisation, we set up calls with Session Initiation Protocol-based phones from Cisco and an Asterisk SIP proxy. To provide rate limiting, we moved the Edge W behind an unloaded DSL circuit. We tested voice quality going across the Internet to another location across the country with no other services running, then with several simultaneous multi-megabyte downloads (from the Internet to the inside of the Edge W) running, both with and without QoS prioritisation and bandwidth reservation enabled. We set the Edge W to reserve 64 kbit/s for the IP address being used by the SIP phone. We used subjective evaluations of voice quality to determine whether the Edge W was successful in "protecting" the VoIP traffic from the downloads.
For basic configurations, a Web browser is sufficient to take the Edge W from "out of the box" to running the firewall within a few minutes. It's easy to jump into advanced configuration and define rules that control traffic flow, network address translation and QoS shaping in a simple and unified way. The Edge W also has a command line interface via the console port or a network connection.
For large deployments, Check Point offers SmartCenter, a centralised management system that can control and push unified firewall policy down to multiple Edge W devices. We connected to Check Point's Service Center to receive firmware, content filtering and virus signature updates. SmartCenter provides the ability to manage the configuration of hundreds or thousands of Edge devices using current management tools.
QoS on the agenda
QoS has become a hot topic with the rise of VoIP, and while the buzzword is used to describe the Edge W, it doesn't have all the technology in place yet. Check Point's QoS capabilities include packet tagging and bandwidth management. While it was easy to set aside bandwidth for the IP addresses occupied by our Session Initiation Protocol (SIP)-based IP telephones, the test results showed that the Edge W doesn't have a very sophisticated technology for QoS management. To that end, the tests in which we attempted to share a DSL line with both SIP-based VoIP traffic and a heavy download of Microsoft service packs were not very successful. In the upstream direction, the Edge W was able to guarantee a solid 64 kbit/s of bandwidth for our voice call, with excellent quality. Without any real management in the downstream direction, the received voice quality was poor, with numerous dropouts as VoIP packets arrived late or with too much jitter.
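The QoS test described above (the setup in "Testing the management" and the result here) comes down to queue scheduling on the congested link, which this small simulation illustrates; it is an added example, not the Edge W's implementation or part of the original test. It contrasts FIFO service with strict priority for voice on one bottleneck link, which is the kind of scheduling a gateway can only apply to traffic it transmits itself, the upstream case in the test. Assumed values: a 512 kbit/s link, a 64 kbit/s voice stream (160-byte packets every 20 ms) and a bulk download offering 1.5x the link rate.

```python
import heapq
from statistics import mean

LINK_BPS = 512_000  # constructed bottleneck rate, DSL-like


def gen_traffic(duration_s):
    """Constructed traffic mix: a 64 kbit/s voice stream (160-byte packets
    every 20 ms, G.711-like) plus a bulk download offering 1.5x the link rate."""
    pkts = [(round(n * 0.020, 6), 160, "voice") for n in range(int(duration_s / 0.020))]
    bulk_gap = 1500 * 8 / (LINK_BPS * 1.5)
    pkts += [(round(n * bulk_gap, 6), 1500, "bulk") for n in range(int(duration_s / bulk_gap))]
    return sorted(pkts)


def simulate(pkts, priority_voice):
    """Serve packets over the bottleneck with an unbounded buffer.
    FIFO when priority_voice is False; otherwise any queued voice packet is
    sent before bulk (strict priority, a simple form of bandwidth reservation).
    Returns the queueing-plus-serialization delay of every voice packet."""
    queue = []  # heap of (priority class, arrival, size, class)
    t, i, delays = 0.0, 0, []
    while i < len(pkts) or queue:
        while i < len(pkts) and pkts[i][0] <= t:  # admit everything that has arrived
            arr, size, cls = pkts[i]
            key = 0 if (priority_voice and cls == "voice") else 1
            heapq.heappush(queue, (key, arr, size, cls))
            i += 1
        if not queue:  # link idle: jump to the next arrival
            t = pkts[i][0]
            continue
        _, arr, size, cls = heapq.heappop(queue)
        t += size * 8 / LINK_BPS  # serialization time on the link
        if cls == "voice":
            delays.append(t - arr)
    return delays


def summarize(delays, late_threshold_s=0.100):
    """Mean/max delay and the share of voice packets arriving too late for a
    100 ms playout buffer (constructed threshold): late packets are dropouts."""
    late = sum(1 for d in delays if d > late_threshold_s)
    return {"mean_delay_s": mean(delays), "max_delay_s": max(delays),
            "late_fraction": late / len(delays)}


if __name__ == "__main__":
    traffic = gen_traffic(10.0)
    for label, prio in (("FIFO (no reservation)", False), ("voice priority", True)):
        print(label, summarize(simulate(traffic, prio)))
```

With FIFO the backlog from the download grows without bound and nearly every voice packet misses the playout deadline; with voice priority no voice packet waits longer than one bulk packet's serialization time.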
The VPN capabilities on the Edge W let you use it to easily and quickly join a Check Point VPN. We tested this with a Check Point NG firewall and were able to bring up a tunnel within a few seconds. An elegant feature of Check Point's overall VPN architecture is the dynamic pushing of network configuration, meaning that the Edge W doesn't have to be configured to know anything about the central VPN server besides its IP address and how to authenticate.
The Edge W also includes a VPN tunnel server for remote access, relying on Check Point's current Windows and Mac clients to make the connection. The Edge W also includes an "internal" VPN server that you can use to require internal users to authenticate and encrypt before they're allowed out of the network. This is moderately useful in the wired case, but also has relevance with wireless connections, where it can be used as an alternative to WPA security. This will be most interesting in environments where the Check Point client already is installed and people are using it for remote access.
The Edge W includes threat management tools such as virus scanning and URL filtering, but is limited in its capabilities. For example, only SMTP and Post Office Protocol traffic are scanned for viruses, while IMAP and Webmail are not scanned.
Check Point has pushed down into the Edge W a number of high-availability features available in its larger firewalls. The Edge W offers WAN failover capabilities based on the existence of a second Ethernet port that can be dedicated to managing a second upstream Internet connection. The Edge W also has support for device high availability, with state sharing across two cooperating devices.
After using the Edge W as a production firewall for a week, the verdict is "solid, but uninspiring." The Edge W will be most useful in VPN-oriented environments, including both site-to-site and remote access - taking advantage of Check Point's heavy expertise there. But we don't recommend you buy it solely to pick up wireless firewall capabilities.
Great VPN remote access capabilities; good integration with other Check Point VPN devices; VLAN and multi-zone support; multiple management options.