The EdgeForce Accel is a combined firewall and content analysis box that sits between the corporate network and an untrusted world, typically the Internet.
Physically, the unit is a 1U rack-mountable unit whose designers clearly have shares in Noisy Fans 'R' Us. It has the traditional three auto-sensing 10/100/1000Mbit/sec network interfaces (internal, external and DMZ), plus a serial console port. Our unit came with the extra Professional Module, which is an 80GB hard disk that slots in the back and provides storage space for some of the additional software tools.
Our unit shipped fully loaded with all of the optional components alongside the basic functionality. These add-ons are: the Performance module (which accelerates both the firewall and VPN functions); the virus scanning module (which uses McAfee's anti-virus package) and the spam filtering module (another McAfee product, this time SpamAssassin).
When you turn on the unit, it spends a minute or so starting up; when it's ready, it beeps three times to let you know all is well. You can manage the system via a command-line interface if you so wish (there's a serial console cable included) using a 9600-8-0-1 connection from your favourite terminal emulator. In fact, anyone who's familiar with NetScreen's command line interface will find ServGate's equivalent oddly similar (which we presume to be coincidental). The more friendly way is, of course, to use the Web GUI, which is accessed through an https:// connection.
The basic settings for the device live under the System section of the GUI. This is where you set the interface addresses, DNS servers, time, failover functionality (which you get if you buy the Performance module) and in-built digital certificate information, as well as handling option licensing and software updates. You'll find yourself using the Diagnostics section during setup, too, to check that you can ping the world and do DNS lookups. Next, the Admin section deals with stuff relating to the management of the box - setting up administrator logins, setting lockouts for bad passwords and so on. It's here, incidentally, that you can tell the system who to email in the event of a problem.
The Firewall section is where you configure the traditional firewall functionality - the stuff that you'll have even if you don't bolt on the AV and spam protection extras. You can enable and disable individual attack patterns (SYN floods, port scans and such like), as well as choosing whether to block executable items, such as Java applets, completely. There's an area for you to define address collections (basically subnets) so you can refer to machines collectively, instead of individually, and another for standard protocols (so you can refer to FTP, HTTP, etc instead of listing port numbers - and you can add your own if you wish). You can also define schedules for rules to be applied, as well as limiting the bandwidth available to specified types of traffic.
There's also a feature called MAC-IP binding, which you don't come across all that often. Basically, it's all about binding hardware addresses to IP addresses, in a bid to spot illicit address hijacking from inside the network. Although a nice idea in principle, the documentation admits it is no use in a subnetted network. Once you've set the parameters up in the Firewall section, you apply them using the various options in the Policy section, which lets you define what can talk to what, when, and (in the case of incoming traffic) with what port mapping options.
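The MAC-IP binding check described above, sketched as an added example (this is not ServGate's code or the product's actual logic; the function name, status labels and all addresses are constructed for illustration). It also shows why the check is no use across a routed subnet: frames from hosts behind an internal router all arrive carrying the router's MAC address.

```python
import ipaddress

# Constructed sample data: the directly attached inside network and its bindings.
LOCAL_NET = "192.168.1.0/24"
ROUTER_MAC = "02:00:00:00:00:fe"  # internal router fronting 192.168.2.0/24
BINDINGS = {
    "192.168.1.10": "02:00:00:00:00:0a",
    "192.168.1.11": "02:00:00:00:00:0b",
}
# (source IP, source MAC) pairs as seen on the firewall's inside interface.
OBSERVATIONS = [
    ("192.168.1.10", "02:00:00:00:00:0A"),  # matches its binding
    ("192.168.1.11", "02:00:00:00:00:99"),  # bound IP, wrong MAC
    ("192.168.1.50", "02:00:00:00:00:50"),  # local host with no binding
    ("192.168.2.20", ROUTER_MAC),           # routed host
    ("192.168.2.21", ROUTER_MAC),           # another routed host, same MAC
]


def check_bindings(bindings, local_net, observations):
    """Classify each observed (ip, mac) pair against the static binding table."""
    net = ipaddress.ip_network(local_net)
    table = {ip: mac.lower() for ip, mac in bindings.items()}
    results = []
    for ip, mac in observations:
        mac = mac.lower()
        if ipaddress.ip_address(ip) not in net:
            # The frame carries the router's MAC, not the sender's,
            # so there is nothing meaningful to compare against.
            status = "unverifiable-routed"
        elif ip not in table:
            status = "unbound"
        elif table[ip] != mac:
            status = "violation"  # possible address hijack on the local segment
        else:
            status = "ok"
        results.append((ip, mac, status))
    return results


def run_demo():
    """Return just the status for each constructed observation, in order."""
    return [s for _, _, s in check_bindings(BINDINGS, LOCAL_NET, OBSERVATIONS)]


if __name__ == "__main__":
    for row in check_bindings(BINDINGS, LOCAL_NET, OBSERVATIONS):
        print(*row)
```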
In the service tab, you're given the option of configuring the unit as a DNS and/or DHCP server, a Web cache or a URL filter (the latter requires a nearby WebSense server to do the actual analysis). It's also where you configure the AV and anti-spam components. The anti-spam setup screens are fairly simple: you can turn on the feature for SMTP, POP3 or both, configure spam ruleset download schedules and define how to deal with suspect mails. Similarly with the AV system: it'll download its AV definition files on a schedule, and you can tell it whether you want to clean, quarantine or remove suspicious items. Enabling these extras is a simple task, as you just have to add the relevant licences through the management screen.
It's no surprise that the VPN section of the ServGate GUI supports both PPTP and IPSec VPNs, both network-to-network and network-to-host. PPTP works with Windows' built-in VPN software, but like many vendors in the field, ServGate also has its own proprietary VPN client if you're looking for something more secure. Of all the PPTP implementations we've come across over the years, this one has to be the simplest and easiest to configure - we didn't even have to read the manual, and it took less than two minutes from having the box talking to the network to getting connected to a Windows 2000 laptop via PPTP. Although we used the built-in user list, the device can also talk to RADIUS authentication servers, or to any appropriate directory service that can talk LDAP.
The last configuration section we need to mention deals with Monitoring, which is where all the logging configuration and viewing happens. You can switch each type of logging on or off, define the log file cycle time, configure Syslog integration (so the unit can send log messages to a remote collation server) and define the SNMP settings (both for incoming SNMP management connections and for sending traps to management consoles). If you're not sending log information to remote locations, you can view it via this bit of the GUI too.
The ServGate is a useful security tool that provides some excellent features that are generally very straightforward to comprehend and use. The only niggle in our minds with any kind of integrated system of this sort is how you balance the "advanced" functions (Web caching, AV functionality, anti-spam, and so on) against the performance aspect. After all, these add-on functions are computationally complex, and so although the vendor cites 1Gbit/sec throughput for basic firewall functionality, and 280Mbit/sec for VPN traffic (with the Performance module), the performance effect when you start to introduce AV and anti-spam is absent from the data sheets.
Would these functions be more sensibly implemented in a separate box? Possibly - but in this case, we're happy that it is in fact okay to have everything in one device. This is largely because what you get by having them with the ServGate is a single, integrated management screen for all your "edge" protection, the clincher being that key factors, such as AV signature file uploads, are implemented well (as opposed to hanging off, raggedly, like afterthoughts). Not only this, but by having a pair of units with failover capability, your AV and anti-spam functions gain this resilience too.
This device is particularly competitively priced for a unit of its type. The chances are that you'll want to get the Performance and Professional models anyway - which you should do, as it increases flexibility for relatively little money. Bear in mind, however, that although there are three units in the range (the EdgeForce, the EdgeForce Plus and this one, the EdgeForce Accel) you can't upgrade from either of the lower-end models to the Accel, so you'll need to think carefully about the capacity you'll require in the future.