Before you can use the firewall you need to license it. This involves an immense amount of faffing about: filling in a pointless Windows form, going to a website, filling in a Web form (with the same information you just filled in on the Windows form), saving the software key to a file, importing the file into the Admin Console, then rebooting the firewall. All the time the firewall is sitting beeping at you, trying to tell you “Hey, I’m not working because I’m not licensed yet” (indeed). At this point I should admit I have never come across such an obtuse system, and the only reason I didn’t chuck the thing out of the window was because the licensing task is a one-off process.

Once the firewall is actually working, life improves. The management tool uses the usual Explorer-like hierarchical list of options down the left-hand side with the main detail pane on the right, and it’s pretty easy to find the bits you want to use.

Policy Configuration comprises Rule Elements (you can define users, services, host computers and so on) and the Rules themselves (what user/group/host can communicate using what service[s] to what host). The idea of Service Groups is a nice one – you can define a group of services that can be used in a rule – so you could have a “power users” service set with Web, FTP, NetMeeting and so on, and a “peasant users” set with just email.

Services Configuration controls the proxy services (there’s an impressive list of about 40 different proxy servers you can use, from SMTP to AOL), built-in servers (as it’s a Unix-like OS, you get things like the Sendmail mail transporter thrown in), DNS (the firewall can pass DNS requests to a separate DNS server or can be told to act as your DNS server itself), IP routing, Authentication (the unit can use an impressive range of methods to authenticate users, including LDAP, Windows NT authentication, built-in password files or one-time keys such as SecurID), Public/Private key Certificate Management, and URL blocking.
With the exception of the last item, which seems to use the standard Squid package, the configuration screens are acceptably non-cryptic; to my mind, there’s a little too much emphasis on being able to edit low-level text-based configuration files with the URL blocking feature.

The configuration screens for the VPN server are among the more usable we’ve come across. As we always say when we’re talking about VPN servers, there’s probably no such thing as a simple VPN configuration screen, because to have a secure VPN you have to muck about with cryptic-looking keys and loads of encryption-related TLAs. The Sidewinder’s certainly above average in this respect with its VPN control panels.

The reporting facilities are more extensive than many (Netscreen take note), and there are many, many built-in reports. Although we did manage to get some reports out of the system – and they are well laid-out and informative – this wasn’t without (a) a number of instances where it made us give the admin username and password again; and (b) several “Index out of range” errors. The admin screens appear to be written as a set of Python scripts, rather than as (say) a Windows app or an MMC bolt-on, and so perhaps the problem was with the Python interpreter throwing a tantrum; not that this is any excuse, though, as our test machine was a simple Windows 2000 Pro PC with all the latest service packs and patches. (Note to Secure Computing: it’s slow – five or six seconds between clicking OK after entering the user ID and the password box appearing – and you start to wonder whether it’s forgotten you’re there.)

The Firewall Administration section covers all the fundamental parameters of the firewall – the stuff you defined initially with the configuration wizard, plus some extra stuff such as high availability (which lets you have a pair of Sidewinders in a failover setup).
There’s also a Software Management section here, where you can bolt in options or add patches that you’ve obtained from Secure Computing’s website. At the end of the menu is a Tools section, in which you can reconfigure the email and DNS services, and choose whether to use an external server or the built-in functionality for each.

There are many aspects of the Sidewinder G2 we like. We like firewalls based on Unix-like operating systems, which leads us to approve of appliance-based packages because you don’t have hardware compatibility problems (one of BorderWare’s failings was that you had to buy some pretty esoteric, and sometimes quite antique, hardware to make it work, because BSD/OS’s driver support was limited). And we’re very impressed with the extensive list of proxies, the well-thought-out user and service group concepts, the apparently simple-to-configure failover support, and the excellent support for a wide range of user authentication methods.

But the administration screens suck. We’re talking industrial-strength Dyson here. Being bagless, no matter how much it’s sucked already, it keeps on sucking just as hard. The layout of the various options is actually very good, and it’s probably easier than, say, a SmoothWall or a NetScreen to remember where stuff is (and the VPN setup screens are very nice, as we’ve said). But why are the two items in the Tools menu not with the other service setup items? They seem to have been bolted on with no thought. Why did we get errors on the reporting screens? Why did we have to keep entering the admin username and password to get into reporting options? Why have they not put a nicer, more comprehensive GUI on the Squid configuration system instead of simply letting you edit text config files? Why is the whole thing so slow? (Okay, we know the answer to that one: it’s probably because it’s interpreted Python scripts rather than compiled Windows binaries.) And why on earth is it so involved to licence the damn thing in the first place?

Secure Computing has let itself down with the administration screens on this product. With a better front-end, we would probably be raving about it. As it is, we just can’t find it in ourselves to say “Go buy one”, because the Netscreen, SmoothWall, GNATBox, Firewall-1, even the Cisco PIX are all more usable, GUI-wise.
A firewall should, obviously, have all the facilities you’re looking for (you may or may not require VPN, integration into your corporate directory structure, etc.), so check the feature list. Consider also whether you need a pair of devices in failover mode. The administration software should also be usable, since the harder something is to configure, the easier it is to misconfigure.