We tested other advanced features in the firewall including denial-of-service avoidance with automatic SYN proxy and connection rate limiting, VoIP call tracking, and dynamic routing with Open Shortest Path First (OSPF), all of which worked as expected, even if a little debugging was needed to get it all straight. We also found the configuration interface for the advanced features simpler than the policy and NAT parts of the system, even when configuring OSPF dynamic routing.
Some features we tested, such as multicast support across firewall zones, took longer to figure out, but also worked fine once we understood what the terms in the GUI meant. Other advanced features include SSL control, which allows you to inspect SSL connections and block ones that don't match your security policy, such as self-signed certificates or certificates that have the word "proxy" in the common name. This worked, but of course we were hungry for full inspection of encrypted SSL traffic, which SonicWALL told us would be available in a future version of the operating system.
The TZ200 and TZ210 also both support Active/Passive failover of two firewalls (this is one of the differences from the TZ100, which does not support failover), although we did not test this because we only had a single unit of each.
We found other evidence of heavy experience in the firewall world, such as the ability to capture packets directly from the firewall itself for debugging — a feature we used many times in working out the multicast features of the firewall. This is the kind of feature that every firewall needs, even those aimed at the SMB market, just for debugging and system verification.
In some cases, though, we found both bugs and limitations in this version. As part of our testing, we were unable to add a rule to deny traffic in a zone, with a strange error message telling us to wait while the GUI refreshed. A similar permit rule went through fine. SonicWALL's PortShield, which implies that it provides each port with a dedicated firewall, doesn't actually do that in this version; traffic is only protected if devices are on different subnets.
Overall, the basic security functions in the TZ200 and TZ210 will work best for smaller networks with fewer zones and simple NAT policies. The intuitive interface and shortcuts to policy management make it a nice match. Trying to stretch the TZ210 to implement complicated security policies, environments with more security zones, and networks with more complicated NAT rules will be more frustrating and difficult than some of its peer devices from other vendors.
One hot new feature of the TZ200 and TZ210 firewalls is their 802.11n Wi-Fi capability, available as an option in each of the new TZ-series appliances. These built-in Wi-Fi radios bring very high performance wireless to the firewall without adding significantly to the cost.
The TZ200 and TZ210 have a highly constrained approach to wireless, offering a simple configuration with basic options and only a few bells and whistles (such as time-based wireless, which lets you turn off your wireless automatically outside of business hours for example). While the TZ200 and TZ210 do offer good guest access features (such as easy creation of guest accounts and simplified integration with other guest access services) on both wireless and wired, they don't have other features that we've come to expect from small wireless firewalls in this product category such as multiple SSIDs to separate out guest from corporate users.
The built-in 802.11n wireless radio should, in theory, offer up to 300Mbps of bandwidth — but SonicWALL's specifications don't trumpet that number for good reason. In our TCP-based performance testing, we were only able to drive the TZ210 wireless up to about 64Mbps with four 802.11n stations — which consumed 100% of the CPU of the TZ210. We found that the TZ200, with its 20% slower CPU, also maxed out at about 51Mbps with multiple 802.11n stations. Since the SonicWALL TZ200 and TZ210 seem to be CPU-bound for wireless, we also suggest configuring for 20 MHz wireless channels, which didn't reduce total throughput in our testing, but would be more "friendly" to other wireless equipment in the area.
The TZ200 and TZ210 can also act as wireless switches, controlling SonicWALL's external wireless device, the SonicPoint-N, a $400 managed access point. (The TZ200 can manage two; the TZ210, up to 16.) These are SonicWALL's best-kept secrets, a managed wireless LAN similar to Cisco's or Aruba's wireless switch and access point technology, but at a fraction of the price.
The SonicPoint-N has all the features you'd expect from an enterprise managed wireless network. A few important features, such as multiple SSIDs, have been blocked out of the TZ series. SonicPoints go further and do more than the built-in wireless on the TZ200 and TZ210. For example, features such as wireless RF monitoring for common attacks and problems can be configured on SonicPoints, but not in the built-in wireless. More to the point, you have to configure SonicPoints and the built-in wireless separately, so if you do buy into the SonicWALL wireless story, you have to treat the wireless built into the TZ200 and TZ210 differently from your SonicPoints — really, not the best of ideas. The built-in wireless should look and act just like a SonicPoint for maximum integration, but it doesn't. And, if you do use SonicPoints, you can't connect them to the Gigabit Ethernet ports on your TZ210, because those ports are already dedicated to other functions. This restriction means you'll never get the full benefits of the 802.11n wireless because you'll be stuck on a 100Mbps interface. This doesn't seem very well thought out or balanced.
Although 802.11n support is a welcome addition, SonicWALL should have gone further, using the experience it has from its SonicPoint line to give the TZ series a more powerful wireless feature set.
Advanced threat mitigation features
With the new TZ200 and TZ210, SonicWALL is continuing its power push into the UTM feature set. In addition to the existing content filtering, IPS and antimalware tools, this version of SonicOS brings SonicWALL's Application Firewall (TZ210 only) and antispam service to the SMB marketplace.
The IPS, content filtering and antimalware features are not significantly changed from earlier versions. SonicWALL offers both its own Content Filtering Service as well as an option for the Websense engine. Both antimalware and IPS use SonicWALL's own service only. We found configuration for antimalware (which SonicWALL breaks into antivirus, which can run across all traffic, and antimalware, which is limited to HTTP, FTP and email protocols) to be straightforward.
We tested antimalware by taking the 15 most recent unique viruses in our corporate antivirus quarantine and trying to re-send them through the TZ210 firewall. Of the 15 viruses, the TZ210 failed to identify two. We submitted these two to the VirusTotal multiple-engine scanning service, which gave a 78% "is a virus" score for one of them and an 87% score for the other. The TZ210 turned in the same results whether we used FTP, HTTP or SMTP to transfer the files. In an earlier test, we had also found that SonicWALL effectively found viruses on non-standard ports, a unique feature in this marketplace. We stressed this by trying both HTTP and SMTP on non-standard ports, and found that while the TZ210 was able to identify malware in HTTP traffic on non-standard ports, it did not work properly on SMTP traffic on non-standard ports. This isn't much of a defect, but network managers should be aware of it when considering their outbound and inbound SMTP policies.
We did not look in depth at the TZ210 content filtering service, other than to verify that it caught some obvious URLs. As with antimalware, configuration of content filtering is extremely straightforward.
Our experience with SonicWALL's Application Firewall was less positive. Although the Application Firewall definitely performed as advertised, we found it difficult to use and hard to trust. The Application Firewall is a new feature to this product line (it has been available in the higher-end NSA series since they were released) that allows the network manager to build policies based on very deep inspection of mail (SMTP, POP and IMAP), FTP and HTTP protocols, as well as SonicWALL's IPS signatures. For example, traffic can be caught by the Application Firewall based on the "Subject" line of an email.
Once the Application Firewall picks out traffic, you can then apply policies, including simply blocking the traffic, or using more sophisticated actions, such as blocking email attachments, adding text to messages, blocking or redirecting HTTP pages and applying bandwidth management. Policies have a variety of other qualifiers as well, such as IP addresses, zones, username and group membership and time of day.
As we quickly discovered, not every action is supported with every content match and with every protocol. SonicWALL provides a very good tutorial on the Application Firewall with numerous examples of ways to use it to enforce policy compliance, which is a must-read if you want to really understand what is going on. Although you can define only a very limited number of policies — five in the case of the TZ210 we tested — each policy is very powerful.
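To make concrete what an application-layer policy of this shape looks like (a deep-content match such as an SMTP "Subject" line, qualified by zone, group membership and time of day, then an action), here is a small illustrative policy engine. It is an added example, not SonicWALL's code or configuration: the five-policy ceiling and the protocol-to-action support table are assumptions drawn from the review's remarks, and the flows and mail messages are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import time
from email.parser import BytesParser
from email.policy import default as EMAIL_POLICY
from typing import Callable, Optional

# Assumption for this model: the TZ210 under review allowed five policies.
MAX_POLICIES = 5

# Assumption modelled on the review's remark that not every action works with
# every protocol; this table is illustrative, not the vendor's support matrix.
SUPPORTED_ACTIONS = {
    "smtp": {"block", "block_attachment", "add_text", "bandwidth"},
    "http": {"block", "redirect", "bandwidth"},
    "ftp": {"block", "bandwidth"},
}


@dataclass(frozen=True)
class Flow:
    """One connection under inspection (constructed for the example)."""
    protocol: str       # "smtp", "http" or "ftp"
    src_zone: str       # e.g. "LAN", "WLAN"
    user: str
    groups: frozenset
    when: time          # time of day the flow was seen
    payload: bytes      # application-layer data, e.g. the raw SMTP message


@dataclass
class Policy:
    name: str
    protocol: str
    matcher: Callable[[Flow], bool]    # deep-content match, e.g. on a header
    action: str
    zones: Optional[frozenset] = None  # None = any zone
    groups: Optional[frozenset] = None # None = any group
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def __post_init__(self) -> None:
        # Reject an action the protocol cannot carry out at configuration time.
        if self.action not in SUPPORTED_ACTIONS.get(self.protocol, set()):
            raise ValueError(f"{self.name}: {self.action!r} unsupported for {self.protocol}")

    def qualifies(self, flow: Flow) -> bool:
        """Non-content qualifiers: protocol, zone, group membership, time of day."""
        if flow.protocol != self.protocol:
            return False
        if self.zones is not None and flow.src_zone not in self.zones:
            return False
        if self.groups is not None and not (flow.groups & self.groups):
            return False
        return self.start <= flow.when <= self.end


def smtp_subject_contains(needle: str) -> Callable[[Flow], bool]:
    """Match on the Subject header of an SMTP message, case-insensitively."""
    needle = needle.lower()

    def _match(flow: Flow) -> bool:
        msg = BytesParser(policy=EMAIL_POLICY).parsebytes(flow.payload)
        return needle in (msg["Subject"] or "").lower()

    return _match


class AppFirewall:
    def __init__(self) -> None:
        self.policies: list = []

    def add(self, policy: Policy) -> None:
        if len(self.policies) >= MAX_POLICIES:
            raise RuntimeError(f"policy table full ({MAX_POLICIES} policies)")
        self.policies.append(policy)

    def evaluate(self, flow: Flow):
        """First matching policy wins; a flow no policy matches is allowed."""
        for policy in self.policies:
            if policy.qualifies(flow) and policy.matcher(flow):
                return policy.name, policy.action
        return None, "allow"


def demo() -> dict:
    """Block mail with 'confidential' in the Subject, from LAN, in office hours only."""
    fw = AppFirewall()
    fw.add(Policy(name="block-confidential-mail", protocol="smtp",
                  matcher=smtp_subject_contains("confidential"), action="block",
                  zones=frozenset({"LAN"}), start=time(8, 0), end=time(18, 0)))
    # Constructed messages, not captured traffic.
    confidential = (b"From: alice@example.test\r\nTo: bob@example.invalid\r\n"
                    b"Subject: CONFIDENTIAL: Q3 numbers\r\n\r\nSee attached.\r\n")
    routine = (b"From: alice@example.test\r\nTo: bob@example.invalid\r\n"
               b"Subject: Lunch on Friday?\r\n\r\nNoon?\r\n")
    base = dict(protocol="smtp", src_zone="LAN", user="alice", groups=frozenset({"staff"}))
    return {
        "office_hours": fw.evaluate(Flow(**base, when=time(10, 30), payload=confidential)),
        "after_hours": fw.evaluate(Flow(**base, when=time(22, 0), payload=confidential)),
        "routine": fw.evaluate(Flow(**base, when=time(10, 30), payload=routine)),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points mirror what the review reports: an unsupported protocol/action pairing is rejected when the policy is created rather than silently ignored at match time, and the policy table refuses a sixth entry so the operator finds the ceiling during configuration, not during an incident.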
For example, we wanted to use the Application Firewall to enforce bandwidth limits for streaming video. To do that, we had to use IPS signatures. The category "Multimedia" is too broad (it covers, for example, audio file downloads as well as video), so we had to browse through the 208 signatures to find which ones would cover what we wanted. Unfortunately, there is no easy way to get documentation on each signature other than its short name (typically 40 characters or less) as you're configuring the Application Firewall.
Fortunately, we could pile as many signatures as we wanted in a single policy, even if doing so was incredibly tedious. We also felt that we were wandering a bit in the weeds with some of the signatures.