In the end, we got the policy we wanted with only a moderate amount of research, and the simple testing we did showed that the TZ210 identified unencrypted video traffic from popular video sites and was able to enforce bandwidth limits. The Application Firewall was a success, although the amount of work it took to define a policy seems high compared to other operations on the TZ210.
However, the Application Firewall goes where other firewalls can't, and gives you the flexibility to define security policy you've never been able to build before in this type of device. Is it an out-of-the-ballpark home run? No, but it's a great tool and one that could save you from having to buy another piece of hardware or another software package.
The last new security feature we tested on the TZ210 was SonicWALL's antispam service. This is an in-the-cloud offering that uses the firewall to redirect traffic to the antispam service, which does content filtering, and then sends the non-spam email back to your local mail server. Unlike other antispam services, the TZ210 antispam doesn't require you to change your DNS. Using a combination of firewall and NAT policies and some internal smarts, the TZ210 simply redirects connections to their service, which lets you turn on and off the antispam quickly while testing. The SonicWALL antispam service isn't a complete in-the-cloud offering because you must provide your own quarantine server (an application SonicWALL includes which sits on an existing Microsoft Exchange server) if you want to quarantine suspected spam, viruses and phishing messages.
We did not have an opportunity to test the effectiveness of the antispam service on a production mail stream. However, we did set up the antispam service and found it easy to install with very little aggravation — as long as you have a very simple setup with a single mail server, a small number (five or fewer) of domains you want to filter, and a willingness to let your mail fly out into the cloud unprotected.
The TZ210 antispam service strips out any server-to-server encryption you may have configured, and all communication between the TZ210 and the in-the-cloud service is unencrypted, which could be a concern in some environments where server-to-server encryption is used to ensure privacy.
Performance of the antispam service will likely not be much of an issue, even though your mail travels over your Internet connection three times (in to the firewall, back out to SonicWALL, and then back to the firewall for delivery). SonicWALL's documentation says it uses its own reputation services to block incoming connections. Our testing showed that this isn't exactly true, although reputation services (and their ability to limit wasted bandwidth) do come into play once a spammer has already connected to the firewall.
Our limited testing didn't give us the ability to really offer a verdict on whether the antispam service is a winner. However, SonicWALL includes a free trial, and it's very easy to test this for yourself.
Included with the new TZ100, TZ200 and TZ210 firewalls are licences for a newly included SSL VPN function. The TZ100 and TZ200 come with a one-user licence, expandable to five and 10 users (respectively), while the TZ210 comes with a two-user licence, expandable up to 10 users.
This isn't in the same league as SonicWALL's enterprise-class SSL VPN appliance the company added to its portfolio when it purchased Aventail in 2007; it's a simple network extension that is a competitor to IPsec VPN (also included with each device if you insist) for remote access.
The SSL VPN is simple to add and configure. Users appear in the SSL VPN as if they were in a new zone, so you simply write normal zone-based firewall rules to define your access controls. The SSL VPN includes a simple portal that can be used to launch or download the Java-based SSL VPN client (available for Windows, Macintosh, and Linux operating systems).
A small set of SSL VPN specific settings, such as whether to use split tunneling, whether clients can communicate with each other or whether the username and password can be saved, are about all you need to worry about to set up the SSL VPN.
Users for the SSL VPN can be stored locally on the firewall appliance, or the firewall can talk to a RADIUS or LDAP server for authentication. We linked our TZ210 to a running Active Directory domain and saw great evidence of SonicWALL's experience dealing with LDAP technical support — the configuration was well documented, easy to do, but not so ridiculously simple that we couldn't make some important customisations to make the TZ210 talk properly to our LDAP server. This kind of easy connection is one of the important differentiators between a product that fits quickly into enterprise infrastructure and one that doesn't go much beyond the demo stage. Because the TZ210 linked up so easily, we weren't even tempted to use the local user database — a better security configuration in the long run.
The SSL VPN built into the TZ200 and TZ210 is a great replacement — if you buy the extra user licences — for the harder-to-use and less predictable IPsec VPN in earlier versions.
We tested the TZ200 and TZ210 using the same performance-testing methodology we used in 2007 when we looked at UTM firewalls and in our 2008 test of the SonicWALL NSA E7500 appliance. We found that the TZ200 and TZ210 beat their data sheet numbers in some cases, and don't live up to them in others.
For raw speed, without UTM features enabled, we found the TZ210 turned in a goodput of 118Mbps using a typical Internet traffic mix, with a total throughput of 126Mbps; the TZ200 turned in 91Mbps goodput and 97Mbps throughput. Goodput measures only application-layer data, while throughput also includes header information. Most vendors quote throughput numbers in their performance stats, but goodput is a better measure of what you'll actually see at the end system. Both devices beat their data sheet IMIX numbers easily.
When we turned on UTM features, performance — as expected — was dramatically affected. SonicWALL does not really distinguish between server-side and client-side IPS, so we tested IPS with and without the Application Firewall to see a range of performance. The TZ210 slowed down about 35% while the TZ200 only dropped about 12%. In fact, the TZ200 outperformed the TZ210 in pure IPS throughput, a result that SonicWALL wasn't able to easily explain.
With antimalware enabled, we saw a much more significant drop in both systems, although both dropped to about the same speed: approximately 13Mbps. That's nearly a 90% performance hit for the TZ210, and an 86% hit on the TZ200. Neither system comes very close to its datasheet specifications for antimalware performance. We discussed these UTM results at length with SonicWALL's product management team. Although they were at first very surprised by the results, they were able to confirm them in their own test lab. We also varied our test methodology and tried four different approaches, all of which returned roughly similar performance numbers.
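The goodput-versus-throughput distinction and the percentage drops quoted in the last few paragraphs are easy to misread when comparing a data sheet against a test result, so here is a small calculation added for this page (it is not the reviewer's or SonicWALL's code). It assumes a 40-byte IPv4+TCP header per packet and uses a constructed "simple IMIX" mix (7 x 40-byte, 4 x 576-byte, 1 x 1500-byte packets); the reviewer's traffic mix is not given, so the ratio this mix yields differs from the review's 118/126. The percentage-hit helper is applied to the review's own antimalware numbers.

```python
"""Goodput vs throughput and UTM performance-hit arithmetic (added example)."""

# Assumption: minimal IPv4 (20 bytes) + TCP (20 bytes) headers, no options,
# Ethernet framing not counted. Adjust if your tester counts L2 bytes.
IP_TCP_HEADER_BYTES = 40

# Constructed packet mix: (packet size in bytes, relative weight). This is the
# commonly cited "simple IMIX"; the review's actual mix is not stated.
SIMPLE_IMIX = [(40, 7), (576, 4), (1500, 1)]


def goodput_ratio(mix, header_bytes=IP_TCP_HEADER_BYTES):
    """Fraction of bytes on the wire that are application payload.

    Packets at the header size (e.g. 40-byte ACKs) carry no payload, which is
    why small-packet-heavy mixes pull goodput well below throughput.
    """
    total_bytes = 0
    payload_bytes = 0
    for size, weight in mix:
        if size < header_bytes:
            raise ValueError(f"packet size {size} smaller than header {header_bytes}")
        total_bytes += size * weight
        payload_bytes += (size - header_bytes) * weight
    return payload_bytes / total_bytes


def goodput_from_throughput(throughput_mbps, mix, header_bytes=IP_TCP_HEADER_BYTES):
    """Convert a vendor-style throughput figure to the goodput an end system sees."""
    return throughput_mbps * goodput_ratio(mix, header_bytes)


def header_overhead_fraction(goodput_mbps, throughput_mbps):
    """Share of measured throughput that was headers, from two measured figures."""
    return 1.0 - goodput_mbps / throughput_mbps


def performance_hit(baseline_mbps, with_feature_mbps):
    """Fractional slowdown when a UTM feature is enabled (0.0 = no change)."""
    if baseline_mbps <= 0:
        raise ValueError("baseline must be positive")
    return 1.0 - with_feature_mbps / baseline_mbps


if __name__ == "__main__":
    ratio = goodput_ratio(SIMPLE_IMIX)
    print(f"simple IMIX goodput/throughput ratio: {ratio:.3f}")
    print(f"100 Mbps throughput -> {goodput_from_throughput(100, SIMPLE_IMIX):.1f} Mbps goodput")
    # The review's own raw-speed figures imply a lighter-header mix than simple IMIX.
    for name, good, thru in (("TZ210", 118, 126), ("TZ200", 91, 97)):
        print(f"{name}: {header_overhead_fraction(good, thru):.1%} of throughput was headers")
    # Antimalware: both units fell to ~13 Mbps from their raw goodput.
    for name, base in (("TZ210", 118), ("TZ200", 91)):
        print(f"{name} antimalware hit: {performance_hit(base, 13):.0%}")
```

The overhead fraction derived from the review's numbers (about 6%) shows the reviewer's mix is dominated by larger packets; a small-packet-heavy mix like the constructed one loses closer to 12% to headers, which is one reason vendor throughput and observed goodput diverge.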
SonicWALL explained that their original performance specifications were based on testing they did using SonicOS 5.1, while we were testing with SonicOS 5.5. During the upgrade, some new signatures were added to the UTM feature and these were causing the performance slowdown we saw. Unfortunately, there was no easy way to identify which signatures were causing the problem on short notice, although they promised to work to improve UTM performance as quickly as possible.
Our testing shows that SonicWALL has done a great job of providing a high-speed firewall in a small package. However, UTM capabilities, especially antimalware, continue to be difficult performance challenges. Network managers who want to make use of antivirus at the gateway should be careful to limit their performance exposure by only protecting the traffic they think is likely to be infected with malware. Because the TZ200 and TZ210 run nearly identical firmware, network managers who are looking for simple firewalling probably won't find much reason to jump to the higher price/performance point of the TZ210. If some of the advanced features of the TZ210, especially the Application Firewall, are important, those certainly differentiate the two models. Similarly, the reach and noise resistance of the TZ210 wireless is likely to be better than the TZ200's, and that could be a reason to go for the higher-end model. However, the wireless TZ210 has a street price about 60% higher than the TZ200, so for the performance offered, the TZ200 is a much better deal.