Clavister Security Gateway 4300
Strengths: Good hardware platform, plenty of upgrade options, object-based security policies, optional InControl management
Weaknesses: An exponential learning curve, only DNS RBL anti-spam
Verdict: Solid range of network security measures; plenty of upgrade options but not easy to configure; basic anti-spam
Clavister's profile in the UK security appliance market is relatively low-key, but it aims to improve its image with the ever-increasing family of Security Gateway products. The SG4300 targets enterprises, data centres and VPN hosting services. A key feature is Clavister's CorePlus OS, which doesn't rely on any open source components and is designed to have a low memory footprint.
The appliance brings together an SPI firewall, IPsec VPNs, WAN failover plus traffic management - and augments these with optional IPS, anti-virus and content filtering. For the last three features you have Kaspersky stepping in for anti-virus duties, Endeavor handling IPS and ContentKeeper looking after URL filtering. Anti-spam is provided as standard but, as you'll see, it's nothing to write home about.
The SG4300 is designed to be easily upgraded, as Clavister's flexible licensing lets you add features and increase performance as required. The base SG4310 kicks off with a 1.5Gbps firewall which can be upgraded to 7Gbps.
The appliance offers a choice selection of network ports, with its six fixed copper Gigabit ports partnered by a quartet of SFPs for longer connections over fibre. Management options have also been improved: all SG appliances offer a web interface, and for centralised management of multiple devices there is the optional InControl software.
You can use the appliance's LCD panel for port configuration, but we found it easier to use a serial port connection and the CLI, which provides a basic startup menu and options for configuring one port for management access. Then it's over to the web interface, which is well designed and provides easy access to the various functions.
Clavister has also added a wizard to the web interface which helps set up one port for the LAN, a DHCP server and another port for internet access. However, it gets a lot more complicated after this phase and it's worth taking time out to understand the concepts behind CorePlus.
Security policies are built from three main components: physical interfaces, logical objects and rules. Objects define all network elements and include IP addresses, ranges and subnets, services, schedules, VPNs and ALGs. Usefully, the interface provides an address book for collecting details of interfaces, networks and subnets.
The wizard automatically created objects for the first two ports along with a DHCP server, an IP address pool plus network and broadcast addresses, but you'll also need to do this for each port you want to use. Next, you create rules that define the source and destination ports and networks, the service affected, the action to be applied and a schedule object.
We created a simple rule which enforced a NAT action between our designated LAN and WAN ports to allow firewalled internet access to our LAN clients. Each rule has an action that decides whether traffic is blocked, rejected, dropped or allowed, or has NAT or SAT applied.
To apply content filtering and anti-virus scanning to web traffic, we created an HTTP ALG, choosing from its 31 URL categories, and set up an HTTP service object. The ALG was then assigned to the service and applied to our two test network interfaces using a new HTTP NAT rule.
URL filtering worked reasonably well: with the games and gambling categories blocked, we were denied access to 40 of 50 online bingo sites. It would be useful to have a specific social networking category. Nuisance sites such as Facebook and Twitter get different classifications, so you need to select multiple categories to stop them all.
Clavister provides basic email security, as the SMTP ALG can be used to scan messages for infections, block attachments and limit the messages being passed through each minute. Anti-spam measures are very basic.
You also get FTP, H.323 and SIP ALGs, while the traffic management feature allows you to create pipes that measure the traffic flowing through them and enforce guaranteed bandwidth and restrictions for selected services. The web console has a handy status screen where you can see how processor and memory are holding up, view interface use and check out a pie chart of the top five web categories.
If you have multiple SG appliances then you'll want the InControl software, as this provides slick centralised management. Each appliance communicates with the InControl server over an encrypted link and selecting one from the domain window provides full access to its interface, presented in exactly the same format as the web console.
An alarm centre keeps you posted on problems with appliances and the Quick Monitor tool provides a smart dashboard of dials. The dials are updated in real time; you can monitor up to four ports, view overall connections plus traffic throughput and keep an eye on the appliance hardware.
The SG4300 is a powerful security appliance and its CorePlus OS offers a very good range of network security measures. The optional InControl provides good centralised management, although the URL content filtering could be better and anti-spam is a weakness.