Clavister Security Gateway SG4200
Strengths: Plenty of network ports for the price, namespaces and objects ease administration, strong management security, Kaspersky anti-virus measures
Weaknesses: Complex installation, limited email security features, no anti-spam
Verdict: A frustrating installation process, but the SG4200 does provide a highly versatile network security solution that can be easily upgraded
Aimed at enterprises, data centres and service providers, the SG4200 delivers a feast of network ports. You have eight Gigabit SFP ports to choose from, so you can add a range of high-speed connections over fibre using different modules, and these are complemented by a pair of copper Gigabit ports. You also get four Fast Ethernet ports, and a key feature is Clavister's flexible licensing scheme, which allows you to upgrade the device in situ to cope with demand.
Installation can start at the appliance's LCD panel and control pad, but we found it far easier to access the CLI via a serial port connection and work through the basic start-up menu. From here you designate the port on which you want management access. Provide an IP address or opt for DHCP, and that's all there is to it: the appliance fires up the core OS and you can then move over to remote management via the bundled FineTune application.
For testing we opted to dedicate a Fast Ethernet port for remote-management access and used the copper Gigabit ports for LAN and WAN connections. We found the FineTune interface well designed and it quickly becomes clear how versatile Clavister's appliances are. FineTune uses the concept of namespaces - repositories that hold descriptions of everything on the network they relate to. These range from hosts and services to VPNs, and each namespace can contain multiple SG appliances. FineTune maintains all this information in data-source files, so it's easy enough to have different files with their own namespaces and associated gateway appliances.
Namespaces simplify ongoing administration, but they do make initial installation a trial, as there are so many objects that need configuring. For the test, we had to set up objects for the LAN and WAN IP, broadcast and network addresses, create a DHCP address pool and link it to a new DHCP server object, which in turn needed to be assigned to our WAN port. To secure web access, we needed to create a route from the WAN port to the internet and set up a firewall rule to allow outbound traffic but block unsolicited inbound traffic.
Along with optional intrusion detection, traffic shaping is a handy feature as this allows quality-of-service policies to be implemented by assigning specific rules to pipes that determine how much bandwidth certain traffic is allowed to consume. You can stop unauthorised access to all settings as the active configuration must be checked out by an administrator before it can be modified.
For web browsing, Clavister offers anti-virus scanning and content filtering, deployed by creating an HTTP ALG within a namespace. There's more work to do here, as a service object with the appropriate port must be created, the HTTP ALG bound to it and a new firewall rule created to use it. Dynamic filtering offers over 30 categories to choose from; you can also strip out ActiveX objects and Java applets and apply your own black and white URL lists. Filtering performance was reasonably good: we visited 70 online bingo sites with the gaming category in the ALG block list and the appliance blocked us from 49 of them.
Clavister provides some email security features, but only SMTP is supported, so the appliance needs to relay to an internal mail server. The SMTP ALG object allows you to limit the number of messages being passed through each minute and block selected attachments. Virus scanning can be applied, but you can't block attachments by size. POP3 support should be out in the next version, but anti-spam isn't on the menu yet.
Once past the installation, the SG4200 offers a well-specified security solution with strong firewall and VPN functions. It can be easily upgraded by applying extra licences, and the namespace concept is a smart feature that makes light work of ongoing administration for multiple appliances.