Strengths: Well-designed interface makes complicated tasks easy.
Weaknesses: Weak logging, and default admin connection is unsecured.
Verdict: Offers an interesting mix of powerful features.
D-Link's DFL-2500 offers more network control than we expected, and does it at a good price for its class.
Strangely, the unit ships with all its ports configured to different network segments. This might be handy, but most will probably immediately reconfigure them. By default, only one port can connect to the management interface, and while this can be changed, it took a bit of trial and error to find it.
We were surprised that the HTTP connection to the management GUI makes no effort at all to secure the admin password - the login is passed in completely plain text over the wire. The unit does offer HTTPS connections, but the manual made no mention of this.
A pop-up wizard walks you through basic set-up. A nice touch is an automatic roll-back to the previous configuration if you fail to manually confirm that the interface is still accessible after any major configuration change.
To get the firewall working in a real environment, you need to spend time setting up definitions - networks, services, authentication groups and so on. These are all abstracted before being expressed in rules, so rules cannot be set up without a definition. This gets tiresome, but only because we are used to other products letting us skimp on what is, after all, much better practice. And the various pages all link together, making the process easy to use.
Apart from using syslog, we could find no way to log and report on the device's activities, which is astonishing. Like the role definitions, best practice suggests that managing logs elsewhere is a better idea, but this is an omission that may raise some eyebrows.
The unit can remotely manage other boxes via its Zone Defense feature - to create enterprise-wide blacklists in the event of an IDS trigger, for example.
As well as its filtering capabilities, this is actually a surprisingly flexible router too, with more traffic routing features than we would expect. This will be useful to some environments, although we would normally expect the box to be behind a real router anyway, so it might be redundant.
And the routing features do make the process of setting up some rules more complicated than they need to be.
The system provides IDS and you can create custom rules, but not your own signatures.
This well-priced unit has plenty of features and is very flexible. The interface has rough edges and you need a bit of network know-how to really use it to its full potential, but in the right hands this would be a very good solution indeed.