Firebox Peak X6550e
Strengths: Policy-based security, good centralised management, excellent web-content filtering, greatly improved logging and reporting
Weaknesses: Content database auto-updates still require Windows Task Scheduler
Verdict: The X6550e offers tough policy-based network security, and WatchGuard's latest firmware release brings in a host of new features
The latest update to WatchGuard's Firebox family heralds some significant new features. The product family consists of Peak, Core and Edge models, with the top-of-the-range Peaks aimed at enterprises. A useful feature of each family is that you can start small and upgrade as demand increases simply by applying a licence.
The X6550e can start with simple SPI firewall and VPN duties and then be upgraded to full UTM status, where it provides IPS, anti-spam, anti-virus and web-content filtering. Not all these services are run from the appliance itself. The WebBlocker content filtering service, for example, is installed on a selected system on the LAN and the appliance passes URLs to it for categorisation.
Installation is a smooth affair thanks to the WatchGuard System Manager utility. Simply boot the appliance into a safe mode via the keypad on the front panel and use the wizard to upload the image and implement a basic network configuration. For testing we deployed the appliance in router mode, which supports dynamic host configuration protocol (DHCP) on designated external ports and requires different networks on each interface. Usefully, the device defaults to allowing outbound traffic and blocking unsolicited inbound traffic. The box provides eight Gigabit interfaces that can be configured for internal, external or DMZ duties, and up to four WAN ports can now be teamed up for load balancing or failover.
The WebBlocker, logging, reporting and spam quarantine services can be distributed across multiple systems, but we had no problems running them all on a single Windows Server 2003 R2 system. Businesses deploying distributed appliances will like the management, as the WatchGuard System Manager looks after multiple Fireboxes. It provides a single interface where you can view basic status information on the devices' associated network ports and VPN tunnels.
Each device can be individually accessed using the Firebox System Manager, which opens up with a handy star-shaped graphic showing traffic passing between the various interfaces. There's a lot of information on offer, as you can view graphs and charts of traffic throughput, bandwidth usage and service status. Details are provided for viewing blocked clients and you can keep an eye on the status of anti-virus, anti-spam and IPS signatures.
All security is policy-driven, and policies are created using the Policy Manager tool. Basically, you have three types, based on packet filtering, proxies or custom rules. Most policies will be centred around proxies, as these provide Layer 7 inspection, anti-virus and IPS functions. For web proxies, you need to give the address of the WebBlocker server to which all URLs are sent for categorisation and approval.
For blocked sites, you can send the user a custom web page advising them of their transgression. The appliance now has the ability to work with both HTTP and HTTPS URLs, and the SurfControl database has been expanded to 54 categories. We found it simple enough to create a variety of policies, but were disappointed that WatchGuard hasn't automated category database updates, which still have to be run using the Windows Task Scheduler.
SMTP and POP3 proxies handle messaging security, while WatchGuard's SpamBlocker feature teams up with CommTouch to provide tough anti-spam measures. CommTouch works with many ISPs to create hashes of every mail passing through their servers, providing a way to identify spam easily. As the appliance scans inbound traffic, it computes hashes for each email and compares them with an external CommTouch server. This determines whether dubious messages are confirmed spam, bulk mail or just suspect. These verdicts are used to apply actions ranging from allowing and tagging to denying, dropping or quarantining. Usefully, CommTouch can provide early warnings of spam campaigns, as its hash servers can be updated globally the moment an outbreak has been detected.
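The hash-lookup flow described above, as an added example in Python that is not WatchGuard's or CommTouch's code: the hash server, its verdicts, the action policy and the message samples are all constructed, and a plain SHA-256 over a normalised body stands in for the vendor's hashing, which the review does not detail.

```python
import hashlib
from email import message_from_string

# Verdicts and actions are the ones the review lists; the mapping is a constructed policy.
ACTION_POLICY = {"confirmed": "quarantine", "bulk": "tag", "suspect": "tag", "clean": "allow"}

def normalise(body: str) -> str:
    """Lower-case and collapse whitespace so cosmetic edits do not change the hash."""
    return " ".join(body.lower().split())

def body_hash(raw: str) -> str:
    """SHA-256 of the normalised body (assumed stand-in for the vendor's hashing)."""
    msg = message_from_string(raw)
    part = msg.get_payload(0) if msg.is_multipart() else msg
    return hashlib.sha256(normalise(part.get_payload()).encode()).hexdigest()

def build_hash_server(samples):
    """Constructed stand-in for the external hash server: hash -> verdict."""
    return {body_hash(raw): verdict for raw, verdict in samples}

def classify(raw, hash_server):
    """Compare the inbound message's hash with the server; unknown hashes are clean."""
    return hash_server.get(body_hash(raw), "clean")

def apply_action(raw, verdict, quarantine, policy=ACTION_POLICY):
    """Return (action, message to deliver); None means nothing reaches the mailbox."""
    action = policy[verdict]
    if action == "allow":
        return action, raw
    if action == "tag":
        msg = message_from_string(raw)
        subject = msg["Subject"] or ""
        del msg["Subject"]
        msg["Subject"] = f"[SPAM:{verdict}] {subject}"
        return action, msg.as_string()
    if action == "quarantine":
        quarantine.append(raw)
    return action, None  # deny, drop and quarantine all withhold delivery

# Constructed samples standing in for hashes reported by partner ISPs.
KNOWN = [
    ("Subject: Win\n\nCLICK   here to claim your PRIZE now", "confirmed"),
    ("Subject: Weekly\n\nOur weekly newsletter is here", "bulk"),
]
HASH_SERVER = build_hash_server(KNOWN)

def filter_inbound(raw, quarantine=None):
    """One inbound message through classify-then-act, as the SMTP proxy would."""
    quarantine = quarantine if quarantine is not None else []
    return apply_action(raw, classify(raw, HASH_SERVER), quarantine)
```

Exact hashing only catches copies that normalise identically; a reworded campaign gets a fresh hash, which is why the review notes the value of hash servers being updated globally as soon as an outbreak is seen.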
The Log File server has seen significant improvements. Instead of using XML files, logs are now saved to a PostgreSQL database running on the Log Server system. This method can get more information into the database and has helped overcome performance issues with XML files when generating reports.
VoIP comes into WatchGuard's picture with proxies provided for H.323 and SIP, allowing voice traffic to be managed. A single sign-on solution is now on offer, as is a new SSL-VPN service for mobile workers that allows you to authenticate using methods such as an internal database, AD or LDAP and grant access to all IP-based resources on trusted, optional or VLAN interfaces.
With its latest firmware release WatchGuard has made some serious improvements to its security appliance family. The use of policies and proxies makes for a versatile solution that can be easily upgraded as required and the management method is ideally suited to sites with distributed security appliances.