Kerio Control v7.4
Strengths: Simple setup, documentation geared for novice administrators
Weaknesses: VPN implementation is currently proprietary, light on reporting
Verdict: Great for small businesses or novice administrators. Companies with more complex environments may want to wait for v8.0
The term unified threat management can sound intimidating to administrators lacking in information security experience. Fortunately, basic UTM protection doesn't need to be overly complex, and Kerio Control is a great example of that.
The product we tested was provided as a VMware virtual appliance. Following the quick setup guide, it was a simple matter of importing the appliance into our ESX environment and starting the tool. Through the console, we set up our trusted and untrusted interfaces and chose an administration password. All further configuration was performed through the product's web interface. On first login, we were presented with a configuration assistant wizard, which guided us through installing our licence and setting up a basic traffic policy.
Kerio Control provides a clear, snappy interface for administration. The administrator is provided with a clean, configurable dashboard on login, which provides a number of system status charts. All device features are listed in a hierarchal menu on the left-hand side, with configuration options presented on the right. All of the features we'd expect are present, including a basic firewall, intrusion prevention system (IPS), content filter, perimeter anti-virus scanner and VPN. It can also serve as a dynamic host configuration protocol (DHCP) and domain name system (DNS) server.
While intended to be used as the default gateway, Kerio Control can be configured as a proxy server for content filtering purposes. The IPS is signature-based, with signatures updated automatically on a configurable schedule. Anti-virus services are provided by Sophos, with signatures again updated on a configurable schedule. The content filter supports rules based on IP address groups, URL groups and keywords. Lightweight directory access protocol (LDAP) integration is supported, which makes user-based content filtering extremely easy to implement.
Additionally, the HTTP cache can be enabled for bandwidth-conscious administrators. Kerio's virtual private network (VPN) features are extremely easy to implement, providing support for both client-server and site-to-site configurations. Despite its simplicity, the implementation is proprietary, so site-to-site tunnels are only possible between two Kerio appliances, and clients connecting to the Kerio appliance must use the client software. Fortunately, this is set to change in the 8.0 version of the software, which will implement standards-based IPsec tunnels and support for Android and iOS clients.
The documentation is very good. Guides are provided for the initial appliance installation, configuration and on-going administration. Presented as PDFs, they are well-organised and seemingly tailored for administrators without extensive UTM experience. One negative thing we noticed was their recommendation that administrators allow access to the administration frontend from the untrusted interface. While we acknowledge that it would make remote administration easier, it really does not follow best practices, so we recommend reading the documentation with a critical eye.
Product support is offered on a 24/5 basis, and is provided via phone or email. Kerio also maintains an online knowledgebase and active user support forums.
Kerio Control starts at a cost of c£175 for the software appliance, plus five users, and c£17 per additional user.