Strengths: Plenty of features for the price; firewall rule objects make it very versatile; good web content filtering performance
Weaknesses: Dangerously complex configuration process
Verdict: The DFL-860 offers an impressive range of features at a very good price, but you'll need the patience of a saint to configure it properly
D-Link has dabbled in the security appliance market for some years now and its latest DFL-860 is a UTM solution that delivers an extensive range of features and looks very affordable for SMBs.
It offers a standard SPI firewall plus support for up to 300 IPsec VPN tunnels and augments these with Endeavor's IPS, Kaspersky's anti-virus and ContentKeeper's content filtering. Prices start at a very reasonable £609 and this includes the first year's subscription to IPS and AV services plus three months for content filtering. Further subscriptions only cost £300 per year for all three services.
This compact rack mount box has a pair of WAN ports that support failover, a single DMZ port and seven Fast Ethernet ports for a range of LAN duties. A serial port is provided for CLI access but it is much easier to point a web browser at its default IP address and take advantage of the quick-start wizard. This runs you through getting basic firewall-protected internet access, plus DHCP services if required.
The main interface is a busy affair as there is a lot going on. Don't even think about creating firewall rules yet as you need to sort out the objects that will be used to define all your network elements. These need to be created for single IP addresses, ranges and subnets plus network services, time schedules, VPNs and ALGs (application layer gateways). A useful address book is provided for storing objects relating to interfaces, networks and subnets.
IP rules combine service and schedule objects, which are assigned to source and destination interfaces and networks. Each rule includes an action: allow, drop or deny, or the application of NAT or SAT (static address translation). Folders help with rule management as you can use these to organise rule sets based on the sources and destinations they refer to.
The advantages of the D-Link method are clear, as rules can be used to control virtually any type of traffic. However, their structure does make them very complex to configure. A good example is setting the appliance up to function in transparent mode. Most SMB appliances will let you do this by ticking one box - D-Link's manual for this supposedly simple operation is four pages long.
It doesn't get any easier when setting up web content filter rules. You first need to create an http ALG object, decide which of the 31 website categories you want it to block and activate virus scanning if required. Next, you create a service object for http and assign the ALG object to it. Finally, you create a new http NAT rule with the http service object, apply this to the required network interface objects and place it in the rule queue with the appropriate priority.
As you can imagine, this took a while to get working and the process was not helped by the documentation, which is not very accurate. Even so, it was worth the effort as performance is good. With the gambling category blocked, we Googled for online bingo sites and the DFL-860 blocked us from 36 of the first 40 sites visited.
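An added example, not taken from the review or from D-Link: a small Python audit of the ALG, service and rule chain described above, flagging HTTP paths that never reach the filtering ALG. The object model and all names are constructed and are not the appliance's own syntax, and top-down first-match rule evaluation is an assumption.

```python
from typing import NamedTuple, Optional

HTTP_PORT = 80

class Service(NamedTuple):
    name: str
    port: Optional[int]          # None = any port
    alg: Optional[str] = None    # name of the ALG object bound to the service

class Rule(NamedTuple):
    name: str
    action: str                  # "NAT", "Allow" or "Drop"
    service: str
    src_if: str
    dst_if: str

def audit(alg_names, services, rules):
    """Return (rule, finding) pairs for HTTP paths that bypass the ALG."""
    svc = {s.name: s for s in services}
    findings, http_owner = [], {}
    for r in rules:              # assumption: top-down, first match wins
        s = svc[r.service]
        if s.alg is not None and s.alg not in alg_names:
            findings.append((r.name, "missing-alg"))
        if s.port not in (None, HTTP_PORT):
            continue             # this rule cannot match HTTP traffic
        pair = (r.src_if, r.dst_if)
        if pair not in http_owner:
            http_owner[pair] = r.name        # first rule to match HTTP
            if r.action in ("NAT", "Allow") and s.alg is None:
                findings.append((r.name, "unfiltered-http"))
        elif s.alg is not None:
            # a filtering rule that sits below a broader match never fires
            findings.append((r.name, "shadowed-by:" + http_owner[pair]))
    return findings

# Constructed sample objects (illustrative names, not real device config)
ALGS = {"http-filter"}
SERVICES = [Service("all_tcp", None),
            Service("http-filtered", HTTP_PORT, "http-filter")]
BROKEN = [Rule("lan-out-any", "NAT", "all_tcp", "lan", "wan"),
          Rule("lan-web-filter", "NAT", "http-filtered", "lan", "wan")]
FIXED = list(reversed(BROKEN))   # filtering rule placed above the broad rule

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(ALGS, SERVICES, rules))
```
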
ActiveX objects, Java apps and VBScript can be stripped out using the http ALG and you can limit the size of files that can be downloaded. You also get ALGs for FTP, H.323, SIP, SMTP and POP3 and the latest firmware version adds simple anti-spam measures using RBLs. With the FTP ALG we could block file types by their extension and if you try copying down a file that matches the parameter, the download will just sit there for a few minutes before eventually hanging.
The anti-virus, web content and IPS databases can be updated automatically and as often as every hour. The console provides plenty of detailed logging information about all key components, including web filtering, anti-virus and IPS services, although there are no facilities for exporting the logs into reports. Traffic management is on the cards too: you create pipes that measure the traffic flowing through them and enforce guaranteed bandwidth and restrictions in KB/sec for designated services.
For IPS measures you can use the entire signature database, but it may affect performance, so you would be better off creating rules for specific services that only look for particular attacks. Don't expect a lot of help in determining what each signature does, as D-Link's nebulous naming convention does not give much away and no comments are attached to the signatures either.
User authentication for web access is also provided and you can use a local user database or call in an external RADIUS server - surprisingly, Active Directory is not supported. Have a stiff drink before trying this one, as the supporting document is 14 pages long and you must disable web management on ports 80 and 443 first, otherwise authentication will fail as it wants to use these ports.
A potentially useful feature that makes the DFL family unique is D-Link's ZoneDefense. This ties in with its xStack switches: the firewall can send them commands to block ports, preventing an infection from spreading from a workstation or network segment.
There's no denying the DFL-860 is offering a lot for your money and is clearly a powerful security appliance in terms of features. However, it has to be one of the most complex and frustrating SMB security devices we have tested.
It's known that many breaches are caused by hackers exploiting misconfigured security appliances and from experience we suspect that the DFL-860 could tip the balance even further in their favour.