SonicWall NSA 2400MX
Strengths: Complete range of UTM security measures, integral L2 switch, port zoning adds extra versatility, deep packet inspection
Weaknesses: Expensive anti-spam licences; not the easiest to configure
Verdict: Smart combination of UTM appliance and network switch that delivers a quality range of security measures
SonicWall's security appliances have always had a strong focus on zoning networks and the latest NSA 2400MX takes this to the next level, as it combines full UTM features with a 26-port switch. This aims to reduce costs for SMBs by avoiding the need to purchase separate network infrastructure and security hardware.
It has 16 Fast Ethernet and ten Gigabit ports and these can be grouped into different zones, each with their own security policies. The price includes a one-year TotalSecure subscription to gateway AV and anti-spyware scanning, IPS, SonicWall's application intelligence and web content filtering service.
Anti-spam is optional and comes courtesy of the GRID, which gathers spam information from SonicWall appliances globally and stores it in a data centre to provide a sender reputation service.
Other advantages of this are the ability to block known spammers, so reducing message-processing overheads. It also integrates with Exchange 2003 and 2007 servers and can install a special Junk Store folder on them to allow users to inspect personal quarantine areas.
The only question we have about this feature is SonicWall's costly licensing structure. Enabling it for five mail domains and 250 users adds £2,000pa to the price.
Installation is helped along by setup wizards. A wizard is also provided for PortShield to group physical ports into logical units, which can have QoS profiles and SPI firewall settings applied.
The 2400MX provides all the features you would expect in a Layer 2 switch, with support for RSTP, VLAN trunking and port aggregation. Layer 2 QoS uses weighted round robin or strict priority queues and for network monitoring you can create port groups where all traffic is mirrored from them to one port.
SonicWall's firewall and deep packet inspection (DPI) provide extensive security measures. You can use them to control FTP transfers or HTTP requests and apply actions such as blocking or redirecting/limiting bandwidth. DPI can also handle VoIP traffic.
SonicWall's premium content filtering service is included in the price and offers 56 different categories to block or allow.
Web filtering performance is good - our users were unable to access games and gambling sites. Social networking was more problematic, as no single category was available to deal with the likes of Facebook and Twitter. SonicWall advised us that this will appear in a later firmware version.
Basic anti-spam comes as standard, but relies on RBLs, which we've never found to be overly effective in a business environment. The optional anti-spam module is a far better bet, but adds significantly to costs.
The module uses a scoring system to classify messages and you can reject, delete or tag them. If you have installed the Exchange Junk Store option, any message in these categories can be sent there.
If you don't mind using the SonicPoint wireless APs, you can extend the security umbrella to these as well. The appliance only provides basic log-viewing facilities and for quality reporting you need to use the ViewPoint software, included in the price.
The NSA 2400MX offers an impressive range of security measures. Amalgamating UTM appliance and L2 switch into the same hardware package is a smart move that can save money. The port-zoning feature adds extra levels of security and, although comparatively expensive for SMBs, the optional anti-spam service is well worth considering.