WatchGuard XTM 22-W
Strengths: Can now be fully configured from its web interface. Application awareness, HTTPS scanning as standard, low cost and no per-user licence restrictions
Weaknesses: Rogue detection disables wireless AP, no spam quarantining
Verdict: Offers an impressive range of security measures. Web browser management makes it far better suited to SMBs requiring a single appliance
WatchGuard's latest XTM 2 series indicates a new focus, as it aims to make its entry-level security appliances more suitable for smaller businesses. Traditionally, it used a distributed management approach, which works well for multiple appliances, but is heavy-handed for a single unit.
Previously, you were required to install its WatchGuard System Manager (WSM), Firebox Manager and five servers for handling management access: something we have raised as a concern for years, as it's too cumbersome for one appliance.
WatchGuard has been slow to remedy this: it was not until our review of its XTM 530 (SC, November/December 2010) that we saw its first appliance with a web browser management interface. Even then, the XTM 530 didn't provide full access for configuration, so you still needed to use the WSM et al.
In this exclusive review, we look at the XTM 22-W, the first of the WatchGuard appliances that can be fully configured and managed directly from its web interface.
It is one of three in the XTM 2 series and offers firewall and UTM throughputs of 150Mbps and 30Mbps respectively.
Another new feature offered across all of WatchGuard's XTM appliances is application awareness. This is included in the security bundle price and provides greater levels of control over social networking, IM and P2P usage in the workplace.
Facebook gets close attention and you can now control access to the login process, chat and Facebook's web mail. For IM apps such as Windows Live Messenger, it is possible to block or allow logins, chat, game playing and file transfer activities.
WatchGuard has a long list of supported P2P apps. BitTorrent, for example, can be blocked or controlled at the login, connection and file transfer levels. Remote-control apps are always a security concern and you now have the ability to manage RDP, LogMeIn and GoToMyPC connections.
Wireless features have been improved and, along with support for 802.11n/b/g networks, the appliance can present up to three SSIDs. A guest SSID is preconfigured to bridge across to the WAN port only, so you can easily provide secure internet access to wireless users. The guest SSID can also be used to redirect clients to a web page, where they must agree to an AUP.
The other two SSIDs can be set to bridge with any one of the appliance's three Fast Ethernet and Gigabit ports. Security has also been improved as the new WPA Enterprise option can authenticate users with certificates.
Rogue AP detection is provided, but we advise caution when using this. We found it worked very well in our office environment, with it detecting other APs some distance away, but it will disable the appliance's SSIDs while it is running. You can schedule it to run outside normal working hours, but this does decrease its value.
We're pleased to see that WatchGuard has finally relented and fixed the issues with its WebBlocker URL database updates. Previously, you had to use the Windows Task Scheduler to run this regularly but this is now fully automated and runs at predefined intervals.
Multiple AD domains are supported and WatchGuard's IPS service can be applied to any security policy. Earlier versions only allowed IPS to be used in proxy rules, but this can now be applied to any policy including packet filters.
Even terminal services get a nod from WatchGuard, as it provides a small client that is installed on a Terminal Server or Citrix Server host. This allows you to link policies to AD users and groups and control access from thin clients.
Setting up anti-spam measures is easy enough: you just enable and configure the POP3 and SMTP proxies within a policy. These use the Commtouch hosted service which we've always found delivers excellent spam detection rates.
Actions for handling suspect messages are basic. If you don't use the separate quarantine server component, then spam and infected messages can only be tagged and passed on for processing by your mail server or client.
The URL filtering service offers over 50 different categories which can be blocked or allowed on a per-policy basis. This service worked well during testing, with our test clients blocked from all manner of undesirable websites.
The new web browser interface offers plenty of information on traffic and performance. A separate window also provides graphs showing all anti-virus, anti-spam, IPS and WebBlocker activity and we found we could, indeed, configure any security service on the appliance from here.
You may find you'll need to load WatchGuard's logging and reporting servers, as the web interface doesn't provide any facilities for creating reports. However, these two components are included with the appliance and are fairly light on system resources, so don't need a dedicated Windows host.
The number of proxies available makes the XTM 22-W very flexible, and value is increased further as HTTPS traffic scanning using a man-in-the-middle approach is provided as standard. The new application awareness features also allow far finer control over social networking, plus IM and P2P.
It has been a long wait for WatchGuard to provide full web browser access for management and configuration, but it does make the XTM 22-W much more appealing to SMBs looking to deploy a single appliance.