WatchGuard XTM 530
Strengths: Top performing anti-spam and web filtering services, no per-user licence restrictions, HTTPS scanning as standard, good reporting tools
Weaknesses: Smaller sites will find management complex; URL database updates still not automated
Verdict: A quality range of security measures offering good value, although its management tools are best suited to handling multiple appliances
WatchGuard's latest XTM security appliances aim to up the ante over the competition, with performance as a high priority. Along with a speed boost, they offer a complete range of security measures. On review is the XTM 530 that targets mid-sized businesses of up to 1,500 users.
The hardware spec isn't earth-shattering - this 1U appliance sports a simple 2GHz single core Pentium and 1GB of DDR2 memory. WatchGuard is claiming an impressive 2.3Gbps firewall throughput - 800Mbps with all the security features enabled.
A valuable feature is that all four members of the XTM family use the same hardware; performance is determined purely by a licence. This means you could start with the base XTM 505 and upgrade performance as demand increases, simply by applying a new licence.
The XTM 530 delivers plenty of security features: along with SPI firewalling and support for IPsec and SSL VPNs, you have the full gamut of gateway anti-virus, anti-spam, IDS/IPS and web content filtering. WatchGuard has also beefed these up with options for controlling nuisance IM and P2P apps, with a keen focus on Skype.
More features are on the cards: along with routed and drop-in modes, XTM appliances support a bridged mode. This allows the appliance to be completely transparent to the network and only requires one port designated for management access.
There's more. WatchGuard has finally relented and provided web browser access directly to the appliance. It doesn't provide full access for configuration; you are still required to use WatchGuard System Manager (WSM).
This is where WatchGuard differs dramatically from the competition, as it requires a number of services to be run from other LAN systems. WebBlocker content filtering service, for example, is installed on a selected system on the LAN and the app passes URLs to it for categorisation.
There is a separate quarantine server for infected messages, while reporting and logging also have their own servers. You can distribute the load by running each component on different systems, but we found it easy enough to install them all on a single Windows Server system.
WSM can handle multiple appliances from a single interface, so works well for businesses deploying them in a distributed environment. It provides a central console where you can gather all your appliances together and view status information on associated network ports and VPN tunnels.
To access a single appliance, you load the Firebox System Manager (FSM) from the WSM interface. This opens with a useful star-shaped graphic showing traffic between the various interfaces. FSM also provides graphs and charts of traffic throughput, system messages, bandwidth usage and service status.
By using POP3 and SMTP proxies, WatchGuard's spamBlocker works straight from the box and doesn't require any information about internal email servers. It comes courtesy of Commtouch, which we've always found works extremely well.
As the appliance scans inbound and outbound traffic, it computes hashes for each email and then compares them with an external Commtouch server. This returns one of three categories for dubious messages - confirmed spam, bulk mail or just suspect - and you can use proxy actions to allow, tag, deny, drop or quarantine them.
WebBlocker uses Websense, which could definitely be made easier to use: you have to manually download the category database, which extracts the first 300MB, to carry out basic web-blocking.
Annoyingly, WatchGuard still hasn't automated the database-update process, so you need to use the Windows Task Scheduler to do this. Even so, WebBlocker performed very well; with games and gambling categories blocked, clients were unable to access any online bingo, poker or games sites.
New for WebBlocker is an advanced local override feature, which allows users to enter a password to access a site that would normally be blocked. You also get its ReputationAuthority, which uses a scoring system to determine whether inbound web traffic can be trusted.
A separate report server offers an impressive range of predefined reports. You can choose from proxy activity reports to see what your users are up to and export reports in HTML or PDF formats.
The new web browser interface provides good levels of access to the appliance, plus plenty of traffic and performance graphs, but it is really a status-monitoring tool; it won't allow you to fully configure many features such as the various proxies. WatchGuard still prefers you to make WSM your first port of call for system configuration.
Smaller businesses deploying a single app will find WatchGuard's management method cumbersome, as you need to use so many utilities to access all the features. However, it works very well where multiple appliances and all their security policies need to be controlled from a central location.
Automatic updating for the WebBlocker service needs to be improved, but its URL filtering service does perform very well. The appliance also provides quality anti-spam measures and offers good value - a full licence activates all features and has no per-user restrictions.