WatchGuard Firebox II
by Bob Walder
The WatchGuard Firebox II forms part of the WatchGuard Security System, which includes the Firebox II firewall, authentication, remote user and branch office VPN, and security management software. One of the nicest features of the Firebox II is that everything is included: all hardware and software, even the necessary Ethernet, crossover and serial cables. About the size of a slim desktop PC, the front panel sports a psychedelic status panel with numerous LEDs showing processor load, traffic volume, and the direction of traffic between the three interfaces (protected, external and DMZ). It is certainly a striking device, designed to stand out in your machine room with its bright red case.

On the back panel are three auto-sensing 10/100 Ethernet ports, serial and console ports, a power switch, and two PCMCIA slots labelled "Expansion". At present these accept a single PCMCIA modem for out-of-band management. The ability for all three interfaces to share the same IP address allows you to install a Firebox internally without re-subnetting your network.

A quick peek inside reveals a far more integrated design than the previous Firebox: a PC-like motherboard (labelled WatchGuard Technologies) carrying a Pentium processor, a couple of DIMM memory sockets (one occupied) and a couple of PCI expansion slots (though the case is too slim to take advantage of them). The spare memory and PCI slots are clearly there to give WatchGuard room for future expansion rather than as options for the end user. As it is, the additional processing power and memory over the original Firebox provide the extra horsepower required to support multiple VPN sessions. There are no keyboard or video ports, and not even a hard drive; the previous model's floppy disk has also been ditched in favour of flash memory to store the operating system and firewall engine.
Whereas the original Firebox ran a modified version of Linux as the host OS, WatchGuard appears to be moving slowly away from that towards a more proprietary offering for the latest generation, which makes perfect sense in this industry. Installation is straightforward, with the documentation taking you through the process step by step. I do take issue with WatchGuard trying to get you to use a notation for IP addresses that will be new to many people: the slash notation that writes address and mask as a single string. Many users find it difficult enough to grapple with IP addresses and netmasks; replacing the netmask with a single-line notation for both address and mask only adds to the confusion. WatchGuard is to be applauded, however, for providing a clear and well-explained choice between a "drop-in" configuration (where all three interfaces have the same address) and a "multiple network" configuration (where each interface is connected to a different subnet or network). Most firewalls assume one or the other and leave the poor user to figure out what is going wrong when the network configuration does not match what is expected (SonicWall is a prime example). WatchGuard actually consists of three components:
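To take the sting out of the notation complaint above, and to make the two deployment modes concrete, here is an added example (my own code, not WatchGuard's software or documentation) that converts between the slash notation and the familiar address-plus-netmask form, and then checks whether a set of three interface addresses describes a valid "drop-in" or "multiple network" layout. The function names, the interface labels and the sample addresses are all assumptions made for illustration.

```python
import ipaddress


def parse_interface(spec):
    """Accept either 'addr/prefix' (slash notation) or 'addr mask'
    (address followed by a dotted netmask) and return an IPv4Interface.
    Both input forms are constructed for this example."""
    if "/" in spec:
        return ipaddress.IPv4Interface(spec)
    addr, mask = spec.split()
    # ipaddress accepts a dotted netmask in the prefix position
    return ipaddress.IPv4Interface(f"{addr}/{mask}")


def to_slash(iface):
    """Render as the single-string slash notation, e.g. 10.0.0.1/24."""
    return f"{iface.ip}/{iface.network.prefixlen}"


def to_dotted(iface):
    """Render as the traditional address and dotted netmask pair."""
    return f"{iface.ip} {iface.network.netmask}"


def classify_config(protected, external, dmz):
    """Classify three interface specs (hypothetical labels matching the
    review's protected/external/DMZ) as 'drop-in', 'multiple network',
    or 'invalid'."""
    ifaces = [parse_interface(s) for s in (protected, external, dmz)]
    if len({i.ip for i in ifaces}) == 1:
        # Drop-in: every interface carries the same address. That only makes
        # sense if the mask is the same everywhere too; otherwise reject it.
        return "drop-in" if len({i.network for i in ifaces}) == 1 else "invalid"
    nets = [i.network for i in ifaces]
    # Multiple network: each interface sits on its own subnet, so no two
    # interface subnets may overlap (an overlap means ambiguous routing).
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a].overlaps(nets[b]):
                return "invalid"
    return "multiple network"


if __name__ == "__main__":
    sample = parse_interface("192.168.1.1 255.255.255.0")  # constructed input
    print(to_slash(sample), "<->", to_dotted(sample))
    print(classify_config("10.0.0.1/24", "10.0.0.1/24", "10.0.0.1/24"))
    print(classify_config("10.0.0.1/24", "203.0.113.2/29", "192.168.50.1/24"))
    print(classify_config("10.0.0.1/24", "10.0.0.2/24", "192.168.50.1/24"))
```

The overlap check is the part worth keeping to hand: a "multiple network" layout with two interfaces on the same subnet is exactly the mismatch the review says other firewalls leave you to discover by trial and error.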
All packet filtering and proxied connections are handled by the Firebox using a hybrid of a stateful dynamic packet filter and transparent application-level proxies. Proxies are provided for SMTP, FTP and HTTP, and IP masquerading hides your internal IP addresses from prying eyes. A separate Web blocking option is available for content filtering.

Once installed, all configuration and management is done via the SMS (Security Management System) software. This connects to the Firebox over an encrypted link (or directly to the management port) to create the firewall rule base, graphically display the status of all managed services, and notify network administrators of security violations. It provides a clear, easy-to-use interface with excellent use of graphics and colours to denote the status of proxies and devices. The screen is split into two areas: the services area and the configuration tree. New services (such as HTTP, FTP, SMTP, POP3 and so on) can be added to the services area, and access can be restricted by user, group, IP address, network address or host name. Various logging options can be set for each service, and it is possible to define your own services if required. The configuration tree is a hierarchical menu of parameters controlling the firewall as a whole, the proxies, VPNs, and so on. Once completed, configurations can be downloaded to one or more firewalls or stored to disk for download at a later date.

A welcome addition to Firebox II is IPsec-compliant branch office VPNs straight out of the box, to go with the remote user VPNs that were available in previous versions. Additional modules are also available for Web Blocking, Historical Reporting (a summary of network activity and a variety of reports), Graphical Monitor (real-time monitoring of bandwidth utilisation and session activity), and Global Console (centralised management of multiple firewalls from a central console).
Verdict

Described as a "network appliance", the Firebox II lives up to this billing: it provides a complete hardware and software solution that is as close to plug and play as you are going to get with a firewall.

Supplier: Wick Hill