Beware the hacker because she lives, ready to prey on your clients wide-open broadband Internet connection. DSL and cable are the harbingers of security risks. The always-on Internet means your clients are always susceptible to outside attacks. Thus, protecting their network, no matter how small, has become extremely important. Thats why your clients need—at a very minimum—a SOHO firewall, to protect them from the big, bad Internet.
We tested five SOHO firewalls that will meet the security needs of most of your clients while not crimping their pocketbooks.
The trick with these products is to provide security, but not at the expense of ease of use. While all of the products we reviewed are easier to install and configure than a trajectory to the moon, some really dumb it down so that anyone remotely familiar with networking could get them running.
Regardless of what kind of office your client has, there are a few SOHO firewall features that are important, if not vital, to your clients business, such as the capability to host a Web or e-mail server or accept a DHCP address from an ISP.
Each of these firewalls uses NAT (network address translation) and functions as a router, but only two—the products from NetScreen and SonicWall—permit NAT to be disabled, yielding configurable firewall rule sets. While more complicated to administer, rule sets allow a more granular level of control, which appeals to security-conscious clients.
All of the products can host Internet servers via port forwarding when NAT is enabled. That means, for example, any HTTP request on port 80 for the outside IP address will be forwarded to the appropriate inside IP address where the Web server resides. Any port can be forwarded, but its a one-to-one connection—one port to one inside IP address.
Another way to host Internet servers is through a DMZ, or demilitarized zone, which separates Internet traffic to Web, FTP and e-mail servers from the internal network. All of the vendors except SonicWall say they have a DMZ, but the functionality is built into the software and is nothing more than glorified port forwarding. In fact, only the NetScreen-5XP allowed us to use an IP address not part of the internal network—the other products require it. None of the products has a separate hardware port.
Many DSL and cable providers assign a dynamic IP address as well as use Point-to-Point Protocol over Ethernet (PPPoE) to authenticate users. All of the products support PPPoE, providing a space for the username and password, as well as accept dynamic IP addresses.
A static IP address usually will increase the price of a DSL connection, so the DHCP client feature can be an excellent cost saver for your client. Of course, a dynamic IP address rules out hosting any type of public server on the network, but it is more secure. On the inside network, the firewalls all provide a DHCP server, making your job easier to configure the clients.
Rounding out the list with two less-important features is content filtering and virus protection. Content filtering is the simple practice of denying access to Web sites that contain sex, violence, offensive language and a multitude of other themes. The three more expensive products bundle content filtering products, although both Watchguard and SonicWall charge a nominal fee ($49) for the service. Your clients will be left with free rein of the Internet with the DI-704 and the EtherFast BEFSR41.
Virus protection is not something inherent to the firewall (or at least shouldnt be), but a bundled application that can be deployed to desktops and updated easily lightens the load of administrative tasks. As it stands, only SonicWall delivers an anti-virus solution from Network Associates.
D-Link Systems DI-704 Our most inexpensive entry by a sliver, the DI-704 is happy to be a Toyota Corolla among Cadillacs. As long as security is not paramount, it delivers everything a SOHO needs at a rock-bottom price.
The DI-704 includes a four-port, Fast Ethernet switch—one of only three products to ship with a hub or switch—which means your client wont need an extra hub unless he grows beyond four computers. Of worthy note, D-Link ships multiple products in this space—the DI-701 and DI-707—the only difference is the size of the switch. Users can be divided into three groups by IP address to allow or block specific ports, but thats the extent of the user and group capability.
Lacking a VPN, encrypted remote management, and RADIUS or LDAP authentication, your clients will love the price, but look elsewhere if security or enterprise integration is a major concern.
Linksys EtherFast BEFSR41 The EtherFast competes head-on with the DI-704, by price, features and ease of use. Theres little to differentiate the two products, although the DI-704 ships with a stateful packet inspection firewall (Linksys says its is coming), while the EtherFast relies on NAT. Also, the EtherFast supports IPSec and Point-to-Point Tunneling Protocol (PPTP) passthrough, while the DI-704 supports only PPTP passthrough. This is most relevant for telecommuters that rely on a VPN client to communicate with the home office—if the VPN is IPSec, the EtherFast is the only inexpensive product to support it.
As with all Linksys products, the user interface was clean, smart and easy to navigate. Like the DI-701, its a great product for a client with basic needs.
NetScreen-5XP The NetScreen-5XP exuded “enterprise.” Its firewall rule set has an uncanny resemblance to Check Points Firewall-1, which is great for any reseller that understands how firewall rules work. In addition to the VPN, the NetScreen-5XP can authenticate both with RADIUS servers and LDAP, the only product to do both. Its logs are complete, management is integrated with the NetScreen Global Manager, and it is the only product with traffic management capability—excellent for guaranteeing or limiting bandwidth to certain applications or users, provided it communicates with another NetScreen box.
We tested a late beta version of the NetScreen-5XP, but the only thing beta about it we saw was the documentation, which made it slightly more difficult to work our way through the installation and configuration.
For 10 users or fewer, it slides in at $495, including the VPN. Thats the best price of the three products that ship with VPNs. More than 10 users? Slap down an additional $500 for unlimited users.
While it does lack bundled virus protection and a DMZ (at least in verbiage, because you can accomplish similar functionality with port forwarding), it is a strong product that will be happy in any SOHO environment.
Watchguard SOHO The Watchguard SOHO is a budding product, almost ready to take on a more robust role. The only feature lacking here that both the SonicWall SOHO2 and NetScreen-5XP have is the capability to turn off NAT, which would round out its excellent features set. While it does have a stateful inspection firewall to back it up, it succumbs to all of the limitations of NAT.
Watchguard includes a LiveSecurity subscription, which provides software updates, technical support over the phone and online training. Software updates are relatively easy with all of the products reviewed here, but the LiveSecurity subscription helps by notifying you via e-mail when it should be updated—an excellent feature.
With an interesting twist on remote management, besides the VPN and global management, a reseller can gain access to the SOHO remotely by having the client enable a timed remote management feature (60 seconds or so). This helps when the reseller is on the road without access to the VPN.
If your client doesnt need special applications when NAT is disabled, then the Watchguard SOHO delivers the goods at a reasonable price.
SonicWall SOHO2 The SOHO2 from SonicWall is all about choice, but at a price. The 10-user model costs $495, while the price for 50 users is $995. Have more users than that? NetScreens XPRS2 may work, which also includes a hard port DMZ. Add a VPN to the SOHO2 and it costs an extra $495, or you can buy it bundled in the TELE2 (the SOHO2 with VPN) for $595. Virus protection? Its yours for $325 for the 10-user version.
Clearly, if your client has more than 50 users and needs a VPN, the NetScreen-5XP is your only choice among these products (the Watchguard SOHO also has a 50-user limit). But you should be considering a different class of products. Of course, its dependent on what type of pipe your client has, because both products only go up to 6Mbps (give or take a Mbps)—more bandwidth requires a bigger box.
You really cant go wrong with the SOHO2, but be careful of the pricing structure—not everything is included.
Answer These Questions Delivering the right SOHO firewall solution to your client comes down to three questions. What level of security does she need? Match the level of security with the protection. How much is your client willing to spend? The dividing line is distinct among the product groups. Lastly, does your client need to communicate with another office? If yes, a VPN is a requirement—only available in the NetScreen, Watchguard and SonicWall solutions. Good luck.