SonicWall Aims at Enterprise Security

Pro 4060 appliance targets complex networks but still lags behind competitors.

The Pro 4060 appliance is SonicWall Inc.'s notable attempt to gain traction in the enterprise firewall/VPN appliance market. The Pro 4060 carries an affordable price and provides better functionality for complex networks than its predecessors did. However, eWEEK Labs' tests showed some of the 4060's new features underperform, and it lacks the next-generation, application-centric security services that many enterprises require.

We tested the Pro 4060, which ships with SonicOS 2.0 Enhanced firmware for $4,995. Enterprise buyers who need less encryption throughput can buy the Pro 3060 ($2,795 with SonicOS 2.0 Standard firmware, plus $995 for the Enhanced upgrade). Both units are available now.

The Pro 4060 and its sibling, the Pro 3060 Enhanced, might change SonicWall's reputation as a vendor of products that are great for simple networks but are not as good a fit for complex, mission-critical environments. Both offer improved reliability through hardware and ISP failover capabilities. SonicWall also has finally introduced an object-oriented engine that increases the Pro 4060's policy creation flexibility, allowing administrators to create their own service and user groups.

However, SonicWall remains behind the curve when it comes to next-generation security services. SonicOS 2.0 lacks the deep filtering and network application awareness offered in competing products from NetScreen Technologies Inc. and Symantec Corp. Instead, SonicWall continues to rely on stateful inspection technology.

The Pro 4060 features six 10/100M-bps Ethernet interfaces that administrators can allocate as needed among trusted (LAN), untrusted (WAN) and public networks (DMZ). One of these interfaces can also be used as an isolated link to a redundant failover device. However, two interfaces cannot share the same subnet, and Pro 3060 users must have the Enhanced upgrade to use all six interfaces. (The Standard version activates only three.)

We configured the Pro 4060 via a Web browser. (Encrypted and unencrypted configuration are supported.) The front-mounted serial port allows console access to a command-line interface with limited functionality. SonicWall officials promise full configurability from the command-line interface in a future release. SonicOS 2.0 also supports management from the company's Global Management System. (We did not test this.)

The new object-oriented firewall policy engine is a vast improvement over previous SonicWall offerings. SonicOS 2.0 finally introduces SonicWall users to the concept of service groups, meaning administrators no longer have to create an individual rule for every service. The improved interface also offers several layouts that break out rules according to their source and destination zones.

The Pro 4060's improved firmware management features are equally impressive—the unit now supports multiple firmware revisions in flash memory, whereas previous generations could host only one. Because users can boot between the versions, it's much less complicated to test new revisions.

The Pro 4060's ISP failover capabilities allowed us to configure a second ISP connection in the WAN zone. We chose an active/passive configuration, although the Pro 4060 also offers round-robin and percentage-based load balancing of Internet connections. The Pro 4060 failed over flawlessly when the primary connection lost its physical link, but it could not compensate for upstream network troubles, despite our Internet Control Message Protocol probes to the Internet.

SonicWall Pro 4060

The $4,995 SonicWall Pro 4060 with SonicOS 2.0 addresses many shortcomings of legacy SonicWall products at a reasonable price. The improved interface grants much more detailed control of network policy via the new object-oriented policy engine. However, some quirks indicate the product may not be quite ready to deliver at the enterprise level.

  • PRO: Improved object-based policy creation engine; enhanced VPN client eases ongoing maintenance issues; increased network interface flexibility; improved firmware management; inexpensive.
  • CON: ISP failover capabilities struggle with upstream network failures; anti-virus solution is a little kludgy; no LDAP support for users and groups.

  • NetScreen Technologies' NetScreen 208
  • Symantec's Gateway Security 5420
  • WatchGuard Technologies Inc.'s FireBox V60

The SonicWall VPN now offers Advanced Encryption Standard in addition to DES (Data Encryption Standard) and Triple DES for both site-to-site and remote-client connections. We liked the Global VPN 2.0 client's ability to dynamically receive policy updates from the Pro 4060, then update its IP Security policy on the fly.

The Pro 4060 also offers user authentication services to remote clients through an internal database or via an existing Remote Authentication Dial-In User Service server. We'd like to see SonicWall further enhance this feature with LDAP functionality.

The optional anti-virus solution (at $2,995 per year for 100 users) enforces anti-virus policy at the client. Before allowing access through the firewall, the Pro 4060 verifies that the requesting client has up-to-date, SonicWall-branded anti-virus ware installed. If the client's virus definitions need to be updated, the client machine contacts Network Associates Inc.'s McAfee servers for an update, which is then installed on the client.

However, this feature is intended for use only on Microsoft Corp.-based desktop systems. Servers and machines with other anti-virus products or non-Microsoft operating systems must be manually added to an exclusion list on the Pro 4060.

Unlike Symantec's Gateway Security 5420, the SonicWall Pro 4060 does not perform virus scans of traffic passing through the unit. However, the appliance can be configured to block known infected attachments or predefined file extensions, providing some measure of relief from e-mail-borne threats.

Technical Analyst Andrew Garcia can be reached at