While Watchguard is known by many security professionals for its firewall products, it is less known for WiFi. That could change with its new offering, the Firebox SOHO 6 Wireless.
Wireless can be a security nightmare as far as configuration and performance are concerned. In an attempt to get decent, workable throughput, many IT staff turn off encryption. Obviously, this is no good when confidential data is traveling through the airwaves and is therefore prone to snooping by unwanted sources.
Many of us have heard the stories about wireless hacking and wardriving too many times. Having an access point that won't give unwanted intruders an easy path into your network is the first requirement before anything else.
The SOHO 6 combines a four-port switch, cable/DSL router, firewall and Intersil processor-based 802.11b wireless access point in one small device. Its firewall boasts ICSA certification and VPN capabilities, and these features set the box apart from most of the competition. The VPN can use IPsec with either Data Encryption Standard (DES) or the considerably more secure Triple DES (3DES) for encryption.
Setting up the kit out of the packaging was simple: the device connects to the Ethernet port of a cable/DSL modem. It has four more LAN ports to connect up to four PCs directly, or another switch for further expansion.
Configuration is done through a web browser page, where the list of options is pretty comprehensive.
The wireless network runs on a separate IP range, and an option can be set to disallow traffic between the wireless and internal LAN networks. On startup, the wireless network is disabled until the administrator configures the security options.
This is a good start because, all too often, security is turned off for the sake of usability so that a product can be used without much configuration. We felt this showed that security was top of the agenda for this product.
Whizzing through data packets
This is not to say that the box is a slouch when it comes to performance. With its Brecis 150MHz processor and 16MB of memory, the box whizzed through data packets, keeping the encrypted data flow streaming along.
Normally, encrypted traffic, while obviously safe, can make accessing data on the wired network a pain in the rear. The box made this process a little more bearable.
As the current received wisdom is to access the corporate network via a VPN when connecting from a laptop, the box includes a single mobile VPN license out of the box (licenses cover concurrent external tunnels).
It would have been better to have more available; up to a maximum of 11 licenses can be purchased. We thought at least three licenses should be included in the initial offering, as this would allow more flexibility out of the box. The device also allows for six branch office VPN connections, although this comes as standard in the product's slightly bigger sister, the 6tc.
We also liked the device's support for dynamic DNS. This means the VPN feature can use domain names instead of static IP addresses, which is a big plus for DSL and cable modem users who can't afford the extra fees that ISPs charge for such services. It also sports a DHCP relay in addition to its own DHCP server, which kicks in if the device cannot contact the authorized DHCP server within 30 seconds.
The firewall on the appliance takes the stateful inspection route rather than simple port blocking. This is a much better system and provides better protection, because it is more likely to stop attacks from outside, such as the Blaster worm. It will also work with RADIUS servers and Active Directory, as well as SecurID and CryptoCard authentication servers.
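To make the two points above concrete (the wireless/LAN isolation option and why stateful inspection beats plain port blocking against unsolicited inbound traffic), here is an added toy simulation. It is illustration code written for this review, not WatchGuard's implementation, and the address ranges, ports and sample packets are all constructed assumptions. The stateless filter can only judge an inbound packet by its destination port, so it must leave high ports open for replies to outbound connections; the stateful engine instead remembers which connections the inside opened and lets back in only what matches.

```python
"""Toy comparison of stateless port blocking vs. stateful inspection, plus a
wireless/LAN isolation option. Added illustration only; not WatchGuard code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the simulation (an assumption, not the SOHO 6's defaults).
LAN_NET = ip_network("192.168.111.0/24")    # wired internal LAN
WLAN_NET = ip_network("192.168.112.0/24")   # wireless clients, on their own range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # TCP SYN flag set
    ack: bool  # TCP ACK flag set


def zone(ip: str) -> str:
    """Classify an address as lan, wlan or external."""
    addr = ip_address(ip)
    if addr in LAN_NET:
        return "lan"
    if addr in WLAN_NET:
        return "wlan"
    return "external"


class PortBlocker:
    """Stateless port blocking: each inbound packet is judged on its destination
    port alone. Replies to outbound connections arrive on high ephemeral ports, so
    those must stay open, which also lets unsolicited packets to high ports through."""

    def __init__(self, blocked_below: int = 1024):
        self.blocked_below = blocked_below

    def check(self, pkt: Packet) -> str:
        if zone(pkt.src) == "external" and pkt.dport < self.blocked_below:
            return "DROP"
        return "ACCEPT"


class StatefulFirewall:
    """Stateful inspection: inbound packets are accepted only if they belong to a
    connection the inside opened; everything unsolicited is dropped regardless of
    port. Optionally isolates the wireless range from the wired LAN."""

    def __init__(self, isolate_wireless: bool = True):
        self.isolate_wireless = isolate_wireless
        self.connections: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
        # Wireless <-> internal LAN isolation option.
        if self.isolate_wireless and {src_zone, dst_zone} == {"lan", "wlan"}:
            return "DROP"
        # Outbound: a plain SYN from inside opens a tracked connection.
        if src_zone != "external" and dst_zone == "external":
            if pkt.syn and not pkt.ack:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: accept only if it reverses a tracked connection.
        if src_zone == "external":
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ACCEPT" if key in self.connections else "DROP"
        return "ACCEPT"  # same-zone traffic is not the firewall's concern here


# Constructed sample traffic (not a real capture). Order matters: request before reply.
SCENARIO = {
    "lan_web_request": Packet("192.168.111.10", 40000, "203.0.113.5", 80, syn=True, ack=False),
    "web_reply":       Packet("203.0.113.5", 80, "192.168.111.10", 40000, syn=True, ack=True),
    "probe_high_port": Packet("198.51.100.7", 4444, "192.168.111.10", 8080, syn=True, ack=False),
    # Unsolicited connection to a well-known port; Blaster spread this way over TCP 135.
    "probe_low_port":  Packet("198.51.100.7", 4444, "192.168.111.10", 135, syn=True, ack=False),
    "forged_reply":    Packet("198.51.100.7", 80, "192.168.111.20", 40001, syn=True, ack=True),
    "wifi_to_lan":     Packet("192.168.112.20", 5000, "192.168.111.10", 8080, syn=True, ack=False),
}


def run_scenario() -> dict[str, dict[str, str]]:
    """Return {"port_blocker": {...}, "stateful": {...}} verdicts per packet name."""
    blocker, stateful = PortBlocker(), StatefulFirewall(isolate_wireless=True)
    results: dict[str, dict[str, str]] = {"port_blocker": {}, "stateful": {}}
    for name, pkt in SCENARIO.items():
        results["port_blocker"][name] = blocker.check(pkt)
        results["stateful"][name] = stateful.check(pkt)
    return results


if __name__ == "__main__":
    for engine, verdicts in run_scenario().items():
        print(engine)
        for name, verdict in verdicts.items():
            print(f"  {name:16} {verdict}")
```

Both engines pass the legitimate web request and its reply and both drop the probe to the low port, but only the stateful engine drops the probe to the high port, the forged "reply" with no matching outbound connection, and the wireless client's attempt to reach the wired LAN when isolation is on.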
The box comes with a 90-day subscription to Watchguard's LiveSecurity service, which provides software updates, a knowledge base and alerts. This takes a lot of the effort out of keeping up with current security threats.
Other offerings from the same company provide a year's subscription, and we would have welcomed the same here. WebBlocker content filtering software, which is included with Firebox III boxes, is optional for this device.
While the box has a lot going for it, it still lacks many features that are becoming standard in other devices, such as support for 802.11a/g (not such a problem for users with dual-band wireless cards who don't mind dropping down to 802.11b speeds).
Lack of support
Also, there is no mention anywhere of support for 802.1X or Wi-Fi Protected Access (WPA) for extra authentication and security, which is probably not all that necessary as the unit does VPN and firewall so well.
This device will probably go down well with the small and home office market it is aimed at, but there is a distinct lack of support for wireless standards out of the box. This may give the appliance a short lifespan until further updates become available.
Also, many companies will have to shell out more money for extra VPN user licenses and to extend the subscription service, which could put some people off and force them to seek cheaper options elsewhere.