The stateful inspection firewall was invented and patented by Check Point in the early 90s and is now the de-facto standard used by virtually all security appliances today. As you’d expect, Check Point has built up an impressive range of products since then with its VPN-1 Edge family aimed at securing access in small businesses and branch offices. The latest to join up is the VPN-1 UTM Edge with the model on review offering a complete package of security measures and finally delivering an integrated ADSL2/2+ modem into the bargain.
UTM (Unified Threat Management) is the latest buzzword in the security industry with typical appliances delivering the usual firewall, intrusion detection and prevention and VPNs but augmenting these with a host of extra features including anti-virus, anti-spam and web content filtering. The UTM Edge certainly makes a good stab at this as this minuscule box combines an impressive range of security measures.
It offers the usual quad of Fast Ethernet LAN ports and, along with the integral ADSL modem, you also get a second Fast Ethernet WAN port which can be used instead of the modem as the primary connection, or act as a WAN backup connection or as a DMZ. There’s more too, as you also get a couple of USB ports for sharing printers over the network.
Installation is nicely handled by the smartly designed web interface with a wizard that takes you through choosing your primary Internet connection and adding your ISP details. On my BT Broadband connection I was done and dusted in a couple of minutes. The next task is to register the appliance and from the Services tab go to a Check Point service centre to activate all the features you’ve bought a ticket for. This is also handled sweetly as you only enter one code and all the extra security goodies fire into life. A slider bar with four settings is used to configure basic firewall operations, and it defaults to allowing all outbound traffic but blocking unsolicited inbound traffic. The highest setting only allows outbound traffic through for a small range of services, which includes web, mail, FTP and VPN.
As you’d expect the firewall behaviour can be customised with the use of rules. Once again, a wizard comes into play and guides you through deciding whether to block or allow traffic based on predefined services or port ranges and applying them to specific network ports. One system can also be placed outside the firewall by using the secondary WAN Ethernet port as a DMZ.
Traffic shaping enables you to create policies that determine how much bandwidth is allotted to specific types of traffic. First you enable these controls on the port managing the Internet connection and enter the total amount of upstream and downstream bandwidth. You have four predefined classes with different priority weightings assigned to them. To use them you need to create firewall rules that allow traffic through for a particular service and during rule creation you assign them to a selected weighting. For example, to give VPN traffic a high priority you create a rule for this service and during this phase you assign the rule to the Urgent QoS (Quality of Service) class. You then edit this class and provide details of the guaranteed bandwidth and a limit for both incoming and outbound traffic.
Content filtering is a hosted service with over thirty categories that can be blocked or allowed, but note that you can’t add your own custom categories. Any user attempting to access a banned site will have their web browser redirected to a warning page on the appliance. Virus scanning can be applied to both web traffic and email, and for the latter both POP3 and SMTP are supported. No attempt to cure an infected attachment will be made as the appliance merely strips out the offending file and adds a comment in the message body advising the recipient. VPN setup is very well documented for site-to-site tunnels and mobile clients and I found the wizard-assisted procedures surprisingly easy to follow considering the inherent complexity of IPsec.
Check Point’s anti-spam hosted service modifies the subject line of suspect messages. The message content also contains a full rundown on the scores applied so you can see clearly why it was considered spam and the original message is packed up and provided as an attachment. However, you will need an internal system or rule set on your mail client to deal with tagged messages. During testing the service worked extremely well as we ran it over a number of days and estimated that its success rate was above ninety per cent with no false positives.
The reporting feature is probably the biggest disappointment as it lists general firewall activity and appliance configuration changes but doesn’t log virus and spam activity or any attempts to access banned sites.
The VPN-1 UTM Edge offers a lot of security features for the price that are nicely integrated into a compact appliance. Reporting could be better but it’s very simple to deploy and we were particularly impressed with its anti-spam performance.
The connection wizard offers the choice of either ADSL modem or Ethernet port for Internet access
The various features are easily activated with a quick visit to a service centre
The event log isn’t up to much but you can keep a close eye on inbound and outbound traffic
Check Point gives spam a very tough time and shows just why it has tagged particular messages
User accounts can be used to control access and a RADIUS server can be called up for external authentication