Clavister Security Gateway SG12 Review
- Review Price: £404.00
In the security appliance market there are a large number of vendors that started with a software firewall solution that enabled customers to save some hard cash by sourcing a cheap and cheerful donor system themselves. Clavister is one such company and although it still offers firewall software it has since built up an extensive range of appliances that cover the full gamut of business use from small office right up to the enterprise.
In this exclusive review we look at the entry-level SG12, which is aimed primarily at providers looking to deploy customer premises equipment (CPE) to small businesses as a managed service. It can be used as a standalone device for a single office but as you’ll see from our experiences this isn’t to be recommended. The SG12 supports 10 users which can be increased to 25 and you can augment the 50Mbps firewall and VPN services with optional anti-virus, web content filtering and email security upgrades.
Installation kicks off with a serial port connection to the appliance’s CLI (command line interface) where you set up a dedicated management port and assign it an IP address. We came a cropper immediately as we are now using Windows Vista and Server 2008 RC0 in the lab and Microsoft has rather annoyingly removed HyperTerminal from both. However, there are free private edition versions available for download. Once you’ve added your management details the appliance fires up the CorePlus operating system and you can then shift over to Clavister’s FineTune application for remote management.
On first contact with FineTune you immediately get a clear picture of the level of features on offer as the interface is packed with options. All configurations are stored in data source files, which hold information about the networks and associated appliances. You can create multiple data sources so that the details of different locations, such as remote offices, can be maintained in separate files.
A fundamental concept used by FineTune is namespaces, which contain details of all network objects including networks, ports, hosts, VPNs, services, time schedules and ALGs (application layer gateways). Each data source has a global namespace and any modifications made to this will be propagated down to all devices declared within that data source. A Security Gateway folder is used for all appliances and you can add more namespaces here and collect selected appliances under different ones. As with the global namespace, any changes made to these will be passed to all member appliances.
So far, so good, but we found further configuration wasn’t helped by the indifferent documentation, which required us to avail ourselves of Clavister’s helpful technical support. The appliance is locked down tight by default and you need to get Internet access up to register it and activate any options purchased. This is a lengthy process that required us to create separate objects for the IP addresses of the LAN and WAN ports along with routes, a DHCP address pool plus a DHCP server and bind them all together. We then needed to create a firewall rule that allowed outbound access, assign it to a service object and give it a priority. For further fine tuning you can create multiple rules for source and destination network objects that determine whether service specific traffic is blocked or allowed.
Web content filtering requires a new HTTP ALG associated with a service, a port and a new firewall rule. With this in action you can now block ActiveX objects, Java apps and cookies, choose from over thirty content categories to block and apply black and white URL lists. For content filtering, performance could be better. We tested this by visiting a range of games sites and were only blocked from seventy per cent of them. Virus scanning is activated in the ALG and lists of file type exceptions added to it. Email scanning features are the weakest link as the SMTP ALG only allows you to implement virus scanning and restrict the number of messages being passed each minute. You can also block attachment file types but there’s no option to block by file size. POP3 support and anti-spam are conspicuous by their absence but these should be available in a month or so.
Standard features are extensive as the appliance can implement user authentication with its local database or integrate with external systems such as RADIUS servers. Traffic shaping lets you implement quality of service policies where rules are assigned to pipes to control the amount of bandwidth certain services are allowed to use. There’s an FTP ALG included and load balancing enables the appliance to distribute traffic across multiple servers on the LAN and monitor their health using ping and TCP connection tests. You can keep track of all firewall configuration changes and active configurations must be checked out by an administrator before they can be modified.
This diminutive appliance delivers the same level of security features as Clavister’s enterprise level products making it remarkably powerful. However, we wouldn’t recommend it as a standalone solution for small businesses as the management facilities are clearly best suited to handling deployments across multiple remote offices.
Your first port of call for installation is a serial port connection to the appliance’s CLI.
FineTune is packed with plenty of configuration features and firewall rule options.
Web content filtering offers a wide choice of URL categories and you can add your own lists.
The SMTP ALG has minimal features for controlling email and anti-spam isn’t available yet.
FineTune uses namespaces to store network objects and we found it worked happily with Vista.