Most budget-priced broadband routers provide a basic level of firewall protection, but for many small to medium businesses this isn't enough. They want a high-throughput firewall they can customise for business use rather than home gaming, plus VPN termination, traffic management and user authentication. D-Link's latest DFL-210 aims to offer these features and more, all at an affordable price.
It represents the entry level of D-Link's NetDefend appliances and is built on technology from Swedish vendor Clavister, running a version of Clavister's CorePlus operating system. You get four switched Fast Ethernet LAN ports plus separate DMZ and WAN ports, and enough processing power for 80Mbps of firewall throughput and up to 100 VPN tunnels. It also offers signature-based intrusion detection and prevention, and for an extra £50 per year you can activate D-Link's advanced service, which provides regular engine and signature database updates.
On first browser contact with the appliance you get a quick-start wizard. Make sure you turn off your pop-up blocker before connecting, as you only get one chance with the wizard: if it is blocked, it won't load a second time. In that event your only recourse is to hard reset the appliance or configure it through the complex CLI (command line interface).
A brief glance at the management interface shows there's a lot to this appliance. Before touching firewall rules, however, get your network objects sorted out, as these are used to define every network element the rules refer to. They range from individual IP addresses, ranges and subnets to ALGs (application layer gateways), network services, schedules and VPNs. Usefully, all objects relating to interfaces, networks and subnets are maintained in an address book for easy access.
For rule creation you select service and schedule objects, assign them to source and destination interfaces and networks, and decide on an action. The action can be as simple as allow, drop or deny, or you can apply NAT or SAT (static address translation). Rule management is aided by folders, so you can organise rulesets by the sources and destinations they apply to. Rules are maintained in lists and are evaluated in strict priority from the top, so the first matching rule wins and a rule's position in the list matters. You can right-click on a rule and move it up or down the list, or send it to the top or bottom. There's very little traffic you can't control with rules, which makes the appliance very versatile. We could, for example, use schedules to allow email for LAN users while stopping them browsing the web during working hours.
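To make the ordering point concrete, here is an added example (our own illustration, not D-Link or Clavister code) that models a NetDefend-style ruleset: an address book of named networks, service and schedule objects, and a list of rules evaluated top-down with first-match-wins semantics and an implicit drop when nothing matches. The object names, the interface-by-destination routing shortcut, the working-hours window and the test packets are all constructed assumptions for the illustration, not values from the appliance.

```python
# Added example, not product code: first-match, top-down firewall rule evaluation
# with address-book, service and schedule objects. All names and values below
# are constructed for the illustration.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# Address book: named networks (assumed names).
ADDRESS_BOOK = {
    "lannet": ip_network("192.168.1.0/24"),
    "all-nets": ip_network("0.0.0.0/0"),
}

# Service objects: protocol plus destination port set (assumed names).
SERVICES = {
    "http-all": ("tcp", {80, 443}),
    "smtp": ("tcp", {25}),
}

# Schedule objects: weekdays (0 = Monday) and a time window (assumed).
SCHEDULES = {
    "work-hours": ({0, 1, 2, 3, 4}, time(9, 0), time(17, 30)),
}

@dataclass
class Rule:
    name: str
    action: str           # Allow, Drop, Deny or NAT
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    service: str
    schedule: Optional[str] = None   # None means the rule is always active

@dataclass
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    dport: int
    weekday: int
    at: time

def schedule_active(name, weekday, at):
    if name is None:
        return True
    days, start, end = SCHEDULES[name]
    return weekday in days and start <= at <= end

def service_matches(name, proto, dport):
    sproto, ports = SERVICES[name]
    return sproto == proto and dport in ports

def egress_if(dst):
    # Simplified routing assumption: destinations inside lannet stay on "lan",
    # everything else leaves via "wan".
    return "lan" if ip_address(dst) in ADDRESS_BOOK["lannet"] else "wan"

def evaluate(rules, pkt):
    """Walk the list from the top; the first matching rule decides.
    No match means the packet is dropped (default deny)."""
    for r in rules:
        if (pkt.in_if == r.src_if
                and ip_address(pkt.src) in ADDRESS_BOOK[r.src_net]
                and egress_if(pkt.dst) == r.dst_if
                and ip_address(pkt.dst) in ADDRESS_BOOK[r.dst_net]
                and service_matches(r.service, pkt.proto, pkt.dport)
                and schedule_active(r.schedule, pkt.weekday, pkt.at)):
            return r.action, r.name
    return "Drop", "<implicit default>"

# The policy from the review: mail always, no web browsing during working hours.
# The Deny rule must sit ABOVE the general web rule to take effect.
RULES = [
    Rule("deny-web-workhours", "Deny", "lan", "lannet", "wan", "all-nets", "http-all", "work-hours"),
    Rule("allow-mail", "NAT", "lan", "lannet", "wan", "all-nets", "smtp"),
    Rule("allow-web", "NAT", "lan", "lannet", "wan", "all-nets", "http-all"),
]

def demo(rules=RULES):
    """Run constructed packets through a ruleset; returns {label: (action, rule name)}."""
    host, web = "192.168.1.10", "203.0.113.5"
    cases = {
        "web-tue-10:00": Packet("lan", host, web, "tcp", 443, 1, time(10, 0)),
        "mail-tue-10:00": Packet("lan", host, web, "tcp", 25, 1, time(10, 0)),
        "web-tue-19:00": Packet("lan", host, web, "tcp", 443, 1, time(19, 0)),
        "web-sat-10:00": Packet("lan", host, web, "tcp", 443, 5, time(10, 0)),
        "lan-to-lan": Packet("lan", host, "192.168.1.20", "tcp", 445, 1, time(10, 0)),
    }
    return {label: evaluate(rules, p) for label, p in cases.items()}

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:15} -> {verdict}")
    # Same rules, wrong order: the general web rule now shadows the schedule-based Deny.
    print("misordered web-tue-10:00 ->", demo(RULES[::-1])["web-tue-10:00"])
```

Running `demo()` with the rules as listed denies the 10:00 Tuesday web request and lets mail through, while `demo(RULES[::-1])` shows that reversing the list makes the working-hours block silently ineffective, which is exactly the mistake the right-click move-up/move-down controls exist to fix.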
URL filtering is complex to set up: you create an HTTP ALG object with a blacklist or whitelist of URL keywords, and each ALG object can contain multiple entries. You then need to create a service object that uses the ALG and assign it to a rule, which in turn has to be inserted at the right point in the priority list. ActiveX objects, Java applets and VBScript can be stripped out, and you can limit the size of files that can be downloaded. You also get ALGs for FTP, SMTP and H.323, but not SIP. With the FTP ALG we could block file types by their extension; if you try to download a file that matches, the transfer just sits there contemplating its navel before eventually hanging.
Traffic management is a lot easier to configure: you create pipes that measure the traffic flowing through them and enforce guaranteed bandwidth and limits in KB/sec for designated services. Don't follow the manual when setting up user authentication, as it will fail because of a clash with remote management on ports 80 and 443. You need to move remote management off these ports first, then create a local user database, and then add no fewer than five new rules. It's just as well that D-Link has a support FAQ running to twelve web pages of procedures, as it's impossible to work this out from the manual. At one point we called D-Link's support, but found them so ill-informed about the NetDefend products that we ended up showing them how to carry out certain procedures.
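The HTTP and FTP ALG behaviour described above is easy to get wrong in practice, so here is an added example (our own illustration, not D-Link or Clavister code) modelling the two checks. Keyword matching is assumed to be case-insensitive substring matching over the whole URL, which is an assumption about the model rather than the appliance's documented semantics; the download-size limit, the FTP extension blocklist and every sample URL and filename are constructed. Script stripping is not modelled.

```python
# Added example, not product code: blacklist vs whitelist URL keyword filtering
# (HTTP ALG), a download size cap, and FTP extension blocking. Matching
# semantics and all sample data are assumptions made for the illustration.

class HttpAlg:
    """Keyword filter over URLs, in either blacklist or whitelist mode."""

    def __init__(self, mode, keywords, max_download_bytes=None):
        if mode not in ("blacklist", "whitelist"):
            raise ValueError("mode must be 'blacklist' or 'whitelist'")
        self.mode = mode
        self.keywords = [k.lower() for k in keywords]
        self.max_download_bytes = max_download_bytes

    def _hit(self, url):
        # Assumed semantics: any keyword appearing anywhere in the URL matches,
        # so a keyword also triggers on the path or query string, not just the host.
        u = url.lower()
        return any(k in u for k in self.keywords)

    def check_url(self, url):
        """Return (allowed, reason)."""
        hit = self._hit(url)
        if self.mode == "blacklist":
            # default allow: only listed keywords are blocked
            return (not hit), ("blacklist hit" if hit else "no blacklist match")
        # whitelist is default deny: anything not listed is blocked
        return hit, ("whitelist match" if hit else "not on whitelist")

    def check_response(self, content_length):
        """Enforce the per-ALG download size limit, if one is configured."""
        if self.max_download_bytes is not None and content_length > self.max_download_bytes:
            return False, f"download exceeds {self.max_download_bytes} bytes"
        return True, "size ok"


class FtpAlg:
    """Block FTP retrievals by file extension."""

    def __init__(self, blocked_extensions):
        self.blocked = {e.lower().lstrip(".") for e in blocked_extensions}

    def check_retr(self, filename):
        # Only the final extension is inspected, case-insensitively.
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in self.blocked:
            return False, f".{ext} is blocked"
        return True, "extension ok"


def demo():
    """Exercise both ALG models on constructed input; returns {label: allowed}."""
    bl = HttpAlg("blacklist", ["facebook", "games"], max_download_bytes=5_000_000)
    wl = HttpAlg("whitelist", ["intranet.example", "supplier.example"])
    ftp = FtpAlg([".exe", ".scr"])
    return {
        "bl-news": bl.check_url("http://news.example/today")[0],
        "bl-games": bl.check_url("http://www.games.example/play")[0],
        # keyword in the query string is enough for a hit under the assumed semantics
        "bl-query-hit": bl.check_url("http://news.example/?ref=facebook")[0],
        "wl-intranet": wl.check_url("https://intranet.example/hr")[0],
        "wl-news": wl.check_url("http://news.example/today")[0],
        "big-download": bl.check_response(6_000_000)[0],
        "ftp-exe": ftp.check_retr("setup.EXE")[0],
        "ftp-pdf": ftp.check_retr("report.pdf")[0],
        # only the last extension is checked, so a double extension slips through
        "ftp-double-ext": ftp.check_retr("setup.exe.txt")[0],
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:15} -> {'allow' if allowed else 'block'}")
```

Two things worth noticing from the output: a whitelist blocks everything you forgot to list, so it needs maintaining as carefully as the rule that references it, and an extension-based FTP block only sees the final extension, so it is a nuisance filter rather than a security control.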
(centre)”’The home page clearly shows the remarkable level of features on offer.”’(/centre)
The IDP/IDS features are another case in point. They are designed to let you scan for attacks specific to a type of service: using the entire signature database would hurt firewall performance, so you create rules that protect selected services and apply only the relevant signatures to them. However, you can only go by the occasionally nebulous signature names to work out what they do, as D-Link hasn't added any meaningful comments to any of them.
There's no denying the DFL-210 is a powerful security appliance, but it's totally unsuited to small businesses with limited IT expertise as it presents an extremely steep learning curve. The inadequate documentation means it's not immediately obvious how many of the features are configured, and D-Link's poor support comes in for criticism as well. Overall, we found configuration a frustrating experience and actually lost count of the number of times we had to reset the appliance back to factory defaults during testing.
(centre)”’You will need the wizard to get up and running so make sure pop-up blocking is switched off first.”’(/centre)
(centre)”’Intrusion detection and prevention are included but no explanatory comments are provided for each attack signature.”’(/centre)
(centre)”’URL filtering can be customised with black or white lists but all entries must be added manually.”’(/centre)
(centre)”’User authentication can be used to restrict access to the Internet but it’s a real pig to set up.”’(/centre)