Author: Sean Michael Kerner
Review Date: 3/27/2006

 

It’s not good enough anymore for a router to just include a basic firewall, if you really want to be secure. Though you may not work in the main office, why shouldn’t you get the same security they have?

That’s where a new generation of integrated router security appliances offering what’s known as unified threat management (UTM) comes into play. UTM goes beyond the basic firewall functionality and addresses the wider array of threats that are out there today. Among the best I have yet to see is a new offering from Check Point called the Safe@Office 500.

What it is
The Check Point Safe@Office 500 series comes in wireless and wired models (for this review we evaluated the wireless model). Its UTM capabilities include a robust firewall, intrusion prevention, as well as anti-virus, spam and Web-filtering capabilities.

The appliance has an eye-catching orange finish and includes four 10/100 Ethernet ports for LAN connectivity and a separate DMZ port, which also doubles as a second WAN port. The WAN2 port enables the device to handle two separate Internet connections, which can be helpful from a failover point of view. The wireless model includes a pair of antennas that pump out up to 108 Mbps speeds with security that includes the following: MAC address filtering, WPA2, WEP, WPA and WPA-PSK. There is also a pair of USB slots that can be controlled with the appliance’s built-in print server. Rounding out the Safe@Office 500w’s external ports is a console port that can also be used for connecting a dial-up backup modem to the unit.

The real magic of the Safe@Office 500w though is on the inside.

The appliance is based on Check Point’s NGX 6.0 embedded security software platform that is part of Check Point’s Firewall-1 enterprise product. What that means is this little box has a robust stateful inspection firewall that puts a basic Windows XP firewall to shame. But a firewall alone, no matter how robust, still isn’t going to stop all the bad stuff, and that’s where the Unified Threat Management thing comes into play.

As a subscription-based service, the appliance includes antivirus capabilities that can be configured to check whatever connected network devices you have. In our test case, we tested all inbound and outbound e-mail connections with somewhat mixed results. Certainly the Safe@Office 500w will catch its share of viruses, but not all, so you can’t go and uninstall your desktop antivirus capabilities. The same was true of the spam-scanning service, which didn’t catch as much spam as I would have liked.

Web filtering for objectionable sites is also part of the mix. It seemed to work well when it was working. You see, the catch with the way that the Safe@Office 500w delivers some of its advanced UTM services is that it’s all subscription-based and delivered remotely via a Check Point service provider. So if, for some reason, connection to the service provider is interrupted, your services are going to get interrupted as well.

Over the evaluation period there were a few minor service interruptions that, in turn, caused Web filtering not to work properly. Normal non-objectionable sites, like PracticallyNetworked.com for example, got flagged because the filtering service was unavailable. It’s easy enough to override with a password, but in a multi-user environment when the password holder isn’t around, it can be a problem.

 

Administration
Administering and managing the myriad features of the Safe@Office 500w is a breeze thanks to an easy-to-use Web-based management console—easy once you move beyond the first page. Instead of beginning with a dashboard-type approach for the entry (as is the case on the WatchGuard Firebox Edge X5w), you get a welcome screen with three options: Upgrade and Services, Support and Documentation, and Locate a Service Provider. The side tab, however, exposes the true power of the Safe@Office 500w with links to Reports, Security, Antivirus, Services, Network, Setup, Users, VPN and Help. As you’d expect, each of those tabs has its own set of options that further provides feature accessibility and configuration options.

Thanks to wizards, initial setup was a breeze. That initial setup will certainly leave you with a working appliance, but you won’t recognize the full power of the device. For example, the Safe@Office 500w allows for Traffic Shaping, so you can assign minimum/maximum values for different types of traffic. In our evaluation, this proved to be useful and effective for ensuring high-quality VoIP calls while still operating P2P, instant messaging, Web and e-mail clients. VoIP demands lower latency than other applications and seems to work better with guaranteed bandwidth allocation, whereas for basic Web surfing and e-mail it really doesn’t matter.

On the security tab is an item called “Smart Defense,” which allows for granular configuration of the Safe@Office 500w IDS/IPS defensive capabilities. These are things like Denial of Service and IP-based attacks, which your average router doesn’t do squat to prevent. It also enables control of IM and P2P usage on your network. In general, we found the default settings to work well, but it’s always fun to poke around and see what’s under the hood.

IPsec-based VPN capabilities are solid. The device even includes a hard link for downloading the client you need to connect with. Sure, it would be nice to have SSL-VPN but that just doesn’t exist at this price point (yet).

Reporting is a bit of a mixed bag. The main event log is essentially a data dump that you can save and then use another tool to analyze. You can’t sort or manipulate the event log through the management interface itself. You can also configure the Safe@Office to automatically send those same logs to a Syslog server as well.

I never felt lost in the management interface thanks to the context-sensitive help. As opposed to having to thumb through documentation (which is OK if you’ve got nothing else to do) the help button always seemed to pull up the information that was relevant to the area I was in. Moving beyond the included help, I also contacted support on a number of occasions by both e-mail and Live Help. My e-mail experience was OK, my Live Help experience was great. I tried to give the Live Help agents a hard time, but they didn’t flinch and guided me to the solution that solved whatever item I was trying to figure out.

All this wonderfulness has a price, though, and it’s not even the price of the appliance itself so much. The advanced UTM services are offered by a Check Point service provider and those services are offered on a subscription basis. So it’s not a one-time cost to run and deploy; you’ll have costs for as long as you intend to take full advantage of the enhanced services.

The subscription-based approach to enhanced services is, of course, not unique to Check Point, but it is something that tends to get overlooked when buying such a device.

All told, the Check Point Safe@Office 500w is an impressive device. In almost two months of active use, it performed well in a few different test environments. The only real drawback was the few periods of service interruption, which were short, but still a nuisance. There was a time when the only way you could put a Check Point firewall into an office was to spend a whole lot of dough, but thanks to this small-friendly device that’s no longer the case.

Security threats in 2006 are a lot more than just a regular off-the-shelf firewall can handle, and no doubt more than a few shelves will become home to the Check Point Safe@Office 500w.

Pro:

  • Easy set up and management
  • great wireless range
  • traffic shaping capability
  • solid intrusion prevention setup

Cons:

  • subscription based services means recurring costs
  • web filtering service had intermittent interruptions during testing period
  • spam filtering didn’t seem to catch much.

Price as tested: $321.41