Features

Based on a Toshiba Magnia SG20 solution developer kit, this unit runs a special version of Linux created by Astaro. It includes a firewall, VPN, DHCP server, traffic management and content filter. The latter includes web blocking and anti-spam.
The firewall uses stateful packet inspection and includes proxies for HTTP, HTTPS, SMTP, POP3, DNS, IDENT and SOCKS. It has user authentication and offers protection from the most common forms of DoS attacks. Of course, it provides network address translation. In addition it detects port scanning.

The Aladdin eSafe Appliance is a hardened, Linux-based device, which can be configured as an email inspection tool (SMTP relay) and, additionally, as a full content-filtering gateway for HTTP/FTP. To obtain the full content-filtering gateway functionality you need to use Check Point Firewall-1 configured with a HTTP/FTP security server as a content vectoring protocol (CVP) client.

The LogiSense EngageIP Traffic Manager appliance combines the security benefits of firewall and web content filtering with other features that include web caching, routing and bandwidth management, with real-time bandwidth consumption reporting and quality-of- service (QoS) shaping.

Fortinet offers a range of what it calls 'anti-virus firewalls' for all markets, from the home user to the large enterprise and carrier-class service provider.

Ingrian offers a range of appliances that are designed to secure any application that uses secure socket layer (SSL) transactions, while at the same time speeding up the performance. The company has recently added other features, including authentication, authorization, GZIP compression and an interface to external intrusion detection systems.

NetPilot was created to be a turnkey solution for businesses to solve all their internet connectivity requirements. It provides internet routing and the sharing of a single ISP account; proxy-based firewall and NAT; web server and web caching; servers for DNS, DHCP, FTP and email; access control and URL filtering. In addition it can act as a file and print server for Windows workstations.

This solution provides remote installation, backup and restore capabilities from a central console. Altiris Client Recovery Solution ensures that users can be back at work swiftly should they experience a system crash or virus damage. It requires 30Mb of hard disk space and a minimum of 150MHz processor power on the client side, with server requirements stretching to 350MHz processor, 100Gb hard disk, 128Mb RAM, Microsoft SQL 7.0 and IE 5.0 all running on Windows 2000 Server.

McAfee is well known for anti-virus software, and has built its complete anti-virus engine into an internet gateway product that examines HTTP, FTP, SMTP and POP3 traffic for viruses. It also performs content filtering and acts as an email anti-relay. Within the content filtering mechanism anti-spam functionality is included.

Primarily a content-filtering platform, the Minesweeper CF 500 came with optional extras for intrusion detection and vulnerability assessment. Content filtering comprises URL blocking, anti-virus and anti-spam. Standard features include a firewall with an IPsec VPN and a DHCP server.

SonicWALL is well known for its firewalls, but it is now starting to add optional functionality to the range. The model tested came with the extra-cost items of content filtering and anti-virus. Vulnerability assessment is another optional extra, but was not supplied on the review unit.

CyberGuard has a long and impressive track record in the firewall market, providing solutions from the desktop to those suitable for the high end, such as data centers. The SL2000 is positioned at the high end and, while certainly not the cheapest firewall in this Group Test, is worth every penny.

Clavister is a fairly new name in the security market, but its high-end firewall appliances are impressive enough to ensure that will not be the case for long.

Blade has made quite a name for itself over the last year or so with the development of its Blade IDS Informer application, which monitors the performance of your intrusion detection system and ensures that it is running to the best of its abilities. The company has now extended this with the release of Firewall Informer, which performs a similar function for your corporate firewall.

We looked at version 3.0 of this product in the virtual private network Group Test last year, and it is good to see it being evaluated as a firewall this time around. Astaro might not be a familiar name to most people, but it deserves to be if it continues to produce products such as this.

Swedish company Ingate may be a relatively new name in the firewall market, but its products have been getting an extremely positive reaction. The Ingate 1400 appliance is its solution for the medium-sized business; it is a black, 1U rack-mounted appliance, with four Ethernet ports, a COM port and a simple LED display.

Back in the world of software, we have Microsoft's entry in the firewall market. Microsoft Internet Security and Acceleration Server (ISA Server) is a fully-featured firewall with a number of bells and whistles that add considerable functionality and security.

Old hand BorderWare has decided to focus on one particular area of network security - email. Whereas most companies are happy enough to bundle email in with the rest of its internet traffic and allow the firewall to handle all of it, BorderWare's MXtreme MX-200 appliance specifically focuses on the problems of email traffic.

SonicWALL is another well-known name in the firewall arena, offering a range of products suitable for anything from the home user to the high-end of the market.

Stonesoft produced its own firewall a few years ago and has shown that it really understands the high end of the market.

The EdgeForce firewall with Performance Module 1 enabled incorporates a flexible demilitarised zone (DMZ) via a third port. This gives the ability to host public servers (email, FTP and web) from behind the firewall, and with this feature, non-authenticated access to servers behind the firewall can be granted, yet the private network itself is still completely shielded from the internet.