WatchGuard Firebox X2500 Offers Multiple Tool Management

Manage multiple security apps from a single interface.

March 26, 2004


Ports and All

I installed the Firebox X2500 on my home lab LAN behind a cable modem and router. On the protected side of the Firebox X, I connected a five-port Ethernet switch with a Windows 2000 Server and a Windows 2000 client, which also acted as the Firebox management station.

[Figure: WatchGuard Firebox X2500]

The Firebox X comes with a serial port for optional console connection and six switched Ethernet ports. Port 0 is the outbound connection; Port 1, the inside trusted connection. Ports 2 through 5 can be used to segment your network, though only Port 2 was working on my Firebox X. The remaining ports, which can be enabled by purchasing the appropriate license, are routed IP ports, not switched ports.

One hitch I discovered is that the Firebox cannot be managed remotely--rather than accessing the management software through a Web interface, you must install it on a local PC. WatchGuard says it expects to deliver a Web interface later this year.

The Firebox System Manager has a simple and consistent interface for all the security functions. The Policy Manager section displays each service as an icon. Once I set up SMTP filtering, configuring WebBlocker and the other services was easy because their setup was similar. However, only one configuration module can be active at any given time. This wasn't a problem in my initial setup, but it could be troublesome if you're managing several features daily.

WatchGuard gives admins a lot of flexibility in configuring the services. By default, all security features are inactive--you decide which to enable and how aggressively each feature performs.

Security Lineup

You can set up VPNs for mobile and branch-office users. However, each VPN type requires its own license key. The device supports both PPTP and IPsec secure tunneling, though IPsec requires a license not included in the basic Firebox 500.

Mobile-user VPN setup involves enabling the mobile-user VPN server, determining the authentication scheme, and adding users and access rights. To perform these tasks, you must maneuver through three different sections of the manager application and through a separate VPN manager application. I would have preferred all the setup and maintenance functions in a single console. Once I set up the VPN, I could initiate a VPN connection from my "remote user" laptop and connect to the LAN with appropriate permissions.

Good

  • Single box integrates multiple security tools

  • Intuitive setup and management

  • Built-in upgrade path without changing hardware

Bad

  • Lacks built-in switch

  • Separate license required for each interface

  • No Web UI for management or interface to enterprise-management system

  • Only one configuration app can be open at a time

FIREBOX X2500, $4,999. WatchGuard Technologies. www.watchguard.com

For the firewall, I easily applied port forwarding and set limits on inbound and outbound traffic. Although Firebox has no antivirus application, you get client virus protection through McAfee. Five seats are included, and updates are available through a subscription.

I tested WatchGuard's claim of 80 percent to 90 percent virus blockage by sending a version of the Bagel virus through the Firebox. The virus was successfully extracted from the e-mail message and never made it to the desktop.

To enable WebBlocker, I opened the properties tab of the WebBlocker application and indicated I wanted to block browser access between 7 a.m. and 6 p.m. to sites containing violence, nudity and pornography. I added an exception for the management station--it could browse any site. Once I saved my changes, my new settings were in place and active immediately. When I tried browsing a questionable site, Firebox responded with a message saying the site wasn't allowed. I was able to access the same site from the management station.

Firebox X's SpamScreen uses predefined rules that are very effective in detecting, deleting or tagging spam. I set Firebox's option to tag any e-mail it determined to be spam with the subject line "[SPAM]" and then allowed several messages that I had previously identified as spam to come through the filter. It identified all the messages correctly. The spam filter uses a rating system to flag suspected spam, and the rating thresholds can be modified from the default settings.

Scott Koegler has been an IT executive in the health-care, printing and custom-apparel industries. Write to him at [email protected].
