WatchGuard Firebox T10-W
WatchGuard’s Firebox T10-W is an eye-catcher, not merely for its tomato-red chassis, but for its combination of wired and wireless security features. Businesses on a tight budget will also like its pocket-friendly price.
The Security Suite is chock-full of capabilities, providing IPS, web-content filtering, anti-spam, antivirus, application controls and HTTPS inspection, as well as WatchGuard’s reputation-enabled defence. That’s not all: the price we’ve listed also includes WatchGuard’s optional advanced persistent threat (APT) blocker and data-leak prevention (DLP) services.
With all these security features to hand, it’s easy to forget that the T10-W is a full wireless access point – partly because the aerials are tucked away inside. All the same, it provides three separate SSIDs, supports 2.4GHz or 5GHz operations, and can act as a central controller for WatchGuard’s own APs.
We enabled the wireless gateway feature and set up a WatchGuard AP200, which was automatically discovered by the T10-W. After pairing the two units from the latter’s web console, we were able to dish out SSIDs, enforce wireless security and use heat maps to view wireless coverage. We could also apply the same security services protecting our LAN users.
Proxies are used to control all traffic types: HTTP, HTTPS, FTP, DNS, SIP, H.323, POP3 and SMTP. Firewall rules for each proxy define the physical interfaces they apply to and settings to be applied. We recommend taking time to practise setting this up, as it can be quite complex.
WatchGuard provides predefined actions for each proxy, which you can clone and configure to create custom policies. To implement web filtering, we had to clone the HTTP client action, assign a profile to it, choose from 127 URL categories and create an HTTP firewall policy.
The T10-W uses the spamBlocker service, and this also required a POP3 proxy action and firewall policy to tag dubious messages as “spam”, “suspect” or “bulk”. Gateway antivirus is easier to handle: simply enable it on selected proxies and decide whether to drop or block infected payloads.
The APT blocker service only works with policies where gateway antivirus is enabled. It’s virtually transparent, since it scans incoming files and compares their MD5 hash with the Lastline cloud service to check whether they’re known malware.
Application controls are the best, with entries for hundreds of common applications and 11 for Facebook alone, so you can restrict activities such as logins, Likes, media uploads and chat. DLP works with the HTTP, FTP and SMTP proxies, and we were able to create custom policies looking for specific keywords, or use the predefined policies for HIPAA and PCI.
In terms of network performance, IxLoad reported an average HTTP throughput of 140Mbits/sec, which tumbled to 44Mbits/sec when we enabled the HTTP proxy, gateway antivirus and IPS services. That’s acceptable for the environment the T10-W is aimed at.
The appliance provides real-time graphs for reporting, but for further monitoring you’ll need to set up WatchGuard’s Log Server and Report Server on a Windows host. These modules belong to WatchGuard’s free Server Center suite, which also provides centralised management of multiple appliances.
WatchGuard Firebox T10-W: verdict
WatchGuard’s proxies can be tricky to set up, but you won’t find better security measures anywhere else for this price. The slick wireless features make it the perfect A-Lister.