D-Link DFL-1100 review
D-Link has traditionally been the champion of the small business by offering a comprehensive range of low-cost networking products. However, it has been slow to attack some areas and not always with any significant success. It had an inauspicious attempt at the NAS market last year and only entered the firewall market early in 2004 with a couple of low-end products. The latest DFL-1100 signifies a move on the enterprise sector, and for the price you’re getting a fairly good set of features. However, design isn’t one of them, as this 1U appliance adheres to the same school of brown blandness as the majority of D-Link’s LAN switches.
There isn’t a lot to see internally either, as the minute Foxconn motherboard is equipped with a basic 800MHz processor and 256MB of RAM, although it does also incorporate a SafeNet PCI VPN accelerator card. Four ports are provided at the front for LAN, WAN and DMZ duties, and the fourth can function as an extra LAN or DMZ port or for connecting to another DFL-1100 for fail-over fault tolerance. A 64MB IDE flash memory card looks after the Linux-based OS, and a glance at the CLI shows the stateful packet-inspection firewall comes from Clavister.
Installation is swift enough. Once you’re past the Startup Wizard, you’ll find the DFL-1100 offers a similar set of security features to the DFL-700 (see issue 117, p165), which costs about a quarter of the price. True, the hardware is more powerful, firewall clustering is supported and you’re licensed to use 1,000 VPN tunnels, but there’s little else to differentiate between them.
Administrative rights are easy to control. Encrypted links over HTTPS are supported, plus read-only admin rights can be granted for specific networks and access can be enabled or disabled on each port. LAN to WAN access is granted by default and protected by NAT and SPI, and you use policies to customise access further. Policies define the traffic direction for the interface pairs and any of the four ports can be selected. There’s no limit on the number of rules each policy can contain and they’re applied in strict order of precedence. Traffic shaping is on the menu, and once the maximum upstream and downstream WAN speeds have been specified you can set bandwidth limits and guarantees on a per-policy basis. Intrusion detection is also applied to selected policies, and you can decide to flag any attacks with an alert, or block the suspect traffic. An attack database is used to identify common threats, but at the time of writing no updates were available on D-Link’s website.
VPN options are good, as the appliance supports both remote VPN clients and tunnels with other IPSec-compliant devices. Internet access controls are also available. But don’t be fooled by D-Link’s content-filtering claims, as all the DFL-1100 can do is block by URL or URL keyword. You can create black and white lists and also block ActiveX controls, Java applets, cookies and specific file extensions.
The DFL-1100 is a well-priced security appliance that’s easy to set up and use. However, enterprises looking for true web content filtering and possibly anti-virus and anti-spam measures as well should look towards SonicWALL, Fortinet or WatchGuard.