WatchGuard Firebox Peak X5500e firewall
- 11 November, 2009 11:30
Note: Pricing for this product is in US$.
WatchGuard's Firebox Peak X5500e is a strong, manageable firewall and is fast compared to other firewalls we've tested, but complexity and weak attack protection hold it back
In the WatchGuard Firebox, we encountered a system significantly different from the other three boxes in this test. The differences were as fundamental as the number of processor cores and the whitelist/blacklist balance, and they extended all the way out to the complexity of the user interface. If you're looking for an easy-to-configure box that works with minimal admin interaction, then the Firebox is not the system for you. If, on the other hand, you need a high-performance, highly secure firewall, and you are willing to invest in a learning curve and a rather complex configuration process, then our experience indicates that Firebox should be on your short list of systems to consider.
WatchGuard splits management and administration functions across two different applications. In this case, the complexity serves a good purpose: System administrators can edit the XML rules files offline, then push the new configuration to the box when the new rule set is complete (and debugged). We were able to watch this feature in action as the WatchGuard engineers modified and pushed configuration files almost constantly during our testing. (This wasn't a bad thing. WatchGuard was the first company to come in for testing and served as guinea pig as we did final debugging on the test scripts.)
The good news is that swapping entire configuration profiles is no more difficult than making subtle rule changes. The bad news is that making changes to a single rule isn't a lot simpler than pushing an entirely new configuration profile. Still, in either case, the Firebox's unique process means troubleshooting and performance tweaking are much easier and more convenient than they might have been; we could work on a new configuration while the previous version was still under testing.
Security as process
It's important to note that, unlike the other products in this test, WatchGuard's is very much a client-server architecture. While there are many times when the architecture makes very little difference, WatchGuard's approach can be an advantage when it comes to things like verifying regulatory compliance. For example, the WatchGuard engineer working with us had a folder on his machine noting every configuration we had tinkered with. In one instance, we went back a couple of weeks to try out a previous configuration with a new version of the Ixia test tool. While the other products could hold multiple configurations, and yes, you could save them off to your workstation, WatchGuard makes it easy enough that the XML code could easily be dropped into a bug tracker or version tracker for quality control and compliance verification.
When we first began working with the Firebox, we got very frustrated with all of the reboots we had to suffer through while making what we considered minor changes (IP, subnet mask, and so on). But that's because we didn't yet understand WatchGuard's client-server attitude toward configuration. Clearly enterprise in nature, the thick configuration utility wants you to check your configuration changes before you commit them. It's not a handy Web utility that could accidentally paint you into a corner. It wants you to make your changes as a single update so that individual changes can be considered before you hit the return key.
With the Firebox, you could easily have an entire lab configuration (sandbox) to do some initial testing, then pre-edit the changes necessary to drop the config into production. By the same token, you could remove a troubled unit from production and flip it into a lab setting to confirm or deny problems. WatchGuard allows you to save configuration files and swap between them really easily, regardless of whether you're touching the original serial number that the configuration was built on.
WatchGuard's client server approach started us thinking about how well the Firebox line fits regardless of your company size. From the SMB-oriented single console to a team approach with undocked windows spread across the front wall of a NOC, you could find a version of WatchGuard's hardware and combination of software that should fit your needs. This is a stratified product line with software upgrades within the hardware platform allowing you to fit the cost of the unit to your immediate needs but still permitting an easy upgrade path. From smaller Edge units to the Core SMB units all the way to the larger Peak units, the Firebox product line has granular layers allowing a much closer fit to individual company needs. The same stratification can work just as well within a highly distributed enterprise; with varying levels of authority, I could easily see firewall management becoming a team sport.
GUI or CLI?
While we were, in general, impressed by the WatchGuard, it wasn't perfect. The most significant hassle, though, came from the manufacturer's packaging rather than the basic system design; there was no software at all on the CD-ROM, nor were you able to download it from the Firebox's console. You must be able to download it from the WatchGuard site, and the first setup must be on an Internet-connected link since the system wants to do "activation." We asked about this and got the impression from WatchGuard that there is a way around this if you're using it on an isolated network, but that way is not covered in the startup guide (nor is it freely offered by the company's technical support).
Once we got past WatchGuard's system maintenance window and were able to download the Firebox Manager, it wasn't too bad to get through the initial setup. We were advised, though, to not use both the GUI and the CLI since the configs are stored differently. We were told to use one or the other -- a shame since, on so many systems, the GUI is perfect for simple configuration touch-ups while the CLI is there for the heavy lifting. For initial setup, we used the front-panel buttons to give the Firebox an IP address, then connected using the Firebox Manager. You can also do it using the included serial cable to avoid the pain of countless arrow pushes to change the IP address.
Even with the extensive testing (accompanied by the necessary extensive configuration and management that goes with spending weeks on a device's console), we weren't able to work with every single feature on each system. The supercool feature that we couldn't try out on the WatchGuard was the drag-and-drop VPN setup. As long as the console is able to get an encrypted link to both firewalls, you can do a drag and drop from the branch office to the home office for VPN setup.
Speed to burn
With a proxy-oriented architecture such as the Firebox's, you expect to take a hit in absolute packet-passing performance. Typically what you lose in throughput you gain in security, thanks to the proxy's ability to obscure the details of the devices inside the network from the outside world, making it nearly impossible for external devices to connect to them directly. So we were surprised to discover that the Firebox was the fastest UTM in our test -- faster even than the SonicWall, which costs three times as much.
Though the Firebox proved faster than the SonicWall when under attack, its ability to turn away those attacks paled in comparison. The Firebox blocked only 33 percent of the malware we threw at it, while the SonicWall notched a 96 percent success rate. Like the other UTMs in our test, the Firebox does not provide a significant level of protection against vulnerability-based exploits.
However, the Firebox certainly provides a level of protection greater than its 33 percent success rate would indicate. In order to run our Web, FTP, and e-mail vulnerability exploits, we had to loosen up the Firebox's firewall rules and allow ICMP traffic. In other words, we had to run the Firebox in a way that WatchGuard does not recommend. The result was that the box was exposed to more attacks than if we had followed the vendor's best practices. If we had run the Firebox with tighter rules, would it have blocked as many of the exploits as the SonicWall? Our gut tells us no, but it would have been a better horse race.
Our short take on the WatchGuard Firebox? It forces you to adopt procedures that should be part of your best practices anyway. If you want something that will slide into a network and let traffic flow until you get all your firewall rules figured out, you'll be completely frustrated by the Firebox. If you want to deploy a secure system in a secure way, though, WatchGuard has provided a box that will work with you to make (and keep) your network safe. It's a strong and granular firewall that offers a lot of control. Just keep in mind that the success of its UTM function is highly dependent on using its firewall features to tightly lock down the types of traffic that are allowed to pass.
Base price: US$5,990. Price as tested: $9,299 including Gateway AV/IPS, WebBlocker URL filtering, and spamBlocker anti-spam.