SonicWALL Pro 4100

By Ian Murphy
Price as reviewed: £4796 (IPS/Gateway AV/Anti-spyware annual subscription: £1,368) exc VAT
Best price: £1344.82
A firewall appliance is a physical device using an embedded operating system and dedicated to one role, namely securing access to a network. Over the last few years such devices have evolved from simple firewalls into multi-faceted security monsters offering a range of functions from packet inspection to anti-virus, anti-spam and content blocking.
What makes these appliances ideal is that the OS is not accessible, they are easily configured and they replace a lot of mismatched software solutions that can often cause compatibility problems. Such problems create instability and do nothing to reduce your attack footprint. Another sign of the maturing of this market is that vendors no longer see themselves as a single point of protection but now talk about the need for layered security.
The SonicWALL Pro 4100 is an enterprise-class firewall appliance with lots of built-in features. These features allow you to secure your enterprise against virtually any kind of electronic threat, all in a single box. It is designed to sit at the key gateway to your network and sports ten Gigabit Ethernet ports.
When you open the box, the SonicWALL Pro 4100 looks a little understated - encased in a 1U grey box with 10 ports on the front, a power port on the back and a serial port. You get power, network and serial cables, a CD with documentation and utilities, a getting started guide and mounting brackets to house the device in a standard rack cabinet.
Getting started is simple. Apply power, connect to the WAN, connect a laptop or PC using an Ethernet cable or the serial console port, and turn on. The 4100 takes around 90 seconds to boot and will assign an address to the laptop via DHCP if it is connected with a network cable. If you are using the serial cable you will need to configure your terminal emulation application, which should take mere seconds.
For some strange reason, SonicWALL has decided that of the ports on the front, X0 will relate to your LAN, X1 to the WAN and X2-9 are user definable. It would have been more intuitive to make X0 the WAN.
Once you are connected to the 4100, the first thing to do is set its address on your network, save and restart. Once you are logged back in, you only need to run the wizard to configure the 4100. One of the nice things about the 4100 is that it is so easy to get a basic secure setup. From box to completing the wizard and rebooting to ensure settings are properly applied took just under six minutes.
Now that you have a basic level of security in place, the fun begins. SonicWALL, like all security vendors, is very focused on Unified Threat Management (UTM). What this means to the rest of us is that if something can cause a threat, the appliance needs to be able to deal with it. This is where the 4100 is very powerful and very confusing.
The first thing to do is register your 4100. SonicWALL only allows registered customers access to firmware updates. Registration also gives you the option of downloading and unlocking some of the extra features for 30 days to see what they do. This includes features such as Intrusion Prevention Service, Gateway Anti-Virus, Anti-Spyware, Network Anti-Virus and Premium Content Filtering Service.
SonicWALL has kept its old menu structure and this was very helpful in beginning to navigate such a complex product. I was able to quickly get to the settings that I knew I wanted access to such as VPN, DHCP and log files and ensure that they were configured as needed.
One of the first things I noticed is that SonicWALL has fixed the problem of being able to send log files. Older generations did not support the use of email login to a server in order to send files, with the result that you often didn't get logs, alerts or any information at all. The only way to know what was going on was to manually connect to the device and read the log. Not very useful.
One of the features of all SonicWALL devices is that they can be used as a DHCP server if required, taking the load off the normal network servers. By default, this is turned on and you have to manually disable it if you don't want it clashing with your other DHCP servers. One reason for leaving it on is that the 4100 supports the provision of DHCP to remote clients.
The 4100 uses digital certificates to control some access and feature sets. This is extremely useful if you want to allow people to log in through the firewall rather than use the VPN client. For Windows Server administrators, SonicWALL has provided support for the Microsoft certificate, allowing the 4100 to talk directly to Active Directory for user login.
What makes the 4100 ideal for use at the heart of your network is the support for eight user defined ports (X2-X9). Each of these could be a single server or it could be a link to a branch office or internal department. You can apply IP address ranges to each port and create zones around them such as trusted and untrusted.
This gives you the ability to partition your network up through the 4100. With the increasing use of managed office spaces, this allows the building owner to put in very high speed SDSL circuits and partition them using the 4100. The advantage of this is that you can ensure that traffic passing between each port is subject to a range of security checks such as packet inspection and security rules that you create.
Among all the features were three that really stood out. The first was support for working times through security policies. You can create access policies based on working day, evening and weekend. This allows you to turn ports on/off and even disable access through the SonicWALL if necessary.
The second was support for SonicWALL's SonicPoint range of wireless access points. You can configure and control these from the 4100 through policies and make them subject to policies set inside the 4100. For example, many organisations have struggled with securing their wireless networks especially when out of normal working hours. By allocating the SonicPoints to one or more of the user defined ports on the 4100, you can allow those embedded in the heart of the building or in certain departments to work 24x7. Others located near the building walls or in common areas such as reception can be turned off outside of normal business hours. It makes for a very elegant and controllable solution.
SonicPoint support goes further in that you can detect and disable access for unsupported wireless access points inside your building. This stops unauthorised use of wireless and reduces your risk of attack further.
The third area was the improvements to the VPN support. It's still not as simple to set up as it needs to be, but there is a wizard. You can also supply DHCP addresses to users connecting through the VPN. One of the biggest problems with a mobile workforce is supporting them when they cannot get access to resources inside the network. IP address clashes between the hotel or broadband supplier that they are using and your internal address scheme are a common problem. In one go you can remove this.
SonicWALL has done much to improve the features inside their devices and this is the fourth generation of their operating system. It's much improved on the previous version and they are doing their best to offer good deals to get customers to upgrade. If you don't, you will lose support for the older devices. If you do, then you stand to gain from the anti-malware features.
One of the disappointments here was the complexity of the menu system. This is as much about the wealth of features as it is the poor support in the documentation and the lack of wizards for common tasks. The user manual is a general guide to all of SonicWALL's product lines and this gets confusing when you are looking for a feature that isn't in the 4100.
As an experienced SonicWALL user I was able to navigate the menu with only a modicum of annoyance and a smallish amount of lost time. SonicWALL novices will find this a very confusing product to work with and this must be addressed.
The SonicWALL 4100 is targeted at the Enterprise market with a wealth of features that will have your head spinning. The question is whether or not everyone wants all these features and how best they can use them. Its ability to control wireless devices, albeit only those from SonicWALL, and its huge range of policy options make it very attractive as the heart of your security solution. The downside is that with so many things it is a full-time job truly understanding and tuning the device.