WatchGuard XTM 510 review
WatchGuard’s latest XTM appliance has a wealth of network security measures, but management is a weakness. Read our exclusive review of the new XTM 510 to find out more.
With their fire-engine red chassis, you can't mistake a WatchGuard Firebox appliance. The latest to join this family are the new XTM models which aim to offer mid-range businesses a complete yet good value gateway security appliance.
There are four models in the family and the improved hardware specification is designed to give them a big boost in performance. They are endowed with a 2GHz Intel Celeron 440 processor along with 1GB of DDR2 memory and, for the XTM 510 on exclusive review here, WatchGuard claims a high firewall throughput of 1.4Gbps.
A feature that gives WatchGuard's appliances greater longevity than much of the competition is that you don't have to buy a new box when the current one runs out of steam. You could start with the entry-level XTM 505 which offers a firewall throughput of 850Mbps and upgrade performance simply by applying a new license. For the XTM 510 it would cost a further 2,365 to turn it into an XTM 520 which would increase firewall performance to 1.9Gbps. When the time comes you could then upgrade it to a full blown 530 and up performance to 2.3Gbps.
All XTMs offer a single 10/100 port for WAN duties and six Gigabit ports for LAN functions as well as up to five DMZs. The two USB ports at the front are a new feature these let you connect a flash drive and copy the unit's configuration to it for safekeeping.
For deployment you now have three options as WatchGuard has added a transparent bridged mode to the standard routed and drop-in options. The oddly named FireCluster aims to improve high availability. Previously, you could only run appliances in active/standby mode which is expensive as one does nothing, but you can now run them in active/active mode where load balancing is performed across cluster members.
With all services activated you get an SPI firewall, deep packet inspection plus support for IPsec and SSL VPNs. These are augmented with anti-virus, anti-spam, IPS and web content filtering. It's certainly a bumper bundle of security measures, but WatchGuard's management process is a strange brew that may not be to everyone's taste.
At the top of the tree is the WatchGuard System Manager (WSM) which provides a central location for managing and monitoring multiple appliances. Along with this you need to install the WebBlocker, log, reporting and quarantine servers which can be loaded on one reasonably specified system or spread across the network.
The WebBlocker filtering service is cumbersome as it runs on any Windows system on the LAN for which the appliance proxies all HTTP and HTTPS traffic. After installation you have to manually download the category database. We were gobsmacked to see that WatchGuard still expects you to use Windows' Task Scheduler to automate database updates.
We had no problems loading all the various components on one Windows Server system. The installation routine also allows you to pick which servers you want, so it's easy enough to load them on different systems. For testing we also opted for routed mode and dropped the appliance in between our LAN and WAN.
The appliance uses policies created using the separate Policy Manager. Policies determine how traffic is handled and each one contains details of the source and destination networks plus application proxies, packet filtering and custom rules. The proxies are a valuable feature as these provide Layer 7 content inspection, anti-virus and IPS facilities.
You have a good range of proxies to choose from, including ones for HTTP, HTTPS, FTP, SIP, H.323, POP3 and SMTP. The last two proxies make very light work of controlling messaging as you don't need to provide them with any details about internal mail servers. The Commtouch spamBlocker service is configured from the SMTP and POP3 proxies. We've seen quite a few security vendors moving over to the Commtouch service which isn't surprising as it works extremely well.
Commtouch spamBlocker works with many ISPs allowing it to passively monitor mail messages and compute hashes for each one. This allows it to identify spam very quickly as it simply compares hashes sent to it from the WatchGuard appliance with its own servers. Messages that trigger a response will receive either a confirmed spam, bulk or suspect message categorisation and you can apply actions such as allowing, tagging, denying, dropping or quarantining.
WebBlocker actions are configured from the HTTP and HTTPS proxies and you have a choice of over fifty categories to block or allow. With Websense behind the scenes we found performance to be extremely good with it blocking our test clients from all manner of time wasting sites.
Web filtering gets a boost from WatchGuard's ReputationAuthority service. With information gathered from WatchGuard's global network of appliances, it can determine whether incoming web traffic can be trusted by applying a score to it. You also get the new local override feature where a user can access a blocked site by entering a password.
The XTM appliances can now be accessed via a web browser which provides configuration access along with monitoring services. However, there is limited access to policy creation and modification as you can't, for example, configure the spamBlocker or WebBlocker functions within the relevant policies. This has to be done from the Policy Manager.
With only a single XTM appliance on test we found management complex due to the number of utilities and server components that need to be loaded. The WatchGuard System Manager and its associated servers are best suited to handling multiple appliances.
Nevertheless, the XTM 510 looks comparatively good value especially as the licenses include unlimited users. It performed exceptionally well during testing and the multitude of proxies also makes it very versatile.
During testing we found the XTM 510 performed very well with both the WebBlocker and spamBlocker features particularly impressing us. The appliance is good value, performance can be easily upgraded in steps and the myriad proxies allow the creation of very versatile security policies. However, the method of management is best suited to large, distributed deployments of WatchGuard appliances and is too complex for single appliance installations.
Chassis: 1U rack Processor: 2GHz single core Intel Celeron 440 Memory: 1GB DDR2, 1GB CompactFlash card Network: 1 x 10/100, 6 x Gigabit Ports: RJ-45 serial, 2 x USB Software: WatchGuard and Firebox System Managers plus WebBlocker, Report, Log and Quarantine servers Options: Upgrade from XTM 510 to 520, £2,365 (ex VAT)