Dell SonicWall TZ600 review
Bursting with security features at a price affordable for SMBs
Dell's new SonicWall TZ family of network security appliances aims to deliver the security SMBs and remote offices are crying out for at a price they can afford. This sixth generation model claims a big boost in performance over its predecessors and brings sophisticated wireless management into the fold as well.
The flagship TZ600 on review looks up to the job as this compact desktop box has ten Gigabit ports for LAN, WAN, DMZ and WLAN duties. Recommended for up to 70 users, it comes with 1GB of memory while processing power is served up by a quad-core 1.4GHz MIPS64 Octeon processor.
The appliance costs just over a grand with a one-year TotalSecure subscription increasing this to a still very reasonable £1,499 ex VAT. This enables Dell's Intrusion Prevention System (IPS), gateway anti-virus and anti-spyware, web content filtering and Dell SonicWALL's application intelligence and control.
Anti-spam is optional with a 1-year subscription costing an extra £400. The TZ600 comes with the wireless management feature enabled as standard and can handle up to 24 SonicPoint access points including the latest 802.11ac models.
Port zones make light work of applying security policies to multiple users
Dell SonicWall TZ600: swift setup
We found deployment simple as the web console's quick start wizard sets up the first LAN port and a WAN port for Internet access and applies a security policy to the default zone. Zoning makes the TZ600 very versatile as you can place selected ports in different zones and apply a single security policy quickly to all the members of a particular zone.
Selecting a security type for each zone also determines what traffic can pass through it. All LAN ports are trusted but the WAN port is untrusted, so no traffic will be allowed to pass from it to another zone unless a firewall rule permits it.
Usefully, as you create zones, the appliance automatically sets up new firewall rules for them. The various security services are applied to zones with a couple of clicks, so we could quickly enable IPS and gateway AV on the WAN zone.
We could keep a close eye on traffic flows with the Real-Time Monitor
Dell SonicWall TZ600: feature details
The TZ600 gets the benefit of Dell SonicWALL's Reassembly-Free Deep Packet Inspection (RFDPI) which is designed to identify and control applications without any significant hits on performance. For web filtering, we enabled the Content Filter Service (CFS) but you can add the optional Websense Enterprise premium cloud service.
We can't see the point in splashing out for Websense Enterprise though, as the CFS performed well with very few web sites slipping past it. We created multiple content filtering profiles from the 60 available URL categories and assigned each policy to different zones.
The TZ600's App Controls are a winner as they manage a wide range of applications such as FTP transfers or HTTP requests and apply actions such as blocking or limiting bandwidth. The Advanced App Controls are even better as these use signature IDs to identify specific activities.
It provides over 1,500 signatures that can spot activities such as Facebook likes, pokes or posts so you can block, log or allow them. Signature action policies can be applied to selected groups of users, IP addresses or even only SonicPoint access points and linked to a daily time schedule.
The TZ600's wireless provisioning features are a cut above the rest
Dell SonicWall TZ600: wireless control
Wireless management features are impressive and we tested these using a SonicPoint ACi dual-band access point. Before connecting it to the TZ600, we created a bunch of wireless provisioning profiles that defined settings for each radio, security and so on.
When we connected the AP, the TZ600 recognised it as an ACi model and automatically applied the correct profile to it. The upshot was we had secure, dual-band wireless services up and available in minutes.
We used a dedicated WLAN port zone so we were able to quickly apply custom security policies to it such as web content filtering, IPS and gateway AV. The WLAN zone wireless guest settings include permitting or denying inter-guest communications, redirecting users to an external web site for authentication and blocking wireless traffic deemed to be coming from non-SonicPoint APs.
IxLoad shows performance dropping substantially when we enabled the gateway AV and anti-spyware services
Dell SonicWall TZ600: performance test results
For real world performance testing, we connected the TZ600 to our lab's Ixia Xcellon-Ultra NP load modules via eight of the TZ600's Ethernet ports. Using the IxLoad control software, we created four client/server streams each requesting 1MB web pages.
With no security services enabled on the WAN, we saw IxLoad report a steady HTTP throughput of 1.3Gbits/sec. This was very close to the claimed 1.5Gbits/sec and we're sure with five client/server streams, we'd have achieved this.
With IPS enabled on the WAN zone, throughput dropped to nearly 1Gbits/sec, again very close to the claimed figure. However, we found the gateway AV service very demanding as throughput dropped to 385Mbits/sec and with the anti-spyware enabled as well, speed fell further to a steady 300Mbits/sec, 200Mbits/sec less than claimed.
We doubt if we could have achieved any more as the appliance's processor was maxed out during the last test. We could also see from its web console that the TZ600 only uses three of the four processor cores for traffic handling with the other one set aside for management processes.
Dell SonicWall TZ600: conclusions
Apart from the subpar gateway AV performance, our only other moan is that reporting tools aren't included as standard, but as chargeable options. These problems aside, the TZ600 impressed us with its superb range of security measures, top-notch wireless management features and affordable price.
For the price, the TZ600 has a superb set of security measures and tops them off with great wireless provisioning tools
Processor: 1.4GHz quad-core MIPS64 Octeon
Memory: 1GB RAM
Network: 10 x Gigabit Ethernet
Power: External power supply
Ports: 2 x USB, RJ-45 console
Management: Web browser
Options: Anti-spam, £400 per year; Analyzer reporting software, £152 (all ex VAT)