Kerio Control NG500 review

Kerio's Control is a long-term player in the SMB UTM market and for good reason as it has always offered a fine range of security measures at affordable prices. The company made the switch to software, hardware and virtual appliances a few years ago and its next generation Control products offer a boost in performance and features.

Kerio has launched three new hardware appliances with the top-dog NG500 on review aimed at head offices or large remote sites. Powered by a 3.6GHz Core i5 processor and 4GB of DDR3 RAM, this 1U rack appliance claims decent firewall and UTM speeds of 975Mbps and 280Mbps respectively.

It provides a solid foundation of SPI firewall, deep packet inspection, IPsec VPNs, IPS and bandwidth management. Kerio builds on this with Sophos' gateway anti-virus and its own Control Web Filter services, but anti-spam is not available.

The unlimited-user model costs 2,459 but you can save over 400 and go for a 100 user restriction. Ongoing costs aren't unreasonable as software maintenance charges for subsequent years are around 842 per year and include upgrades and updates to the Control, Sophos AV and web filter services.

Swift deployment

The NG500 is very easy to install as the tidy web interface fires up an activation wizard which runs through setting up Internet access, registration and creating a base set of firewall rules. Port options are versatile as the appliance defaults to assigning the first Gigabit Ethernet port to Internet duties with the other five grouped together as a LAN switch with DHCP services.

Kerio's tidy dashboard provides plenty of information about network activity

The NG500 supports failover and load-balanced Internet links and a handy wizard takes the strain. Both modes only use the first two ports for these duties. For load balancing, you can assign weightings to prioritise the link with the highest bandwidth.

If you wish, you can break selected ports out of the switch group and designate them as standalone. These can provide dedicated DHCP services and have their own security and firewall policies applied.

Security detail

For custom firewall rules, we chose from a fine selection of predefined services, added sources and destinations and decided whether to block or allow the traffic. Rules are placed in a list in order of priority and colour coded so we could easily see which were blocking or allowing traffic.

Along with HTTP and FTP traffic, the Sophos anti-virus scanner can be applied to SMTP and POP3 too, so some email protection is provided. Kerio's Web Filter service offers 150 URL categories to block or allow and supports multiple rules so we could apply a wide range of browsing controls.

Kerio's Web Filter service offers 150 URL categories to choose from and performed very well

Kerio's intrusion prevention shouldn't be sniffed at as this is handled by the well-respected Snort. It's enabled for all traffic with a single click, uses three threat severity levels to decide whether to allow, log or block dubious incoming traffic. Its signature database can be updated automatically as often as every hour.

VPN choices

VPN support extends to the IPsec, PPTP and L2TP varieties. Unlike most of the competition however, Kerio doesn't support SSL VPNs. The proprietary VPN server is remarkably easy to configure though, which makes up for this surprising absence.

All we needed to do was enable the Kerio VPN Server service, choose the default certificate and activate the predefined firewall rule to allow inbound VPN access from the Internet. Kerio provides Control VPN clients for Windows, OS X and Linux. We tested the Windows version, which just required the eternal address or FQDN of the NG500 and user credentials.

Kerio's proprietary VPN server is a cinch to set up and client connections are equally pain free

Performance is good, too. Copying a 2.5GB test file over the Kerio VPN link to a desktop on the LAN returned good sustained transfer rates of around 16.5MB/sec with appliance CPU utilisation never going above 21 percent.

Users and guests

Kerio supports transparent and non-transparent HTTP proxy operations, while user authentication can be carried out locally or via Active Directory. Kerio's license only applies to user authentication so you can have as many unauthenticated users as you like.

This is handy for setting up a guest network as we could break out an interface from the LAN switch group and use it for this purpose. After providing it with a fixed IP address, the appliance automatically assigned DHCP services and a firewall rule to allow guest Internet access and it's hardcoded to block them from the LAN.

Users connecting to our guest network were automatically redirected to a welcome web page which can be customised with a company logo and AUP. You can assign custom firewall rules and request they enter a shared password, but you can't apply Kerio's Web Filter services to guest traffic.

The NG500 can be cloud managed with a MyKerio account and provides good local reporting as well

Conclusions

The Control NG500 is pleasantly simple to deploy and offers a good range of security measures for the price. It's also easy to manage and you get free access to the MyKerio web portal for remotely monitoring and configuring multiple appliances.

Anti-spam would have rounded the NG500 out nicely, but it can't be faulted for its firewall, Sophos gateway AV or web content filtering features. Secure guest access is also a bonus as are Kerio's VPN services which delivered comparatively good performance.

Verdict

The Control NG500 delivers a good set of network security measures in an affordable and easily managed appliance

Chassis: 1U rack

Processor: 3.6GHz Intel Core i5-4570S

Memory: 4GB DDR3

Storage: 32GB SSD

Network: 6 x Gigabit Ethernet

Other ports: 2 x USB 2, RJ-45 serial port

Power: Fixed 220W PSU

Management: Web browser, MyKerio

Warranty: One year standard