Kerio Control NG100 review
A compact unified threat-management appliance that’s ideal for small or remote offices
Kerio's Control NG100 is the smallest UTM appliance we've ever seen, but the manufacturer has managed to pack plenty into this palm-sized slab of steel. It runs the full version of Kerio's Control software, providing SPI firewalling, IPsec VPNs, IPS, deep-packet inspection and bandwidth management. You also get Kerio's own Web Filter service and Sophos' gateway antivirus.
It's good value, too: inside beats a dual-core 1.33GHz Atom CPU, with 4GB of DDR3L RAM, 32GB of mSATA storage and three Gigabit ports. The 389 price includes a one-year licence for all software and signature updates. After this period, the maintenance cost is 122 per year, which includes updates to the Control, Sophos AV and Web Filter services.
The NG100 is aimed at small firms and remote offices, but you don't have to count seats too carefully, as the licence is for unlimited users. The only limitation is the bandwidth of the hardware itself: Kerio claims a UTM throughput of 30Mbits/sec.
Installation was swift: the web console's activation wizard automatically sorted out internet access and created a base set of firewall rules. It assigned WAN duties to the first Gigabit port, and grouped the other two together as a LAN switch along with DHCP services. If you prefer, these ports can be configured separately, each with its own firewall rules and DHCP services, and given separate weightings for traffic prioritisation.
Setting up the firewall was easy: we had no problem choosing from the extensive list of predefined services, selecting sources and destinations and applying block or allow actions to the traffic. IPS is handled by the well-respected Snort, which can be enabled for all traffic with a single click and updated automatically every hour.
The web-filtering service recognises 150 categories of site, which you can blacklist or whitelist: it worked well for us, with none of our test URLs slipping through the net - save a few bingo sites. Kerio doesn't offer anti-spam services, but the Sophos AV scanner can be applied not only to HTTP and FTP traffic, but to SMTP and POP3 too, allowing the NG100 to provide some measure of mail protection.
The NG100 supports transparent and non-transparent HTTP proxy operations, and you can apply user authentication locally or via Active Directory. You can also use one of the LAN switch ports to host a separate guest network: in this mode, the NG100 automatically sets up DHCP services and configures a firewall rule to allow guest internet access. When users first connect, they're sent to a customisable welcome page, which is hard-coded to block access to the rest of the LAN. But add an AUP to the welcome page, and the web filter doesn't apply to guest traffic.
The NG100 doesn't support SSL VPNs, but Kerio's proprietary VPN server is easy to configure. All we had to do was enable the service, choose the default certificate, and activate the predefined firewall rule to allow inbound VPN access. Control VPN clients are available for Windows, OS X and Linux. Performance is impressive: we copied a 2.5GB test file over a VPN link to a LAN system at an average of 7MB/sec - although we did see appliance CPU utilisation hitting 98% during the operation.
There are plenty of monitoring tools, too. The web console provides graphs displaying hardware, WAN/LAN utilisation and active users, and keeps logs of every activity. Firms with multiple sites will love the free MyKerio web portal service, which provides full remote access to each appliance's web console. The NG100 is probably the smallest UTM appliance you can buy, but it's no lightweight. It offers features that would put more expensive appliances to shame.
This review was originally published in PC Pro issue 262.
Specifications: 1.33GHz Intel Atom E3825; 4GB DDR3L; 32GB mSATA; 3 x Gigabit Ethernet; USB 2; USB 3; HDMI; RJ-45 console; external PSU; Kerio Control and Web Filter; Sophos AV; 1yr standard warranty