We also had a good user experience in testing the SSL VPN client (up to 10 simultaneous users are supported). Windows and Mac users were able to connect, log in and deploy the client software without reading the manual or encountering confusing buttons. We also had no problems building a site-to-site VPN (up to 25 tunnels are supported), thanks to the VPN wizard and good default settings.
We found the logging to be poorly thought out and implemented. Log messages either overwhelmed with trivia or failed to capture the information needed to audit traffic. Policies such as NAT are global to the entire firewall: it's either on or off, making anything but the most basic deployments problematic.
The SSL VPN was a particular disappointment. With a default "permit all" policy that can't be changed, we found that trying to control access once someone logs in over the SSL VPN is impossible. Moreover, when we tried to put in an SSL VPN policy that didn't simply grant broad access, we ran into bugs in the way policies are evaluated, giving less security than the policy indicated. We also found bugs in enabling remote management, but fortunately the error was in the direction of greater security: remote management could not be enabled.
The FVS336G is not a UTM firewall, but it has limited UTM features, including content filtering by keyword and domain, as well as blocking of ActiveX and Java controls.
Testing methodology: We evaluated the FVS336G by connecting it directly to the Internet and placing test systems on the inside interface. We then tried to implement three different security policies for firewall and SSL VPN.
This was first published in April 2008