As a firewall, the NSA E5500 sat up and paid attention in class. It uses a zone-based firewall as a base, with different interfaces bound to different zones. Although you can't skip the zones and go pure-IP firewall (one of the few shortcomings), the firewall model is intuitive and easy to configure. Most normal security policies will be easy to express in the user interface. The appliance can also be put into transparent mode, for network managers who want to add UTM features to their network without replacing an existing firewall or router.
Firewall policies include the obvious elements: source and destination zone and IP addresses, and service, but can also have schedules attached (such as "during business hours"), user-based qualification (i.e., the E5500 will pull user and group information from LDAP servers, such as Active Directory), and some very basic QoS attributes. QoS includes a very limited ability to cap or guarantee bandwidth, a feature becoming more important in these days of latency-sensitive and/or bandwidth-hungry applications, such as voice and video.
If the NSA E5500 firewall falls down anywhere, it's in the complexity that occurs when you start configuring the firewall and turning on all the available features, such as wireless guest services, remote access VPNs, and user-based firewall rules. For example, enabling common management protocols on an internal interface causes six automatically created rules to show up in the firewall to enable management. For larger and more complex configurations, these rules tend to multiply and obscure the actual security policy.
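As an added illustration of the rule model described above (this is constructed example code, not SonicWALL's own, and the interface-to-zone bindings, rules and packets are made up), a small Python evaluator for zone-based rules with schedule and user-group qualification; its `shadowed()` helper also shows how an auto-created management rule placed ahead of an explicit rule can hide that rule from the effective policy.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
# Hypothetical model (not SonicWALL's code) of the policy the review describes:
# interfaces bound to zones; rules keyed on zone pair, addresses, service,
# an optional schedule and an optional LDAP user group.
IFACE_ZONE = {"X0": "LAN", "X1": "WAN", "X2": "DMZ"}   # constructed bindings
WORK, NIGHT = datetime(2008, 3, 3, 10), datetime(2008, 3, 3, 22)  # in / out of hours
def in_nets(ip, nets):
    return any(ip_address(ip) in ip_network(n) for n in nets)
@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str                     # "tcp/443", or "any"
    action: str                      # "allow" or "deny"
    src_nets: list = field(default_factory=lambda: ["0.0.0.0/0"])
    dst_nets: list = field(default_factory=lambda: ["0.0.0.0/0"])
    hours: tuple = None              # schedule as (start, end) hour, e.g. (8, 18)
    groups: set = None               # user groups that qualify; None means anyone
    auto: bool = False               # auto-created management rule
    def matches(self, pkt, when, user_groups):
        if (IFACE_ZONE[pkt["in"]], IFACE_ZONE[pkt["out"]]) != (self.src_zone, self.dst_zone):
            return False
        if self.service not in ("any", pkt["service"]):
            return False
        if not (in_nets(pkt["src"], self.src_nets) and in_nets(pkt["dst"], self.dst_nets)):
            return False
        if self.hours and not self.hours[0] <= when.hour < self.hours[1]:
            return False
        return self.groups is None or bool(self.groups & set(user_groups))

def evaluate(rules, pkt, when, user_groups=()):
    """First match wins, implicit deny otherwise; returns (action, rule name)."""
    for r in rules:
        if r.matches(pkt, when, user_groups):
            return r.action, r.name
    return "deny", "implicit"

def shadowed(rules, pkt, when, user_groups=()):
    """Explicit rules that also match but sit behind an earlier auto-created rule."""
    hits = [r for r in rules if r.matches(pkt, when, user_groups)]
    return [r.name for r in hits[1:] if hits[0].auto and not r.auto]

RULES = [  # constructed policy; the first entry mimics an auto-created rule
    Rule("auto-mgmt-https", "LAN", "LAN", "tcp/443", "allow", auto=True),
    Rule("deny-lan-lateral", "LAN", "LAN", "any", "deny"),
    Rule("finance-to-dmz-web", "LAN", "DMZ", "tcp/443", "allow",
         src_nets=["10.1.0.0/16"], hours=(8, 18), groups={"finance"}),
]
```

Running `shadowed()` over a rule base after enabling management services on an interface is one quick way to see which explicit rules the auto-created entries are masking.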
The appliance also suffers from some confusing feature-itis in the basic firewall. For example, there's a check box that says "Enable support for Windows Messenger." That's interesting, except you don't get enough information to decide whether checking that box is a good idea. There are several screens of this kind of stuff, intermixed with more useful features such as SYN flood protections. These excessive knobs aren't necessarily very bad, as they can be easily ignored during basic policy setup.
We used the Web-based GUI for this review, although SonicWALL also offers a central management and configuration tool, Global Management System, for all its products.
The NSA E5500 has a variety of optional, separately licensed, advanced firewall features, divided into two main categories: UTM and application firewall. The E5500 has SonicWALL's own UTM features including Web content filtering, gateway antivirus, signature-based intrusion prevention (IPS), malware detection and blocking.
The E-class appliances feature a multicore Cavium Networks Octeon CPU to overcome UTM performance hogs, such as antivirus. The NSA E5500 has an eight-core processor. We didn't test performance, but SonicWALL says the appliance's eight cores will translate into 750 Mbps of antivirus scanning and 550 Mbps of intrusion prevention (or 400 Mbps with everything turned on). The E6500 and E7500 are rated even faster.
Although the UTM feature list is relatively standard, we found the actual implementation to be full-featured. For example, for Web content filtering you can select from three different content filtering engines (SonicWALL's own, N2H2 and WebSense), as well as the option to use third-party RBL services, such as Spamhaus, for spam filtering. We used SonicWALL's own engine and were happy to find more than the normal list of categories. For example, the NSA E5500 can provide HTTPS content filtering by looking at IP addresses and comparing them against a SonicWALL list of known problem sites, closing a hole in many content filtering strategies. Built-in features, such as "consent to monitoring" Web screens, will be especially attractive to public organizations and schools.
Another plus is stream-based anti-virus scanning. SonicWALL is one of two firewall vendors looking for viruses in any (unencrypted) data stream. Because antivirus UTM is primarily useful in cleaning up holes left in other protocols, having coverage across all data streams is a key benefit in the NSA E5500. For example, while most enterprises have a good strategy for dealing with HTTP and email-transferred malware, they may not have a way to block viruses coming in via peer-to-peer or instant messaging protocols.
All UTM features (except for content filtering) are enabled on a per-zone basis, with a single policy in each area applying to an entire zone, such as LAN, WAN, and DMZ. This approach doesn't provide much granularity. For example, you can't have one antivirus policy for your wireless LAN users and a different one for your web servers, unless you want to disable anti-virus entirely.
A more significant innovation, especially for enterprise network managers, is SonicWALL's extension of its existing application firewall, an add-on to the standard firewall used to apply extra application-layer controls to Web browsing, file transfer, and email streams passing through the firewall. For example, the Application Firewall can identify specific parts of an email message (such as content within the body, or a subject line or recipient), FTP commands, HTTP requests and responses, specific web browsers and web content (such as ActiveX components), and filenames or types being sent over HTTP, SMTP, and FTP. Once traffic matches one of the application firewall objects, the network manager can apply any one of a number of actions, such as blocking the SMTP or FTP traffic or redirecting a web browser to a different page.
Security managers who have looked at proxy firewalls from Secure Computing and WatchGuard, as well as deep inspection in Check Point, Cisco, and Juniper firewalls, will find this familiar territory: trying to apply the power of application layer security in network layer firewalls. SonicWALL has taken a slightly different approach by disconnecting the application firewall from specific traffic rules in the basic firewall, but the core concepts are competitive with other firewalls aiming at enterprise security environments. The benefit of this decoupling is that it's easy to manage the application firewall without having to go into multiple network layer firewall rules to be sure you're covering all bases.
At this stage, the Application Firewall is still a toolkit. There are no predefined policies, so it's up to your managers to decide what they want to do with the tools they've been given and write their own rules for content blocking, compliance and alerting. SonicWALL provides 10 "use cases" to show where application layer firewalling could be most useful, along with configuration examples, but this component definitely needs fine tuning, bug fixes, and additional functionality. For example, the first rule we tried, blocking MP3 downloads, worked for FTP but not for HTTP. Our second rule, to block outbound SMTP mail to "yahoo.com", was also not very successful, because we were able to evade the blocking.
The NSA E5500 has basic site-to-site and remote access VPN features. However, although SonicWALL has now bought two different SSL VPN companies, it hasn't integrated any SSL VPN into its firewall appliances. Perhaps that's done to avoid cannibalizing sales of SSL VPN within the firewall, but we think that SonicWALL owes us a better remote access VPN client and end-user experience than its current IPsec offerings, which require cumbersome deployment and management.
Network managers who are developing multi-site VPN configurations will also want to skip the Web-based GUI unless they only have a few sites and a small number of networks to worry about. The local VPN management tools are inadequate to handle larger numbers of sites and networks because of the lack of coordinated policy across multiple devices. SonicWALL's Global Management System makes the task of managing site-to-site VPNs much simpler.
The NSA E5500 does not have embedded wireless adapters, but it can be linked to SonicWALL's SonicPoint 802.11a/b/g thin access points. SonicWALL's wireless capabilities are probably the best-kept secret of the entire corporation, and one that you should know more about.
As an enterprise wireless solution, the NSA E5500 isn't in direct competition with enterprise wireless products from Cisco, Aruba or Aerohive, but it does provide a fast and cost-effective way to securely add high-end wireless capabilities, including multiple security profiles and SSIDs on a single access point, guest services (such as captive portal login) and guest provisioning, along with some wireless intrusion detection and RF management features, all handled through the Web-based GUI.
We set up two SonicPoint devices and were able to move quickly from bare metal hardware to a sophisticated and secure wireless environment in less than an hour. SonicWALL includes features, such as the ability to speedily create guest users with session limits and expiration dates, that have to be bought separately or "hand built" in other wireless products.
Testing methodology: We installed the NSA E5500 in our production network for four weeks, putting a subset of users behind it and testing each of the UTM and advanced application-layer firewall features. We also integrated the NSA E5500 with two SonicWALL SonicPoint 802.11a/b/g access points, and set up both employee and guest wireless access.
This was first published in March 2008