The latest version of Ingate Systems’ Firewall 1600 improves on the Firewall 1400. The result is a SIP-aware VoIP firewall suitable for all but the largest enterprises.
The Firewall 1600 is a more capable unit designed to handle twice the load of the 1400. It’s built to fit easily into the enterprise; Ethernet ports run at gigabit speeds, for example. The firewall supports VoIP survival, which lets a remote office continue to function and connect to the outside world even if the central PBX is down or unreachable. Although this feature requires a media gateway to connect to the PSTN, it lets your remote offices function even when network problems intrude.
Other useful features include support for remote SIP connectivity. Employees can travel outside the phone network but retain network access if they use a SIP phone or a SIP softphone.
The 1600’s Web-based GUI, used for configuring the firewall, is intuitive and easy to use. Some of the configurations we set up included advanced functions such as NAT traversal and proxy settings, but we never had to open the manual during configuration. Normally NAT requires outside users and firewall managers to jump through a series of hoops that make the process very difficult or impossible, even in cases where the firewall will pass SIP packets (not all will). Thankfully, NAT traversal is designed into the 1600, so setting up outside users is reasonably easy.
The 1600 attaches to your network in a number of ways. It can work as a stand-alone VoIP firewall, siphoning off voice traffic and easing the burden on your enterprise firewall. It can live in the DMZ of your existing firewall and handle voice traffic through it. Or the 1600 can be your only firewall, handling both voice and data protection. In this scenario the 1600 is a capable network firewall, although it isn’t as full-featured as some; it lacks VLAN hardware acceleration, for example.
We tested the 1600 in each of the firewall configurations described above and found all of them to be effective. In our SIP PBX test, the Firewall 1600 served as the only VoIP firewall on the network. For the most part configuration and management were surprisingly easy. It worked perfectly with the Siemens HiPath 8000, the Zultys MX250, and the Versatel Networks 1500L media gateway. There were a few unresolved problems with the Avaya PBX, mainly in maintaining sessions for long periods of time. We are fairly certain that this was due to a configuration issue, but we ran out of time before we found out for certain.
More importantly, the 1600 handles twice as many VoIP users, as many as 360 at a time, as its Firewall 1400 sibling. Its six interfaces, two of them running at 1Gbps, mean the Firewall 1600 fits well into existing networks and won’t create a bottleneck. It handles as many as 1,000 registered SIP users and standard SIP addressing for reaching specific phones on inward calls.
Like the Firewall 1400, the 1600 lets you create lists of which callers are allowed to use specific functions. For example, you can turn off all 900-number calling, turn off long-distance calls for some phones, or set the firewall to allow domestic long-distance but not overseas calls. For users who need the firewall to connect to a central PBX, the 1600 now supports VPN connections as standard.
To get automatic updates, you must use Ingate’s annual maintenance agreement. The price for the maintenance is US$1,315 per year, or more than 10 per cent of the base price of the Firewall 1600. We think that’s a little steep. We also think the purchase price of the 1600 is a little steep, considering that you get a licence for only 10 users and five SIP traversals.
However, a PBX-to-PBX connection counts as only one user, so the basic unit may work just fine for midsize to large companies. In addition, the company makes a product called the SIParator, which provides everything you get in the 1600 except the firewall functions. This could be useful if you already have an adequate firewall.