Organizations of all sizes need a firewall to protect their systems. Unfortunately, many companies lack the expertise or the money to purchase and properly configure a powerful, complicated firewall device. The Celestix Networks Inc. Aries One Security Server Appliance aims to solve this problem for small offices. However, administrators may find its flashy exterior and easy set-up overshadowed by performance problems and unreliable support.
If we were giving awards for case design, Celestix would certainly be in the running. The Aries One is a small, sleek device that just looks cool. Inside, the Aries One is running a hardened version of Red Hat 7.1 and Check Point Software Technologies Ltd. FireWall-1/VPN-1 NG (Next Generation) Small Office. Changes made to Red Hat during the hardening process include a new kernel to accommodate some CheckPoint dependencies. Additionally, all r* utilities and FTP have been removed. Shell access is available via OpenSSH.
Initial set-up on this device is relatively straightforward. The LCD screen on the front of the device allows basic configuration for network interfaces, so it is easy to define the IP address, network mask, and default gateway for the internal and external interfaces. The Aries One appliance can also act as the network’s DHCP server.
After configuring the IP addresses, we connected to the device via Internet Explorer 6. We had a few difficulties initially accessing the admin site because the documentation provided by Celestix was for the previous version of Aries One. (The company is supposedly putting together an updated CD for NG.) When we received the correct information, we were able to proceed.
First, we tried to change the admin password from the default. For reasons we could not determine, we had to key in the change a few times before the system actually made it. We then set the hostname of the system and performed a few other administrative tasks, which ran smoothly.
Next, we configured the CheckPoint NG Small Office firewall. Here, the appliance had a few problems. We did not receive any documentation for CheckPoint’s firewall other than the introduction to the Web-based interface in the Aries One user guide. Supposedly, you can use the CheckPoint GUI client for more granular control of the firewall, but we were unable to test it because neither Celestix nor CheckPoint provided it.
Celestix forwarded every question we had about CheckPoint NG to CheckPoint, and CheckPoint’s responses were not very timely. Additionally, we tried to obtain the manuals from CheckPoint’s Web site, but were not able to access the password-protected site, even using our CheckPoint certification and site log-in information.
The Web-based interface provides basic set-up and control for the firewall. The step-by-step configuration leads you through defining IP addresses for both internal and external interfaces, the administrative log-on, control mode, security mode, the services running on the internal network (such as Web services and FTP), and content security (such as URL filtering and anti-virus).
We had problems using the Web interface at times, although we tried several different browsers. Often, pages would not display on the first try and we had to click back and try again.
Additionally, the appliance locked up on several occasions after it had been running for a few days. It was handling minimal traffic, and we were not running any tests at the time. Unplugging the system and restarting it solved the problem, but its cause remains a mystery.
Celestix has designed a great-looking appliance, but the documentation and performance need improvement. Additionally, Celestix should provide more CheckPoint support. Organizations considering the Aries One should carefully examine their requirements. If support and documentation are a high priority, consider some of the other small office firewall devices from NetScreen, Sonicwall, or WatchGuard.
THE BOTTOM LINE: CONSIDER
Celestix Aries One with CheckPoint NG Small Office
Business Case: Aries One appliance aims to provide enterprise-level security in an easy-to-use device. Getting support from CheckPoint and dealing with lockups may eat up some IT staff resources.
Technology Case: Inefficient support and issues with the system locking up should be carefully evaluated.
+ Small device footprint
+ Easy to deploy
– Must purchase CheckPoint license separately
– CheckPoint documentation not included
– Inefficient support
Cost: US$799; licence for CheckPoint NG starts at US$600
Platform(s): Security appliance running hardened Red Hat Linux 7.1 and CheckPoint NG
Company: Celestix; http://www.celestix.com