SonicWALL recently started shipping six new firewalls to replace the low-end of its product line. The new firewalls are the TZ100, TZ200 and TZ210, each also available with 802.11n wireless integration. This product release completes SonicWALL’s transition to the Cavium Networks’ Octeon processor line, putting all of their firewalls on the same code base and with a similar feature set.
Network managers who have experience with older TZ-series firewalls will be especially impressed with the jump to the Cavium, as the new Cavium-compatible SonicOS Enhanced v5.5 brings a substantial set of useful features, including integrated SSL VPN, integrated in-the-cloud antispam service, and several new reliability options designed to increase uptime and performance. We’ve been critical of SonicWALL’s UTM performance in the past with pre-Cavium processors, so this transition to the Cavium brings much-needed performance boosts.
In our testing, we found the TZ210 delivers more than 125Mbps of pure firewall power, although there is a significant slowdown when all UTM features (antimalware and intrusion-prevention system [IPS]) are enabled. This makes the TZ210, and its slightly smaller brother, the TZ200, an excellent choice for solid UTM coverage well within the bandwidth requirements of the SMB market. We focused on two devices, the TZ200 and TZ210, in our testing.
While the TZ200 looks like something Apple would sell with a white plastic case and curvy lines, it still boasts respectable specifications: five 10/100Mbps Ethernet ports, an optional 802.11n (2.4GHz only) 2X2 Wi-Fi, and raw firewall performance of 97Mbps in our tests. We concentrated on its bigger brother in the somewhat uglier (but more professional looking) boxy Volvo-esque metal case, the TZ210, with seven Ethernet ports (two Gigabit Ethernet, five 10/100), optional 802.11n (2.4 GHz) 3X2 Wi-Fi, and raw performance of 126Mbps in our tests.
Both run the same software, and pricing for each is very attractive. The TZ200 costs US$400 to US$450 (depending on whether you get the 802.11n/b/g Wi-Fi) while the TZ210 costs US$600 to US$750 (again depending on whether you want Wi-Fi). The TZ200 and TZ210 (and TZ100 as well) are sold without per-user or per-node limits. Many firewall manufacturers added per-node limits and extended licensing costs on their low-end appliances as a way to try and get more money from larger companies for the same hardware, but SonicWALL has now moved away from such customer-disappointing strategies. Both the TZ200 and TZ210 are normally sold with a year’s software support, content filtering, antimalware, and IPS subscription for about US$150 to US$200 a year.
Presumably the bigger price differential on the TZ210 hardware is because of the more powerful Wi-Fi (3X2:2, meaning three transmit antennas and two receive antennas, and two data streams, giving a maximum theoretical performance of about 300Mbps, if 40MHz channels are used) than the 2X2:2 Wi-Fi on the TZ200. The main theoretical advantage of the TZ210 wireless is a longer reach and more immunity from noise, not higher performance.
The new low-end appliances in SonicWALL’s firewall line make a respectable bridge between SonicWALL’s traditional small-office market and the larger enterprise business it has been aiming at these last few years. For example, while the TZ200 and TZ210 firewalls we tested don’t support virtual LANs (a feature in SonicWALL’s higher-end devices), they do let you break up each Ethernet port into a different security zone, giving tremendous flexibility in setting security policy.
On the TZ210, with seven Ethernet ports (including two Gigabit Ethernet), we set up some ports with the firewall as a router, others in pass-through (transparent) firewall mode with a different device handling routing, and used yet another port pair as Internet-facing outbound interfaces, load balanced between two different ISPs. A few lingering restrictions remain that could be annoying in some deployments. For example, one of the TZ210’s two Gigabit Ethernet ports is dedicated to Internet traffic and can’t be changed to any “inside” function, such as a DMZ. That’s a waste, since very few of us have 200Mbps Internet connections (the maximum rated speed of the TZ210), but it would be nice to have that kind of performance going from trusted inside network to the DMZ for applications such as backups.
SonicWALL told us it wasn’t aware of the restriction, and would work to lift it in future software versions.
The hardware in both devices was rock-solid for us, and we did abuse it by shipping it to Europe for part of our testing, then bringing it back to the United States for the remainder. Not even a peep of protest from the hardware. Both units are fanless and use an external power supply. Another pleasant surprise: the power supply connector has a locking tab that firmly attaches it to the firewall, resolving a long-standing complaint with the traditional coaxial connector that is so easily tugged out. While SonicWALL isn’t necessarily blazing new ground in making a compact firewall with a handful of ports and built-in 802.11n wireless, the TZ200 and TZ210 are solid platforms that let the power of SonicOS shine through.
New hardware and new features in the SonicWALL TZ200 and TZ210 don’t hide the firewall, which is essentially unchanged from the last version we looked at. Existing customers using SonicWALL’s previous generation of small firewalls at SonicOS v3.9 will see a new GUI, but the firewall function and style is unchanged from previous versions. SonicOS 5.5 continues to have a versatile, but confusing view of network address translation (NAT).
Unlike other firewalls that integrate the access control policies and NAT into a single view, which we find to be a conceptually simpler way to deal with NAT in most networks, SonicOS continues to separate them, much to the confusion of anyone who might want to understand and edit the NAT policies. For example, in our sample testing, our TZ210 firewall with no access control policies, other than the defaults, grew to 48 separate NAT policies all on its own. Fortunately, the defaults that come with SonicOS work pretty well for most Internet-focused environments. Still, SonicOS could be a lot easier to use and understand in the world of NAT.
Other basic access control features within the firewall are optimized for ease-of-use, and we found the definition and creation of policy to be a fairly simple matter. As a zone-based firewall, the TZ200 and TZ210 suffer from a common deficit: you can’t manage access control rules that cover multiple zones. (Try to do so and you’ll get the strangely confusing and ungrammatical “Some rule may not be created since network object does not match related zone” error message.) When the firewall only had three zones in it (LAN, WAN and DMZ, in SonicWALL’s terminology), that was OK, but now that the firewall comes with seven zones out of the box, old weaknesses in rule management are becoming more significant. As with NAT, our firewall grew an amazing number of default rules — 93, to be exact — by the time we had finished adding a few extra zones and giving it some IP addresses. That’s before we actually wrote any security policy. That’s a lot of rules to start with when you think you have a clean slate.
In simple environments, the difficulty of managing a security policy that starts with so many rules may not be significant, since most small-office policies can be expressed with a single rule, “let people on the inside go out,” and rarely change from there. But after you’ve thrown in a couple of DMZs, guest access, wireless, and VPN features, the legendary ease-of-use for SonicWALL may become an impediment rather than a benefit. This is definitely an area that needs some work in future versions of the product.
Years of experience have given even the basic software in SonicOS v5.5 a slew of advanced features. For example, outbound (Internet) load balancing and failover is now supported for up to four different Internet connections. The new hardware also offers the option of using the cell network as your outbound interface. We configured the TZ210 to use a GSM USB cellular “modem” as our backup when the main Ethernet interface was unavailable. The TZ210 detected the problem with the main outbound interface, used the GSM device to restore our outbound connectivity, and then shut it back off when the main Ethernet connection was available again. All of this was astonishingly simple to set up and use.
We tested other advanced features in the firewall including denial-of-service avoidance with automatic SYN proxy and connection rate limiting, VoIP call tracking, and dynamic routing with Open Shortest Path First (OSPF), all of which worked as expected, even if a little debugging was needed to get it all straight. We also found the configuration interface for the advanced features simpler than the policy and NAT parts of the system, even when configuring OSPF dynamic routing. Some features we tested, such as multicast support across firewall zones, took longer to figure out, but also worked fine once we understood what the terms in the GUI meant.
Other advanced features include SSL control, which allows you to inspect SSL connections and block ones that don’t match your security policy, such as self-signed certificates or certificates that have the word “proxy” in the common name. This worked, but of course we were hungry for full inspection of encrypted SSL traffic, which SonicWALL told us would be available in a future version of the operating system. The TZ200 and TZ210 also both support Active/Passive failover of two firewalls (this is one of the differences from the TZ100, which does not support failover), although we did not test this because we only had a single unit of each.
We found other evidence of heavy experience in the firewall world, such as the ability to capture packets directly from the firewall itself for debugging — a feature we used many times in working out the multicast features of the firewall. This is the kind of feature that every firewall needs, even those aimed at the SMB market, just for debugging and system verification. In some cases, though, we found both bugs and limitations in this version. As part of our testing, we were unable to add a rule to deny traffic in a zone, with a strange error message telling us to wait while the GUI refreshed. A similar permit rule went through fine. SonicWALL’s PortShield, which implies that it provides each port with a dedicated firewall, doesn’t actually do that in this version; traffic is only protected if devices are on different subnets.
Overall, the basic security functions in the TZ200 and TZ210 will work best for smaller networks with fewer zones and simple NAT policies. The intuitive interface and shortcuts to policy management make it a nice match. Trying to stretch the TZ210 to implement complicated security policies, environments with more security zones, and networks with more complicated NAT rules will be more frustrating and difficult than some of its peer devices from other vendors.
One hot new feature of the TZ200 and TZ210 firewalls is their 802.11n Wi-Fi capability, available as an option in each of the new TZ-series appliances. These built-in Wi-Fi radios bring very high performance wireless to the firewall without adding significantly to the cost.
The TZ200 and TZ210 have a highly constrained approach to wireless, offering a simple configuration with basic options and only a few bells and whistles (such as time-based wireless, which, for example, lets you turn off your wireless automatically outside business hours). While the TZ200 and TZ210 do offer good guest access features (such as easy creation of guest accounts and simplified integration with other guest access services) on both wireless and wired, they don’t have other features that we’ve come to expect from small wireless firewalls in this product category, such as multiple SSIDs to separate guest from corporate users. The built-in 802.11n wireless radio should, in theory, offer up to 300Mbps of bandwidth — but SonicWALL’s specifications don’t trumpet that number for good reason.
In our TCP-based performance testing, we were only able to drive the TZ210 wireless up to about 64Mbps with four 802.11n stations — which consumed 100% of the CPU of the TZ210. We found that the TZ200, with its 20% slower CPU, also maxed out at about 51Mbps with multiple 802.11n stations. Since the SonicWALL TZ200 and TZ210 seem to be CPU-bound for wireless, we also suggest configuring for 20 MHz wireless channels, which didn’t reduce total throughput in our testing, but would be more “friendly” to other wireless equipment in the area. The TZ200 and TZ210 can also act as wireless switches, controlling SonicWALL’s external wireless device, the SonicPoint-N, a US$400 managed access point. (The TZ200 can manage 2; the TZ210 up to 16).
These are SonicWALL’s best-kept secrets, a managed wireless LAN similar to Cisco or Aruba’s wireless switch and access point technology, but at a fraction of the price. The SonicPoint-N has all the features you’d expect from an enterprise managed wireless network. A few important features, such as multiple SSIDs, have been blocked out of the TZ series. SonicPoints go further and do more than the built-in wireless on the TZ200 and TZ210. For example, features such as wireless RF monitoring for common attacks and problems can be configured on SonicPoints, but not in the built-in wireless. More to the point, you have to configure SonicPoints and the built-in wireless separately, so if you do buy into the SonicWALL wireless story, you have to treat the wireless built into the TZ200 and TZ210 differently from your SonicPoints — really, not the best of ideas. The built-in wireless should look and act just like a SonicPoint for maximum integration, but it doesn’t. And, if you do use SonicPoints, you can’t connect them to the Gigabit Ethernet ports on your TZ210, because those ports are already dedicated to other functions.
This restriction means you’ll never get the full benefits of the 802.11n wireless because you’ll be stuck on a 100Mbps interface. This doesn’t seem very well thought out or balanced. Although the 802.11n is a welcome addition, SonicWALL should have gone further with the experience they have from their SonicPoint line in giving a more powerful wireless feature set to the TZ series.
With the new TZ200 and TZ210, SonicWALL is continuing its power push into the UTM feature set. In addition to the existing content filtering, IPS and antimalware tools, this version of SonicOS brings SonicWALL’s Application Firewall (TZ210 only) and antispam service to the SMB marketplace. The IPS, content filtering and antimalware features are not significantly changed from earlier versions. SonicWALL offers both its own Content Filtering Service as well as an option for the Websense engine. Both antimalware and IPS use SonicWALL’s own service only.
We found configuration for antimalware (which SonicWALL breaks into antivirus, which can run across all traffic, and antimalware, which is limited to HTTP, FTP and e-mail protocols) to be straightforward. We tested antimalware by taking the 15 most recent unique viruses that were in our corporate antivirus quarantine and trying to re-send them through the TZ210 firewall. Out of the 15 viruses, the TZ210 failed to identify two suspected viruses. We submitted these to the Virustotal multiple-engine scanning service, which gave a 78 per cent “is a virus” score for one of them, and an 87 per cent score for the other. The TZ210 turned in the same results whether we used FTP, HTTP or SMTP to transfer the files. In an earlier test, we had also found that SonicWALL effectively found viruses on non-standard ports, a unique feature in this marketplace.
We stressed this by trying both HTTP and SMTP on non-standard ports, and found that while the TZ210 was able to identify malware in HTTP traffic on non-standard ports, it did not work properly on SMTP traffic on non-standard ports. This isn’t much of a defect, but network managers should be aware of this when considering their outbound and inbound SMTP policies. We did not look in depth at the TZ210 content filtering service, other than to verify that it caught some obvious URLs. As with antimalware, configuration of content filtering is extremely straightforward. Our experience with SonicWALL’s Application Firewall was less positive.
Although the Application Firewall definitely performed as advertised, we found it difficult to use and hard to trust. The Application Firewall is a new feature to this product line (it has been available in the higher-end NSA series since they were released) that allows the network manager to build policies based on very deep inspection of mail (SMTP, POP and IMAP), FTP and HTTP protocols, as well as SonicWALL’s IPS signatures. For example, traffic can be caught by the Application Firewall based on the “Subject” line of an e-mail. Once the Application Firewall picks out traffic, you can then apply policies, including simply blocking the traffic, or using more sophisticated actions, such as blocking e-mail attachments, adding text to messages, blocking or redirecting HTTP pages, and applying bandwidth management. Policies have a variety of other qualifiers as well, such as IP addresses, zones, username and group membership, and time of day.
As we quickly discovered, not every action is supported with every content match and with every protocol. SonicWALL provides a very good tutorial on the Application Firewall with numerous examples of ways to use this to enforce policy compliance, which is a must-read if you want to really understand what is going on. Although you can only define a very limited number of policies — five in the case of the TZ210 we tested — each policy is very powerful. For example, we wanted to use the Application Firewall to enforce bandwidth limits for streaming video. To do that, we had to use IPS signatures. The category “Multimedia” is too broad (it covers, for example, audio file downloads as well as video), so we had to browse through the 208 signatures to find which ones would cover what we wanted. Unfortunately, there is no easy way to get documentation on each signature other than its short name (typically 40 characters or less) as you’re configuring the Application Firewall. Fortunately, we could pile as many signatures as we wanted into a single policy, even if doing so was incredibly tedious.
We also felt that we were wandering a bit in the weeds with some of the signatures. In the end, we got the policy we wanted with only a moderate amount of research, and the simple testing we did showed that the TZ210 identified unencrypted video traffic from popular video sites and was able to enforce bandwidth limits. The Application Firewall was a success, although the amount of work it took to define a policy seems high compared to other operations on the TZ210. However, the Application Firewall goes where other firewalls can’t, and gives you the flexibility to define security policy you’ve never been able to build before in this type of device. Is it an out-of-the-ballpark home run? No, but it’s a great tool and one that could save you from having to buy another piece of hardware or another software package.
The last new security feature we tested on the TZ210 was SonicWALL’s antispam service. This is an in-the-cloud offering that uses the firewall to redirect traffic to the antispam service, which does content filtering, and then sends the non-spam e-mail back to your local mail server. Unlike other antispam services, the TZ210 antispam doesn’t require you to change your DNS. Using a combination of firewall and NAT policies and some internal smarts, the TZ210 simply redirects connections to their service, which lets you turn on and off the antispam quickly while testing. The SonicWALL antispam service isn’t a complete in-the-cloud offering because you must provide your own quarantine server (an application SonicWALL includes which sits on an existing Microsoft Exchange server) if you want to quarantine suspected spam, viruses and phishing messages. We did not have an opportunity to test the effectiveness of the antispam service on a production mail stream.
However, we did set up the antispam service and found it easy to install with very little aggravation — as long as you have a very simple setup with a single mail server, a small number (five or less) domains you want to filter, and a willingness to let your mail fly out into the cloud unprotected. The TZ210 antispam service strips out any server-to-server encryption you may have configured, and all communication between the TZ210 and the in-the-cloud service is unencrypted, which could be a concern in some environments where server-to-server encryption is used to ensure privacy.
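The encryption caveat above is worth verifying rather than assuming. The following script is an added example, not part of the original review and not SonicWALL code: it parses an SMTP EHLO reply to see whether a server still advertises STARTTLS, and can run the same check live against a mail host using only the Python standard library. The two EHLO replies and host names are constructed samples.

```python
"""Check whether an SMTP server advertises STARTTLS (server-to-server TLS).

Added example, not part of the original review and not SonicWALL code.
Use it to confirm whether a mail path that passes through an in-the-cloud
antispam redirect still offers STARTTLS to sending servers.
"""
import smtplib


def parse_ehlo(response: str) -> dict:
    """Parse a multi-line EHLO reply into {EXTENSION: parameters}.

    RFC 5321 format: '250-EXT params' for every line but the last, which
    uses '250 EXT params'. The first 250 line is the server's identity
    (e.g. '250-mail.example.test Hello ...'), not an extension.
    """
    extensions = {}
    seen_identity = False
    for line in response.strip().splitlines():
        if not line.startswith("250"):
            continue  # ignore anything that is not part of the 250 reply
        body = line[4:].strip()  # drop '250-' or '250 '
        if not seen_identity:
            seen_identity = True  # identity/greeting line, skip it
            continue
        keyword, _, params = body.partition(" ")
        if keyword:
            extensions[keyword.upper()] = params
    return extensions


def starttls_offered(response: str) -> bool:
    """True if the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(response)


def live_check(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Connect to a mail server, send EHLO and report whether STARTTLS is
    advertised. Sends no mail; uses smtplib.SMTP.has_extn() from the
    standard library."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")


# Constructed sample EHLO replies: one server offering STARTTLS, and one
# where the extension is absent, as described for the antispam redirect.
EHLO_WITH_TLS = """250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 HELP
"""

EHLO_WITHOUT_TLS = """250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250 HELP
"""


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Live check against a host name given on the command line.
        host = sys.argv[1]
        print(f"STARTTLS offered by {host}: {live_check(host)}")
    else:
        for name, reply in (("sample with TLS", EHLO_WITH_TLS),
                            ("sample without TLS", EHLO_WITHOUT_TLS)):
            verdict = "STARTTLS offered" if starttls_offered(reply) else "no STARTTLS"
            print(f"{name}: {verdict}")
```

Run it against the public MX of a domain before and after enabling the redirect; if STARTTLS disappears from the reply, sending servers will fall back to cleartext as the review describes.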
Performance of the antispam service will likely not be much of an issue, even though your mail travels over your Internet connection three times (in to the firewall, back out to SonicWALL, and then back to the firewall for delivery). SonicWALL’s documentation says it uses its own reputation services to block incoming connections.
Our testing showed that this isn’t exactly true, although reputation services (and their ability to limit wasted bandwidth) do come into play once a spammer has already connected to the firewall. Our limited testing didn’t give us the ability to really offer a verdict on whether the antispam service is a winner. However, SonicWALL includes a free trial, and it’s very easy to test this for yourself.
SSL VPN
Included with the new TZ100, TZ200 and TZ210 firewalls are licenses for a newly included SSL VPN function. The TZ100 and TZ200 come with one user license, expandable to five and 10 users (respectively), while the TZ210 comes with a two-user license, expandable up to 10 users.
This isn’t in the same league as SonicWALL’s enterprise-class SSL VPN appliance the company added to its portfolio when it purchased Aventail in 2007; it’s a simple network extension that is a competitor to IPsec VPN (also included with each device if you insist) for remote access.
The SSL VPN is simple to add and configure. Users appear in the SSL VPN as if they were in a new zone, so you simply write normal zone-based firewall rules to define your access controls. The SSL VPN includes a simple portal that can be used to launch or download the Java-based SSL VPN client (available for Windows, Macintosh, and Linux operating systems). A small set of SSL VPN specific settings, such as whether to use split tunneling, whether clients can communicate with each other or whether the username and password can be saved, are about all you need to worry about to set up the SSL VPN.
Users for the SSL VPN can be stored locally on the firewall appliance, or the firewall can talk to a RADIUS or LDAP server for authentication. We linked our TZ210 to a running Active Directory domain and saw great evidence of SonicWALL’s experience dealing with LDAP technical support — the configuration was well documented, easy to do, but not so ridiculously simple that we couldn’t make some important customizations to make the TZ210 talk properly to our LDAP server. This kind of easy connection is one of the important differentiators between a product that fits quickly into enterprise infrastructure and one that doesn’t go much beyond the demo stage. Because the TZ210 linked up so easily, we weren’t even tempted to use the local user database — a better security configuration in the long run. The SSL VPN built into the TZ200 and TZ210 is a great replacement — if you buy the extra user licenses — for the harder-to-use and less predictable IPsec VPN in earlier versions.
We tested the TZ200 and TZ210 using the same performance-testing methodology we used in 2007 when we looked at UTM firewalls and in our 2008 test of the SonicWALL NSA E7500 appliance. We found that the TZ200 and TZ210 beat their data sheet numbers in some cases, and don’t live up to them in others. For raw speed, without UTM features enabled, we found the TZ210 turned in a goodput of 118Mbps using a typical Internet traffic mix, with a total throughput of 126Mbps; the TZ200 91Mbps goodput and 97Mbps throughput. Goodput measures only application layer data, while throughput also includes header information. Most vendors quote throughput numbers in their performance stats, but goodput is a better measure of what you’ll actually see at the end system. Both devices beat their data sheet IMIX numbers easily. When we turned on UTM features, performance — as expected — was dramatically affected. SonicWALL does not really distinguish between server-side and client-side IPS, so we tested IPS with and without the Application Firewall to see a range of performance.
The TZ210 slowed down about 35 per cent while the TZ200 only dropped about 12 per cent. In fact, the TZ200 outperformed the TZ210 in pure IPS throughput, a result that SonicWALL wasn’t able to easily explain. With antimalware enabled, we saw a much more significant drop in both systems, although both dropped to about the same speed: approximately 13Mbps. That’s nearly a 90 per cent performance hit for the TZ210 and an 86 per cent hit for the TZ200. Neither system comes very close to its datasheet specifications for antimalware performance.
We discussed these UTM results at length with SonicWALL’s product management team. Although they were at first very surprised by the results, they were able to confirm them in their own test lab. We also varied our test methodology and tried four different approaches, all of which returned roughly similar performance numbers. SonicWALL explained that their original performance specifications were based on testing they did using SonicOS 5.1, while we were testing with SonicOS 5.5. During the upgrade, some new signatures were added to the UTM feature and these were causing the performance slowdown we saw.
Unfortunately, there was no easy way to identify which signatures were causing the problem on short notice, although they promised to work to improve UTM performance as quickly as possible. Our testing shows that SonicWALL has done a great job of providing high-speed firewall in a small package. However, UTM capabilities, especially antimalware, continue to be difficult performance challenges. Network managers who want to make use of antivirus at the gateway should be careful to limit their performance exposure by only protecting the traffic they think is likely to be infected with malware. Because the TZ200 and TZ210 run nearly identical firmware, network managers who are looking for simple firewalling probably won’t find much reason to jump to the higher price/performance point of the TZ210.
If some of the advanced features of the TZ210, especially the Application Firewall, are important, those certainly differentiate the two models. Similarly, the reach and noise resistance of the TZ210 wireless is likely to be better than the TZ200, and that could be a reason to go for the higher-end model. However, the wireless TZ210 has a street price about 60 per cent more than the TZ200, so for the performance offered, the TZ200 is a much better deal.
Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at [email protected].
Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.