Review: Check Point VPN-1 UTM Edge security device

Check Point’s VPN-1 UTM Edge is a security appliance designed to protect remote branch offices where expertise may be limited or non-existent.

As such it provides a lot more than the normal firewall and VPN (virtual private network) facilities found on low-cost routers, adding support for centralised configuration and management, user authentication and automatic failover at the top of a long list of additional features.

A compact device, the VPN-1 UTM Edge runs an embedded implementation of the Check Point NGX software. No local storage is involved and the device comes in a robust metal case with all the connectors located at the rear.

These include a four-port 10/100Mbits/sec Ethernet switch with an 802.11b/g wireless access point an optional extra. The model we tested also came with a built-in ADSL modem, doing away with the need for a separate box to connect the unit to the internet.

Two USB ports allow printers to be attached and there is a separate Ethernet port that can be used to either create a secure DMZ (demilitarised zone) – to isolate public-facing web and email servers – or as a secondary Wan port.

When configured for Wan access you also get automatic failover in the event of connectivity problems, a facility that can be extended to other backup appliances (possibly connected to other service providers) for companies where loss of connectivity would be a real business issue.

The usual browser-based interface is provided for local management with wizards to help with the initial setup. This we found easy to use, with clear menus – although a fair amount of technical knowledge is assumed.

But then a key feature of the appliance is its ability to be configured and managed centrally, using Check Point Smartcenter (available separately) doing away with the need for individual setup and local expertise.

In terms of functionality there is, of course, a stateful inspection firewa ll (a technology that Check Point pioneered) plus an IPSec VPN server that can be used for both site-to-site and teleworker access.

Licences for Check Point’s Securemote client software are included in the price, with support also available for the Microsoft L2TP client in Windows 2000/XP.

Gateway anti-virus scanning can then be added (from £84 per year for five users) together with anti-spam and web content filtering. However, these last options are implemented as remote services rather than being performed by the box, and require additional subscriptions.

Other features of the VPN-1 UTM edge include support for tag and port-based VLans, plus user authentication using either an internal database or an external Radius server. Combined, these options can be used to provide granular controls over network access.

Guest users, for example, could be allowed to connect to an intranet web server and, optionally, the internet, but not allowed to see or access other resources.

We found the VPN-1 UTM Edge easy to set up and use, but to take full advantage of what the appliance has to offer you really need several remote sites – which may limit its appeal to larger companies.

That said, the hardware and embedded NGX firmware are basically the same as that used in Check Point Safe@Office products. These lack the VLan and user authentication features, but are a better option if you’re just looking to secure one location.