PRODUCT EVALUATION: Internet @ppliance Industry Report

Internet @ppliance Industry Report:
A Guide to Technology,
Products, and Deployment

eSoft InstaGate™
Security appliance for workgroups and branch offices. Includes proxy-based firewall, VPN support, scanning, and filtering features designed to permit controlled, authenticated access to private or DMZ network. Use alone or with a router or communications appliance.
Price:
InstaGate Communications $3,995, includes
firewall, internet application, and VPN features;
SpamFilter, SiteFilter™, Firewall Scanner, and
InterView™ options available a la carte or
as all-in-one bundle $5,495;
DMZ Ethernet $75; ISDN $287; V.90 $116
Contact:
eSoft, Inc.
295 Interlocken Blvd., Suite 500
Broomfield, CO 80021
Phone: (303) 444-1600
Fax: (303) 444-1640
Web: www.esoft.com

Reviewed:
May 1999

The eSoft InstaGate™ is a feature-rich appliance that emphasizes meeting the security needs of a workgroup or branch office network. Every service offered by the InstaGate - from basic email to virtual private networking - identifies and addresses risks associated with Internet access. The InstaGate is ideal for appliance users who consider security top priority.

What's inside?

The InstaGate we tested ran BSD/OS 3.1 on a 330 Mhz Celeron with 64 megabytes of memory, a 4 gigabyte hard disk, and dual 10/100 Mbps Ethernet NICs that allow it to sit between outside (public) and inside (private) LANs. Our test unit included base model features and InterView™ management software. Annual subscriptions for anti-spam, site filter, and scan services can be purchased individually or as a package. Interface options are available to directly connect the InstaGate to the Internet or add a "demilitarized zone" Ethernet typically used to isolate public servers from other network resources. When connected to a UPS, the InstaGate provides automated shutdown during sustained power failure.

Setting up the InstaGate

Beginners will find the InstaGate's unique Setup Wizard easy to use, while VARs, ISPs, and network administrators will love its ability to remotely generate start-up configurations. Simply pop the CD into any Windows PC and answer ten queries posed by the Wizard to produce a Setup Floppy. To reduce typing, internal network defaults are obtained from the PC; modify or confirm these, then enter external address and gateway. Optionally enter DNS, Mail, Web, and FTP addresses to facilitate smooth integration with existing servers running in your internal network. The Wizard proposes security policies

that block outside access to all but selected internal servers, while permitting proxied access by internal users to the outside (typically, the Internet). The Wizard produces a printable configuration summary, DNS updates, and a Setup Floppy that can be distributed to branch offices or customer sites and act as an initial archive. Excellent instructions guide physical setup, including red/green ports and cables for goof-proof wiring. Power up the InstaGate with the Setup Floppy inserted to (re)initialize the unit. Audible indicators let you know where you stand; we'd also like visual reassurance when booting takes longer than the suggested 90 seconds. Once you hear a "charge" tune, the InstaGate is up and running. In many cases, no additional configuration is required.

Manage the InstaGate through any web browser (IE and Netscape for PC and Solaris are supplied). Enter the URL https://:2000 to launch an SSL-authenticated and encrypted management session. The InstaGate's administrative GUI is nicely laid out. We found its single-page "work card" format and navigation hierarchy intuitive and easy-to-use. A lock/unlock icon protects against concurrent configuration - while essential, this mechanism can also be frustrating: remember to lock before making any changes!

Security Services

The InstaGate is first and foremost a security appliance. Connecting your workgroup or branch office to the Internet introduces security threats. You'll want to protect your network from unauthorized access, verify the identity of (authenticate) those you grant access, and prevent eavesdropping on (encrypt) any private traffic you allow into your network. The InstaGate uses security policies to:

constrain traffic source and destination;

selectively authorize access by individual users;

define which applications to proxy (permit) and which to reject (deny); and

configure "smart proxies" that filter content for applications like web, file transfer, and email (for example, blocking access to web sites, transfer of executable files, or "spam" email).

Policies not only protect against outside access, they also control how internal users access the Internet. It takes a little practice to understand the relationship between policy components, but it's well worth it: the InstaGate supports powerful policies that enable fine-grained control. Many common policies require only the Setup Wizard: for example, we initially configured our InstaGate to permit external access to our web and file servers and block all other outside traffic. In the other direction, we permitted insiders nearly unlimited proxied access to the Internet, but chose to block news and RealAudio.

We then used the InstaGate's GUI to augment these policies, preventing users from browsing selected URLs and active content, permitting authenticated Telnet, discarding "spam" email, and enabling outside access to a mail server on the InstaGate itself. SiteFilter can be used to block access to offensive websites; SpamFilter can be used to drop or flag email from known offenders. Authentication can be a simple login/password, but larger companies will appreciate the ability to integrate with existing authentication servers. Time periods can be used to apply different policies during business and off hours.

Advanced Security Features

Proxy-based firewalls enable intelligent, granular policies, but there's a price to pay: throughput. Where top speed is necessary, packet filters can be used. The InstaGate's packet filtering features are not emphasized in the GUI or documentation, but are there if needed. Proxies inherently keep internal addresses private; network address translation (NAT) can be used for privacy with packet filtering by mapping external addresses to public servers located on your internal network or DMZ.

The InstaGate provides virtual private network (VPN) services that enable inexpensive, secure (authenticated, encrypted) access to your internal network from the public Internet.

Remote users (travelers, teleworkers, business partners) can "tunnel" to the InstaGate using the Point-to-Point Tunneling Protocol (PPTP) from any Windows 98/NT PC. A tunnel connects a user to your internal network while verifying his/her identity and scrambling the traffic traversing the Internet.
Branch offices can be connected by constructing IP security (IPsec) tunnels between InstaGates. Used this way, InstaGates authenticate each other, not individual users - this is a simpler way to enforce secure tunneling between networks.

We created remote access tunnels on our first try, but could not tunnel IPsec due to the way we connect to the Internet. VPNs can be tricky; discuss your own needs with eSoft to ensure a good fit.

When relying on any device to secure your network, it's a good idea to make sure it's "hardened" - configured to minimize risk. Use InstaGate's Firewall Scanning service (not tested) to launch a scan request to a eSoft server running the latest version of ISS, a top-notch commercial scanner that produces reports which identify and help you close security "holes".

Internet Application Services

The InstaGate includes a full complement of Internet application services needed by most workgroups:

It can act as a domain name server or be integrated with existing name servers;
It can assign addresses to hosts on your LAN;
It can operate as anti-spam POP/SMTP email server for internal and external users;
It supports a minimal built-in web server for Intranet or Extranet sites; and
It can significantly speed up web requests by caching (saving copies of pages for later use).

Larger sites will want to integrate the InstaGate with separate application servers, allowing the firewall to focus on security; small shops will appreciate the ability to run everything in one box.

Administration

The InstaGate's GUI does an outstanding job of hiding operating system details. Backups can be written to floppy or another host with FTP or Microsoft file sharing. Restoring from floppy is straight-forward, but booting from network backup requires a terminal or keyboard connection not described in our documentation. The GUI presents resource summaries, raw log files, and configurable reports that display proxied traffic; more extensive information is readily available through undocumented web pages. License management is simple, with one caveat: don't invalidate your license by changing your external IP address.

This is the only appliance we've tested that integrates with enterprise network management through SNMP and a wealth of configurable alerts that send email or page a sys admin when something undesirable occurs. Administrative access via telnet or console can be disabled or key-authenticated to "batten down the hatches". On-line software upgrades are downloaded and applied in a manner that makes order and reboot requirements clear. Diagnostic utilities like "ping" can be proxied to enable network trouble-shooting. Finally, we loved the detailed daily and weekly security reports that can be viewed, emailed, or "published" by FTP or Microsoft file sharing in text or HTML format.

Final Word
The eSoft InstaGate is an excellent choice for small and medium businesses that need to allow selective, secure outside access to private network resources. Users with continuous Internet presence (e.g., DSL, cable) will especially benefit from the protection afforded by this robust, full-featured security appliance.

No part of this report may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without permission in writing from the publishers.