Check Point's VPN-1 Edge W security device picks up wireless support

Check Point's new VPN-1 Edge W touts wireless access support, better performance and a new print server, a combination that makes it a solid addition to the company's line of small security gateways. In this exclusive Clear Choice test, we focused on the features most attractive to enterprise network managers: wireless, VPN, QoS, high availability and management.

The Edge W - anchored with a scaled-down version of NG Version 5, Check Point's enterprise-class firewall - ships with six Ethernet ports, two wireless antennas and a serial port that can be used for console access or dial backup. One Ethernet port is dedicated for Internet outbound access, with the others assigned to other functions. The Edge W can support up to seven security and IP routing zones, or as many as 10 zones if you use 802.1q  virtual LAN tagging.

The most obvious addition to the Edge W is wireless support in the form of an embedded 802.11b/g access point with optional "Super G" mode (a derivative of the 54M bit/sec 802.11g standard that bonds channels together for higher throughput). Although the Edge W has solid security applied to the wireless network, with 802.1X, Wi-Fi Protected Access Personal (pre-shared key authentication) and WPA Enterprise (802.1X authentication) included, Check Point didn't go all-out on the wireless feature set. For example, the wireless connection cannot be used as an Internet up-link, and only a single Service Set Identifier and security zone is supported for wireless users. Advanced Encryption Standard encryption is not there yet.

While the Edge W's wireless security capabilities aren't impressive, what is included in the box works fine. We tested WPA Personal and WPA Enterprise features and had no problems connecting with Windows and Mac clients, or with our Funk Odyssey RADIUS server for 802.1X authentication (see How we did it at www.networkworld.com, DocFinder: 7322 ).

For basic configurations, a Web browser is sufficient to take the Edge W from "out of the box" to running the firewall within a few minutes. It's easy to jump into advanced configuration and define rules that control traffic flow, network address translation and QoS shaping in a simple and unified way. The Edge W also has a command line interface via the console port or a network connection.

For large deployments, Check Point offers SmartCenter, a centralized management system that can control and push unified firewall policy down to multiple Edge W devices. We connected to Check Point's Service Center to receive firmware, content filtering and virus signature updates. SmartCenter provides the ability to manage the configuration of hundreds or thousands of Edge devices using current management tools.

QoS has become a hot topic with the rise of VoIP, and while the buzzword is used to describe the Edge W, it doesn't have all the technology in place yet. Check Point's QoS capabilities include packet tagging and bandwidth management. While it was easy to set aside bandwidth for the IP addresses occupied by our Session Initiation Protocol (SIP )-based IP telephones, the test results showed that the Edge W doesn't have a very sophisticated technology for QoS management. To that end, the tests in which we attempted to share a DSL line with both SIP-based VoIP traffic and a heavy download of Microsoft service packs were not very successful. In the upstream direction, the Edge W was able to guarantee a solid 64K bit/sec of bandwidth for our voice call, with excellent quality. Without any real management in the downstream direction, the received voice quality was poor, with numerous dropouts as VoIP packets arrived late or with too much jitter.