Celestix FV930 Server Appliance
Price: Hardware: $3,995. Software licenses: 25 users $3,000; 50 users $5,000; 100 users, $8000; 250 users, $10,000.
Specifications: CPU: One 1.2 GHz Pentium III processor; Memory: 256 MB RAM; Peripherals: 20 GB hard drive, five Fast Ethernet ports; Software: Check Point Software’s VPN-1/Firewall-1 virtual private network and firewall software, certified to 200 Mbps throughput
Pros: Small form factor; excellent control panel; easy Web-based administration
Cons: Have to contact Celestix for hardware/Linux support, and Check Point for VPN-1/Firewall-1 support
The term “appliance” came into vogue in the late 1990s, and like many technology labels, it’s been massively overused. But look beyond the hyperbole, and you’ll see Celestix’s FV390 firewall device. It’s a stellar example of what a computing appliance should be.
The FV390 is a 1U-high (1.75-inch) box that looks like a fancy Ethernet switch. (Indeed, the hardware is very attractive. Celestix paid close attention to the device’s industrial design.) Instead, the FV390 is a self-contained enterprise firewall and virtual private network (VPN) gateway that runs Check Point Software’s VPN-1/Firewall-1 NG firewall software and Red Hat Linux.
As a premises firewall and VPN gateway — that is, as protection placed between your company’s Internet connection and LAN switch — Check Point’s software is an outstanding solution. And while the device contains ports for a keyboard, a mouse, video and USB, the ports are largely unnecessary for normal operation. You can administer many Linux settings with a great front-panel interface, and configure the Checkpoint software using any browser.
Inside the box is a 1.2 MHz Pentium III processor, a 20 GB hard drive, and 256 MB RAM. Outside the box are the KVM ports (which you won’t use), five Fast Ethernet jacks, a two-line, 40-character LCD panel, and a great big knob. The front panel is like a giant car radio: just turn the knob to set IP addresses, reboot the server, and start or stop the firewall. Press the knob in to lock in the setting. Now, that’s an appliance.
As mentioned above, the FV930 has five Ethernet ports. In the most simple enterprise model, you’d dedicate one port to your WAN connection and one port to your LAN (for connecting to a switch or router), and use Firewall-1 to filter traffic using stateful inspection and other algorithms to detect malicious activity. The Web-based interface makes it very simple to establish policies to determine what traffic is allowed to traverse which FV930 ports.
The other Ethernet ports could be used for setting up a demilitarized zone (DMZ) for placing Web servers, FTP servers, or other devices that should be accessible by the public. If the servers in the DMZ are compromised by crackers, they’re still firewalled off from the rest of your enterprise.
As a VPN server, the Check Point software can authenticate IPSec-compliant clients to (essentially) waltz them through the firewall. The VPN server allows you to use the public Internet as a bridge between two secured networks, or between a secured network and a remote user working at home. How’s that done? Remote clients are authenicated with digital certificates, and communication is encrypted. The VPN-1 part of the software handles all of that for you as well.
The only catch to the whole Celestix and Check Point solution is that you have to deal with both Celestix and Check Point. Celestix sells you the FV930 appliance with the Check Point software installed for $3,995, but does not include the licenses to use the firewall and VPN applications. You’ll have to buy those separately from Check Point or from your reseller. Be sure to factor the licenses into your budget. (Celestix expects resellers to offer bundles.)
Bottom Line: A Must Have
The Celestix FV930 is a well-designed and well-constructed Linux server appliance that’s preloaded with Check Point Software’s VPN-1/Firewall-1 security software, an excellent enterprise-class security solution for medium and large businesses. Configuration and maintenance is a snap via any Web browser and the appliance’s clever car radio-like front panel.
To protect your network and provide VPN access, the FV390′s combination of hardware and software is hard to beat, and is fully recommended.
Alan Zeichick is principal analyst at Camden Associates. You can reach him at firstname.lastname@example.org.