D-Link’s DFL-2500 offers more network control than we expected, and does it at a good price for its class.
Strangely, the unit ships with all its ports configured to different network segments. This might be handy, but most users will probably reconfigure them immediately. By default, only one port can connect to the management interface, and while this can be changed, finding the setting took a bit of trial and error.
We were surprised that the HTTP connection to the management GUI makes no effort at all to secure the admin password – the login is passed in completely plain text over the wire. The unit does offer HTTPS connections, but the manual made no mention of this.
A pop-up wizard walks you through basic set-up. A nice touch is an automatic roll-back to the previous configuration if you fail to manually confirm that the interface is still accessible after any major configuration change.
To get the firewall working in a real environment, you need to spend time setting up definitions – networks, services, authentication groups and so on. These are all abstracted before being expressed in rules, so rules cannot be set up without a definition. This gets tiresome, but only because we are used to other products letting us skimp on what is, after all, much better practice. And the various pages all link together, making the process easy to use.
Apart from using syslog, we could find no way to log and report on the device’s activities, which is astonishing. As with the role definitions, best practice suggests that managing logs elsewhere is a better idea, but this is an omission that may raise some eyebrows.
The unit can remotely manage other boxes via its Zone Defense feature – to create enterprise-wide blacklists in the event of an IDS trigger, for example.
As well as its filtering capabilities, this is actually a surprisingly flexible router too, with more traffic routing features than we would expect. This will be useful in some environments, although we would normally expect the box to be behind a real router anyway, so it might be redundant.
And the routing features do make the process of setting up some rules more complicated than it needs to be.
The system provides IDS and you can create custom rules, but not your own signatures.
This well-priced unit has plenty of features and is very flexible. The interface has rough edges and you need a bit of network know-how to really use it to its full potential, but in the right hands this would be a very good solution indeed.