Pros:
- Easy to use and configure
- Provides complex security for those who need it
- Rich feature set
- Complete gateway in a box

Cons:
- Needs some familiarity with IP
- Little or no configuration available for intrusion detection
- Relatively expensive

In these high-risk times, firewalling your network is a necessity rather than a luxury. And with a small or medium-sized business network, it makes sense to use a separate, dedicated appliance to minimise configuration time. The alternatives are either to run a software firewall on one of your servers, which can lead to high configuration requirements, or to hope that the firewall in your router is up to scratch.
The box itself is a standard D-Link design, with status lights on the front and three Ethernet ports to the rear -- LAN and WAN obviously, but also a DMZ (De-Militarised Zone) in which you can place your Web, mail or FTP servers. You would normally relax your Internet traffic filters for the DMZ, as they are applicable only to externally-accessible servers, not the whole network. This means uninvited traffic from the outside world never traverses your local network, making the LAN just that bit safer.
The DFL-700 provides complete firewall functions. Setup can be performed mostly using drop-down boxes (for instance, you select the IP service whose packets you want to either drop or allow), which makes setup easy and quick. You can create separate rules for any combination of the three ports in either direction. If you want to delve deeper, all service filters are configurable.
Should unauthorised traffic get as far as the LAN, an intrusion detection system allows you to log attacks, locate the source IP address, notify you by email and set up policies to restrict incoming traffic from specific IP address sources. Similarly, unwanted data can be prevented from entering the network based on IP address, content or both. You can set up your own black and white lists, providing content filtering if required. The system's default blacklist is set up to strip off all attachments that could open up vulnerabilities or carry viruses, worms or Trojans.
If you need to provide secure access to your network from outside the office, the DFL-700 allows you to set up a virtual private network (VPN), secured by the latest IPSec encryption technologies. Bandwidth management allows you to both limit and guarantee bandwidth for particular services such as Web browsing.
What D-Link has produced is more than just a firewall, though. It also supports network and port address translation (NAT and PAT), so you can hide and keep separate the IP addresses used on the LAN, as well as transparent mode, routing mode and SPI (stateful packet inspection). It allows you to authenticate users via certificates using a RADIUS server and a certificate authority, and encourages you to use encrypted HTTPS connections, especially for admin.
The box also includes a DHCP server that can allocate IP addresses to new network devices and a DNS server for translating IP addresses into friendlier hostnames, and vice versa. Its configurable routing tables also mean that it can become a gateway between the LAN and the public network. If you want a VPN connection to your network from elsewhere, or you have externally accessible servers, the DFL-700 can register with DynDNS services, which allow dynamically allocated public IP addresses to be located using DNS.
All events can be logged, and you can view reports of both events and CPU usage using graphically displayed statistics. The easily accessible help system is clearly written. Telephone support is available on an 0845 number between 9am and 6pm, and the product is covered by a two-year return-to-base warranty.
Most small and medium-sized businesses will find that the DFL-700 meets all but the most arcane requirements. And if your needs outstrip the DFL-700's capabilities, D-Link has said it will soon launch a DFL-1000 for more complex networks.