D-Link SMB Firewall

D-Link claims its NetDefend security appliances are unique: along with a complete UTM solution they offer the Zone Defence feature, which allows them to send commands to xStack switches to stop infections from spreading across the network.

The DFL-860 is the top dog of D-Link's UTM appliances and brings together an SPI firewall, IPsec VPNs, IPS, antivirus and content filtering, plus WAN failover.

The DFL-860 targets businesses of up to 150 users and offers a pair of WAN ports that support failover, a DMZ port and seven LAN ports. Installation gets off to a good start, since the web interface offers a quick setup wizard to get basic internet access available to the LAN.

From here, though, things become more complex. For example, the appliance supports a transparent mode but the document showing you how to do this is three pages long; for most other solutions at this price point you can achieve this by ticking a single box.

Network objects are created first since these define all your network elements, such as IP addresses, ranges and subnets to services, schedules, VPNs and ALGs (application layer gateways). Usefully, the appliance provides an address book for collecting details of interfaces, networks and subnets for easy access.

Rules contain service and schedule objects that are assigned to source and destination interfaces and networks, and describe an action such as allow, deny or apply NAT. Rule management is aided by folders, so you can organise rulesets based on the sources and destinations for which they're applied. Rules are maintained in lists and are applied in strict priority from the top.

Web-content filtering is difficult to set up as you create an HTTP ALG object with up to 31 categories selected within it to be blocked. You then need to create a service object for HTTP, assign the ALG object to it and apply this to the required network interface objects using a new HTTP NAT rule, which must be moved up in priority in the list.