August 6, 2003

A hot box: HotBrick Firewall VPN 1200/2

- by Russell Pavlicek -
The HotBrick Firewall VPN 1200/2 is a small but interesting Linux-powered firewall device with a dozen 10Base-T/100Base-TX LAN ports and
two WAN ports. With
a $699 list price, it can fit the budget of even modest organizations.

I am used to seeing Linux-based firewalls deployed on standard PCs, so I
was expecting what would amount to a PC
loaded into a special form factor. Instead, I received a small device
which weighed maybe 6 pounds, about the size of a carton of
cigarettes, only about 50% longer.

The unit, which is rack-mountable, is equipped with a 150MHz Brecis MSP2000 processor, 32MB of
RAM and 8MB of flash memory. It consumes just 5 watts of electricity, has
no obvious moving parts, and is as quiet as a stone.

The unit's capabilities are impressive. It provides support for
up to 20 VPN tunnels and a maximum of 5,000 concurrent connections. It
supports IPSec, PPTP, and L2TP with multiple encryption and authentication
schemes. It features a stateful packet filter, denial-of-service
protection, traffic control, and an intrusion detection system. Thanks to
its two WAN interfaces, it also has DMZ support -- a feature that is
missing from many firewall devices. For organizations seeking to
block certain Web sites, it has some access control capabilities, by URL and by
keyword. Not bad for something that looks like a cigarette carton on
steroids.

A less pleasant surprise was the lack of paper in the box. I found a couple of brochures, a
piece of paper with quickstart information, and another piece of paper
containing registration instructions and the URL for the manual in PDF
format, but no printed manual or other documentation.

The PDF manual proved to be more than adequate. It starts out with the
appropriate notion that the typical installer of this box is not a network
guru. Indeed, this device is most likely to be employed by small
offices that lack the technical talent to construct and manage a
firewall. The manual takes the user through configuration and
management on a screen-by-screen basis.

In fact, the first few pages tell the user which network cables to plug
in to connect a Windows 2000 PC (probably a good selection for a typical
desktop for a small office) to the HotBrick. It then goes through a
screen-by-screen description of how to configure Windows 2000 to use a
DHCP client. Of course, experienced Linux users can simply skip a few
pages and start up a DHCP client service on a Linux PC.

Once the client PC is connected to the HotBrick and the PC has received
its network address via DHCP, it is a simple matter to point a browser to
the HotBrick (using https, of course) and access the Web-based management
interface. Entering the appropriate username and password brings you to a
simple point-and-click interface for basic configuration of the HotBrick, setup of VPNs,
and more. The response time of the browser-based menus, though adequate for the task, is not
overly swift. They feel like pages served up by a first-generation
Pentium Web server.

I entered the Setup Wizard to configure the HotBrick. The first screen
has a simple set of choices: NAT only, NAT with DHCP client, and NAT
with PPPoE client. Remembering that this box is likely to be installed by
a novice user, I was a bit surprised to find little explanation of what each of these modes meant. I looked in the manual and found this explanation of NAT with DHCP client:

This mode is similar to the NAT with PPPoE Client network configuration
except that instead of using PPPoE, the Firewall VPN obtains its gateway,
external IP and netmask from a DHCP server. This is not to be confused
with using DHCP in your own LAN, but rather DHCP for configuring your
external real IP of the Firewall VPN. Like the PPP and PPPoE
configurations, there is no DMZ.

There is no explanation of technical terms
like NAT, PPPoE, or DMZ, which are likely to be incomprehensible to someone
installing this device in a small office. Why would a manual that goes
out of its way to show a novice user how to start a DHCP client under
Windows 2000 forget to define key terms for configuration?

The answer might be that the vendor wants you to consider having HotBrick manage the
firewall remotely. Remote management not only
solves a customer's problem of needing to comprehend the concepts
of NAT, PPPoE, and DMZs, it also provides key services such as
periodic reports and automatic software updates. And of course it creates a
revenue stream for a company that might not survive merely by selling
$699 devices. If you purchase the company's service at $39.95 per month, they'll take care of
the software configuration for you.

For a customer who wants to plug in a box, connect a couple of cables, and
leave the management up to someone else, HotBrick seems quite reasonable. Otherwise, it is helpful to have access (by phone, if nothing else) to an experienced network
administrator.

If you manage the device yourself, you need to remember to
periodically update the system image -- a simple process done from the System Services menu. Given that this device has no disk drive and is not based on the x86
architecture, it may be a bit harder to crack than a typical Linux
PC, but given enough time, even the best firewall is likely to be
subjected to exploits.

Overall impressions

The administration interface for the unit seems quite well designed.
There are some simple graphical displays that help you visualize basic network
topography. Most aspects of configuration are a combination of
point-and-click and fill-in-the-blank.

Log files can be reviewed through a simple interface. Color coding
visually highlights warning and error messages. The interface also
provides a useful search utility to isolate particular types of messages. You can even tailor which logs should be emailed to you at a customizable interval.

On the whole, the unit appears to be well-designed, both physically and
logically. It could be especially useful for small offices that want to
outsource the management of the device to HotBrick.

Russell Pavlicek is a consultant and author dealing
with Linux in business. He is a panelist on The Linux
Show weekly webcast, and is a contributor to a number
of Linux Web sites. He formerly wrote the Open Source
column for InfoWorld magazine.
