Launched in June last year, NetD’s SG-8 rack-mountable Unified Services Gateway is designed primarily to service large branch offices as well as small to medium-sized enterprises with between 500 and 1,000 users.
The SG-8 is priced at £9,995 + VAT for the basic system, but its hardware architecture and its software differ significantly from those of the current breed of unified threat management devices.
The SG-8 has a three-plane architecture with data, control and management planes, which makes it possible to start and stop individual software modules, such as the intrusion prevention system (IPS). NetD says services can be added to the system while it is operating, and that service failures can be insulated from other operations.
Initially we ran version 1.0 firmware, and there was no help facility available. Unfortunately, even after upgrading the SG-8 to version 2.0.21.0 from an FTP site, there was still no help offered. The absence of a preconfigured firewall means that some expertise is needed to set policies to ensure protection.
The hardware of the SG-8 includes 10 module slots (two for switch fabric, two for the Services Engine and six for line cards), and the system we reviewed had eight Gigabit Ethernet ports for LAN use and four T1/E1 wide area network (WAN) ports. The dedicated Services Engine uses a 2GHz AMD Opteron processor, has 512MB of memory, expandable to 2GB, and also has two Gigabit Ethernet ports. For extra redundancy two more line cards can be used for installing another Services Engine.
Unlike other hardware systems, which usually route packets through firewalls and then apply security checks, the SG-8 supports what NetD calls OnePass packet processing, whereby the packet undergoes any decryption first and is held in memory while it is checked sequentially by the various modules active in the SG-8’s current software architecture. This avoids latency incurred through continually taking packets apart and reassembling them for further processing.
We could manage the SG-8 either remotely through a browser-based graphical interface or locally through a console port accessible through a combo serial-USB cable.
Users can set up the SG-8 via the browser or use the IOS-like command line interface. This is where the SG-8 has big advantages, since multiple best-of-breed devices managed remotely would each have their own management interface.
The SG-8 is shipping with software modules for routing, firewall, virtual private network (VPN), quality of service (QoS), Network Address Translation (NAT) and Layer 2/Layer 3 switching. Currently the only sensor certified for use with the SG-8 is Snort, once the open-source standard for IPS but now controlled by Check Point.
The SG-8 is capable of supporting up to 5,000 site-to-site IPSec VPN tunnels and can use 56-bit DES, 168-bit triple-DES or 256-bit AES encryption. NetD said Secure Sockets Layer (SSL) VPN and antivirus service modules will be available at a later date, and in future, firms will also be able to order pre-configured systems.






