Billion BiGuard S20

Billion's BiGuard S20 can handle up to 20 SSL VPN tunnels while also offering dual WAN connections and supporting 30 IPsec VPNs. We're also looking at Billion's optional two-factor authentication solution, which uses tokens to generate one-time passwords (OTPs).

The appliance incorporates a stateful packet inspection (SPI) firewall and routing, allowing it to front a local network and manage its internet connection. However, as most businesses will already have a firewall, the appliance can be placed in a DMZ. The S20 provides eight switched fast Ethernet ports and a single Gigabit port for high-speed uplinks. You get a pair of Fast Ethernet WAN ports that can be configured for failover or teamed together for load balancing.

Initial installation is simple enough as the tidy web interface offers a quick-start option for configuring both WAN ports, where you can choose from point-to-point protocol (PPP) over Ethernet plus static or dynamic IP addresses. Patience is required at the first attempt to create SSL VPNs, as the process is somewhat convoluted, but once we'd done this a couple of times we quickly got the hang of it.

Groups are used to collect different types of LAN resources and make them available to users. You have plenty of choices for authentication using the box's local user database, but it also supports Active Directory, LDAP, NT domain and Radius servers. Each authentication method is defined as a different domain and groups keep users organised into the appropriate domain.

As remote users log in to the customisable portal page they are presented with the resources they are authenticated for. Three main resource types are provided, with the Network Extender loading an ActiveX plug-in to create an encrypted tunnel to all IP-based resources on the LAN. The plug-in creates a virtual PPP network adapter that takes its IP address from a pool on the appliance. If you do not want to grant such high-level access, you can define specific protocols and ports.

To provide access to specific resources you use application proxies created within each group. Applications range from RDP, VNC and FTP to HTTPS, CIFS and Citrix, and each entry requires the IP address or domain name of the local system providing the service. During user creation you decide whether each one can access the network place and any Extender services, while their group membership determines the proxies they can use. With the latter, you can even decide which proxies within the group they can access, making the Billion method highly flexible.

For testing we used Windows Server 2003 and Storage Server 2003 systems on the LAN to provide web, FTP and web mail services and placed some XP clients on the WAN side. We were able to advertise all these services as proxies to our remote clients and added remote management over RDP. Using the network places, they could browse the LAN and we granted some full access using the Network Extender.

The OTP component employs Authenex's ASAS server to provide Radius services to the appliance. Make sure you heed the manual's advice and use a completely fresh donor system as we encountered installation problems on Server 2003 systems that had been used for other tests. Initial setup is fairly simple, but integration is far from seamless as each user declared to the ASAS server must also be defined manually on the box to be able to decide what resources each one is allowed to use. That aside, we found the OTP feature worked well, making for a reasonably priced two-factor authentication system.

The firewall is quite versatile. Policies are used to add custom packet-filtering rules and MAC address filters plus virtual servers. Policies also bring quality-of-service features into play, where you define a flow direction, pick a service and apply guaranteed, maximum and minimum bandwidth in Kbps.

The BiGuard S20 offers an impressive range of features at a very competitive price. At this level of the market, Billion has little competition.