The TZ100W uses two levels of anti-virus protection: client-based and gateway. The Client Anti-Virus feature enforces the use of Anti-Virus software on all computers in each selected zone. Computers that don't have the required Anti-Virus software will receive the message in Figure 9 when they try to use the Web. Clicking on the Install VirusScan link will direct users to install McAfee Anti-Virus software. My test TZ100W came with five licenses for the Client Anti-Virus feature.
Figure 9: Client AV message
The Gateway Anti-Virus (GAV), Intrusion Prevention (IPS), and Anti-Spyware features provide centralized filtering of viruses, malware, and other undesirable programs and files that can infect a network via email, downloads or web surfing. As with the Anti-Spam feature, the value in centralized filtering is improved LAN and PC performance.
All three of these features are individually enabled by zone with multiple configuration options in their own submenus. These features all communicate with the SonicWall security network to keep a current database of security threats and signatures.
The GAV feature works by inspecting files as they enter the network and comparing them to a dynamically updated database of virus signatures. SonicWall’s documentation states this database, as well as the database for the Anti-Spyware feature, is maintained by their own “SonicAlert Team,” third-party virus analysts, open source developers and other sources. The TZ100W does the work for you and automatically checks for signature updates every hour. There is also an Update button allowing an administrator to manually trigger a database update.
SonicWall employs a four-layer approach with its GAV service. Both incoming and outgoing emails are scanned for known virus signatures. Infected incoming emails are blocked, and infected outgoing emails are deleted. The GAV feature also filters HTTP downloads for known virus signatures and discards infected files. Last, since the GAV filtering is performed at the router level, emails destined for an internal email server are also filtered.
A simple test for checking network Anti-Virus protection is available at eicar.org. This site has safe test files available for download that should trigger Anti-Virus protection, but are not viruses. I tried downloading one of the files from eicar.org with GAV enabled and received the alert shown in Figure 10, verifying the TZ100W had done its job.
Figure 10: Gateway AV alert
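The EICAR check described above can be scripted so it is repeatable after every signature update or firmware change. The following is an added example, not code from the review or from SonicWall: it builds the 68-byte EICAR test file from the string published at eicar.org, does the same exact-substring signature match a scanner would make on it, and classifies what a client behind the gateway received (the intact file means GAV passed it; a connection error or a different body such as the gateway's alert page means it was blocked). The test URL in the `__main__` block is a placeholder you point at a copy of the file hosted outside the LAN.

```python
"""Gateway Anti-Virus check with the EICAR test file (added example)."""
import hashlib
import sys
import urllib.request
from typing import Optional

# The EICAR test string published at eicar.org: 68 bytes, harmless, and recognised
# by anti-virus engines as a test signature. Raw literal: the backslash after "4"
# is part of the string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    """Return the test file content (68 bytes)."""
    return EICAR


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of data; compare it with the hash published on eicar.org."""
    return hashlib.sha256(data).hexdigest()


def write_eicar(path: str) -> int:
    """Write the test file to path, e.g. for hosting it on a web server outside the LAN."""
    with open(path, "wb") as fh:
        return fh.write(EICAR)


def contains_eicar(data: bytes) -> bool:
    """Minimal signature match, the same decision a signature scanner makes for this file.
    Exact substring only; a real engine also looks inside wrappers such as zip archives."""
    return EICAR in data


def classify_download(body: Optional[bytes]) -> str:
    """Interpret what the client received when fetching the test file through the gateway.

    'passed'  - the intact test string reached the client: the gateway did not block it
    'blocked' - the connection failed (None) or the body is something else, e.g. the
                gateway's alert page served in place of the file
    """
    if body is not None and contains_eicar(body):
        return "passed"
    return "blocked"


def fetch(url: str, timeout: float = 10.0) -> Optional[bytes]:
    """Fetch url from a client behind the gateway; None on any connection or HTTP error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except OSError:  # urllib.error.URLError and HTTPError are OSError subclasses
        return None


if __name__ == "__main__":
    # Usage: python eicar_check.py http://<your-test-host>/eicar.com   (placeholder URL)
    print("local test file sha256:", sha256_hex(eicar_bytes()))
    if len(sys.argv) > 1:
        verdict = classify_download(fetch(sys.argv[1]))
        print(f"gateway AV verdict for {sys.argv[1]}: {verdict}")
```

Run it once with GAV disabled (expect `passed`) and once with GAV enabled (expect `blocked`); a `blocked` result with GAV off points at a client-side scanner or the hosting server, not the gateway.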
My test TZ100W's IPS feature listed 48 different categories of attacks that it inspects in traffic flows. The key to the IPS security feature is that it inspects packets at the application layer instead of just at the IP or Protocol layer where most firewall activity occurs. Further, SonicWall's IPS feature monitors network activity, looking for anomalies indicative of a network attack.
To run a basic test, I launched a port scan from another network at the WAN port of the TZ100W to see how it would be handled by the router. Figure 11 shows the log messages generated within the TZ100W, showing the TZ100W successfully detected the external port scan activity.
Figure 11: IPS log messages
There are three levels of IPS settings on the TZ100W; I had my test device set to detect High, Medium and Low Priority attacks for test purposes. Flagging Low Priority attacks is probably overkill, as the TZ100W flagged outgoing update activity from a SonicWall CDP device with a Low Priority alert, erroneously identifying the activity as a possible IPS threat.
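To make the port-scan detection and the priority tiers concrete, here is an added example (not code from the review, and not how SonicWall's IPS is implemented): a sliding-window detector run over constructed connection-log lines. It counts the distinct destination ports one source touches within a short window and assigns High, Medium or Low priority from assumed thresholds, which is also where the tuning lever for the false positive described above lives. The log format, the addresses and the thresholds are all invented for the example.

```python
"""Port-scan detection over connection log lines (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not TZ100W output: one line per connection attempt on the WAN side.
# 203.0.113.7 touches twelve ports in a few seconds; 198.51.100.5 is an ordinary web client.
SAMPLE_LOG = """\
2010-04-12 10:00:00 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=21 action=drop
2010-04-12 10:00:00 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=22 action=drop
2010-04-12 10:00:01 src=198.51.100.5 dst=198.51.100.2 proto=tcp dport=80 action=allow
2010-04-12 10:00:01 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=23 action=drop
2010-04-12 10:00:01 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=25 action=drop
2010-04-12 10:00:02 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=53 action=drop
2010-04-12 10:00:02 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=80 action=allow
2010-04-12 10:00:03 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=110 action=drop
2010-04-12 10:00:03 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=135 action=drop
2010-04-12 10:00:04 src=198.51.100.5 dst=198.51.100.2 proto=tcp dport=443 action=allow
2010-04-12 10:00:04 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=139 action=drop
2010-04-12 10:00:05 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=443 action=allow
2010-04-12 10:00:05 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=445 action=drop
2010-04-12 10:00:06 src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=3389 action=drop
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Assumed thresholds (not SonicWall's): distinct destination ports one source touches
# inside WINDOW. Low is deliberately loose; raising it is how you trade noise for coverage.
WINDOW = timedelta(seconds=10)
PRIORITY = [(30, "High"), (15, "Medium"), (8, "Low")]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


def priority_for(distinct_ports):
    """Map a distinct-port count to a priority name, or None below the lowest threshold."""
    for threshold, name in PRIORITY:
        if distinct_ports >= threshold:
            return name
    return None


def detect_port_scans(lines):
    """Sliding-window detector: for each source, count distinct destination ports within
    WINDOW and keep the peak count with its priority. Returns alerts, highest count first."""
    events = [ev for ev in map(parse_line, lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport) inside the window
    alerts = {}                   # src -> best alert seen so far
    for ev in events:
        window = recent[ev["src"]]
        window.append((ev["ts"], ev["dport"]))
        while ev["ts"] - window[0][0] > WINDOW:   # drop entries older than the window
            window.popleft()
        count = len({port for _, port in window})
        prio = priority_for(count)
        if prio and count > alerts.get(ev["src"], {}).get("ports", 0):
            alerts[ev["src"]] = {"src": ev["src"], "dst": ev["dst"], "ports": count,
                                 "priority": prio, "last_seen": ev["ts"]}
    return sorted(alerts.values(), key=lambda a: -a["ports"])


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"{a['priority']:6} port scan from {a['src']} -> {a['dst']}: "
              f"{a['ports']} ports, last seen {a['last_seen']}")
```

On the sample data the scanner is reported once at Low priority while the web client, which only ever touches ports 80 and 443, never crosses a threshold; a slow scan that spreads its probes over more than the window is missed, which is the usual trade-off for a time-windowed detector.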
The TZ100W Anti-Spyware works by monitoring ActiveX components in browsers, scanning emails and network traffic for recognized spyware signatures, blocking outgoing spyware traffic from leaving the network, and enabling administrators to control network-based program installation. As with the GAV feature, the key is the constantly updated database of signatures identifying known malware.
The TZ100W firewall rules are created in a nice matrix style display. Rules are defined based on source and destination zones, source and destination objects, and various pre-defined or custom services. By default, the firewall allows all traffic from the LAN to the WAN and blocks all traffic from the WAN to LAN. Further, Quality of Service (QoS) controls can be applied in firewall rules to each service as it flows from one zone to another.
Port Forwarding, or opening a port in the firewall and directing a traffic flow to a specific service inside the network, isn't in the firewall menu on the TZ100W, but in the Network menu under NAT Policies. For example, I created a custom service called “iperf” for TCP traffic on port 5001. Then I set up the following NAT Policy to forward WAN-LAN iperf traffic flows to my laptop, as shown in Figure 12.
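The zone-pair rule matrix and the NAT policy above fit together in a way that is easy to get wrong, so here is an added example (not code from the review, and not SonicWall's rule engine) that models it: first-match access rules keyed on source zone, destination zone and service, a NAT policy that rewrites the destination for the custom `iperf` service (TCP 5001), and an audit helper that lists what a WAN client can actually reach. The addresses are constructed from documentation ranges, and the model assumes NAT is applied before the access rules and that the forwarded service needs its own WAN-to-LAN allow rule in addition to the NAT policy.

```python
"""Zone-based access rules with a NAT (port-forward) policy (added example)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    port: int


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


@dataclass(frozen=True)
class NatPolicy:
    """Forward flows for one service arriving at original_dst on to translated_dst."""
    src_zone: str
    dst_zone: str
    service: Service
    original_dst: str
    translated_dst: str


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: Optional[Service]   # None matches any service
    action: str                  # "allow" or "deny"


IPERF = Service("iperf", "tcp", 5001)   # the custom service from the review
SSH = Service("ssh", "tcp", 22)         # used only to show what stays closed

# Constructed addresses (documentation ranges): the router's WAN address and the laptop.
WAN_IP, LAPTOP_IP = "198.51.100.2", "192.168.1.50"

NAT_POLICIES = [NatPolicy("WAN", "LAN", IPERF, WAN_IP, LAPTOP_IP)]

RULES = [
    Rule("LAN", "WAN", None, "allow"),    # default: LAN may reach WAN on any service
    Rule("WAN", "LAN", IPERF, "allow"),   # assumed: explicit allow for the forwarded service
    Rule("WAN", "LAN", None, "deny"),     # default: everything else from WAN is blocked
]


def service_matches(svc: Optional[Service], pkt: Packet) -> bool:
    return svc is None or (svc.proto == pkt.proto and svc.port == pkt.dport)


def apply_nat(policies: List[NatPolicy], pkt: Packet) -> Packet:
    """Rewrite the destination when a policy matches zone pair, address and service."""
    for pol in policies:
        if ((pol.src_zone, pol.dst_zone) == (pkt.src_zone, pkt.dst_zone)
                and pol.original_dst == pkt.dst_ip and service_matches(pol.service, pkt)):
            return replace(pkt, dst_ip=pol.translated_dst)
    return pkt


def evaluate(rules: List[Rule], policies: List[NatPolicy], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation. Model assumption: NAT runs before the access rules, so the
    rules see the translated destination. No matching rule means deny."""
    pkt = apply_nat(policies, pkt)
    for rule in rules:
        if ((rule.src_zone, rule.dst_zone) == (pkt.src_zone, pkt.dst_zone)
                and service_matches(rule.service, pkt)):
            return rule.action, pkt.dst_ip
    return "deny", pkt.dst_ip


def exposed_services(rules, policies, wan_ip):
    """Audit helper: every (service, inside host) a WAN client can actually reach.
    Checks each forwarding policy against the rule set instead of trusting the policy alone."""
    reachable = []
    for pol in policies:
        if pol.src_zone != "WAN":
            continue
        probe = Packet("WAN", "LAN", "203.0.113.9", wan_ip, pol.service.proto, pol.service.port)
        action, host = evaluate(rules, policies, probe)
        if action == "allow":
            reachable.append((pol.service.name, host))
    return reachable


if __name__ == "__main__":
    for pkt in (Packet("WAN", "LAN", "203.0.113.9", WAN_IP, "tcp", IPERF.port),
                Packet("WAN", "LAN", "203.0.113.9", WAN_IP, "tcp", SSH.port),
                Packet("LAN", "WAN", LAPTOP_IP, "203.0.113.9", "tcp", 443)):
        print(pkt.src_zone, "->", pkt.dst_zone, pkt.proto, pkt.dport, evaluate(RULES, NAT_POLICIES, pkt))
    print("reachable from WAN:", exposed_services(RULES, NAT_POLICIES, WAN_IP))
```

The audit helper is the part worth keeping: with the explicit allow rule removed, the NAT policy is still present but `exposed_services` reports nothing reachable, which is the same thing you see on the device when a forward "doesn't work" because only one half of the pair was configured.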