WatchGuard XCS770R Email Security Appliance Review

ENEX Testlab Reviews by Matthew Hackling & Matt Tett


In order to improve productivity and minimise risk, most organisations need a reliable method of protecting their employees from unwanted email (spam) and malicious software (malware). In addition, it is also necessary to protect the corporate network by restricting access to inappropriate content.
Web and email content management has evolved. It used to require administrators to install security software onto servers running general-purpose operating systems. The next step was a move to appliances with a pre-installed operating system and software.
Over the years ‘Cloud-based’ email content management services have emerged. The latest addition, and acronym, to the competitive landscape is that of data leakage prevention (DLP) which complements the technology by attempting to prevent the release of confidential data via email, webmail or social networking websites.
WatchGuard has excelled over the years in producing security appliances in their trademark red that brighten up drab data centres around the globe. These appliances are known to be no-nonsense, cost effective, straightforward to administer and supported by easy-to-renew subscription services. WatchGuard’s devices are desirable due to their sturdy build quality, consistency, and practical management functionality.
WatchGuard claims the XCS770R’s key features are as follows:
• Combines both email and Web security with DLP in one appliance.
• Next Generation reputation service enabling IP, domain and URL blocking which halts the majority of spam at the connection level, saving bandwidth.
• On-box logging and reporting systems.
• Suited to large businesses and Managed Security Services Providers, with the ability to support thousands of domains, fully customise reports and the user interface, and granular delegated domain administration.
• The DLP engine can be used to provide anti-slander/cyber-bullying controls.
A patented feature, and key differentiator, of the XCS is queue replication, which provides message-level redundancy. WatchGuard has also included its SecureMail email encryption, which is a great feature particularly considering its mobile capabilities (e.g. the BlackBerry reader app).
At its core, the XCS770R is a rack-mounted Intel quad-core Xeon based server with 4GB of RAM and two 500GB hard drives mirrored with RAID1. It runs a FreeBSD-based operating system that is not accessible to the end user, but is updated via the ‘secure connection’ feature of the appliance. It has four gigabit Ethernet ports, which can be used for the optional clustering features or for accessing an additional management interface. It can be configured via Web browser (the recommended method in the manual) or via a keyboard and monitor.
After installation, a feature set linked to the serial number of the appliance can be retrieved via an active internet connection or via ‘cut and paste’ from the WatchGuard website to enable the features of the appliance.
The most popular bundle we initially looked at included a 30-day trial of the McAfee antivirus engine and Brightmail’s email filtering tools (both optional add-ons providing alternatives or multi-layer security), in addition to the year of default Kaspersky antivirus and antispyware. We added a year of SurfControl-based Web content filtering, which proceeded smoothly and quickly.
Although the integrated anti-virus protection is turned on by default, and the appliance is offered as a single solution for both email and Web, scanning for malware and spyware is turned off by default. It appears that the appliance’s default configuration is intended to ease rapid integration and troubleshooting by enabling features one at a time, reducing the risk of unintended service interruption.
Basic configuration of the appliance is readily accomplished via the clean, easily navigable Web management interface, with a reboot only required following the change to networking interface related settings. Available settings for email and Web content management are easy to understand and operate.
We did note that the default setting is to block password-protected email attachments and malformed email with no email notification (not even to the administrator). This is something for conscientious admins to bear in mind when deploying.
Administration and management of the appliance is relatively swift and straightforward through a single point of administration. The on-box reporting provides an at-a-glance picture of the current status of the appliance and the Web/email activity of the organisation.
We did note some delays in enabling Web content management for objectionable content due to the initial download of the database from SurfControl, but after the initial download it blocked access to objectionable content as expected.
There is also a function to train the DLP engine by uploading sample documents for document fingerprinting, for example templates of confidential documents; this protects known confidential documents, or parts thereof, from being transmitted. The XCS can scan over 400 different attachment types, and this attachment control adds value to the content scanning. Transparent, policy-driven DLP, with multiple remediation actions that can be based on user, group or domain, is another key feature.
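As an added example (not WatchGuard’s code, and not described by the review beyond the feature itself), the shingle-hashing sketch below shows one way a DLP engine can be trained on a confidential template and then flag an outbound message that reproduces part of it; the memo, the messages and the thresholds are constructed for illustration.

```python
import hashlib
import re
from typing import List, Set

SHINGLE = 5       # words per overlapping n-gram (assumed tuning value)
MIN_MATCHES = 3   # matching n-grams needed before a message is blocked (assumed)

def _tokens(text: str) -> List[str]:
    # Normalise case and punctuation so minor edits do not defeat the match
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text: str, shingle: int = SHINGLE) -> Set[str]:
    """Hash every overlapping run of `shingle` words; the set is the document's fingerprint."""
    toks = _tokens(text)
    grams = (" ".join(toks[i:i + shingle]) for i in range(len(toks) - shingle + 1))
    return {hashlib.sha256(g.encode()).hexdigest()[:16] for g in grams}

def matching_shingles(message: str, known: Set[str]) -> int:
    """Number of the message's word n-grams that also occur in a registered document."""
    return len(fingerprint(message) & known)

def dlp_action(message: str, known: Set[str], min_matches: int = MIN_MATCHES) -> str:
    """Policy decision for an outbound message: block it if it reproduces part of a registered document."""
    return "block" if matching_shingles(message, known) >= min_matches else "allow"

# Constructed sample: a confidential template an administrator would upload to train the engine
CONFIDENTIAL_TEMPLATE = (
    "Project Falcon acquisition memo. This document is confidential and intended "
    "only for the board. The proposed purchase price is subject to approval by the "
    "finance committee before any announcement."
)
REGISTERED = fingerprint(CONFIDENTIAL_TEMPLATE)

# Constructed outbound messages: one quotes a sentence of the memo, one is unrelated
LEAK = ("FYI, the proposed purchase price is subject to approval by the finance "
        "committee before any announcement, so keep quiet.")
BENIGN = "Hi team, lunch is at noon tomorrow; please confirm attendance by Friday."

if __name__ == "__main__":
    for m in (LEAK, BENIGN):
        print(dlp_action(m, REGISTERED), matching_shingles(m, REGISTERED))
```

Only hashes of the template are kept, so the registered fingerprint does not itself expose the confidential text; a message shorter than one shingle yields no n-grams and is allowed.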
Staying with DLP, it is worth noting that these policies can be based on user, group, or domain. WatchGuard has also developed a unique ability to combine IP and domain reputation for more accurate scoring and connection-level management.
This core email content management functionality is enhanced by DLP features that restrict the egress of confidential email attachments and of sensitive message contents, such as credit cardholder information.
The ability to add basic Web content management provides the facility to restrict personnel from accessing objectionable websites, or from posting objectionable comments on social networking sites. There may be the option to wring additional DLP-type functionality from the appliance to provide Web content management by keyword; however, this appliance does not appear to provide the ability to easily restrict the egress of confidential information via Twitter or IM.
In conclusion, the question in our minds was: has WatchGuard produced a useful appliance, or has it just powder-coated a rack-mount server red? The answer is that WatchGuard has produced a well-integrated product that’s suited to its core intended function of email content management for larger enterprises and service providers.
The XCS770R would be an excellent no-fuss solution for email content management for a large business or an ISP due to its easy configuration, scalability and enterprise-class feature set.
