What is our primary use case?
It's the Edge firewall for my business. I'm a small business IT consultancy and I'm subcontracted out to a larger organization. It's really just me working from home, which is a bit more permanent now, but we do have a couple of other side projects I work on with a couple of other partners. One of them is a financial trading solution, so we want Kerio to beef up the edge security to make sure that the solution itself was secured nicely because it meant building out a rack of a couple of rack-mounted servers and beefing up the solution.
Being an SMB, we do find that Kerio fits our needs. It fits nicely in that space because any time that I've been to an enterprise it's pretty much dominated by Cisco products. A product like this probably wouldn't get much air time to get in the door of a really big organization, whereas a small to medium-size enterprise where they're big enough to have some sort of IT presence, it would probably fit in nicely. With an enterprise that's my size that doesn't have an IT presence, then they'll probably use some sort of managed service solution.
We wanted to beef up the firewall and not just run off some sort of IoT style firewall that's built into a modem. It didn't seem to be adequate for our needs. So that's where we went into Kerio because at the time, we had some remote desktop services running and we were getting a lot of attempted cyber attacks coming out of China and a few other places. Kerio was one of the few that could actually geo-block, which was really quite handy.
How has it helped my organization?
Its primary job is to protect us and give us a degree of comfort. We're putting a lot of effort into creating a financial trading system. We want some comfort that it's secure behind the quality firewall and that's really what beckoned its purchase. The fact that we've not had any issue indicates that it must be doing that job reasonably well, and the fact that we don't get any of those attempted attacks from the block in China, because of geo-blocking, is probably the strongest feature for us. I wouldn't say it improves what we do because it doesn't affect what we do. It's really just security. It's a tool to improve our security profile for what we do.
We don't expose our remote desktop connected servers to the internet anymore. But when we did have that, because the security log is a really easy thing to set up, it would show you all the attempted, brute force attacks. That's now down to zero. We don't get any brute force attacks, but at the same time, we don't expose the Port 3389 out to the internet. We could achieve the same result with a domestic firewall in a domestic router. However, this gives us a degree of comfort that we can actually analyze any traffic that looks a bit suspicious, inbound, or outbound. That's a definite step change compared to what we'd have in an out-of-the-box type of router.
Security is there to slow things down and make things a bit tricky. That's its bottom line. If security is easy, it's probably being done wrong.
Certainly in the first few months of using it, it was quite time-consuming to get a configuration working that was reliable. Because I work from home, I originally had it protecting everything coming in and out of the home which didn't work well at all. It's protecting the home office and the server environment. Everything else just goes straight out of the domestic router out to the internet because we've got IPTV, with kids on devices. They don't need such a high level of protection. It would be nice to give them that because if you've got this perimeter that's protected by a really good quality product, you want to protect everything. But when we tried that, it seemed to struggle with the high volume of traffic that was being generated by the IP cameras, the IPTV service, and the myriad of devices and iPads that we have in the house. So we stopped using it for that purpose.
What is most valuable?
The top features are ones that we're not using yet but we soon will be because we've just had broadband upgraded in Australia. We've got something called the National Broadband Network, which is forced onto you, so you have to take it when it arrives. We'll be trying the high availability out soon. We tried that with some load balancing, it didn't quite work as we expected, but I think that was more of a configuration thing rather than a product thing.
The geo-blocking is essential because the partners we deal with are typically either in the US or Australia. We know where our traffic needs to come from and we don't post anything publicly that the general world needs to see. It's just a few discreet services that need to be hosted on this financial trading stuff.
The integration of Active Directory is very good as well. We don't use the VPN service. We use VNC. We get mixed results from the QoS, but that's another good feature. Really, dashboarding, track, and monitoring are the most important features for us as well.
We are about to test the high availability and failover protection because one of the issues we have is the device or the Hyper-V host seems to need a regular rebooting, which isn't an issue directly in itself, but it would be nice if it could do that on its own. We can't find a feature to do that. That's the complaint I'd have of that and the HA might solve that problem for us. So we'll give that a go.
Out-of-the-box, the overall comprehensiveness of the security features is pretty good. It's not just a firewall, it's kind of a firewall proxy, reverse proxy, everything out-of-the-box sort of solution. It's pretty comprehensive. I can't imagine wanting anything else, because for me as a consultant, it's not just about protecting the environment. It's also about having something that's commercial-grade because when you go in as a consultant, you need to be exposed to these tools and you need a lab environment to test these tools out. This is as close to a good commercial tool that you could possibly ask for.
In terms of the availability issue, I've considered that there are hardware options as well, which is nice. We're not sure if that will be an improvement over using Hyper-V, but that's to be decided.
What needs improvement?
The antivirus seemed to be a bit laggy on the connection so I disconnected that. It's definitely good. The only issue we've had with any sort of cyber attack seemed to be coming from a couple of distinct locations, people trying to get into known ports on remote desktops and stuff like that. The fact that we can block all that traffic is just great. It simplifies it.
The last time we used the antivirus, it seemed to slow down some of the connections. I didn't dig too deep into it, we just turned it off and it seemed to rectify the problems. It's hard to say whether it was that directly but it seemed to be creating a bit of overhead on the connections.
The reliability is its biggest downfall. I don't expect to be rebooting a product like this every couple of days. In fact, it's become a start of day thing just to reboot so it doesn't let me down in the middle of a team's call or something like that. It's quite slow as well. I could be on a team call and it would drop the connection. Then we'll get a warning that we've got poor call quality and as soon as you restart the device all the problems go away. There's clearly maybe some sort of memory leak problem or something in there that's affecting its reliability.
We've just had our national broadband network connection today, which is a high throughput connection. We will be reconnecting the entire household through the device, to see how it copes and we'll see if it improves anything.
For how long have I used the solution?
I have been using Kerio Control for two and a half years.
What do I think about the stability of the solution?
If I came across a client that was a small to medium enterprise, I'd probably recommend it, but a lot of them have a solution in place now anyway. It's hard to get those opportunities for new business in that regard, but I reckon it would probably scale quite well. I'm at 25 licenses, but that's only because we have so many devices in this house. It looks like it probably would scale. As I said, with that level of reliability, that probably would be an issue if you wanted to scale 100 to 200 licenses.
We did try the proxy feature, but once again, that failed miserably. It ran well for a few weeks and then it died on us, and it was really quite hard to diagnose what had gone wrong. We turned it off and went back to a previous configuration which was a bit disappointing. It comes back to that reliability, whatever it is that makes it conk out is clearly a problem.
How are customer service and technical support?
I used support once or twice when I hit the first license ceiling. I did log a support ticket in. They were fine. There were no complaints from that. They offer 24/7 support, via email. I don't think I actually phoned them up. It's pretty good. There are no real issues there.
Which solution did I use previously and why did I switch?
We tried a few different Windows-based products. That's how we found Kerio because it offered a Hyper-V solution and it also offered a hardware solution if you wanted. I'll try the software one first and see where we go. There were a couple of other products we used before. Originally, we used to use Microsoft, the ISA server back in the day because that got swallowed up by Fortinet and we didn't touch that.
There was another Windows product, WinGate. That has a really bad reliability problem. It would stay up but the connections were very slow going through that thing. Maybe it was poorly configured on my part, but it just seemed to be incredibly slow at managing the connections. We'd notice a very latent response from web pages and it never, even though it had a massive caching there for caching pages, it just seemed to never be as quick as bypassing the WinGate software. That wasn't virtualized. That was running on a native Windows server at the time so that was really quite poor in terms of performance.
How was the initial setup?
Given that it's a Linux deployment, the support it offered, like giving you a Hyper-V client out-of-the-box, is fantastic. It's a really clever idea because you're not then left with a painful configuration of spinning up some sort of Linux host and then trying to do an installation. The fact that it comes pre-packaged with Hyper-V images was a very smart and clever move because that made it a lot easier to get it going if you like. Getting that up and running was quick, it was just a configuration, and finding the right configuration was the hardest part.
The deployment was less than half an hour. It was very quick to get it up and running and get it operational. It was just fine-tuning that configuration to suit my environment that took the time, which I would expect of any device, no device is going to come out-of-the-box and just work like magic unless you've got a really simple environment. Whereas I've got a home environment, where it's just me as a small business, but I've got that many servers and hosts running.
Our strategy was to take it out-of-the-box and get it working.
The setup was pretty easy. The external remote control was really good and simple. It gave extra manageability on the road which was good. It was pretty straightforward.
In terms of maintenance, it's just me. In terms of my time, it doesn't take much time at all. I'll hardly make any changes to it. Now it's running fine. The only next thing I'll be doing is trying out the HOA.
What was our ROI?
With security, I don't think you can calculate ROI. It's not easy to call a return on investment with security products because anything security that's done properly is going to be a cost overhead. That's by its very nature. If security is quick or cheap it's probably wrong. I don't look at it as a return on investment, I see it as security. A bit like saying if I bought a new car and they said, "I can save you $500 if you say no to the airbags." For 99.9% of the time, you'd be saving $500, until one day it costs you lots of money and maybe your life. I see it the same way.
It's not an optional extra, it is an overhead that you have to pay if you want to secure an important asset. You've got to weigh up how important that asset is against how well you want to secure it, and that's where you say, "Well, it's going to cost you the price of a Kerio license, the price of a VNC license, sort of remote management. And that's what it costs to manage and secure properly those services." I'd say we've achieved that. It's hard to really put a return on investment with security.
What's my experience with pricing, setup cost, and licensing?
I think it is a bit on the pricey side, but it's okay. I've got 50 licenses which I think is $250 a year or something like that. It's not terrible. It's actually cheaper than what we pay for VNC. We probably could save money thereby utilizing the Kerio VPN and not VNC. For a firewall proxy solution, it's probably a bit on the higher side price-wise.
We have to provide our own Hyper-V host to spin it up or buy the Kerio hardware, but otherwise, there are no other costs.
What other advice do I have?
I'm experienced in networking, but I'm not a network engineer per se, I'm more software development. The fact that I was able to get it set up and going with minimal fuss was definitely a plus for the product. I've seen products before where you can get them running, you make the slightest configuration change, and the whole thing comes crashing down. It's quite a stable product in that respect and it does look after itself quite well. For example, risk proxying solution and buying a GoDaddy certificate to secure a couple of APIs was a piece of cake. It really didn't hurt us at all. I think the important lesson there is, if we had tried to do the same thing with a NETGEAR sort of a firewall with a built-in firewall product, I think we would have had a hard time. Kerio definitely has made it easier.
I'd say give it a look for sure. I'd totally recommend it.
I would rate Kerio Control a seven out of ten. If I didn't have to reboot it so often, then it would probably score a nine.
It's not a cheap product and it's not a particularly reliable product at the same time which tends not to be a good mix. Something like this should be able to cope with my entire household, every device I throw at it, and it should be able to cope with that fine. It clearly didn't two years ago. We'll try it again in about 24 hours and we have to hook up this high-speed connection to it and we'll see how well it performs there. Reliability is about the only qualm I have with the product.
Which deployment model are you using for this solution?
Which version of this solution are you currently using?