Against
Simplistic configuration - no room for tweaking.

Verdict
With different offerings in the NetPilot family offering different maximum capacities (but the same software base), NetPilot is flexible enough to fit into any size organization, providing all the Internet connectivity and services you are likely to require.

Internet connectivity is seen as an essential element of the corporate computing infrastructure these days. Even the smallest of companies would be lost without email or the ability to surf the Internet.

However, connecting to the Internet is still more complex than it needs to be. Life has been made that much simpler in certain areas recently by the introduction of the network appliance - a hardware and software combination dedicated to a single task, such as web or mail serving.

Equiinet, a UK company, has taken things one step further by integrating all the functionality required by the average company when connecting to the Internet and combining it with a dedicated, custom-built hardware platform.

Currently based on a NetPC platform running a heavily modified Linux installation, the NetPilot is designed to be operated without a keyboard or monitor.

One of the nicest aspects of the NetPilot is that it actually includes every piece of hardware and software you will need to service a small to medium-sized office in terms of Internet connectivity and networking. Amazingly, for the price, it includes Internet routing and shared connectivity, firewall, web caching, web server, ftp server, email server, access control and URL filtering, DHCP server, Windows file and print server, DNS server, and management reporting.

In terms of connectivity, the basic machine typically comes with a 10base-T Ethernet card, ISDN card, serial port and parallel port.

The NetPilot is just about as idiot-proof as you can get when it comes to installation, taking less than half an hour from opening the box to browsing the web. A configuration wizard steps you through the necessary processes to get up and running, and the browser-based management interface makes it easy to modify and tweak the configuration as required.

The user accounts option is the key to the NetPilot's access control and web monitoring facilities. Enabling user accounts means that your users need to authenticate themselves to the NetPilot before they are allowed through the firewall, but it does provide the highest levels of control in exchange for this minor inconvenience.

Creating users and groups provides the opportunity to restrict activities (email only, web browsing only, or a combination of the two) as well as restrict browsing to specific sites (a "white list") or prevent browsing to undesirable sites (a "black list") on a per user basis. The site lists are maintained manually by the administrator.

If you don't want your users to have to authenticate themselves to NetPilot before they can browse the web, you can have a single default policy that applies to the whole organization. This can allow free access, or can restrict everyone by site or time of day. Extensive logs and activity reports are also available to show how users have been spending their time on the web.

User accounts are also required if you wish to enable the file and print sharing features of NetPilot, and built-in web caching provides the maximum performance for your users whilst minimizing connection charges. As well as the web server, ftp server, and file and print services, NetPilot also includes both SMTP and POP3/IMAP4 mail servers.

Once the SMTP server has retrieved mail from the ISP it can be forwarded on to an internal SMTP server directly, or the mail can be stored in the appropriate user mailboxes on NetPilot for retrieval using any POP3 or IMAP4 client.

As with the other aspects of the device, configuration and management of the firewall is entirely browser-based. If you are expecting the usual complex packet-filter rules definition, however, you are in for a shock, because - also in line with the other features of NetPilot - the firewall has been made as foolproof as possible.

Whilst the firewall is nowhere near the most sophisticated offering of its kind that we have seen, it is certainly the only one we have ever come across that can literally be plugged in, have a couple of boxes checked, and be up and running and every bit as secure as some of its more expensive competitors in less than ten minutes!

To achieve this it places heavy restrictions on what traffic is allowed through the firewall by making a few major assumptions. The first is that no traffic at all is allowed from the external network to the internal protected network. The second is that outbound traffic is unrestricted (though a single checkbox can restrict traffic to the more common ports such as POP3, Telnet, etc.).

The only exception is web traffic, which is blocked on port 80 but enabled on port 8000. This forces all outbound traffic through the NetPilot proxy server, and means that users' browsers need to be configured to use a proxy.

IP addresses of all outbound connections are hidden using NetPilot's IP masquerading feature - also known as network address translation (NAT) - where each outbound address is changed to the external address of the NetPilot itself.

All the NetPilot's services - web server, ftp server, mail server - run on the NetPilot box itself, which provides the equivalent of a demilitarized zone (DMZ). CGI scripts and the ftp server run in a "virtual NetPilot" space within the device providing additional protection.

As you can see from this, it is fairly easy to make configuration simple when you make such sweeping restrictions. However, these settings are perfectly adequate for most installations, and the firewall stood up to our most persistent attempts to break through it or disable it using denial-of-service attacks. At least the fact that configuration options are limited means that the risk of security holes due to poor configuration is eliminated.

For those who absolutely must go further, Equiinet has responded (reluctantly) to user pressure and implemented port forwarding in the latest release.

As NetPilot is largely controlled by software, future product enhancements can be downloaded from the NetPilot web site free of charge and quickly applied via a straightforward option in the maintenance menu. Already planned for a future release is an IPsec-compliant VPN option.

NetPilot is suitable for a wide variety of end-user companies, ranging from single site companies who have never used the Internet to large corporations who want an efficient way for their branch offices to connect.
  

SC On-Line
SC Magazine
www.scmagazine.com