October 20th, 2017 by Adam Armstrong
SonicWall NSA 2650 Review
The SonicWall Network Security Appliance (NSA) 2650 (and the rest of the NSA line) provides threat prevention and security to mid-sized networks, branch offices, and distributed enterprises. Like the full NSA line, the 2650 leverages SonicWall’s patented Reassembly-Free Deep Packet Inspection (RFDPI) engine and the new SonicOS 6.5 operating system. The NSA 2650 has ample connectivity with 22 ports: one console and 1GbE management port, four 2.5GbE SFP ports, four 2.5GbE ports, and twelve 1GbE ports. The firewall also comes with room for expansion, consisting of an expansion module as well as a 16GB storage module with room for an optional power supply to add further redundancy.
The NSA 2650 is stated to deliver high-speed threat prevention over thousands of encrypted and unencrypted connections. From the NSA 2600 to the NSA 2650, maximum SPI connections increased from 500K to 1 million and maximum DPI connections went from 250K to 500K. Where the NSA 2650 really shows improvement over its predecessor is in DPI SSL connections. With the NSA 2600, the DPI SSL connections were 1,000 for both the default and maximum, whereas the NSA 2650 has a default of 12,000 DPI SSL connections and a maximum of 13,500 connections.
The NSA 2650 can deliver a high level of security while also delivering higher performance. The best firewall in the world is no good if it is choking off performance of the total bandwidth coming into an organization; the company won’t get any malware, but they won’t get any work done either. Comparing the NSA 2650 to the preceding NSA 2600, one can easily see a significant increase with the former. For example, the firewall inspection throughput went from 1.9Gb/s to 3Gb/s with the NSA 2650. The performance doubled in three of the throughputs: the Full DPI throughput, Application inspection throughput, and IPS throughput (the first went from 300Mb/s to 600Mb/s and the other two went from 700Mb/s to 1.4Gb/s). In anti-malware inspection and IMIX throughput, there was an increase from 400Mb/s to 600Mb/s and 600Mb/s to 700Mb/s respectively. The NSA 2650 also comes with a markedly improved VPN performance with a throughput of 1.5Gb/s compared to the 2600’s 1.1Gb/s.
Another aspect of speed in a network is its WiFi performance. Although the technology is improving, current WiFi speeds will always be lower than directly connected speeds. The SonicWall NSA 2650 can be coupled with the SonicWall SonicWave 432i (an 802.11ac Wave 2 wireless access point). The 2650’s 2.5Gb/s ports match the latest WiFi standards, delivering the fastest performance possible to the ACs. This means that a user working on their mobile device will receive the same level of protection while still seeing fast response times on their devices.
Other new advantages of the NSA 2650 over the 2600 include 12 1GbE ports, 50 percent more than the previous edition’s eight 1GbE ports. There is an option for redundant power supplies to add an element of higher availability to the firewall. The NSA 2650 also has 16GB of onboard storage, which, when enabled by future software updates, will support various features including logging, reporting, signature updates, backup and restore, and more. Also, the newer firewall has four 2.5GbE SFP ports, which provide an advantage over RJ45, as SFP ports can stretch upwards of many miles whereas RJ45 only runs about 100 meters. This is critical in organizations where cabling stretches up and down multiple floors or operates in interference-prone areas.
The heart of SonicWall’s firewall protection is its RFDPI engine. According to the company, RFDPI is a single-pass, low latency inspection system that performs stream-based, bi-directional traffic analysis at high speed without proxying or buffering. This effectively uncovers intrusion attempts and malware downloads while identifying application traffic regardless of port and protocol. RFDPI is able to identify and prevent advanced threats that typically use advanced evasion techniques. While this can prevent many threats, the engine can also be configured for inspection only.
The SonicWall NSA 2650 is available now as a standalone product or it can be paired with TotalSecure Advanced 1-year protection. The NSA 2650 can be picked up for as low as $2,495. Additional software packages listed below are offered:
- NSA 2650 TotalSecure Advanced Edition (1-year)
- Advanced Gateway Security Suite – Capture Advanced Threat Protection service, Threat Prevention, Content Filtering and 24x7 Support for NSA 2650 (1-year)
- Capture Advanced Threat Protection service for NSA 2650 (1-year)
- Threat Prevention–Intrusion Prevention, Gateway Anti-Virus, Gateway Anti-Spyware, Cloud Anti-Virus for NSA 2650 (1-year)
- Silver 24x7 Support for NSA 2650 (1-year)
- Content Filtering Service for NSA 2650 (1-year)
- Enforced Client Anti-Virus & Anti-Spyware based on user count
- Comprehensive Anti-Spam Service for NSA 2650 (1-year)
SonicWall NSA 2650 specifications:
- Operating system: SonicOS 6.5
- Security processing cores: 4
- 4 x 2.5-GbE SFP
- 4 x 2.5-GbE
- 12 x 1-GbE
- 1 GbE Management
- 1 Console
- 1 Expansion Slot (Rear)
- 16 GB storage module
- SSO users: 40,000
- Maximum access points supported: 48
- Firewall inspection throughput: 3.0 Gbps
- Full DPI throughput: 600 Mbps
- Application inspection throughput: 1.4 Gbps
- IPS throughput: 1.4 Gbps
- Anti-malware inspection throughput: 600 Mbps
- IMIX throughput: 700 Mbps
- TLS/SSL Inspection and Decryption (DPI SSL): 300 Mbps
- VPN throughput: 1.5 Gbps
- Connections per second: 15,000/sec
- Maximum connections (SPI): 1,000,000
- Maximum connections (DPI): 500,000
- Default/Maximum connections (DPI SSL): 12,000/13,500
- Site-to-site tunnels: 1,000
- IPSec VPN clients (max): 50 (1,000)
- SSL VPN NetExtender Clients (max): 2 (350)
- Encryption/Authentication: DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1, Suite B Cryptography
- Key exchange: Diffie Hellman Groups 1, 2, 5, 14v
- Route-based VPN: RIP, OSPF
- IP address assignment: Static (DHCP PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP Relay
- NAT modes: 1:1, many:1, 1:many, flexible NAT (overlapping IPS), PAT, transparent mode
- VLAN interfaces: 256
- Routing protocols: BGP, OSPF, RIPv1/v2, static routes, policy-based routing
- QoS: Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking, 802.1p
- Authentication: LDAP (multiple domains), XAUTH/RADIUS, SSO, Novell, internal user database, Terminal Services, Citrix, Common Access Card (CAC)
- VoIP: Full H323-v1-5, SIP
- TCP/IP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP, PPTP, RADIUS, IEEE 802.3
- Certifications: ICSA Firewall, ICSA Anti-Virus, FIPS 140-2, Common Criteria NDPP (Firewall and IPS), UC APL
- High availability: Active/Passive with State Sync
- Power supply: Dual, redundant 120W (one included)
- Fans: Dual, Fixed
- Input power: 100-240 VAC, 60-50 Hz
- Maximum power consumption (W): 74.3
- MTBF @25°C in hours: 146,789
- MTBF @25°C in years: 16.76
- Form factor: 1U
- Dimension: 1.75 x 19.1 x 17 in (4.5 x 48.5 x 43 cm)
- Weight: 13.56 lb (6.15 kg)
- Environment (Operating/Storage): 32°-105° F (0°-40° C)/-40° to 158° F (-40° to 70° C)
- Humidity: 10-90% non-condensing
Design and Build
The SonicWall NSA 2650 is a 1U rackmount device with a short 17" depth. Along the front of the device, starting from the left, are the branding, LED indicator lights, Console port, 1GbE management port, 2 x USB 3.0 ports, 4 x 2.5GbE SFP ports, 4 x 2.5GbE ports, and 12 x 1GbE ports.
Flipping around to the rear of the device is ventilation and power supplies on either end (or the spot for an optional power supply). The dual fans are roughly in the middle, and to the right of those are the expansion module and storage module.
The expansion slot is easy to get to and is entirely tool-less. It opens up, allowing users to add cards such as 10GbE to the back of the firewall. The storage slot is a bit trickier to get to (it requires a screwdriver) but this makes sense, as no one wants the storage to be knocked loose when it is in operation.
The storage card contains a 16GB M.2 SSD which allows features such as logging, reporting, signature updates, backup and restore, and more. These items aren't yet enabled in SonicOS 6.5, but will be available in later versions.
To add higher availability to the firewall, there is an option for an additional PSU. It is fairly easy to get to: take one screw off of the side and slide the top off to access the PSU slot. Then slide the new PSU in and plug it into the unit and lock the other side through the back.
The SonicWall NSA 2650 leverages the SonicOS operating system. A full review of the operating system, which spans across the entire SonicWall portfolio, will be coming in a separate review.
SonicWall’s NSA 2650 is a 1U firewall with the aim of protecting mid-sized networks, branch offices, and distributed enterprises. With 22 connection ports (counting the console and management), the 2650 also offers significant connectivity improvements over its predecessor, the NSA 2600. The NSA 2650 also adds SFP ports for farther-reaching areas, as well as 2.5Gbps ports for supporting newer and faster Wave2 access points that support greater connection speeds. In terms of performance, SonicWall has also made dramatic improvements across the board. Throughput has doubled with the newest model in areas such as the Full DPI throughput, Application inspection throughput, and IPS throughput. In some instances the NSA 2650 supports as many as 13 times the connections of the NSA 2600. At the heart of the firewall’s security is SonicWall’s patented RFDPI engine and the just-released SonicOS 6.5 operating system, which offers a huge step up in look and feel and ease of management. Overall the new NSA 2650 has a lot to offer, with plenty of room for expansion for a growing mid-size organization.
The Bottom Line
The SonicWall NSA 2650 is ideal for mid-sized organizations that need to protect themselves from threats while keeping performance high and being ready to natively support the latest wireless standard.