Even with the extensive testing (accompanied by the necessary extensive configuration and management that goes with spending weeks on a device's console), we weren't able to work with every single feature on each system. The supercool feature that we couldn't try out on the WatchGuard was the drag-and-drop VPN setup. As long as the console is able to get an encrypted link to both firewalls, you can do a drag and drop from the branch office to the home office for VPN setup.
Speed to burn
With a proxy-oriented architecture such as the Firebox's, you expect to take a hit in absolute packet-passing performance. Typically what you lose in throughput you gain in security, thanks to the proxy's ability to obscure the details of the devices inside the network from the outside world, making it nearly impossible for external devices to connect to them directly. So we were surprised to discover that the Firebox was the fastest UTM in our test -- faster even than the SonicWall, which costs three times as much.
Though the Firebox proved faster than the SonicWall when under attack, its ability to turn away those attacks paled in comparison. The Firebox blocked only 33 percent of the malware we threw at it, while the SonicWall notched a 96 percent success rate. Like the other UTMs in our test, the Firebox does not provide a significant level of protection against vulnerability-based exploits.
However, the Firebox certainly provides a level of protection greater than its 33 percent success rate would indicate. In order to run our Web, FTP, and e-mail vulnerability exploits, we had to loosen up the Firebox's firewall rules and allow ICMP traffic. In other words, we had to run the Firebox in a way that WatchGuard does not recommend. The result was that the box was exposed to more attacks than if we had followed the vendor's best practices. If we had run the Firebox with tighter rules, would it have blocked as many of the exploits as the SonicWall? Our gut tells us no, but it would have been a better horse race.
Our short take on the WatchGuard Firebox? It forces you to adopt procedures that should be part of your best practices anyway. If you want something that will slide into a network and let traffic flow until you get all your firewall rules figured out, you'll be completely frustrated by the Firebox. If you want to deploy a secure system in a secure way, though, WatchGuard has provided a box that will work with you to make (and keep) your network safe. It's a strong and granular firewall that offers a lot of control. Just keep in mind that the success of its UTM function is highly dependent on using its firewall features to tightly lock down the types of traffic that are allowed to pass.
Astaro Security Gateway ASG425
|Pros||Client/server-based management system allows true offline editing of configuration. High throughput even when handling attacks. Can turn on additional in-the-box features through licensing.|
|Cons||Blocked only a third of the attacks in our test. Complex user interface. Desperately needs wizards for common setup tasks (public server, VPN). Must be online for initial setup, to download updates and user interface.|
|Cost||Base price: $5,990. Price as tested: $9,299 including Gateway AV/IPS, WebBlocker URL filtering, and spamBlocker anti-spam.|
|Platforms||1U appliance with eight Gigabit Ethernet ports, 1U appliance with five Gigabit Ethernet ports, firewall, VPN, anti-malware, IDS/IPS, Web content filtering, and spam blocking.|
Having trouble installing and setting up Win10? You aren’t alone. Here are many of the most common...
It's all about knowing how to build an open source community -- plus experience running applications in...
Win7 Update scans got you fuming? Here’s how to make the most of Microsoft’s 'magic' speed-up patch
The proliferation of insecure devices in every facet of our lives will have consequences far beyond the...
From a simple platform for beginners to an expert-level development workbench, there's an IDE for most...
You don't need to buy a new phone to add hours to your battery. All you need is to flip a few switches...
Look to these clever open source tools to keep secrets out of source code, identify malicious files,...