UTM appliances whip blended security threats

Unified threat management appliances combine multiple perimeter protections with mixed results

For example, I was able to create a “test” content filter for my exposed Web server using a predefined Web server IPS policy and then by choosing to add anti-virus filtering. Admins can use the canned IPS and content filter rules or create new ones to meet specific needs. My only complaint is that I had to hop among three different areas of the admin console in order to manipulate and assign a content filter.

The security services available in the M30 are very good, using a mix of best-of-breed and in-house developed services. For anti-virus and anti-spam, ServGate uses McAfee’s scanning engines. For Web filtering, SurfControl is included. All licensing for these third-party tools is handled by ServGate and included in the total price. Because the M30 has a local hard drive, files and messages can be quarantined instead of simply discarded.

As opposed to WatchGuard’s Firebox Core, ServGate’s EdgeForce M30 provides anti-virus scanning for SMTP, HTTP, POP3, and FTP traffic. The M30 passed my anti-virus test with flying colors, managing the 160MB file transfer and stripping out the virus.

ServGate’s IPS, which is based on the open source Snort signatures, allows for a good deal of flexibility when creating content filters. The list of rules is nicely broken up into categories such as “exploit,” “P2P,” and “Web attacks,” which simplifies creating IPS rules for content filters. In all of my penetration tests, ServGate’s IPS rules and policies held firm and prevented any unauthorized access.

Remote monitoring and reporting are very well done using Global Manager. It provides a nice platform for maintaining all aspects of the M30 from a centralized datacenter. A single Global Manager system can handle as many as 200 EdgeForce devices. Look for greater scalability in the next release.

SonicWall Pro 2040

The SonicWall Pro 2040 comes with four 10/100Mbps interfaces for network connectivity and a host of solid firewalling services. Installation and initial configuration were the easiest of our group, thanks to some handy setup wizards. Setup required only a few minutes to get the appliance online and passing traffic. Policy management is relatively straightforward, again assisted by helpful wizards. VLAN support, although missing from this release, will be available soon.

The Pro 2040 doesn’t leave anything out in terms of firewall features. Its stateful inspection engine comes with a vast array of predefined services and allows for the addition of custom services. For quicker rule creation, individual services can be grouped into a single object. As opposed to Astaro and WatchGuard, SonicWall does not rely on any application proxies. This means the Pro 2040 can apply anti-virus filters and all other protections to any type of traffic.

Firewall policy management is made easier through the use of a new “matrix” view of the access rules. I was able to filter my view quickly to zero in on a specific set of physical interfaces and the rules associated with them. For anyone who has to maintain a large rule set, this feature will ease your administrative burden significantly. Support for dynamic DNS is included, as is QoS, but VLAN support won’t be available until the next OS release. Dynamic routing is also missing from this release; RIP and OSPF will be available in the next version.

VPN capabilities are adequate in the Pro 2040, providing IPSec site-to-site and client-to-site PPTP and support for SonicWall’s own VPN client. Cipher choices aren’t as wide as those in the Astaro 220, but with 3DES and AES256, encryption strength should not be a problem. As with policy creation, a VPN policy wizard walks admins through the initial tunnel definition.

SonicWall’s security services are a combination of third-party and internally developed products. Network anti-virus (client-side) is handled through an agreement with McAfee, whereas gateway AV (real-time TCP stream scanning) is handled by SonicWall’s own scanning engine. Anti-spyware scanning uses signatures developed in-house and through a “secret” third-party alliance, and content filtering is done with SonicWall’s system or in conjunction with an N2H2 or Websense server.

SonicWall’s security services are applied globally; they don’t allow for per-traffic-flow assignment. For instance, for outbound traffic, I could enable all security services, but I couldn’t define a specific combination of services for a specific type of outbound traffic. The ASG 220 and WatchGuard Firebox do allow this fine-grained approach to security enforcement.

In terms of overall effectiveness, however, the Pro 2040 was one of only two appliances to successfully handle a virus-infected 160MB file copied via FTP. Besides the SonicWall and ServGate boxes, the other UTM appliances either failed to complete the transfer or failed to scan for the virus.

IPS services are provided through a combination of in-house and Snort signatures. Deployment is very flexible with global and individual network zone assignments. As with the IPS found in the EdgeForce M30, signatures are grouped in categories and admins can enable/disable individual signatures. As with all of the UTM products, I couldn’t sneak any penetration attack past the Pro 2040.

Logging and reporting are included in the appliance, but to get the most detailed information on users and traffic patterns, admins will want to use SonicWall’s ViewPoint package, available at additional cost. Remote monitoring and administration are done through the SonicWall Global Management System. Be advised that SonicWall GMS requires an Oracle or Microsoft SQL Server database (neither is included).

WatchGuard Firebox X2500 Core

The Firebox X2500 Core has eight 10/100Mbps interfaces stuffed into a glossy red 1U chassis that looks more Ferrari than firewall. Along with the show there’s plenty of go. The Firebox wraps a stateful firewall around application proxies to build a solid security appliance that can keep the bad guys out while allowing granular outbound policies. The reporting and monitoring tools are some of the best anywhere. Initial configuration of the Firebox took a bit longer than most, but I still had the unit online in less than an hour.

As does the SonicWall Pro 2040, WatchGuard’s Firebox comes from a strong firewall background, and it shows in the X2500. Through a combination of packet filters and application proxies, admins can craft a security policy specific to the network’s needs. When defining policies, though, it is important to understand the traffic that will be passing through the Firebox and which security services need to be applied to it.

If the traffic is defined using a packet filter, there is no provision for scanning the traffic for viruses or other questionable activity. The only way to analyze the traffic is to push it through an application proxy. The Firebox does come with proxies for HTTP, FTP, DNS, SMTP, and generic TCP traffic, so the most common traffic will be covered, and there is no limit to how many different proxy definitions you can use. I created a variety of different HTTP policies using proxies, each one with specific security settings and rules.

UTM services are available in the Firebox, but all services aren’t available to all proxies. In some cases, the omission makes perfect sense; there is no need for Web content inspection on SMTP traffic. But for others, it could be a problem. For example, FTP traffic can be checked for validity and protected by IPS, but there is no facility for scanning FTP’d files for viruses. AV scanning is also missing from the HTTP proxy, although it does check for malware. The SMTP proxy is the only one that will scan for viruses.

Intrusion prevention is set up on a global basis and is handled by the TCP proxy. IPS worked well in my tests, preventing Core Impact from exploiting any of the exposed servers. WatchGuard’s IPS can block traffic from any address that it identifies as the source of an attack, which is an interesting feature. During my penetration tests, I had to keep changing the IP address of my attack PC because the Firebox would deny its communications.

Dynamic routing is the best out of the group, featuring RIP v1 and v2 and also OSPF and BGP (Border Gateway Protocol). VPN services are also strong with IPSec site-to-site and client-to-site chores handled by PPTP, L2TP, and WatchGuard’s own mobile VPN client. QoS is available, although not as full-featured as Fortinet’s. Dynamic DNS is not supported.

WatchGuard shines in reporting and monitoring, with a mix of tools that provide an excellent view into the appliance’s health. Admins will spend much of their initial time in the Fireware Policy Manager defining policies and services. For day-to-day monitoring, the Firebox System Manager is the tool to use. WatchGuard’s ultimate geek toy is HostWatch, a real-time graphical traffic viewer.

Not all roses

Each of the five appliances does a very good job of keeping the bad stuff out while providing a fine level of control over users’ activity. Improvement is needed, however, in how anti-virus protection is handled. Viruses can enter on just about any protocol now, so not being able to scan all types of traffic isn’t going to cut it.

Sometimes it is a difficult task to rank a group of products, especially when only little things separate one from another. In the end, the results came down to just how complete the UTM services were in each appliance. The ServGate EdgeForce M30 and the SonicWall Pro 2040 completed all of my testing with flying colors, earning them the top scores in our roundup. Both of these appliances demonstrated excellent protection against attack and also applied all core UTM services across the various traffic types.

For situations where additional physical interfaces are required and FTP traffic isn’t a priority, the Fortinet 400A would be a good pick. Its rich features do come with a rich price tag, however. WatchGuard’s Firebox Core comes with a full range of services, as does the Astaro Secure Gateway, and if FTP traffic isn’t part of the network’s day-to-day traffic, these too should be considered viable solutions.

InfoWorld Scorecard

Product                        Setup (10%)  Reporting (15%)  Value (10%)  Management (15%)  UTM services (25%)  Firewall/VPN (25%)  Overall Score (100%)
Astaro Security Gateway 220    8.0          8.0              8.0          8.0               8.0                 8.0                 8.0
Fortinet FortiGate 400A        8.0          8.0              8.0          9.0               8.0                 9.0                 8.4
ServGate EdgeForce M30         9.0          8.0              9.0          8.0               9.0                 9.0                 8.7
SonicWall Pro 2040             9.0          8.0              9.0          9.0               9.0                 9.0                 8.9
WatchGuard Firebox X2500 Core  8.0          9.0              8.0          9.0               7.0                 9.0                 8.3