UTM appliances whip blended security threats
Unified threat management appliances combine multiple perimeter protections with mixed results
My penetration tests included a series of attacks using well-known and well-documented exploits for each service. I targeted the attacks against the exposed services, all of which attempted to either take the service offline (DoS) or run code on the server. Core Impact made these tests extremely easy to set up, but even more importantly, it allowed the same tests to be repeated for each UTM appliance. The results proved that each firewall was more than capable of preventing a direct attack, and not once was my targeted server interrupted. During each attack phase, I kept an eye on the firewall’s logs to monitor developments as the attack took place.
Astaro Security Gateway 220
The Astaro Security Gateway 220 packs its UTM punch into a chassis loaded with eight 10/100Mbps Ethernet interfaces. The ASG 220 has a 40GB hard drive that is also used for Web caching and quarantining of spam and virus-infected objects. Setup and policy creation were not as straightforward as Fortinet’s or SonicWall’s but didn’t take more than an hour to complete. Astaro does, however, have one of the better built-in reporting engines.
Putting together the various inbound and outbound access rules takes a few extra clicks to complete, requiring the admin to create both a packet filter rule and a dynamic NAT rule in order to allow valid inbound traffic. Other appliances, such as ServGate and SonicWall, take care of this extra step. Outbound policy can be defined in different ways using the various proxies to mix and match users, hosts, and destinations along with content filters to provide just the right blend of threat management.
The ASG 220 comes with a full line of standard routing features and can be set up in transparent mode with all eight interfaces bridged — the only unit that can do that. I like having the capability to set up different subnets on the various physical interfaces and to create policies among them, including VLANs. The 220 also works with dynamic DNS and RIP (Routing Information Protocol) v1 and v2. QoS is available per policy but is limited to normal, low, or high settings.
Defining the various security policies for inbound traffic required a mix of packet filters, proxies, and NAT definitions. As opposed to SonicWall, which does the heavy lifting for you, Astaro requires admins to create each packet filter rule and match it with a manually created NAT rule in order for traffic to flow in to exposed Web services. This requirement doesn’t limit the functionality of the policy; it just adds a little additional administrative overhead.