UTM appliances whip blended security threats
Unified threat management appliances combine multiple perimeter protections with mixed results
Astaro’s core UTM features are built as part of the application proxies. For example, virus scanning will check inbound and outbound traffic through the SMTP proxy and can quarantine suspicious messages for later analysis. The HTTP proxy provides content filtering on client-requested traffic and uses Cobion URL filtering lists to mitigate casual surfing. Unfortunately, anti-virus scanning isn’t available for FTP traffic unless admins enable the HTTP proxy in standard mode and use a browser to copy files over FTP. A true FTP proxy will be available in the next release and will include anti-virus scanning.
IPS comes well equipped, with more than 4,000 detection signatures. IPS rules are grouped by attack type, which makes management quick and easy. During my penetration tests with Core Impact, I was never able to exploit any of the services exposed through the ASG 220. Every attack was turned away and logged for later inspection.
Any self-respecting UTM appliance will have a full complement of VPN services, and the ASG 220 is no exception. It supports a wide range of cipher strengths and hash algorithms, allowing for very flexible deployment. Also included is Microsoft PPTP (Point-to-Point Tunneling Protocol) for client-to-site road warriors. As with firewall policy definition, IPSec policy configuration required a little more effort to complete.
The well-rounded reporting engine in the ASG 220 provides a wide variety of graphical charts as well as raw log files. Two additional packages, the Report Manager and the Configuration Manager, provide centralized report aggregation and policy management.
Fortinet FortiGate 400A
The FortiGate 400A ships with six 10/100Mbps Ethernet interfaces and combines slick policy management with routing capabilities usually found only in bigger hardware. UTM services are complete, as are VPN and dynamic routing services. Remote management is performed through the FortiManager console, and local logging, although included, could be improved. Initial setup and configuration took less than 30 minutes to complete, and FortiGate’s IPS proved to be up to the task of stopping all the Core Impact attacks I threw at it.
The most expensive UTM box in our roundup, the FortiGate boasts a very flexible and powerful routing engine. Each of its six interfaces can be a member of a different IP network with distinct routing policies and RIP v1 and v2 settings. In fact, unique among the appliances tested, the FortiGate allows each physical interface to have its own DHCP server. One of the most interesting features is that the appliance can be divided into two virtual domains. This feature essentially splits the firewall into two logical devices. Physical interfaces and policies are each assigned as members of a specific domain.
Firewall access policies in the 400A cover many different situations without being overly complex to define. I found it easy to create address assignments for specific services and to build security policies based on each type of traffic. Access policies are not ordered automatically, as they are by the SonicWall Pro 2040, but it is easy to reorder them from the UI.
The 400A works with site-to-site IPSec VPNs and also PPTP and L2TP (Layer 2 Tunneling Protocol) client-to-site connections. Encryption strength ranges from DES to AES256 (Advanced Encryption Standard 256-bit) for maximum security. Fortinet’s QoS support is among the best, with the capability to prioritize traffic and manipulate the Diffserv values.