UTM appliances whip blended security threats
Unified threat management appliances combine multiple perimeter protections with mixed results
All of the expected security services are in the 400A, and unlike Astaro and WatchGuard, Fortinet allows anti-virus scanning to be assigned to traffic other than SMTP. Services are enabled and assigned specific actions in a Protection Profile. Each profile can be a specific mix of services tailored to a type of traffic. For example, I created a profile with only anti-virus and IPS enabled and used it as the protection policy for FTP traffic. Admins can create many different profiles, each for a specific need.
The anti-virus service, although better than most, has its limitations. There is an upper limit on the maximum file size that can be scanned as it passes through the FortiGate. If the file exceeds 50MB — the upper limit for the model I tested — admins have the choice of denying the transfer completely or ignoring the oversized file and passing it without scanning it. This size limitation applies to all forms of traffic.
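To make the two points above concrete (services bundled into per-traffic profiles, and the deny-or-pass decision for files above the scan ceiling), here is a small added policy model. It is constructed for this article and is not FortiGate code; the names `Profile`, `Transfer`, `evaluate_transfer` and `audit_fail_open` are hypothetical, and the 50MB ceiling is simply the figure quoted for the tested model. The `audit_fail_open` helper goes slightly beyond the text: it lists every profile that has been configured to pass oversized files unscanned, which is the setting an auditor would want to flag.

```python
"""Toy model of protection profiles with a maximum scannable file size.

Constructed illustration for the review, not vendor code. Class and
function names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

# The review quotes 50MB for the tested model; binary megabytes assumed here.
MAX_SCAN_BYTES = 50 * 1024 * 1024


@dataclass(frozen=True)
class Profile:
    """A named bundle of services plus the oversized-file policy."""
    name: str
    services: frozenset[str]        # e.g. {"antivirus", "ips"}
    oversize_action: str = "block"  # "block" = fail closed, "pass" = fail open (unscanned)


@dataclass(frozen=True)
class Transfer:
    """One file crossing the gateway (constructed sample input)."""
    protocol: str
    size_bytes: int
    malicious: bool  # simulation ground truth; stands in for a signature match


# Traffic type -> profile. Constructed to mirror the review's FTP example,
# with a deliberately fail-open web profile to show the difference.
POLICIES: dict[str, Profile] = {
    "ftp": Profile("ftp-av-ips", frozenset({"antivirus", "ips"})),
    "http": Profile("web-full", frozenset({"antivirus", "ips", "webfilter"}),
                    oversize_action="pass"),
    "smtp": Profile("mail", frozenset({"antivirus", "spamfilter"})),
}


def evaluate_transfer(t: Transfer, policies: dict[str, Profile] = POLICIES,
                      limit: int = MAX_SCAN_BYTES) -> tuple[str, str]:
    """Return (verdict, reason); verdict is "allow" or "block"."""
    profile = policies.get(t.protocol)
    if profile is None:
        return "block", "no profile assigned to protocol"
    if "antivirus" not in profile.services:
        return "allow", "antivirus not enabled in profile"
    if t.size_bytes > limit:
        # The scanner never sees the file; only the configured action decides.
        if profile.oversize_action == "block":
            return "block", "oversized: denied unscanned"
        return "allow", "oversized: passed unscanned"
    if t.malicious:
        return "block", "antivirus signature match"
    return "allow", "scanned clean"


def audit_fail_open(policies: dict[str, Profile] = POLICIES) -> list[str]:
    """Names of profiles that scan for malware but pass oversized files unscanned."""
    return sorted(p.name for p in policies.values()
                  if "antivirus" in p.services and p.oversize_action == "pass")


if __name__ == "__main__":
    big_bad = 60 * 1024 * 1024
    for proto in ("ftp", "http"):
        print(proto, evaluate_transfer(Transfer(proto, big_bad, malicious=True)))
    print("fail-open profiles:", audit_fail_open())
```

The same 60MB malicious file is blocked on FTP and allowed on HTTP purely because of the profile's oversize action, which is why that setting deserves to be reviewed per profile rather than left at whatever the console defaulted to.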
Fortinet maintains its own signature lists for anti-virus, IPS, Web, and spam filters, and updates can be scheduled hourly to make sure the latest definitions are online. In addition to signatures, the IPS uses anomaly detection to protect exposed systems. Admins can create custom signatures or simply use the included list. As with all of the solutions tested here, Core Impact couldn’t find a crack in Fortinet’s IPS.
Reporting and logging services are average. Five different logs are included, but for the best results, admins will want to ship the information off to either a Syslog or WebTrends server. For centralized management, Fortinet’s FortiManager is the platform to use. It allows for direct remote management as well as report and log aggregation.
ServGate EdgeForce M30
ServGate’s EdgeForce M30 appliance comes with three 10/100Mbps interfaces and a 20GB hard drive used for Web caching and many of its core security services. Setup and configuration of the M30 was straightforward; I had the unit online with a default outbound policy in less than 30 minutes. The M30 came in as the lowest-cost appliance in our group, and policy creation and maintenance were not overly difficult.
The M30 is based on purpose-built hardware. At its heart is a stateful inspection firewall that provides good all-around protection. Like Fortinet and WatchGuard, ServGate provides dynamic routing (RIP v1 and v2), static routing, and dynamic DNS. QoS is included, but it isn’t nearly as complete as the support found in Fortinet. VLAN support will be available in the next release of the ServGate OS.
VPN services are also well supported, with various flavors of site-to-site IPSec and PPTP, and ServGate’s VPN client handling client-to-site chores. Admins can choose among cipher strengths up to 3DES and AES256.
Creating inbound policy for my protected resources required first defining a virtual IP alias for each service and then plugging the aliases into the appropriate IP mapping policy. Part of policy creation is choosing which content filter to apply to the inbound traffic. ServGate’s content filters are based on IPS rules plus the additional security services, such as anti-virus.
For example, I was able to create a “test” content filter for my exposed Web server by starting from a predefined Web server IPS policy and adding anti-virus filtering. Admins can use the canned IPS and content filter rules or create new ones to meet specific needs. My only complaint is that I had to hop among three different areas of the admin console in order to manipulate and assign a content filter.