UTM appliances whip blended security threats
Unified threat management appliances combine multiple perimeter protections with mixed results
SonicWall’s security services are a combination of third-party and internally developed products. Network anti-virus (client-side) is handled through an agreement with McAfee, whereas gateway AV (real-time TCP stream scanning) is handled by SonicWall’s own scanning engine. Anti-spyware scanning uses signatures developed in-house and through a “secret” third-party alliance, and content filtering is done with SonicWall’s system or in conjunction with an N2H2 or Websense server.
SonicWall’s security services are applied globally; they can’t be assigned per traffic flow. For instance, for outbound traffic I could enable all of the security services, but I couldn’t define a specific combination of services for a specific type of outbound traffic. The ASG 220 and the WatchGuard Firebox do allow this finer-grained approach to security enforcement.
In terms of overall effectiveness, however, the Pro 2040 was one of only two appliances that successfully handled a virus-infected 160MB file copied via FTP. Apart from the SonicWall and ServGate boxes, the other UTM appliances either failed to complete the transfer or failed to scan the file for the virus.
IPS services are provided through a combination of in-house and Snort signatures. Deployment is very flexible, with both global and per-network-zone assignments. As with the IPS in the EdgeForce M30, signatures are grouped in categories, and admins can enable or disable individual signatures. As with all of the UTM products, I couldn’t sneak any penetration attack past the Pro 2040.
Logging and reporting are included in the appliance, but to get the most detailed information on users and traffic patterns, admins will want SonicWall’s ViewPoint package, available at additional cost. Remote monitoring and administration are done through the SonicWall Global Management System. Be advised that SonicWall GMS requires an Oracle or Microsoft SQL Server database (neither is included).
WatchGuard Firebox X2500 Core
The Firebox X2500 Core has eight 10/100Mbps interfaces stuffed into a glossy red 1U chassis that looks more Ferrari than firewall. Along with the show there’s plenty of go. The Firebox wraps a stateful firewall around application proxies to build a solid security appliance that can keep the bad guys out while allowing granular outbound policies. The reporting and monitoring tools are some of the best anywhere. Initial configuration of the Firebox took a bit longer than most, but I still had the unit online in less than an hour.
Like the SonicWall Pro 2040, WatchGuard’s Firebox comes from a strong firewall background, and it shows in the X2500. Through a combination of packet filters and application proxies, admins can craft a security policy specific to the network’s needs. When defining policies, though, it is important to understand the traffic that will be passing through the Firebox and which security services need to be applied to it.
If a policy is defined as a packet filter, there is no provision for scanning that traffic for viruses or other questionable activity; only the headers are examined, and the payload is forwarded untouched. The only way to analyze the content is to push the traffic through an application proxy. The Firebox comes with proxies for HTTP, FTP, DNS, SMTP, and generic TCP traffic, so the most common traffic is covered, and there is no limit on how many different proxy definitions you can use. I created a variety of HTTP policies using proxies, each one with specific security settings and rules.
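To make the packet-filter versus application-proxy distinction concrete, here is an added example in Python. It is my own illustration, not WatchGuard code or Firebox configuration: the `Flow` class, the `BAD_SIGNATURE` marker, the content-type block list, and the sample HTTP responses are all constructed for the demo. The point it shows is that a packet filter decides on protocol and port alone and forwards the payload byte for byte, while a proxy policy has to reassemble and parse the HTTP message before it can apply any content check at all.

```python
"""Added illustration: packet-filter policy vs. HTTP proxy policy.
Not WatchGuard code; every name and sample below is made up for the demo."""
from dataclasses import dataclass


@dataclass
class Flow:
    """A reassembled TCP flow: header fields plus the server-to-client payload."""
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


# Constructed stand-ins for a gateway AV signature and a content-type block list.
BAD_SIGNATURE = b"TEST-MALWARE-MARKER"
BLOCKED_TYPES = {"application/x-msdownload"}


def packet_filter_policy(flow, allowed_ports=(80,)):
    """Packet filter: decide on protocol and port only. The payload is never
    examined, so an infected file on an allowed port is forwarded unchanged."""
    if flow.proto == "tcp" and flow.dport in allowed_ports:
        return ("allow", "port allowed; payload not inspected")
    return ("deny", "port not allowed")


def parse_http_response(raw):
    """Split a raw HTTP response into status line, header dict and body.
    Raises ValueError if the message is incomplete or malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        raise ValueError("not a complete HTTP response")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def http_proxy_policy(flow, allowed_ports=(80,)):
    """Proxy policy: the same header check, then parse the HTTP message and
    apply content rules (type block list, length sanity check, signature scan)."""
    verdict, reason = packet_filter_policy(flow, allowed_ports)
    if verdict == "deny":
        return (verdict, reason)
    try:
        status, headers, body = parse_http_response(flow.payload)
    except ValueError as exc:
        return ("deny", f"proxy could not parse response: {exc}")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_TYPES:
        return ("deny", f"blocked content-type {ctype}")
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        return ("deny", "content-length does not match body")
    if BAD_SIGNATURE in body:
        return ("deny", "signature match in body")
    return ("allow", f"{status}; {ctype or 'no type'}; {len(body)} bytes scanned")


def _response(ctype, body):
    """Build a minimal HTTP/1.1 200 response for the constructed samples."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


# Constructed sample flows (not captured traffic).
CLEAN = Flow("10.0.0.5", "203.0.113.7", 80, "tcp",
             _response("text/html", b"<html><body>hello</body></html>"))
INFECTED = Flow("10.0.0.5", "203.0.113.7", 80, "tcp",
                _response("text/plain", b"MZ\x90\x00" + BAD_SIGNATURE + b"\x00" * 16))
EXE = Flow("10.0.0.5", "203.0.113.7", 80, "tcp",
           _response("application/x-msdownload", b"MZ\x90\x00" + b"\x00" * 32))
HTTPS = Flow("10.0.0.5", "203.0.113.7", 443, "tcp", b"\x16\x03\x01")


if __name__ == "__main__":
    for name, flow in [("clean", CLEAN), ("infected", INFECTED), ("exe", EXE), ("https", HTTPS)]:
        print(f"{name:9s} filter={packet_filter_policy(flow)[0]:5s} proxy={http_proxy_policy(flow)}")
```

Run as a script, the packet filter allows the clean, infected and executable flows alike (all are TCP port 80) and rejects only the port 443 flow, whereas the proxy policy parses each response and denies the infected body on a signature match, the executable on its content type, and anything it cannot parse as HTTP. That is the practical consequence of the Firebox design: traffic you want inspected has to be matched by a proxy policy, not by a packet-filter policy.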