UTM appliances whip blended security threats
Unified threat management appliances combine multiple perimeter protections with mixed results
UTM services are available in the Firebox, but not all services are available to all proxies. In some cases the omission makes perfect sense; there is no need for Web content inspection on SMTP traffic. In others it could be a problem. For example, FTP traffic can be checked for protocol validity and protected by IPS, but there is no facility for scanning FTP'd files for viruses. AV scanning is also missing from the HTTP proxy, although that proxy does check for malware. The SMTP proxy is the only one that will scan for viruses.
Intrusion prevention is configured on a global basis and is handled by the TCP proxy. IPS worked well in my tests, preventing Core Impact from exploiting any of the exposed servers. WatchGuard's IPS can block all traffic from any address that it identifies as the source of an attack, which is an interesting feature. During my penetration tests, I had to keep changing the IP address of my attack PC because the Firebox would deny its communications. The same mechanism will lock out any host whose address appears as the source of an attack, so the automatic block list and its expiry settings deserve a look before deployment.
Dynamic routing is the best of the group, with RIP v1 and v2 as well as OSPF and BGP (Border Gateway Protocol). VPN support is also strong: IPSec handles site-to-site tunnels, while client-to-site access is handled by PPTP, L2TP, and WatchGuard's own mobile VPN client. QoS is available, although it is not as full-featured as Fortinet's. Dynamic DNS is not supported.
WatchGuard shines in reporting and monitoring, with a mix of tools that provide an excellent view into the appliance’s health. Admins will spend much of their initial time in the Fireware Policy Manager defining policies and services. For day-to-day monitoring, the Firebox System Manager is the tool to use. WatchGuard’s ultimate geek toy is HostWatch, a real-time graphical traffic viewer.
Not all roses
Each of the five appliances does a very good job of keeping the bad stuff out while providing a fine level of control over users' activity. Improvement is needed, however, in how anti-virus protection is handled. Viruses can enter on just about any protocol now, so an appliance that cannot scan every type of traffic it proxies isn't going to cut it.
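To make that last point concrete, here is an added example, constructed for this edit and not part of the review or any vendor's code. It wraps the same harmless EICAR test file in the three carriers the review discusses (an FTP data channel, an HTTP response with and without gzip encoding, and an SMTP message with a base64 MIME attachment) and runs two scanners over each: a naive byte search on the raw wire stream, and a scan that first decodes the protocol. The e-mail addresses and file name are placeholders.

```python
"""Why gateway AV has to be protocol-aware: one file, three wires.

Constructed example. The payload is the EICAR test string, a harmless file
that every AV engine is expected to flag, so it stands in for real malware.
"""
import gzip
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Split across two literals so the bare signature never sits on disk as one string.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD"
         b"-ANTIVIRUS-TEST-FILE!$H+H*")


def ftp_data_channel(payload: bytes) -> bytes:
    """FTP RETR/STOR (binary mode) moves the file verbatim on the data channel."""
    return payload


def http_response(payload: bytes, compress: bool = False) -> bytes:
    """HTTP/1.1 response carrying the file, optionally with Content-Encoding: gzip."""
    body = gzip.compress(payload) if compress else payload
    headers = [b"HTTP/1.1 200 OK",
               b"Content-Type: application/octet-stream",
               b"Content-Length: %d" % len(body)]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def smtp_message(payload: bytes) -> bytes:
    """RFC 5322 message with the file as a base64-encoded MIME attachment."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.test"      # placeholder addresses (assumption)
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "invoice"
    msg.attach(MIMEText("see attached"))
    msg.attach(MIMEApplication(payload, Name="invoice.com"))  # base64 by default
    return msg.as_bytes()


def naive_scan(stream: bytes) -> bool:
    """Byte-search the raw wire stream, as a scanner with no protocol decoding would."""
    return EICAR in stream


def protocol_aware_scan(proto: str, stream: bytes) -> bool:
    """Decode the carrier first, then scan every recovered file body."""
    if proto == "ftp":
        files = [stream]
    elif proto == "http":
        head, _, body = stream.partition(b"\r\n\r\n")
        if b"content-encoding: gzip" in head.lower():
            body = gzip.decompress(body)
        files = [body]
    elif proto == "smtp":
        msg = message_from_bytes(stream)
        files = [part.get_payload(decode=True)      # undo base64 / quoted-printable
                 for part in msg.walk() if not part.is_multipart()]
    else:
        raise ValueError(f"unsupported protocol: {proto}")
    return any(EICAR in f for f in files)


def coverage_report() -> dict:
    """Map each carrier to (naive_scan_hit, protocol_aware_scan_hit)."""
    carriers = {
        "ftp": ftp_data_channel(EICAR),
        "http": http_response(EICAR),
        "http+gzip": http_response(EICAR, compress=True),
        "smtp": smtp_message(EICAR),
    }
    return {name: (naive_scan(stream), protocol_aware_scan(name.split("+")[0], stream))
            for name, stream in carriers.items()}


if __name__ == "__main__":
    for carrier, (naive, aware) in coverage_report().items():
        print(f"{carrier:10s} raw-byte scan: {naive!s:5}  protocol-aware scan: {aware}")
```

The raw byte search only catches the file on the two carriers that ship it verbatim (plain FTP and uncompressed HTTP); once the same bytes travel gzip-encoded over HTTP or base64-encoded in mail, only a scanner that sits behind the protocol decoder sees them. That is why AV coverage is a per-proxy property, and why an appliance that scans only one proxy leaves the other protocols as unscanned entry points.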
Ranking a group of products is sometimes difficult, especially when only little things separate one from another. In the end, the results came down to just how complete the UTM services were in each appliance. The ServGate EdgeForce M30 and the SonicWall Pro 2040 completed all of my testing with flying colors, earning them the top scores in our roundup. Both of these appliances demonstrated excellent protection against attack and also applied all core UTM services across the various traffic types.
For situations where additional physical interfaces are required and FTP traffic isn’t a priority, the Fortinet 400A would be a good pick. Its rich features do come with a rich price tag, however. WatchGuard’s Firebox Core comes with a full range of services, as does the Astaro Secure Gateway, and if FTP traffic isn’t part of the network’s day-to-day traffic, these too should be considered viable solutions.