The ASG 220 comes with a full line of standard routing features and can be set up in transparent mode with all eight interfaces bridged — the only unit that can do that. I like having the capability to set up different subnets on the various physical interfaces and to create policies among them, including VLANs. The 220 also works with dynamic DNS and RIP (Routing Information Protocol) v1 and v2. QoS is available per policy but is limited to normal, low, or high settings.
Defining the various security policies for inbound traffic required a mix of packet filters, proxies, and NAT definitions. As opposed to SonicWall, which does the heavy lifting for you, Astaro requires admins to create each packet filter rule and match it with a manually created NAT rule in order for traffic to flow in to exposed Web services. This requirement doesn’t limit the functionality of the policy; it just adds a little additional administrative overhead.
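The two-rule pairing described above (a DNAT rule to steer traffic to the internal server, plus a separate packet-filter rule that permits the translated traffic) is easy to get half-right. The following Python model, added here as an illustration and not code from Astaro or any vendor, evaluates an inbound packet against a NAT table and a filter table in that order so the three outcomes can be compared: both rules present, NAT missing, and filter missing. All addresses and rule names are constructed.

```python
"""Model of the inbound policy pattern a UTM admin must build by hand:
a DNAT rule (public IP:port -> internal host:port) and a packet-filter rule
that allows the translated traffic. Constructed example, not vendor code."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    """Destination NAT: rewrite (match_dst, match_port) to (to_dst, to_port)."""
    match_dst: str
    match_port: int
    to_dst: str
    to_port: int


@dataclass(frozen=True)
class FilterRule:
    """Packet filter evaluated after NAT, against the translated destination."""
    dst: str
    dport: int
    action: str  # "allow" or "drop"


# Constructed TEST-NET addresses (RFC 5737); no real hosts implied.
FIREWALL_EXTERNAL_IP = "203.0.113.10"
WEB_SERVER_IP = "192.0.2.80"

WEB_NAT = NatRule(FIREWALL_EXTERNAL_IP, 80, WEB_SERVER_IP, 8080)
WEB_FILTER = FilterRule(WEB_SERVER_IP, 8080, "allow")


def apply_dnat(pkt: Packet, nat_rules: List[NatRule]) -> Packet:
    """First matching DNAT rule rewrites the destination; otherwise unchanged."""
    for r in nat_rules:
        if pkt.dst == r.match_dst and pkt.dport == r.match_port:
            return Packet(pkt.src, r.to_dst, r.to_port, pkt.proto)
    return pkt


def filter_verdict(pkt: Packet, filter_rules: List[FilterRule],
                   default: str = "drop") -> str:
    """First matching filter rule decides; the implicit default is drop."""
    for r in filter_rules:
        if pkt.dst == r.dst and pkt.dport == r.dport:
            return r.action
    return default


def forward_inbound(pkt: Packet, nat_rules: List[NatRule],
                    filter_rules: List[FilterRule]) -> Tuple[str, Packet]:
    """Return (verdict, translated_packet).

    Order matters: DNAT runs before the filter, so the filter rule must
    name the *internal* address and port. A packet still addressed to the
    firewall itself after NAT is never forwarded, whatever the filter says.
    """
    translated = apply_dnat(pkt, nat_rules)
    if translated.dst == FIREWALL_EXTERNAL_IP:
        return ("not-forwarded", translated)
    return (filter_verdict(translated, filter_rules), translated)


def scenarios() -> dict:
    """Evaluate one inbound HTTP request under the three rule combinations."""
    inbound = Packet(src="198.51.100.7", dst=FIREWALL_EXTERNAL_IP, dport=80)
    return {
        "nat_and_filter": forward_inbound(inbound, [WEB_NAT], [WEB_FILTER])[0],
        "filter_only": forward_inbound(inbound, [], [WEB_FILTER])[0],
        "nat_only": forward_inbound(inbound, [WEB_NAT], [])[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:16s} -> {verdict}")
```

The `filter_only` case is the one that bites in practice: the filter rule is correct, but with no DNAT entry the request never leaves the firewall's own address, so it is not forwarded and the admin sees no filter log entry to explain why.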
Astaro’s core UTM features are built as part of the application proxies. For example, virus scanning will check inbound and outbound traffic through the SMTP proxy and can quarantine suspicious messages for later analysis. The HTTP proxy provides content filtering on client-requested traffic and uses Cobion URL filtering lists to mitigate casual surfing. Unfortunately, anti-virus scanning isn’t available for FTP traffic unless admins enable the HTTP proxy in standard mode and use a browser to copy files over FTP. A true FTP proxy will be available in the next release and will include anti-virus scanning.
IPS is well represented with a list of more than 4,000 detection signatures. IPS rules are grouped by attack type, which allows for quick and easy management. During my penetration tests with Core Impact, I was never able to exploit any of the services exposed through the ASG 220. Every attack was turned away and logged for later inspection.
Any self-respecting UTM appliance will have a full complement of VPN services, and the ASG 220 is no exception. It has a wide range of cipher strengths and hash algorithms allowing for very flexible deployment. Also included is Microsoft PPTP (Point-to-Point Tunneling Protocol) for client-to-site road warriors. Similar to policy definition, IPSec policy required a little more effort to complete.
The well-rounded reporting engine in the ASG 220 provides a wide variety of graphical charts as well as raw log files. There are two additional packages, the Report Manager and the Configuration Manager, that allow for centralized reporting aggregation and policy management.
Fortinet FortiGate 400A
The FortiGate 400A ships with six 10/100Mbps Ethernet interfaces and combines slick policy management with routing capabilities usually found only in bigger hardware. UTM services are complete, as are VPN and dynamic routing services. Remote management is performed through the FortiManager console, and local logging, although included, could be improved. Initial setup and configuration took less than 30 minutes to complete, and FortiGate’s IPS proved to be up to the task of stopping all the Core Impact attacks I threw at it.
The most expensive UTM box in our roundup, the FortiGate boasts a very flexible and powerful routing engine. Each of its six interfaces can be a member of a different IP network with distinct routing policies and RIP v1 and v2 settings. In fact, unique among the appliances tested, the FortiGate allows each physical interface to have its own DHCP server. One of the most interesting features is that the appliance can be divided into two virtual domains. This feature essentially splits the firewall into two logical devices. Physical interfaces and policies are each assigned as members of a specific domain.
Firewall access policies in the 400A allow for many different situations without being overly complex to define. I found it easy to create address assignments for specific services and to create security policies based on each type of traffic. Access policies are not automatically ordered, as they are by the SonicWall Pro 2040, but it is easy to reorder them from the UI.
The 400A works with site-to-site IPSec VPNs and also PPTP and L2TP (Layer 2 Tunneling Protocol) client-to-site connections. Encryption strength ranges from DES to AES256 (Advanced Encryption Standard 256-bit) for maximum security. Fortinet’s QoS support is among the best, with the capability to prioritize traffic and manipulate the Diffserv values.
Keith Schultz is contributing editor of the InfoWorld Test Center.