UTM appliances whip blended security threats
Unified threat management appliances combine multiple perimeter protections with mixed results
Taking one part stateful inspection firewall, one part intrusion prevention, and equal parts anti-virus, anti-spam, anti-spyware, and content filtering, UTM (Unified Threat Management) appliances blend traditionally separate security services into a single device, providing not only comprehensive protection against Internet-based threats but also streamlined access to policies and reporting.
Now, instead of jumping between separate security tools and management UIs, admins need only go to one place to manage and monitor these systems. Updates are scheduled and initiated from a single console, reports are viewed from one appliance, and policy is managed from one device.
By moving all of these security services into a single device, UTM appliances are supposed to reduce the admin’s workload; ease of use is one of the main selling points. A well-crafted UI can make short work of checking for signature updates, recent activity, and alerts. All of the solutions I tested provided “at a glance” monitoring and management, although some did it better than others. For the datacenter folks, all of the appliances can forward events to the usual collectors, including syslog servers and SNMP management tools, and all have their own branded central management tool.
A possible argument against UTM appliances is that security guys can no longer pick specific solutions for each defense; they have to use the UTM vendor’s bundled products. If, for example, the enterprise has standardized on CA’s anti-virus and anti-spyware products but wants another vendor’s firewall/VPN, there is no way to integrate the two systems into a common management platform.
For most, this argument is moot. The security services bundled together are typically “best of breed” services in their own right. For example, Astaro uses a combination of Kaspersky and open source signatures for virus protection, whereas WatchGuard and ServGate employ McAfee AV. I don’t believe any security administrator is going to stop using desktop anti-virus or anti-spyware protection and rely solely on the network edge device. UTM’s goal is to stop the threats before they can enter the network, with desktop protection as the last line of defense.
Take your places, please
For this round up of UTM solutions, we requested the model most suited for branch-office deployment. For us, that meant the smallest rack-mountable device that supports all core UTM features and can be managed centrally from the corporate datacenter. We ended up with a range of products from Astaro, Fortinet, ServGate, SonicWall, and WatchGuard, all 1U appliances and more than up to the task. Symantec, Secure Computing, and TippingPoint were invited but were not able to participate due to various scheduling conflicts.
I ran each appliance through a series of test scenarios similar to what any protected office might experience. I placed each firewall in front of a Windows SBS (Small Business Server) 2003 server running Outlook Web Access, the standard SBS remote workplace portal, SMTP mail services (Exchange), and an FTP server. I created inbound policies designed to expose yet protect each service. I then tried to exploit these services using Core Impact from Core Security Technologies.
My penetration tests included a series of attacks using well-known and well-documented exploits for each service. I targeted the attacks against the exposed services, all of which attempted to either take the service offline (DoS) or run code on the server. Core Impact made these tests extremely easy to set up, but even more importantly, it allowed the same tests to be repeated for each UTM appliance. The results proved that each firewall was more than capable of preventing a direct attack, and not once was my targeted server interrupted. During each attack phase, I kept an eye on the firewall’s logs to monitor developments as the attack took place.
One other test was to stress the virus-scanning capabilities of each UTM box. To do this, I copied a 160MB virus-infected ZIP file from a “public” FTP server into my protected network, pulling it from a Windows XP system with Internet Explorer as the FTP client. Only SonicWall and ServGate handled the file copy correctly without ignoring the virus in the file. I was amazed to find that not all UTM solutions can scan for viruses in all types of traffic in all situations; whether a file is scanned at all can depend on the protocol, the client, and the proxy the traffic happens to pass through. This is an area that many vendors need to work on.
Astaro Security Gateway 220
The Astaro Security Gateway 220 packs its UTM punch into a chassis loaded with eight 10/100Mbps Ethernet interfaces. The ASG 220 has a 40GB hard drive that is also used for Web caching and quarantining of spam and virus-infected objects. Setup and policy creation was not as straightforward as Fortinet’s or SonicWall’s but didn’t take more than an hour to complete. Astaro does, however, have one of the better built-in reporting engines.
Putting together the various inbound and outbound access rules takes a few extra clicks to complete, requiring the admin to create packet filter and dynamic NAT rules in order to allow valid inbound traffic. Other appliances, such as ServGate and SonicWall, take care of this extra step. Outbound policy can be defined different ways using the various proxies to mix and match users, hosts, and destinations along with content filters to provide just the right blend of threat management.
The ASG 220 comes with a full line of standard routing features and can be set up in transparent mode with all eight interfaces bridged — the only unit that can do that. I like having the capability to set up different subnets on the various physical interfaces and to create policies among them, including VLANs. The 220 also works with dynamic DNS and RIP (Routing Information Protocol) v1 and v2. QoS is available per policy but is limited to normal, low, or high settings.
Defining the various security policies for inbound traffic required a mix of packet filters, proxies, and NAT definitions. As opposed to SonicWall, which does the heavy lifting for you, Astaro requires admins to create each packet filter rule and match it with a manually created NAT rule in order for traffic to flow in to exposed Web services. This requirement doesn’t limit the functionality of the policy; it just adds a little additional administrative overhead.
Astaro’s core UTM features are built as part of the application proxies. For example, virus scanning will check inbound and outbound traffic through the SMTP proxy and can quarantine suspicious messages for later analysis. The HTTP proxy provides content filtering on client-requested traffic and uses Cobion URL filtering lists to mitigate casual surfing. Unfortunately, anti-virus scanning isn’t available for FTP traffic unless admins enable the HTTP proxy in standard mode and use a browser to copy files over FTP. A true FTP proxy will be available in the next release and will include anti-virus scanning.
IPS is well represented with a list of more than 4,000 detection signatures. IPS rules are grouped by attack type, which allows for quick and easy management. During my penetration tests with Core Impact, I was never able to exploit any of the services exposed through the ASG 220. Every attack was turned away and logged for later inspection.
Any self-respecting UTM appliance will have a full complement of VPN services, and the ASG 220 is no exception. It has a wide range of cipher strengths and hash algorithms allowing for very flexible deployment. Also included is Microsoft PPTP (Point-to-Point Tunneling Protocol) for client-to-site road warriors. Similar to policy definition, IPSec policy required a little more effort to complete.
The well-rounded reporting engine in the ASG 220 provides a wide variety of graphical charts as well as raw log files. There are two additional packages, the Report Manager and the Configuration Manager, that allow for centralized reporting aggregation and policy management.
Fortinet FortiGate 400A
The FortiGate 400A ships with six 10/100Mbps Ethernet interfaces and combines slick policy management with routing capabilities usually found only in bigger hardware. UTM services are complete, as are VPN and dynamic routing services. Remote management is performed through the FortiManager console, and local logging, although included, could be improved. Initial setup and configuration took less than 30 minutes to complete, and FortiGate’s IPS proved to be up to the task of stopping all the Core Impact attacks I threw at it.
The most expensive UTM box in our roundup, the FortiGate boasts a very flexible and powerful routing engine. Each of its six interfaces can be a member of a different IP network with distinct routing policies and RIP v1 and v2 settings. In fact, unique among the appliances tested, the FortiGate allows each physical interface to have its own DHCP server. One of the most interesting features is that the appliance can be divided into two virtual domains. This feature essentially splits the firewall into two logical devices. Physical interfaces and policies are each assigned as members of a specific domain.
Firewall access policies in the 400A allow for many different situations without being overly complex to define. I found it easy to create address assignments for specific services and to create security policies based on each type of traffic. Access policies are not automatically ordered, as they are by the SonicWall Pro 2040, but it is easy to reorder them from the UI.
The 400A works with site-to-site IPSec VPNs and also PPTP and L2TP (Layer 2 Tunneling Protocol) client-to-site connections. Encryption options range from single DES, which is kept only for interoperability with older peers and should not be chosen for new tunnels, up to AES256 (Advanced Encryption Standard 256-bit) for maximum security. Fortinet’s QoS support is among the best, with the capability to prioritize traffic and manipulate the Diffserv values.
All of the expected security services are in the 400A, and as opposed to Astaro and WatchGuard, Fortinet allows anti-virus scanning to be assigned to traffic other than SMTP. Services are enabled and assigned specific actions in a Protection Profile. Profiles can be a specific mix of services tailored to a type of traffic. For example, I created a profile with only anti-virus and IPS enabled and used it as a protection policy for FTP traffic. Admins can create many different profiles, each for a specific need.
The anti-virus service, although better than most, has its limitations. There is an upper limit on the maximum file size that can be scanned as it passes through the FortiGate. If the file exceeds 50MB, the upper limit for the model I tested, admins have the choice of denying the transfer completely or ignoring the oversized file and passing it through unscanned. This size limitation applies to all forms of traffic, so the choice between the two settings is really a choice between availability and coverage: deny, and legitimate large downloads fail; pass, and anything over the ceiling bypasses the scanner entirely.
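The two anti-virus observations above (the large infected archive pulled over FTP in the test methodology, and the per-file scan-size ceiling just described) can be reproduced without a live sample. The following is an added example written for this page, not code from the article or from any of the vendors reviewed. It builds a ZIP archive of a chosen size around the standard EICAR test string (a harmless 68-byte file that every mainstream scanner is expected to detect), classifies what comes back through the gateway, and sweeps archive sizes to locate the point where a box stops scanning. The FTP host, path and credentials are placeholders, and the “gateway” used in the self-test at the bottom is a stand-in that blocks anything at or below a configurable ceiling and passes the rest unscanned.

```python
"""Gateway anti-virus probe built around the EICAR test string.

Added example for this review; not vendor code.  Assumptions: the EICAR
string (industry-standard, harmless); FTP host/path/credentials below are
placeholders and are never contacted by the self-test.
"""
import ftplib
import io
import os
import zipfile
from typing import Callable, Dict, Iterable, Optional

# Assembled from two pieces so this source file is not itself flagged by a
# desktop scanner; joined, it is the standard 68-byte EICAR test string.
_EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
                "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR = "".join(_EICAR_PARTS)


def build_test_archive(target_bytes: int) -> bytes:
    """Return a ZIP holding eicar.com plus enough incompressible padding that
    the archive is at least target_bytes on the wire.  Padding is stored, not
    deflated, so the transferred size (what a scan-size ceiling sees) is what
    we asked for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("eicar.com", EICAR)
        pad_len = max(0, target_bytes - len(EICAR))
        if pad_len:
            zf.writestr("padding.bin", os.urandom(pad_len))
    return buf.getvalue()


def payload_intact(archive: Optional[bytes]) -> bool:
    """True when the EICAR member is still present and unmodified."""
    if not archive:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            return zf.read("eicar.com").decode("ascii") == EICAR
    except (zipfile.BadZipFile, KeyError, UnicodeDecodeError):
        return False


def classify(sent: bytes, received: Optional[bytes]) -> str:
    """Verdict for one transfer through the gateway:
         blocked          nothing (or an empty file) arrived
         passed-unscanned byte-identical copy, test file intact
         repackaged       archive rewritten in transit but test file intact
         stripped         archive arrived without a usable test member"""
    if not received:
        return "blocked"
    if received == sent:
        return "passed-unscanned"
    if payload_intact(received):
        return "repackaged"
    return "stripped"


def fetch_via_ftp(host: str, path: str, user: str = "anonymous",
                  passwd: str = "probe@example.invalid") -> bytes:
    """Pull the staged archive inbound through the appliance with a plain FTP
    client (placeholder host; mirrors the article's FTP download test)."""
    out = io.BytesIO()
    with ftplib.FTP(host, timeout=30) as ftp:
        ftp.login(user, passwd)
        ftp.retrbinary("RETR " + path, out.write)
    return out.getvalue()


def size_sweep(sizes_mb: Iterable[int],
               transfer: Callable[[bytes], Optional[bytes]]) -> Dict[int, str]:
    """Run the probe at several archive sizes.  `transfer` pushes one archive
    through the gateway and returns what arrived.  A scan-size ceiling shows
    up as the size at which verdicts flip from 'blocked' to
    'passed-unscanned'."""
    results: Dict[int, str] = {}
    for mb in sizes_mb:
        archive = build_test_archive(mb * 1024 * 1024)
        results[mb] = classify(archive, transfer(archive))
    return results


if __name__ == "__main__":
    # Stand-in gateway: scans (and blocks) up to a 50MB ceiling, passes the
    # rest unscanned, i.e. the "ignore oversized file" setting.
    ceiling = 50 * 1024 * 1024
    stand_in = lambda a: b"" if len(a) <= ceiling else a
    print(size_sweep([1, 16, 64], stand_in))
```

Against a real appliance, replace the stand-in with a function that stages the archive on the outside FTP server and calls fetch_via_ftp through the box; a byte-identical copy landing on the protected host is the result the article describes for the vendors that "ignored the virus in the file".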
Fortinet maintains its own signature lists for anti-virus, IPS, Web, and spam filters, and updates can be scheduled hourly to make sure the latest definitions are online. In addition to signatures, the IPS uses anomaly detection to protect exposed systems. Admins can create custom signatures or simply use the included list. As with all of the solutions tested here, Core Impact couldn’t find a crack in Fortinet’s IPS.
Reporting and logging services are average. Five different logs are included, but for the best results, admins will want to ship the information off to either a Syslog or WebTrends server. For centralized management, Fortinet’s FortiManager is the platform to use. It allows for direct remote management as well as report and log aggregation.
ServGate EdgeForce M30
ServGate’s EdgeForce M30 appliance comes with three 10/100Mbps interfaces and a 20GB hard drive used for Web caching and many of its core security services. Setup and configuration of the M30 was straightforward; I had the unit online with a default outbound policy in less than 30 minutes. The M30 came in as the lowest-cost appliance in our group, and policy creation and maintenance were not overly difficult.
The M30 is based on purpose-built hardware. At its heart is a stateful inspection firewall that provides good all-around protection. Like Fortinet and WatchGuard, ServGate provides dynamic routing (RIP v1 and v2) as well as static routing and dynamic DNS. QoS is included, but it isn’t nearly as complete as the support found in Fortinet. VLAN support will be available in the next release of the ServGate OS.
VPN services are also well supported, with various flavors of site-to-site IPSec and PPTP, and ServGate’s own VPN client handling client-to-site chores. Admins can choose ciphers up to 3DES and AES256.
Creating inbound policy for my protected resources required first defining a virtual IP alias for each service and then plugging them in to the appropriate IP mapping policy. Part of the policy creation includes what content filter to apply to the inbound traffic. ServGate’s content filters are based on IPS rules and the additional security services such as anti-virus.
For example, I was able to create a “test” content filter for my exposed Web server using a predefined Web server IPS policy and then by choosing to add anti-virus filtering. Admins can use the canned IPS and content filter rules or create new ones to meet specific needs. My only complaint is that I had to hop among three different areas of the admin console in order to manipulate and assign a content filter.