CheckPoint, Watchguard earn top spots in UTM shoot-out

When it comes to unified threat management appliances aimed at the SMB market, vendors are finding a way to fit additional security features into smaller and more powerful appliances.

In 2013, we looked at nine UTMs. This time around we reviewed six products: the Calyptix AccessEnforcer AE800, Check Point Software’s 620, Dell/Sonicwall’s NSA 220 Wireless-N, Fortinet’s FortiWiFi-92D, Sophos’ UTM SG125 and Watchguard Technologies’ Firebox T10-W. (Cisco, Juniper and Netgear declined to participate.)

We observed several megatrends across all the units that we tested:

• Small is beautiful. Boxes are getting smaller and more powerful. You don’t need a 19-inch rack-sized unit any longer unless you have the need for connecting to a lot of cables or to buy something bigger that is designed to support a very large network. Throughput and features have gone up as the size of the box has diminished, too.

• Big-ticket firewall features are entering the SMB UTM space. Even these smallest UTM models offer features that are often found in the largest of enterprise firewalls. Today’s typical UTM box includes application awareness, APT screening, and real-time threat visualization tools. While most small businesses don’t have skilled IT staffs to handle all of these features, they are still nice to have.

• Cloud management tools are more prevalent. Several vendors work with various add-on features to scan files for potential malware, or to off-load management features into the cloud. For example, WatchGuard works with Lastline’s cloud-based anti-malware tools, Sophos and Fortinet have cloud-based tools too.

• Mobile VPN clients now available. The VPN features on these boxes used to be more of an afterthought, but most of the vendors have beefed up their remote access features. Most products now have more of a selection of VPN types. They also offer the ability to support the built-in or open source mobile IPsec VPN clients of the latest phone and tablet operating systems. That is good news if you want to craft your own mobile device management alternative solution to at least protect data in transit with a smartphone. However, getting phones to work with these boxes is still somewhat of a chore. A few UTM vendors, such as WatchGuard and Calyptix, have added their own tools, clients, or configuration files to make establishing mobile connections easier, while others support the OpenVPN mobile clients.

• Better botnet containment. Fighting botnets is a cat-and-mouse war of attrition, but several vendors, including CheckPoint and Dell, have added specific policies to try to better contain these nasty forms of malware.

• Better enterprise wireless management tools. WatchGuard, Fortinet, Dell and Sophos all have beefed up their wireless management features so you can deploy multiple access points around your office and manage them centrally from a single set of screens.

Winners

All six of these units will do fine for securing small offices of 25 people, but CheckPoint and WatchGuard stand out as the top vendors in this review. They have solid features, great user interfaces, and coverage across the multiple security technologies that form the basis of what UTM means today. Both also offer relatively inexpensive boxes for small offices with low annual subscription fees.

+ ALSO ON NETWORK WORLD Leading-Edge UTM: What C-Level Execs Need to Know +

The others, though, aren’t all that far behind. Dell and Fortinet have very tired Web-based interfaces that are in need of a complete overhaul. Sophos has great features but its interface has gotten a bit unwieldy too. And Calyptix shows a lot of promise and has a great way to price its box that the others should follow.

Here are the individual reviews (watch a slideshow version of this story):

Calyptix

We tested the AE-800, which comes with four wired Ethernet ports that can be arranged in various VLANs or as a single flat network running version 3.1.15. None of the Calyptix boxes come with wireless access points. That could be a plus if you are worried that you will inadvertently leave your network open to wireless exploits or a minus if you have to deal with buying an additional wireless access points.

Calyptix has the simplest pricing: You get everything they offer without having to purchase individual subscriptions for particular features or for a certain number of users, and it also includes unlimited business hour phone support. If you have relatively modest needs (meaning don’t have a lot of exacting security requirements) and are on a budget, this might be the right box for you.

We found that Calyptix has the least intuitive web UI, with a complex series of menu buttons across the top and left-hand sides, and the UI itself seems somewhat old-fashioned and a bit cryptic. They do get kudos for providing hotlinks to help texts for further explanations of their configuration settings though. Graphical elements are sparse: most menus are fairly text-heavy.

The Security menu is divided into four sections: Network, Web, Email and Instant Messaging. The latter is just a simple radio button to block traffic with each of the major IM protocols. Again, if you want more subtle controls, you will need to look elsewhere. Web filtering can white/black list particular URLs, and there is a place to test whether a domain will be blocked by your settings. You can also block particular file types from entering your network through users’ web browsers, such as PDFs or Word files, with a few simple menu selections.

The AE-800 does support load balancing to multiple WAN connections, but getting that setup will require some effort at navigating several menus to prioritize outbound traffic and set up firewall rules accordingly. Recent updates to their firmware include more accurate and faster antivirus scanning. Another nice feature is its best practices analyzer: it will look over all your settings and suggest ways to improve them.

VPN support is somewhat limited, but has an interesting usability feature. Most other vendors have a long list of files that describe particular client software versions. Calyptix puts all of its VPN client tools and configuration settings into one ZIP file, and you generate this file for each specific user. This is done using the web UI.

Currently, their VPN supports only IPsec and passthrough PPTP connections using OpenVPN for Windows, OS X and iOS. It also uses FEAT VPN for Android v2.1 or later devices. You’ll want to review carefully the setup instructions that are included as part of the ZIP file, because of the several steps involved. But at least they put all the information together in one place.

One downside is that only the administrator has rights to the entire box, meaning if you want to have someone else have partial rights you can’t. Delegation of sub-admin rights is expected in an upcoming release. Another is that Web traffic doesn’t go through the anti-virus scanner, but can be filtered by URL or content.

Reports can be scheduled on a daily, weekly or monthly basis, and can be sent via email or just collected in the unit’s own archive. The first year’s price for our unit was $999, with subsequent years costing $449. While not the least expensive, this is close to the bottom.

CheckPoint

When we looked at UTM devices in 2013, CheckPoint was far and away the best product. While it still has strong features, the others, in particular WatchGuard, are catching up. We tested an early version of the 620, which comes with eight wired Ethernet ports that can be arranged in various VLANs or as a single flat network and running vR77 of firmware. It features support up to four different wireless SSIDs.

CheckPoint has been our favorite in terms of ease of initial setup and its user interface is still the best by far. Commands are intuitively laid out, there is ample use of graphical elements and just by clicking on a couple of buttons you can easily create protective policies. For example, adding a guest wireless network takes just a few mouse clicks and with an obvious link on the wireless settings screens. You can segregate wireless traffic for better protection with another mouse click.

Since we looked at its product in 2013, Check Point has added new security features such as anti-bot protection, which shares the same protective structure as anti-virus policies. They have also added mobile VPN clients to their mix of LL2P, SSL and IPsec VPNs. One nice feature is a link to the instructions on how to install and configure them from the Google Play or Apple iTunes Stores.

CheckPoint has beefed up its application controls, with more than 6,000 application policies, the most by far of any of the products we reviewed. You can quickly search through these and with a couple of clicks define a custom set of rules, such as 10 ways to regulate Facebook behavior across your network. Our only complaint is that they are tucked under the Users tab, making them initially hard to find. And with one click, you can place bandwidth limits on apps that can tend to hog it, like peer-to-peer networks and file sharing tools. This is one of the reasons why we continue to like what CheckPoint offers.

CheckPoint doesn’t offer much in the way of reporting options, with overall summary reports for fixed time periods. But at least you can query its log files if you are trying to track down something suspicious.

One downside is that an administrator has full access rights to the entire box; you can only assign a secondary admin for read-only access. CheckPoint has added a more capable cloud-managed security service for more granular management. This is useful for ISPs who want to centrally manage and support security policy management, firmware upgrades and automatic backups across multiple boxes. We briefly tested this feature.

Pricing is $598 for the wireless version that we tested, with a very low annual subscription fee of $100. This provides great value for the money.

Dell/Sonicwall

We tested the NSA 220 Wireless-N, which comes with seven wired Ethernet ports that can be arranged in various VLANs or as a single flat network and running v5.9 firmware. Dell continues to be in the middle of the pack: it isn’t the most feature rich or have the most intuitive user interface, but it does deliver solid protection.

For example, others have more capable VPNs or offer more wireless options. If you used Sonicwalls before the Dell acquisition, you will find your way around their menu structure just fine. But if you are new to the brand, you will wish for a new interface that is more usable, graphical, and simpler.

A case in point: Dell offers more than six different dashboards and at least as many setup wizards. These dashboards will show you in real time what is going on across your network, both from a bandwidth consumption as well as a threat analysis perspective. The wizards handle common tasks, such as setting up a switch port group or your wireless access. Navigating among all these choices can be daunting and take some time, which sort of defeats their purpose. On the other hand, once you run through the wizard, you probably don’t need to ever see it again.

Another example: Dell doesn’t offer the best support for VPNs, but they have widened their IPsec coverage somewhat and include mobile VPN clients for Android and iOS.

All Dell UTMs have integrated wireless access points, which exhibit this odd dichotomy. For example, you can schedule the times you want your wireless coverage to be active and you can manage an entire distributed network of wireless access points across your entire enterprise (which are both things just a few competitors have in their products), but configuring the wireless connection is somewhat cumbersome, requiring you to step through a series of several menus. You can set up multiple SSIDs with different security and access profiles though.

Dell has had the ability to set up specialized sub-admin accounts for some time, so you can delegate particular management tasks or have administrators view configuration settings in read-only mode. This is also missing in a few competitors’ products.

Dell has made several functional improvements in its UTM code in the past year, and most of them are under the covers: adding distributed DoS flood and botnet protection, improving IPv6 support, allowing deep packet inspection with no limits on file sizes and adding bandwidth management on a per user or per IP address basis to identify and eliminate network hogs.

Another new feature is the ability to detect rogue access points so you can get a handle on who might be leaking data. They have included this as part of its intrusion detection screens. Several others have this feature, including Fortinet and Watchguard. Dell has also enhanced the cloud-based antivirus scanner to get the latest updates via an online repository. Finally, they have beefed up their real-time network traffic analysis so you can see which applications are active across your network and then add firewall rules to manage their use.

Pricing for the Dell is high, at an initial cost of $1,860, but a more reasonable recurring cost of $615 after the first year.

Fortinet

We tested the 92-D, which comes with 14 wired Ethernet ports that can be arranged in various VLANs or as a single flat network and includes four PoE ports and running v5.2.2 firmware.