Bake-Off: Unified Threat Management Appliances


You can squeeze a whole lot of security out of a good Unified Threat Management (UTM) product, because these appliances carry up to a dozen intrusion-prevention and network-protection safeguards all in one box. For the most part, solution providers like to install a UTM device at a small- to midsize-business client site and let it handle jobs typically taken on by several hardware and software solutions. ClearPointe Technology has taken that strategy and run with it.

The Little Rock, Ark.-based managed service provider gathers threat data from all the UTM appliances it has deployed at client sites. That data is collected at ClearPointe's security operations center (SOC) and passed along to the company's network operations center (NOC) to arm the MSP with up-to-the-minute details about possible security threats originating from various places around the globe.

Of course, few systems integrators or MSPs have operations on the scale of a ClearPointe, whose NOC was recently certified by the MSP Alliance for outsourcing by other VARs looking to provide managed services without making a large, up-front investment. Still, even if one isn't tapping UTM appliances for all they're worth like ClearPointe, the devices are growing in popularity with solution providers and their customers.


The way to measure the growth of demand for UTM appliances isn't in sales of the various products from vendors like Fortinet, Astaro, eSoft and SonicWall, said Gartner analyst Greg Young. "Putting a single number on the size of the market is very difficult. There are 10 or 12 possible safeguards put on these devices. And in recent years, there's been a steady growth of putting new safeguards into UTM devices. The actual growth is in how many subscription services they enable on a device," he said.

On a typical UTM box for an SMB client site, those safeguards would include a firewall, antispam and antispyware software, and various antiphishing, network security, and worm-detection and isolation tools. Web and e-mail security might also be available on a UTM appliance, but keep in mind that even the smallest IT environments can probably handle those tasks better with a purpose-built solution, warns Tom McArthur, president of Waltham, Mass.-based managed security services provider Storbase.

So, what should you look for in a UTM appliance? In the following pages, CRNTech's Test Center puts three of the most popular devices through their paces. But first, a quick word of advice from Deepak Thadani of Sysintegrators. The New York-based security specialist has had plenty of experience listening to UTM vendors, and Thadani offers an interesting view on what to avoid.

"With those manufacturers who look at training as a profit center, it's a painful process. With those who just want to get you up to speed, it's easy. Different manufacturers look at VARs in different ways. Some look at us as customers, and they're looking to make money off us. But those who look at us as partners are trying to enable us and empower us to go out and sell solutions," Thadani said. "So, when it comes to training on a UTM appliance, give me a break. It should be a one- or two-day class. Anything more, forget it."

Methodology
CMP Channel engineers configured and installed three UTM appliances: Astaro's Security Gateway 110/120, eSoft's InstaGate 604 and SonicWall's TZ 180. All three are designed for small corporate offices or companies with simple network configurations. After installing the appliances, engineers tested various security, network and firewall features. While the three vendors ship a wide array of configuration options based on what each thinks is important to secure, engineers gave greater weight in their scoring to key features such as intrusion detection and content inspection. Engineers also looked at the other revenue sources that the appliances and vendor support programs can provide to SMB solution providers.


Astaro Security Gateway 110/120
While there are many vendors that specialize in content filtering and other application-level security, only a few vendors can truly claim that they have a UTM solution. Astaro is one.

The Astaro Security Gateway 110/120 Version 7 arrives with the most security management features of all the products we reviewed. Solution providers will find Astaro's Gateway appliance the most flexible to use in most network environments, simply due to its many options and configurations available for each of its network and security features. However, many SMB networks probably won't use most of them.

Astaro's Security Gateway is designed to scale up from small offices all the way to an enterprise. Solution providers servicing large customers can get the security gateway software and install it on Intel-based servers or run it as a virtual appliance under VMware. The appliance's features are GUI-based, so small solution providers do not have to be security or command-line experts to run it. The appliance also exposes an SSH interface for those who want the command line.

Astaro's dashboard interface is structured quite well. When logging in for the first time, solution providers can check when the software was last updated. Astaro's update service requires the appliance to have constant Internet access so that critical updates, such as virus signatures and intrusion-protection patterns, arrive quickly. The appliance tells administrators when a reboot is required, and applies updates automatically, or manually if Internet access is sporadic. Setting up the appliance takes about 10 steps.

However, the submenus carry many details that aren't always easy to follow, and some menus require in-depth knowledge of complex networking setups. CMP Channel engineers highly recommend reading the appliance's administration guide. By contrast, some steps, such as site-to-site VPN connectivity rules, are handled automatically. Solution providers do have to wrestle with packet rules and work out the protocols themselves. Some higher-level interfaces, such as Web security, are extremely useful and do not require digging through submenus: solution providers can check a customer's top domains, active users and traffic, and even determine which user is hogging network bandwidth.

As solution providers start enabling modules, they have to follow different rule sequences. They also can create definitions on the fly. The rest of the setup process is similar to eSoft's and SonicWall's. The Web admin GUI is highly configurable, so solution providers will find Astaro ideal when administering remote sites. The gateway appliance provides user authentication or can attach to external services such as VeriSign.

A good feature is the automatic backup. After creating a backup of its configuration, the appliance can send the file off-site via encrypted e-mail. In case of a successful zero-day attack, backup configurations let solution providers get a replacement up and running in minutes. Keep in mind that a configuration backup carries the appliance's secrets, such as VPN keys and administrator credentials, so the passphrase protecting it belongs somewhere other than on the appliance itself.

Unlike some of its competitors, the appliance provides remote-access clients for both IPSec and SSL VPN. In addition, end users can manage their own e-mail quarantine by creating whitelists and releasing messages that were incorrectly flagged.

The appliance's networking interfaces are just as comprehensive as its security features. Solution providers can set up IP schemes, bridging/routing, link aggregation, DHCP, network address translation and DMZs. Everything created on any interface is disabled until an administrator explicitly enables it, a sensible default-deny stance. Link aggregation groups bundle redundant NIC connections for failover and added bandwidth.

Solution providers don't have to be experts when activating the appliance's security features. The Astaro appliance provides simple steps when starting intrusion-detection and Web-filtering modules. Astaro provides a list of commonly used environments and applications that can be activated based on actual applications running on a network. Many of the protection measures that are installed on the appliance are based on rules.

Solution providers can change internal logos, disclaimers and various other text messages, and can do the same for the Web and e-mail proxies. The block pages served by the HTTP proxy can be customized in the same way, so users see a custom message when a request is denied.

Astaro's licensing model is channel-friendly. Solution providers have full control at all times over features that are activated through the appliance. Astaro arrives with SNMP services to manage multiple gateway boxes. The appliance supports high-availability and load-balancing configurations from two to 10 active appliances connected together.

The base license covers all of the network functionality, such as firewalls, intrusion protection, VPN gateway, services for proxies and services for VoIP. The appliance comes with a special license for hot standby clustering.

Additional licenses activate Web-content filtering, antivirus protection, antispyware and end-user profiles. Another license covers e-mail security, which provides protection against spam, adware and malicious attachments. E-mail security works on SMTP and POP3.


ESoft InstaGate 604
Solution providers servicing SMBs with UTM appliances need to have relevant information at their fingertips to make rapid decisions on incoming threats. To take action, the information needs to be comprehensive but easy to absorb. ESoft's InstaGate 604 UTM appliance does it quite well.

InstaGate's user interfaces are simple and clear, and do not overwhelm solution providers with too much detail. Like the other vendors in the review, the first pane shows a general status of the system and the network. ESoft calls this pane the ThreatMonitor.

ESoft has invested in firewall and intrusion-prevention technologies, as well as proxy-based tools, which is good for Web filtering and preventing virus attacks. In addition, InstaGate supports e-mail filtering.

All major security decisions are left up to the appliance; solution providers mostly just have to turn settings on. At its core, InstaGate uses a bimodal scanning technique that switches between its two scanning methods, depending on traffic load, to scan data streams as efficiently as it can.

Unlike its competitors, the InstaGate appliance comes with a hard drive, which can be used to store content or run third-party servers such as Exchange. This is a convenient feature for customers that don't have the resources to maintain multiple servers, but hosting a mail server on the perimeter device also widens that device's attack surface, so weigh the convenience against the exposure.

The e-mail filtering capabilities only provide the basic blocking mechanism. E-mail filtering settings, for instance, support regular expressions and a couple of other simple blocking features, including a file attachment filter that is based on file types. File attachments can be routed to eSoft for virus and spyware analysis.

The SpamFilter settings come with many options to block content, and solution providers need to understand the rules and feature settings that make up an antispam solution. For instance, turning on the Bayesian self-teaching tool lets the appliance learn to tell spam from legitimate messages, using its own internal scoring mechanism. Solution providers can also keep the Bayesian tool from evaluating mail from certain IP addresses, which then forces them to maintain whitelists for those sources.
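To make the e-mail filtering mechanisms described above concrete, here is an added Python example, not eSoft's code, of a small mail-filter pipeline that applies them in one pass: a file-type attachment filter, a regular-expression content rule, a sender whitelist, and a self-trained naive Bayes score. The blocked extensions, the content rule, the whitelisted address, the training messages and the 0.9 threshold are all constructed assumptions for the example; a real deployment would learn from user feedback over time.

```python
import email.utils
import math
import re
from collections import Counter
from email.message import EmailMessage

# Constructed policy for the example (not eSoft's defaults).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".vbs", ".js")
CONTENT_RULES = [re.compile(r"\bwire transfer\b", re.IGNORECASE)]
WHITELIST = {"payroll@example.com"}      # hypothetical trusted sender
SPAM_THRESHOLD = 0.9                     # Bayes score at or above which mail is quarantined
TOKEN_RE = re.compile(r"[a-z$]{2,}")


class BayesFilter:
    """Self-teaching multinomial naive Bayes with Laplace (+1) smoothing."""

    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, text, is_spam):
        words = TOKEN_RE.findall(text.lower())
        if is_spam:
            self.spam.update(words)
            self.n_spam += 1
        else:
            self.ham.update(words)
            self.n_ham += 1

    def spam_probability(self, text):
        """P(spam | words), computed in log space to avoid underflow."""
        words = set(TOKEN_RE.findall(text.lower()))
        vocab = len(set(self.spam) | set(self.ham))
        spam_total = sum(self.spam.values()) + vocab
        ham_total = sum(self.ham.values()) + vocab
        n = self.n_spam + self.n_ham
        log_spam = math.log(self.n_spam / n)
        log_ham = math.log(self.n_ham / n)
        for w in words:
            log_spam += math.log((self.spam[w] + 1) / spam_total)
            log_ham += math.log((self.ham[w] + 1) / ham_total)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def trained_filter():
    """Train on a handful of constructed messages."""
    f = BayesFilter()
    for text in ("cheap meds buy now viagra discount",
                 "win a free prize claim your lottery winnings now",
                 "limited offer cheap loans apply now"):
        f.train(text, True)
    for text in ("meeting moved to 3pm see agenda attached",
                 "quarterly numbers attached please review before friday",
                 "can you review the deployment plan for the new gateway"):
        f.train(text, False)
    return f


def make_message(sender, subject, text, attachment=None):
    """Build a test message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    msg.set_content(text)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


def classify(msg, bayes):
    """Return (verdict, reason) for a message."""
    # 1. Attachment filter runs first and applies even to whitelisted
    #    senders, because the From header is trivially forged.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            return "block", "attachment type: " + name
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # 2. Whitelist bypasses content scoring only.
    sender = email.utils.parseaddr(msg["From"])[1].lower()
    if sender in WHITELIST:
        return "allow", "whitelisted sender"
    # 3. Hard regex rules block outright.
    for rule in CONTENT_RULES:
        if rule.search(text):
            return "block", "content rule: " + rule.pattern
    # 4. Bayesian score decides the rest.
    score = bayes.spam_probability(text)
    verdict = "quarantine" if score >= SPAM_THRESHOLD else "allow"
    return verdict, f"bayes score {score:.3f}"
```

The ordering is the design point: the attachment filter is evaluated before the whitelist because a whitelist keyed on the sender address can be bypassed by anyone who forges a From header, so it should only ever relax the probabilistic scoring, never the hard file-type rule.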

The appliance decides which type of scanning to perform based on the threat at hand and which settings have been turned on. The antivirus (AV) features keep network file traffic flowing automatically while they scan. In addition to network scanning, InstaGate's Gateway AV settings can scan SMTP traffic.

Even though solution providers have fewer options when managing the AV and antispyware Gateway features, they can exempt major external ports from scanning, which is useful when testing Web applications. Unfortunately, custom ports cannot be scanned, and beyond the port exemptions the AV Gateway only supports scanning exemptions based on IP address.

InstaGate's Intrusion Prevention features reflect today's dynamic threats, which have many signatures and come from many sources. Accordingly, Intrusion Prevention combines the network, e-mail and Web settings into one pane. Solution providers can turn off a number of P2P and chat clients, set up IP boundaries to protect networks and servers, and add rules that aim to detect possible intrusions. The intrusion rules are grouped into predefined categories, such as Network Trojan Detected, Attempted Denial of Service, User Privilege Gain and Web Application Attack. Turning everything on is useful when figuring out what the appliance is able to detect; a production deployment should then be tuned, since blocking on every category will generate false positives that disrupt legitimate traffic.

InstaGate also supports site-to-site VPN, PPTP VPN and remote-user VPN through third-party VPN clients. PPTP should be treated as a legacy option; its MS-CHAP authentication has well-known weaknesses, so prefer IPSec where the client supports it. What's more, the appliance supports SIP and VoIP RTP protocols, and solution providers can manage quality of service for VoIP as well as many other network-protocol services.

InstaGate has a built-in router that can configure network settings for an entire organization, and it even supports failover across dual WAN connections. Simple routing features are also available. InstaGate's alerts and reports are comprehensive: solution providers can receive daily reports on just about every option that's turned on, and quota reports of any size and type can be marked as alerts.


SonicWall TZ 180
Many solution providers servicing SMBs may not have a lot of expertise in security. This is where a powerful UTM tool such as SonicWall's TZ 180 comes in. Though less capable than the wireless TZ 190, the TZ 180 beats most competitors in the UTM space. The TZ 180 arrives with the most comprehensive set of UTM security features.

At its core, SonicWall appliances scan the content of real-time data streams without having to buffer whole files in memory, so inspection does not slow down as file size grows. Whenever the TZ 180 performs deep-packet inspection, network throughput is not noticeably affected. Engineers tested the appliance by downloading files of various sizes and found little change in access and data-transfer time.

Other UTM appliances on the market have to depend on hard drives, or their vendors have to add memory for buffering or impose limits on the size of the files that are inspected. Traditional packet-inspection algorithms can check headers efficiently because headers are small. Scanning entire packet payloads, however, requires that every byte be covered, so the matching algorithm has to be extremely fast.
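To show what stream scanning without file buffering looks like in practice, here is an added Python example (not SonicWall's code or algorithm) of a signature scanner that consumes a transfer in fixed-size chunks and carries over only the last max_len-1 bytes of the previous chunk, so that a pattern straddling a chunk boundary is still caught while memory use stays bounded by the longest signature rather than by the file. The EICAR test string is the standard antivirus test pattern; the second signature and the sample HTTP response body are constructed for the example. A whole-file reference scanner is included to show the two agree.

```python
from typing import Iterable, List, Tuple

Hit = Tuple[str, int]          # (signature name, stream offset of the match)

# EICAR is the standard AV test string; the second entry is illustrative only.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = [
    ("eicar-test-file", EICAR),
    ("demo-shell-marker", b"/bin/sh -c"),   # constructed, not a real IPS rule
]

# Constructed sample transfer: an HTTP response with both patterns embedded.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
          + b"A" * 100 + EICAR + b"B" * 50 + b"/bin/sh -c id" + b"C" * 10)


class StreamScanner:
    """Match byte signatures across chunk boundaries with bounded memory.

    Between calls to feed() only the last max_len-1 bytes are retained:
    any match of length L <= max_len that crosses a boundary starts at most
    L-1 bytes before it, so it always lies inside tail + next chunk.
    """

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.max_len = max(len(p) for _, p in signatures)
        self.tail = b""
        self.offset = 0          # stream offset of tail[0]
        self.max_window = 0      # largest buffer ever held, for the reader
        self.hits: List[Hit] = []

    def feed(self, chunk: bytes) -> List[Hit]:
        """Scan one chunk and return the hits it completed."""
        prev = len(self.tail)
        window = self.tail + chunk
        self.max_window = max(self.max_window, len(window))
        found: List[Hit] = []
        for name, pattern in self.signatures:
            i = window.find(pattern)
            while i >= 0:
                # A match lying wholly inside the carried-over tail was
                # already reported by the previous call; skip it.
                if i + len(pattern) > prev:
                    found.append((name, self.offset + i))
                i = window.find(pattern, i + 1)
        keep = self.max_len - 1
        new_tail = window[-keep:] if keep else b""
        self.offset += len(window) - len(new_tail)
        self.tail = new_tail
        self.hits.extend(found)
        return found


def chunked(data: bytes, size: int) -> Iterable[bytes]:
    """Split data into fixed-size pieces, standing in for packets."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def scan_stream(chunks: Iterable[bytes], signatures=SIGNATURES) -> List[Hit]:
    scanner = StreamScanner(signatures)
    for chunk in chunks:
        scanner.feed(chunk)
    return sorted(scanner.hits, key=lambda h: h[1])


def whole_file_scan(data: bytes, signatures=SIGNATURES) -> List[Hit]:
    """Buffered reference: needs the entire transfer in memory at once."""
    hits: List[Hit] = []
    for name, pattern in signatures:
        i = data.find(pattern)
        while i >= 0:
            hits.append((name, i))
            i = data.find(pattern, i + 1)
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for size in (1, 7, 4096):
        s = StreamScanner()
        for c in chunked(SAMPLE, size):
            s.feed(c)
        print(f"chunk={size:5d} max buffer={s.max_window:5d} hits={s.hits}")
```

The buffer never grows beyond one chunk plus max_len-1 bytes, whatever the transfer size, which is the property the review credits the TZ 180 with. The price is that a signature longer than the carried-over tail can be missed, so the tail length must be derived from the longest signature in the set, as the constructor does here, and recomputed whenever signatures are updated.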

The TZ 180 is a second-generation UTM product. The company has tweaked the software so it's able to keep up with business-class cable and DSL connections. The TZ 180's deep-scanning process checks packets for signatures that match its database, and the appliance also provides stateful packet inspection. SonicWall's TotalSecure solution for the TZ 180 includes one year of support for gateway AV, antispyware and intrusion-prevention services, and SonicWall works with solution providers during the subscription period. The TZ 180 also offers a year of content-filtering services, which includes protection against phishing attacks; SonicWall updates its appliances regularly with lists of phishing sites.

The TZ 180 is extremely simple to install. The installation steps are wizard-driven once the appliance is registered. For this review, SonicWall activated most gateway services, a desktop and server software service, and various support services. On MySonicWall.com, solution providers are able to manage different UTM products and maintain various licenses.

The services-management features on the site are simple to follow. When working with multiple products, solution providers can create groups to simplify administration; when managing multiple customers, it's easier to create both product groups and user lists.

Unlike the other vendors in the review, SonicWall has automated virtually the entire installation process. In a matter of minutes, solution providers can have an entire network running behind the TZ 180. Like competing UTM appliances, the TZ 180 combines the features of a small-office router with standard firewalling and network settings.

However, the TZ 180 is far simpler to use than its competitors. Every major configuration is wizard-driven: through wizards, solution providers can activate VPN policies, configure intranet servers and segment a LAN. Out of the box, the TZ 180 arrives with a comprehensive set of quality-of-service VoIP features that cover most SIP and H.323 settings.

Engineers found the arrangement of the TZ 180's main security dashboard bloated and too distracting. All of the monitoring features are spread out on various other panes, forcing users to navigate to different panes to check various statuses.


4 Key Players: Unified Threat Management

COMPANY: Astaro
Burlington, Mass.
(781) 345-5000
www.astaro.com

KEY PRODUCT: Astaro Security Gateway 110/120 comes bundled with many security and network features, allowing it to scale up quite easily regardless of network complexity. Astaro supports IP schemes, bridging/routing, link aggregation, DHCP and DMZs. Astaro can set up site-to-site VPNs automatically and generates VPN client access.

CHANNEL POINTS: Preferred partners are required to meet $5,000 in quarterly sales and can earn 30 percent margin. Astaro provides first-level support, configuration support and marketing material, including sales tools. Certification programs are available and training is free. Partners can receive certifications for security, administration and sales.

COMPANY: eSoft
Broomfield, Colo.
(303) 444-1600
www.esoft.com

KEY PRODUCT: ESoft InstaGate 604 provides Web and e-mail content filtering. The appliance includes a hard drive for an e-mail server or a simple file-server configuration. Monitoring security and appliance status is easy to follow. For e-mail, eSoft provides its own antispam filters. The company also tracks virus signatures.

CHANNEL POINTS:

COMPANY: Fortinet
Sunnyvale, Calif.
(408) 235-7700
www.fortinet.com

KEY PRODUCT: Fortinet's Multi-Threat Security solution pulls no punches: its SMB appliances provide VPN services, firewall protection, content filtering for e-mail and Web, AV and intrusion protection. The Fortinet 50B appliance provides multiple ports for up to three LAN connections.

CHANNEL POINTS: Fortinet partners can earn margins between 10 and 30 percent. Partners can receive express support as long as they purchase support contracts. Partners signing up for Fortinet's Global Alliance Partner Program can purchase discounted NFR appliances. Global partners can participate in joint revenue marketing programs.

COMPANY: SonicWall
Sunnyvale, Calif.
(888) 557-6642
www.sonicwall.com

KEY PRODUCT: SonicWall TZ 180 arrives with real-time scanning of data streams of any size. The SonicWall software provides fast deep-packet inspection without any extra hardware. The appliance provides phishing protection and other content-filtering services. A comprehensive set of VoIP features provides good quality of service for voice networks. The appliance can restrict applications that multicast and use many ports, such as Oracle and Windows Messenger.

CHANNEL POINTS: SonicWall's two-tier channel program offers free Web-based training, NFR programs and classroom discounts. Average margin varies between 15 and 38 percent depending on the partner's level. SonicWall offers advanced advisory support to all certified partners, allowing them to receive second-level support regardless of product or entitlement, thus reducing the time to resolution. The company is seeing a 50/50 partner profit split between hardware and software vs. associated services.