
Review: Putting UTM To The Test


By Mario Morejon, ChannelWeb

5:00 PM EST Fri. Jan. 18, 2008
From the January 21, 2008 issue of CRN Tech
Page 2 of 5
WatchGuard Firebox Peak X6500e
WatchGuard offers one of the most innovative UTM solutions on the market. Its Firebox Peak X6500e comes with advanced capabilities that surpass the other two vendors examined here.

The X6500e appliance comes with tightly controlled default configurations, so solution providers can simply turn it on and deploy it. As tested, the X6500e appliance arrived with inbound traffic shut off and open LAN ports. To get the box up and running, reviewers connected a test PC on the Firebox's trusted port and installed the WatchGuard System Manager client, which collects information from all Fireboxes on a network. The System Manager is the place to go to drill into each appliance.

WatchGuard's approach to creating and managing firewall policies is unique in the UTM space. Because the WatchGuard System Manager client needs to be installed on a remote PC, all of the other monitoring and management tools that come as part of System Manager also work from a remote PC. Policy Manager is one of those tools.

Policy Manager is extremely flexible when troubleshooting live Fireboxes, configuring applications or just experimenting with settings. With Policy Manager, solution providers can also create policies without connecting to live Fireboxes. In fact, they don't even have to be connected to a LAN, so they can take their work home. The configuration files can be saved locally into an XML file. When connected to a box, any changes made to a policy are immediately implemented.

When putting the X6500e into operation for the first time, default proxies and packet filtering rules immediately prevent intruders from snooping on a LAN. The company is careful in striking a balance between what's blocked and what's accepted, so that users are not drastically affected and can do business on the Internet without being disrupted.

However, some behaviors and file downloads are immediately curtailed. Out of the box, the X6500e blocks executables, SCR and CAB files. Many of the file types that are blocked by default are also known to carry malware.

First-time users who need to create a filter rule for HTTP or for other protocols can reuse other filter policies that arrive in the box. The architecture is extensible. Reviewers recommend looking at WatchGuard's System Manager User Guide, which lists and explains all of the default policies. The guide is also important in understanding how proxy policies work.

WatchGuard's proxy policies are unique in the UTM space and go well beyond simple filter policies to protect client and server communication. Proxies use regular expressions to analyze content at the packet level. For instance, a typical HTTP proxy rule can strip out cookies that come from any DoubleClick domain.

With this rule in place, DoubleClick won't be able to track users behind a Firebox. From an administration standpoint, proxy rules save time because they centralize management and eliminate most client browser configuration. Regular expressions can even evaluate browser configurations. For instance, solution providers can create a rule to stop browsers that don't have image viewing turned off from displaying images from Google's search results.

What's more, proxy rules reduce network traffic because they block packet content at the firewall. Web site packets also don't have to travel through other Layer 7 features, so latency is also reduced. WatchGuard's regular expressions also are programmable. In fact, the other two vendors examined here cannot match WatchGuard's proxy programming versatility. The company has fostered a community of solution providers in its forum that trade regular expressions. Solution providers can create proxy expressions that force Internet users to access only certain files in specific directories. The advanced functionality can protect server applications running on LANs that are part of Web applications.
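The proxy-rule behaviors described above (stripping cookies from DoubleClick hosts, blocking executables, SCR and CAB downloads, and limiting access to certain files in specific directories), as an added Python example. It is not WatchGuard's rule syntax or code from the review; the patterns, the `/public/` directory, the function names and the sample headers are assumptions made for illustration.

```python
import re

# Assumed patterns for illustration; not WatchGuard's rule syntax.
# The host pattern is anchored on a label boundary and at the end of the
# name so that "notdoubleclick.net" or "doubleclick.net.example.org"
# do not match.
COOKIE_STRIP_HOST = re.compile(r"(^|\.)doubleclick\.net\Z", re.IGNORECASE)
# File types the review says are blocked by default (executables, SCR, CAB).
BLOCKED_DOWNLOAD = re.compile(r"\.(exe|scr|cab)\Z", re.IGNORECASE)
# Hypothetical allow-list: only named files directly under /public/.
# The character class excludes "/", "." and "%", so "../" and
# percent-encoded traversal attempts fail the match.
ALLOWED_PATH = re.compile(r"/public/[A-Za-z0-9_\-]+\.(html|png|css)")

# Constructed sample response headers.
SAMPLE_HEADERS = [("Set-Cookie", "id=abc123"), ("Content-Type", "image/gif")]


def filter_response(host, headers):
    """Drop Set-Cookie headers on responses from hosts matching the rule."""
    host = host.rstrip(".").lower()
    if not COOKIE_STRIP_HOST.search(host):
        return list(headers)
    return [(k, v) for k, v in headers if k.lower() != "set-cookie"]


def filter_request(path, to_protected_server=False):
    """Return 'allow' or 'deny' for a request path.

    Outbound browsing uses a deny-list of file extensions; requests to a
    protected server use an allow-list of files in one directory.
    """
    path_only = path.split("?", 1)[0]  # ignore the query string
    if to_protected_server:
        return "allow" if ALLOWED_PATH.fullmatch(path_only) else "deny"
    return "deny" if BLOCKED_DOWNLOAD.search(path_only) else "allow"


if __name__ == "__main__":
    print(filter_response("ad.doubleclick.net", SAMPLE_HEADERS))
    print(filter_request("/files/setup.EXE?x=1"))
    print(filter_request("/public/../admin/config.html", True))
```

The allow-list form fails closed: anything the pattern does not describe is denied, which is why it suits the server-protection case better than an extension deny-list.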

To track traffic information, Firebox System Manager includes a Traffic Monitor tool for managing Firebox appliances. Traffic Monitor is a realtime display of the log coming out of the box. The log information is updated continually as traffic passes through the firewall. WatchGuard's monitoring is unique because it allows solution providers to interact with it in realtime.

Realtime monitoring also helps solution providers respond to end-user requests immediately. For instance, if part of a Web page fails to come up, solution providers can go into the Traffic Monitor and see exactly why a Firebox denied a particular packet. Assuming that an image in the page in question had a virus, solution providers can tell users not to travel to that Web site.

With WatchGuard's Traffic Monitor, solution providers are going to be more aware of network traffic than with most other UTM appliances on the market. The tool can even identify trends in malware such as malicious code hidden in Web pages that are picked up as users download content from legitimate Web sites. This trend is now referred to as drive-by downloads. More important, solution providers can give end users an honest response, something that's rarely done nowadays.
