
A feature that really caught our eye was the URL test. On this home page, there is a field in which a systems administrator could input a URL. The WS1000 will report back on that URL, giving the site category it falls under (for example, Gambling or Adult) and also will report the security risk for that site.
To test, reviewers entered the Web address of a known hacking site, which was correctly identified and classified as a high security risk. This is a great tool for an admin to check on a site that he or she may be unfamiliar with and appropriately configure access or denial in the Web-filtering policies.
Although the dashboard is full of good information, it was difficult to find a way to customize it, and an admin may not need to have all the information displayed all the time.
The WS1000 really shines when it comes to scanning capability. Sophos Labs scans every day for high-risk sites and updates its product based on this. Finding the latest threats is what this vendor is all about, and these folks take that very seriously. The WS1000's scanning capability differs from other scanning technologies, such as reputation scanning. The vendor uses behavioral genotype scanning, which catches unknown and zero-day threats by analyzing content before execution and analyzing the behavior of the code, in effect picking up on the intent of the code rather than what the code has done.
Sophos' research labs make the claim that one in five Web sites are being infected every 5 seconds and that this figure is up from its finding last year of every 14 seconds. Seventy-eight percent of hacked sites, according to the vendor, are legitimate sites.
This, Sophos makes the case, is the very heart of why its scanning technology is more effective than reputation scanning. At these rates, reputation filters would not be able to catch the latest infected sites. Sophos' filters were able to detect the recent "Storm Worm Virus" where other solutions had failed.
The WS1000 provides full content scanning; that is, content is scanned as it leaves the network. Data coming back from the Web server is scanned in real time, so there was very little latency during testing.
The appliance also engages in true file-type scanning, a spoof-proof technology that does not look only at the file's extension.
The WS1000 features in-the-box reporting. Reports can be set up to go back to Sophos for analysis or can be sent directly to a VAR. Being able to compare the intrusion attempts detected in your network with the types of threats Sophos is seeing is a great advantage.
