Bake-off: Unified Threat Management

UTMs, as the name suggests, are all-in-one security solutions. They take a multicomponent approach to threats, typically combining antimalware, antispam and intrusion-detection capabilities in a single appliance, and they differ in where their strengths lie. The Test Center examined a number of UTMs over the past year against a variety of scenarios. This report looks at three of the better performers to see how they match up against today's threat landscape.

The contenders are SonicWall's Network Security Appliance 2400, Sophos' WS1000 and eSoft's InstaGate 404e. All three received high marks from reviewers during UTM bake-offs this year, but the goal of this bake-off was narrower: to determine which of the three performs best at intrusion detection, logging of intrusion attempts and remediation.

SonicWall's NSA 2400

The Network Security Appliance 2400 is a very good appliance and efficiently does the job as an all-in-one network security solution. The NSA 2400 offers granular control, flexible dashboard views and some really top-notch customer support.

The dashboard in the management interface stands out. It can report threat statistics on a global scale, consolidating the threats reported by every device that reports back to SonicWall, or it can report on the local NSA 2400 alone. The dashboard gives counts for "Top Viruses Blocked," "Top Intrusions Prevented" and other threat categories, and either the global or the local view can be exported on the fly as a PDF.

The ability to list the current top intrusions is very useful, and combined with the appliance's robust in-the-box reporting it adds up to strong intrusion detection. Reports can be saved locally or uploaded to SonicWall's technical support. A minor complaint: after uploading a diagnostics report, the system confirmed that the report was sent successfully, but there was no readily discernible way to verify exactly what data had been sent or to whom. An administrator who wants to know what leaves the network in such a report should review its contents before enabling the upload.
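The "Top Intrusions Prevented" view described above is a count of IPS events grouped by signature. The following script, added here as an example and not code from SonicWall or the Test Center, builds the same top-N view from exported log lines. The log format is a constructed, generic key=value syslog style chosen for the example and is not the NSA 2400's actual export format; the sample lines are constructed as well. Malformed lines are skipped rather than crashing the parser, which matters when a log export contains banner or debug text.

```python
import re
from collections import Counter

# Constructed sample IPS log lines in a generic key=value style.
# This format is an assumption for the example, not the appliance's real syslog format.
SAMPLE_LOG = """\
2008-10-02T09:14:03 ips action=prevented sig="SQL Injection Attempt" src=203.0.113.7 dst=192.0.2.10 dport=80
2008-10-02T09:14:05 ips action=prevented sig="SQL Injection Attempt" src=203.0.113.7 dst=192.0.2.10 dport=80
2008-10-02T09:15:11 ips action=detected sig="SSH Brute Force" src=198.51.100.22 dst=192.0.2.5 dport=22
2008-10-02T09:16:40 ips action=prevented sig="SQL Injection Attempt" src=203.0.113.9 dst=192.0.2.10 dport=80
this line is garbage from the export and must not crash the parser
2008-10-02T09:17:02 ips action=prevented sig="Directory Traversal" src=198.51.100.22 dst=192.0.2.10 dport=80
2008-10-02T09:18:30 ips action=detected sig="SSH Brute Force" src=198.51.100.22 dst=192.0.2.5 dport=22
"""

# Anchored pattern: a line must match the whole format to count as an event.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ips action=(?P<action>\w+) sig="(?P<sig>[^"]+)" '
    r'src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$'
)


def parse_events(text):
    """Return a list of dicts, one per well-formed IPS event; junk lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def top_intrusions(events, n=3, prevented_only=False):
    """Top-N signatures by event count, optionally restricted to blocked events."""
    counts = Counter(
        e["sig"] for e in events if not prevented_only or e["action"] == "prevented"
    )
    return counts.most_common(n)


def top_sources(events, n=3):
    """Top-N attacking source addresses by event count."""
    return Counter(e["src"] for e in events).most_common(n)


def dashboard(events, n=3):
    """Summary in the shape of a dashboard panel: totals plus the top-N lists."""
    return {
        "total": len(events),
        "prevented": sum(1 for e in events if e["action"] == "prevented"),
        "top_intrusions": top_intrusions(events, n),
        "top_sources": top_sources(events, n),
    }


if __name__ == "__main__":
    for key, value in dashboard(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Feed the script a real export and the only part that needs to change is LINE_RE; keeping the pattern anchored at both ends is what prevents a partially matching debug line from being counted as an event.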

The NSA 2400's firewall stands out as providing remarkably granular configuration that is not a headache to set up; there are a multitude of native services that firewall rules can be configured for from Citrix to Zeb Telnet.

Sophos' WS1000

The WS1000 management interface also has a dashboard view. Information on virus updates, Web traffic, bandwidth consumption and traffic patterns, such as spikes during the day, is all visible. Web traffic is shown on a gauge, something like an odometer, with a throughput reading from 1 to 1,000 kbps; latency is shown the same way on a scale from 1 to 1,000 ms. It is a quick and easy way to get an overview of bandwidth, and a nice departure from the standard pie charts and graphs. The same level of detail carries over to the intrusion-detection logs.

A feature that really caught our eye was the URL test. On the dashboard there is a field into which an administrator can enter a URL. The WS1000 reports back on that URL, giving the category it falls under (for example, Gambling or Adult) and its security risk rating. To test it, reviewers entered the address of a known hacking site, which was correctly identified and classified as a high security risk. This is a great tool for an administrator to check a site he or she is unfamiliar with before allowing or denying it in the Web-filtering policies.

Although the dashboard is full of good information, it was difficult to see a way to customize it as an Admin may not need to have all the information displayed all the time.

The WS1000 really shines when it comes to scanning. SophosLabs scans the Web every day for high-risk sites and updates the product accordingly; finding the latest threats is what this vendor is all about, and these folks take it very seriously. The WS1000's scanning differs from reputation-based approaches. Instead, the vendor uses what it calls Behavioral Genotype scanning, which analyzes content before it executes to judge what the code is designed to do rather than what it has already done, and so can catch unknown and zero-day threats that no reputation list has seen yet.

Sophos' research labs claim that a new infected Web page is discovered every 5 seconds, up from one every 14 seconds in its findings a year earlier. Seventy-eight percent of hacked sites, according to the vendor, are legitimate sites.

This, Sophos argues, is the heart of why its scanning technology is more effective than reputation scanning: at those rates a reputation list cannot keep up with the newest infected sites, most of which were trustworthy the day before. Sophos' filters detected the recent "Storm Worm" where other solutions had failed.

The WS1000 scans full content in both directions: outbound content is scanned as it leaves the network, and data coming back from the Web server is scanned in real time, so there was very little added latency during testing.

The appliance also performs true file-type scanning: it determines a file's type from its actual content rather than trusting the file extension, so a malicious executable renamed with a harmless extension is still recognized for what it is.
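True file-type detection means reading the leading bytes of the content (the "magic" signature) and comparing the result with what the extension claims. The following script is added here as an illustration of that technique; it is not Sophos' code, and the small signature table and the sample files are constructed for the example. A confident mismatch between the claimed and actual type is treated as spoofing and blocked along with executables, while content the table does not recognize is left alone, since an unknown type cannot be judged either way.

```python
import os

# Leading bytes of a few common formats, as published in their specifications.
# The table is illustrative, not exhaustive; a real scanner carries thousands of signatures.
MAGIC = [
    (b"MZ", "exe"),                      # DOS/PE executable (also .dll, .scr)
    (b"\x7fELF", "elf"),                 # Linux/Unix executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),              # also the container for docx/xlsx/jar
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Extensions that legitimately map onto a detected type.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip",
           "dll": "exe", "scr": "exe"}


def sniff_type(data):
    """Identify the type from content alone; 'unknown' if no signature matches."""
    head = data[:16]
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return "unknown"


def extension_type(filename):
    """The type the file name claims, from its extension only."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return ext or "none"


def classify(filename, data):
    """Return (claimed, actual, spoofed). Spoofed only when the content is recognized
    and disagrees with the extension; unknown content is never called spoofed."""
    claimed = extension_type(filename)
    actual = sniff_type(data)
    spoofed = actual != "unknown" and ALIASES.get(claimed, claimed) != actual
    return claimed, actual, spoofed


def should_block(filename, data, blocked_types=("exe", "elf")):
    """Policy is applied to the real type, so renaming setup.exe to photo.jpg does not help."""
    _, actual, spoofed = classify(filename, data)
    return actual in blocked_types or spoofed


# Constructed sample downloads: (file name as the server presented it, first bytes of content).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24),   # executable in disguise
    ("Q3.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("report.pdf", b"%PDF-1.4\n"),
    ("notes.txt", b"hello world"),
]


def scan(samples):
    """Classify each sample and decide whether it would be blocked."""
    return [(name, classify(name, data), should_block(name, data)) for name, data in samples]


if __name__ == "__main__":
    for name, (claimed, actual, spoofed), blocked in scan(SAMPLES):
        print(f"{name:12} claims={claimed:5} actual={actual:8} spoofed={spoofed!s:5} block={blocked}")
```

The alias table is the part that needs care in practice: zip-based formats all share the PK header, so a .docx that sniffs as zip is consistent, while a .jpg that sniffs as an executable is not.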

The WS1000 also features in-the-box reporting. Reports can be set up to go back to Sophos for analysis or be sent directly to a VAR, which makes it easy to compare the intrusion attempts seen on your own network with the threats Sophos is seeing globally.

eSoft's InstaGate 404e

Reviewers sent a Trojan to a server under the InstaGate's protection. The InstaGate blocked it, and the event was immediately logged under Anti-Virus in Threat Monitor, which identified the Trojan's signature and the client it was addressed to.

The device ships with system firewall policies already in place dictating the rules for IPsec, PPTP and Web access. These system policies cannot be modified, but an administrator can add his or her own custom firewall policies. Quality of Service policies can also be defined, with priorities and rate limits.

Setup through the Web interface is easy; both setup and management are done over an SSL connection in a browser. Setup time depends on how many SoftPaks have been purchased and need installing. For testing, reviewers installed the gateway antivirus, intrusion-prevention and site-filtering SoftPaks.

Installation ends with the device synchronizing with the SoftPak Director, the platform from which the appliance receives software and signature updates in real time.

The Bottom Line

First, it's worth mentioning that eSoft's device is tailored more for the SMB space, while Sophos' and SonicWall's are more enterprise products. That said, the InstaGate 404e has a lot of pep when it comes to detecting and blocking intrusion attempts. SonicWall is our pick for this bake-off because it detects intrusion attempts and logs them in detail. The ability to compare your own data against what SonicWall is seeing in the wild is also invaluable.