CIO

Unified Threat Management Device Roundup

Review by Enex TestLab

Cyber-attacks are constantly evolving and the attack methods used are constantly adapting. In a similar way, the traditional layers of defence have grown increasingly complex and interrelated. The convergence of security technologies into a single appliance, the Unified Threat Management (UTM) device, is a logical approach and can go a long way towards managing security in most organisations.

A typical UTM device offers far more than just firewall functionality, and a good one is extremely valuable on many levels. It can help prevent end users from accessing inappropriate websites using its inbuilt URL filters. It can aid employee productivity by limiting internet access and enforcing the business’s usage policy. It can help prevent malware outbreaks by scanning and blocking suspicious content at the gateway, and it can help stop spam email from reaching end users. It can provide a Virtual Private Network (VPN) tunnel for secure communications between separate business sites, and can enable secure connections to trusted third parties such as out-of-office employees, customers and partners.

A properly configured UTM device helps ensure that the inadvertent actions of employees and the deliberate activities of attackers are controlled. In the on-going game of cat and mouse between cyber-attacker and corporate defender, UTM devices are a powerful weapon.

In this review we’ll be providing an overview of the features and functionality of five commercially available UTM devices. We’ll put each device through its paces, testing the firewall components and taking a close look at their security configurations.

How We Tested

This review concentrates on the core functionality offered by each device. We tested five devices that are marketed towards small-to-medium enterprises.

  • Astaro Security Gateway 110
  • Check Point Safe@Office 1000N
  • Netgear ProSecure UTM 50
  • SonicWall NSA240
  • WatchGuard XTM 810

Firstly, each UTM device was deployed in a typical way, by connecting it simultaneously to the internet and a protected internal network. Client and server machines were set up on the newly protected network and given free rein to access the public internet. Our main aim was to accurately represent a (basic) real-world environment.

Secondly, each UTM device was examined in detail, inside and out. We performed a thorough TCP network scan (covering all ports, 0 to 65535 inclusive) over the internet to get a realistic attacker’s perspective. We then conducted a full TCP port scan on the protected internal interface to discover which ports were open or detectable from the LAN. It should be noted that evasion, stealth, and UDP scanning techniques were considered out of scope in this review due to time limitations and to avoid any false positive results.

Finally, we applied custom outbound firewall rules to test the accuracy of the devices’ outbound security policies.


Astaro Security Gateway 110

The Astaro Security Gateway 110 (ASG 110) is one of many hardware security appliances available in Astaro’s Security Gateway range. This model is designed to protect a small office of up to 10 users with a maximum firewall throughput of 200 Mbps. It can be easily upgraded to the ASG 120 model, which supports up to 50 users.

The ASG 110 is not a rack mountable device. It’s targeted at SMBs, so it is only slightly bigger than a Nintendo Wii (45mm x 270mm x 183mm). This diminutive box features a 1.5 GHz Intel-compatible CPU and an 80 GB hard drive for quarantine and log storage. Aiding management, the ASG 110 includes a VGA port, two USB ports and a console port accessible via a DB9 to RJ45 cable.

It includes four 10/100 Mbps network ports, allowing one adapter to be dedicated to the LAN and another to the WAN, with the remaining two ports available for DMZ configuration and high availability/clustering.

The firewall boasts Stateful Packet Inspection (SPI) as well as deep packet inspection, designed to remove any suspect traffic in transit from the WAN to the LAN.

A solid range of security services is available, including gateway anti-virus scanning, DoS protection, anti-spam, intrusion prevention, URL filtering, a web application firewall to aid in exploit protection, IM/P2P blocking, and a VPN component.

Installing the device is a straightforward process; no administrator will take long to get it up and running. It can be easily configured by connecting a client machine to the LAN port using a standard RJ45 Ethernet cable. The DHCP server is not enabled by default, so administrators will need to assign a static IP address to the first client computer. Once connected, the setup wizard can be initiated via Astaro’s Web GUI, which is served over HTTPS.

The Astaro ASG 110 is shipped with good out-of-the-box security: it will not permit any outbound network traffic by default. The flip side is that if the outbound firewall rules are not correctly defined during the initial setup phase, internal nodes will be denied access to the internet and other services.

During the initial setup, it requires an administrator’s email address and will use this address to automatically send a daily ‘Executive Report’ and ‘Configuration Auto Backup’ files. This daily report provides a good summary of network events from the last 24 hours, including statistics for resource usage (CPU/RAM), network usage (inbound and outbound requests) and network security (dropped packets and services). The reports are easy to read and are available in graph, tabular, and charted formats.

Astaro’s Security Gateway 110 is quickly set up, and administrators should find daily management tasks straightforward.

RRP: Unit cost $868 AUS plus $1059 AUS for a one-year licence.

Warranty: 1 year standard, extended when subscriptions are renewed.

positive

  • Easy to set up and maintain
  • Excellent automated reporting system.

negative

  • Lacks gigabit NICs
  • Only has 4 networking ports

summary
Astaro’s Security Gateway 110 offers a lot of benefits to the small office and it will seamlessly integrate within a wider network of other Astaro devices. We particularly liked how its GUI includes drag and drop firewall rules – making it easy to get to grips with the entire process.


Check Point Safe@Office 1000N

Check Point’s Safe@Office 1000N is the fastest product in its Safe@Office wired UTM range. Check Point claims the 1000N’s maximum firewall throughput is 1000Mbps, which is astonishing for a UTM marketed at the small business market.

The Safe@Office 1000N is a compact product, measuring 31mm x 200mm x 128mm. Its casing is a very bright orange and yellow, easy to spot amid other technical kit. Although not rack mountable, it is possible to wall-mount this unit, and the necessary fixings are included as standard.

As far as features go, six 10/100/1000Mbps network ports are provided for high speed data transfers. One adapter is dedicated for a WAN connection, four for LAN connections, with a spare available for configuring as either a DMZ or WAN failover. This appliance also features a ‘load balancing’ system, which, if enabled, makes use of two internet connections simultaneously to maximise network efficiency.

Installation is straightforward: attach an Ethernet cable between its LAN port and a workstation client and enable the workstation to obtain an IP/DNS address via DHCP. Then, using an internet browser, navigate to http://my.firewall, which will activate the setup wizard. A great feature of this UTM is that it does not ship with the administrator password already set; instead, the install process requires the administrator to choose one. After setting the password, the wizard prompts the user to enter the WAN networking details.

In most cases, it should only take about 20 minutes to get the device online – which is great. And although not immediately obvious, the unit is then also manageable over an HTTPS encrypted connection, in addition to the less secure standard HTTP channel.

By default, the firewall is set to allow most outbound traffic and deny all inbound traffic from the WAN, which is the industry gold standard. Adding new firewall rules is an easy procedure, achieved using a short wizard.

The Safe@Office 1000N also features anti-virus, anti-spam, DoS protection, intrusion prevention, and port scan protection components. Its reports/logs are not as well presented as some other solutions, but the detail of packet filtering information it provides is very good.

Overall, the unit is simple to use; most settings can easily be turned on or off using a virtual lever, making the experience of administration less daunting. Of course, there are more advanced options on offer too. This product will appeal to intermediate and novice users alike.

RRP: $1112 AUS

Warranty: 1 year

positive
  • Fast networking
  • Good level of out-of-box security
  • Simple but effective GUI

negative
  • Doesn’t offer as many network ports as other units within this price range

summary
The Check Point Safe@Office 1000N is an outstanding UTM with compact design, fast networking and low cost.


Netgear ProSecure UTM 50

The Netgear ProSecure UTM 50 is the top end appliance in Netgear’s ProSecure UTM family. This model is designed to protect a small-to-medium sized business and has a maximum stated firewall throughput of up to 950Mbps.

The ProSecure 50 is a standard 1U rack mountable device (44mm x 440mm x 260mm). Brackets are included with the device as standard.

For management tasks, the Netgear ProSecure UTM 50 has one USB port at the front and a console serial port at the rear. It has eight 10/100/1000 Mbps network ports, two of these are dedicated to WAN networking, with the remaining six available for LAN connections. Alternatively, one of the LAN ports can be configured as a dedicated DMZ. Having two dedicated WAN ports is advantageous for two reasons. Firstly, the device can be configured to load balance web requests – using two separate ISP connections simultaneously to improve its bandwidth. A second advantage is that the WAN connections can be configured to ‘primary WAN mode’, which uses one WAN network for all internet requests - reserving the remaining connection as a backup line in the event of the primary WAN connection failing.

By default, Netgear’s ProSecure UTM 50 is shipped with all outbound traffic enabled. Administrators will need to add LAN to WAN firewall rules to ensure their individual security policies are enforced. This solution includes a firewall, making use of Stateful Packet Inspection (SPI) methods to detect unwanted network traffic.

The Netgear ProSecure UTM 50 has many network security features on offer including intrusion detection and prevention systems, DoS protection, port/service blocking, stealth mode, TCP/UDP flood blocking mechanisms, and WAN/LAN ping response controls. Its additional security components include anti-virus scanning, anti-spam, URL filtering, IM/P2P blocking, and VPN capabilities.

This device ships with a local DHCP service enabled (by default) making it easy to set up and configure. The ProSecure UTM 50 is configurable over a secure HTTPS channel using a standard web browser. Administrators have the flexibility of configuring the device using setup wizards or manually. There are three setup wizards that can be used; the primary wizard (for core networking configuration and security settings); the IPSec VPN wizard; and the SSL VPN wizard.

Administrators can specify a mail server and email address to receive admin notifications from the Netgear appliance. The monitoring dashboard also provides administrators with a range of security events, including counters for spam, malware, port scans, URLs accessed, and IM/P2P blocking statistics, all of which is presented in tabular format accompanied by graphs for easy analysis.

The Netgear ProSecure UTM 50 makes it simple to handle everyday network administration; however, the GUI is not as easy to use or as innovative as some of its competitors (for example, the Astaro Security Gateway 110).

RRP: $1319 AUS

Warranty: 2 years

positive
  • High speed networking
  • Dual WAN networking options for load balancing of web requests or for a backup WAN connection
  • Easy to follow setup wizards

negative
  • The web interface looks a bit dated

summary
The Netgear ProSecure UTM 50 provides a well balanced gateway security solution for mitigating a wide scope of threats. This unit is competitively priced, can easily accommodate the network traffic of a small/medium office, but is not as easy to use as other units in this test.


SonicWall NSA240

The SonicWall NSA240 is SonicWall’s entry level appliance from its NSA range. The NSA240 has been designed to suit a small office network (up to 50 users) with a maximum firewall throughput of 600 Mbps.

The NSA240 packs a dual core 500MHz MIPS64 Octeon processor, 256MB of RAM and 32MB of flash memory, encapsulated within a 40mm x 272mm x 195mm case. It’s not rack mountable, mainly due to the slim-line design and its target audience.

This model’s features include a console port accessible by a DB9 to RJ45 cable, as well as two USB ports for management tasks. It has nine network ports, three 10/100/1000Mbps interfaces and six 10/100Mbps connections, which is a great specification for a unit in this price range. Two of the faster gigabit interfaces are dedicated to handling LAN and WAN traffic, with the third customisable as either a DMZ or as a secondary LAN/WAN connection. Its six 10/100Mbps interfaces can each be tailored to serve secondary LAN, WAN, and DMZ roles as required. If a secondary WAN zone is configured, it is possible to enable the device to load balance web requests between both gigabit WAN ports. Alternatively, the additional WAN network may be used as a failover should the primary WAN connection cut out. It’s a really versatile arrangement.

SonicWall’s NSA240 features an additional, and fairly unique, WAN failover mechanism - an optional 3G cellular modem. If the wired WAN connections all fail, this wireless 3G internet connection will kick in, decreasing the amount of downtime.

The NSA240’s firewall is able to manage inbound/outbound network access for LAN, WAN, DMZ, VPN and SSL VPN roles. The primary firewall uses Stateful Packet Inspection (SPI) with an option to supplement this technology with Deep Packet Inspection (DPI) for more thorough traffic analysis. The device features SYN/RST/FIN flood protection in order to detect related malicious network traffic.

Other optional features include ‘Application Intelligence and Control’, ‘Intrusion Prevention’, ‘Gateway Anti-Virus and Anti-Spyware’, ‘Enforced Client Anti-Virus and Anti-Spyware’, ‘Content and URL Filtering (CFS)’, ‘ViewPoint Reporting’, ‘Comprehensive Anti-Spam Service’, and ‘SSL Inspection (DPI SSL)’ capabilities.

The automated reporting features aren’t really as good, or as easy to set up, as some of the other solutions under test. However, the ‘Security Dashboard’ provides an excellent summary of viruses, spyware, intrusion attempts, and IM/P2P traffic statistics. ‘Security Dashboard’ data are exportable to a PDF file, which adds a professional touch to its reporting.

The SonicWall NSA240 has a clear and easy to understand Web GUI, and administrators have three methods of viewing its firewall rules: ‘All Rules’, ‘Matrix’, and ‘drop-down boxes’. We gravitated towards the ‘Matrix’ mode because it provides a well organised view of the security rules currently in place.

RRP: $1934 AUS

Warranty: 1 year

positive
  • Customisable network ports
  • Excellent web GUI
  • Multi-WAN failover options to minimise down time

negative
  • Automated reporting features aren’t as straightforward as other solutions.

summary
The SonicWall NSA240 provides administrators with a high speed customisable gateway device, which has several optional failover mechanisms designed to significantly reduce downtime.


WatchGuard XTM 810

The XTM 810 is WatchGuard’s entry level UTM device from its XTM 8 Series firewall appliance range. Even so, this big red machine is capable of achieving a claimed maximum firewall throughput of 3Gbps (which is almost mandatory for servicing its medium-sized business market of up to 1000 users).

The unit is a fairly standard size for a 1U rack mountable device, measuring 44mm x 430mm x 407mm. The rack mountable brackets are included as standard.

The XTM 810 is equipped with a 2.66GHz quad core processor, 2GB RAM, and 1GB flash memory. The unit boasts a serial port for a console link and two USB ports for further device connectivity. It features an LCD status display and four buttons for menu navigation. This solution has ten 10/100/1000Mbps network card interfaces, which allows an administrator to perform custom networking for LAN, WAN, and DMZ zones. The XTM 810 can be configured for multi-WAN operations, allowing administrators to specify two or more external lines – a useful feature for adding in multiple failover connections and for load balancing external traffic requests (to maximize networking efficiency and availability).

The device is armed with a ‘Default Packet Handling’ system, which is comprised of DoS protection and SYN/IKE/IPSEC/ICMP/UDP flood attack prevention. It also boasts port probe detection systems that can identify inbound port scanning techniques, making it difficult for potential attackers to conduct full scans from a single source.

Optional security licenses include Application Control, Reputation Enabled Defence, SpamBlocker with Virus Outbreak Detection, Gateway AV/IPS with Virus Quarantine, and WebBlocker with HTTPS URL filtering.

Administration of the device is possible in two ways, either by using its bespoke WatchGuard System Manager application or, for ease of use, the ‘Fireware XTM Web UI’. The ‘Fireware XTM Web UI’ dashboard offers an administrator CPU/memory usage statistics as well as an overview of the network configuration.

There is a detailed reporting system available, but administrators will need to set up a separate WatchGuard Reporting Server (based on a PostgreSQL database) in order to fully utilise the device’s reporting services (the software is included). Through the reporting server, there is a wide selection of data available, ranging from anti-virus reporting to URLs filtered. Reports are exportable to either HTML or PDF format, which comes in handy for distribution.

While this unit is not as simple to use as some of the other UTMs in this review, its principles of operation are quite similar. A competent network administrator will soon get to grips with this product and, dare we say, learn to love it more and more over time.

RRP: $8177 AUS for the WatchGuard XTM 810 with 1-yr LiveSecurity

Warranty: 1 year

positive
  • Highly customisable
  • High speed network ports
  • URL filtering with added HTTPS filtering

negative
  • Quite expensive for smaller organisations
  • Extra hardware is required for the reporting server

summary
The WatchGuard XTM 810 is a serious piece of security equipment, and it’s not for the faint-hearted. The XTM 810 performed admirably throughout our evaluation, and is well suited to medium-sized business networks with a large user base.


Testing Results

UTM Device                     External Tests          Internal Tests                 Custom Outbound Firewall Policy Rule Sets
Astaro Security Gateway 120    Port 4444 open          53 and 4444 open               HTTP traffic allowed, SSH traffic blocked as expected
Check Point Safe@Office 1000N  Zero ports found open   22, 53, 80, 443 and 981 open   HTTP traffic allowed, SSH traffic blocked as expected
Netgear ProSecure UTM 50       Port 443 open           21, 80 and 443 open            HTTP traffic allowed, SSH traffic blocked as expected
SonicWall NSA240               Zero ports found open   22, 80 and 443 open            HTTP traffic allowed, SSH traffic blocked as expected
WatchGuard XTM 810             Zero ports found open   4117, 4118 and 8080 open       HTTP traffic allowed, SSH traffic blocked as expected

Test Analysis

In an ideal world we would expect every UTM device to have zero ports (and so no internal services) detectable via the internet. But as the results table shows, only three out of the five appliances achieved this: good results for WatchGuard, SonicWall, and Check Point.

Astaro’s and Netgear’s products didn’t quite manage this goal, but each device only exposed a single port, and both vendors’ reasoning is sound: the ports are used for remote administration. Additionally, each vendor had put security controls in place to help prevent unauthorised access to the device through these exposed ports. Netgear’s ProSecure UTM 50 does not allow remote users to authenticate with the device from the WAN unless specified by the LAN based administrator. Astaro’s Security Gateway 120 employs its 'block password guessing' feature, which deters brute force attacks by blacklisting IP addresses after three failed authentication attempts.

Generally, we'd expect to find some standard ports open by default because devices would be unusable without some basic access to begin with. In terms of customised outbound firewall policy rules we evaluated, each device fully complied with the rules we modified. For example, we internally blocked the SSH protocol on port 22 and allowed HTTP traffic requests on port 80 without issues.
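One way to check a device's scan results against the acceptance criteria used in the How We Tested section and this analysis (nothing reachable from the WAN, only recognised management services on the LAN, outbound SSH blocked while HTTP is allowed). This is an added example, not Enex TestLab's tooling; it assumes nmap grepable (-oG) output for the two TCP scans and uses constructed sample scans rather than the review's own captures.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# TCP ports a UTM normally needs on the LAN side (web admin UI, DNS
# forwarder, SSH console). Anything else on the LAN, and anything at all
# on the WAN, is flagged for the administrator to justify or close.
EXPECTED_LAN_PORTS = {22: "ssh", 53: "dns", 80: "http", 443: "https"}

# Matches "<port>/open/tcp" entries in an nmap -oG "Ports:" list.
OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp")


def parse_open_ports(grepable_output: str) -> set[int]:
    """Return the TCP ports nmap -oG reported as open for the scanned host."""
    ports: set[int] = set()
    for line in grepable_output.splitlines():
        if line.startswith("Host:") and "Ports:" in line:
            ports.update(int(p) for p in OPEN_TCP_RE.findall(line))
    return ports


@dataclass
class ScanResult:
    device: str
    wan_scan: str            # nmap -oG output taken from the internet side
    lan_scan: str            # nmap -oG output taken from the protected LAN
    http_out_allowed: bool   # outbound TCP/80 test from a LAN client
    ssh_out_blocked: bool    # outbound TCP/22 test from a LAN client


@dataclass
class Verdict:
    wan_exposed: list[int]
    lan_unexpected: list[int]
    outbound_policy_ok: bool
    findings: list[str] = field(default_factory=list)


def evaluate(result: ScanResult) -> Verdict:
    """Apply the review's acceptance criteria to one device's scan results."""
    wan = sorted(parse_open_ports(result.wan_scan))
    lan = parse_open_ports(result.lan_scan)
    unexpected = sorted(p for p in lan if p not in EXPECTED_LAN_PORTS)
    policy_ok = result.http_out_allowed and result.ssh_out_blocked
    verdict = Verdict(wan, unexpected, policy_ok)
    if wan:
        verdict.findings.append(
            f"{result.device}: WAN-reachable TCP {wan}; confirm these are "
            "remote-admin ports with lockout enabled, or close them")
    if unexpected:
        verdict.findings.append(
            f"{result.device}: unrecognised LAN services on TCP {unexpected}")
    if not policy_ok:
        verdict.findings.append(
            f"{result.device}: outbound rules not enforced as configured")
    return verdict


# Constructed sample scans (hypothetical devices, documentation addresses).
DEVICE_A = ScanResult(
    "Gateway A",
    "Host: 198.51.100.10 ()\tPorts: 4444/open/tcp////\tIgnored State: filtered (65535)",
    "Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain///, 4444/open/tcp////",
    http_out_allowed=True, ssh_out_blocked=True)
DEVICE_B = ScanResult(
    "Gateway B",
    "Host: 198.51.100.20 ()\tStatus: Up",
    "Host: 192.168.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///",
    http_out_allowed=True, ssh_out_blocked=False)
```

Running `evaluate` over each ScanResult yields one finding per failed criterion, so a device that meets all three produces an empty findings list.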


Overall

There is a plethora of UTM solutions on the market, with many designed specifically for the small-to-medium sized business. Before choosing a UTM it’s important to consider a number of factors. The cost of purchase is always fundamental, yet the total cost of ownership, including on-going support and management functions, needs to be a part of your decision. Your unique security requirements may also impact cost, especially for additional licenses to unlock specific components such as anti-virus or VPN engines. The number of users within your organisation and the network performance characteristics of the device under consideration can also be key deciding factors. A UTM alone is not a silver bullet; it should be carefully selected and implemented in line with organisational security policies, and deployed as part of an overall information assurance strategy.