Product Group Tests
Firewalls (2006)
July 10, 2006
We rate Secure Computing’s TSP 7300 as our Best Buy. It is a solid, well-featured performer; although it lacked some of the more advanced features we expected, the company is actively building these in, and its roadmap is excellent. Astaro’s Security Gateway wins the first of our Recommended awards with its good features and multiple-device management. We also rate Fortinet’s FortiGate-1000A as a Recommended product, with solid firewall performance backed up by excellent content filtering.
Traditional network edge firewalls are fast giving way to devices that provide unified threat management in one box. Jon Tullett tested nine products with a broad range of features for networks of all sizes.
Although stateful packet inspection is a fully mature and stable concept in network security, the firewall market itself is not at all static. The steady evolution toward unified threat management (UTM) is producing products with increasingly broad feature sets, a trend which was very much in evidence in this test. Although still ostensibly network edge firewalls, most of these products included VPN, anti-virus, anti-spam, content filtering, intrusion detection and more.
This is an interesting shift, since even last year we saw a definite divide between enterprise-class firewalls and separate, best-of-breed content filtering. While many customers will still deploy their defenses in this way, some will prefer the UTM approach, and the firewall manufacturers have had to move quickly to keep abreast of this demand.
Application proxies have really come into their own in content protection, and are now very much a standard feature in firewalls. Malware protection and content policies can be applied to proxied web and email traffic, making the firewall an integral part of active security and compliance, rather than just a glorified router acting as a sieve.
We reviewed the firewalls by setting up a network mimicking a sample enterprise, then set up standard configurations to provide normal network services. We also tested VPN tunnels, detection and response to attacks (such as denial-of-service), and more advanced features such as quality of service restrictions, complex content filtering rules, and the product’s resilience to attacks directed against the firewall itself.
The firewalls were connected between our test network LAN and an external segment with nodes posing as branch office sites, remote workers and attackers. The internal network included a DMZ containing public web and mail servers and a LAN with workstations, including some posing as malicious insiders.
We looked for enterprise features such as VLAN support, quality of service (QoS) and VoIP, and were pleased to see that most of the devices being tested provide some sort of bandwidth limit or QoS support. With web-based applications and web services on the rise, and VoIP in more common use, we expect to see more edge devices offering fully capable traffic prioritization, class-based queues and bandwidth limits to ensure that business-critical traffic is not only filtered, but guaranteed at least a working minimum of operating bandwidth.
We didn’t only test how secure each product was against external attack. We probed them internally – attacking the configuration interfaces from within "trusted" segments – to see if a malicious insider could bypass security, either to avoid content filtering or to allow a full-blown network attack. The insider risk cannot be completely avoided (a suborned firewall administrator is a simple worst-case scenario), but it can be mitigated with role-based delegation and strong auditing, so we paid particular attention to these.
As well as delegated administration, we also investigated policy management across multiple devices. Large enterprises (or any with a network of branch offices) need to manage consistent policies across multiple edge devices. This is an area where the all-pervasive web GUIs tend to fall down: most do not offer facilities to push policies out to other devices.
Although this test focused on core packet filtering and network protection, we did spend time on each product looking at how well-integrated the other features were. It is one thing to glue 10 different features together in a single chassis, but more difficult to provide a unified management interface that can consistently apply policies and definitions across the full suite, and provide integrated reporting and analysis.
Given the very active role that firewalls play in overall security, you would expect to see plenty of emphasis on reporting and event analysis out of the box, but there are two schools of thought. On the one hand, admins do need better correlation and reporting on any product they are managing. But full-scale analysis and reporting can be an intensive job which will only absorb resources that a heavily loaded device might not have to spare – you are probably better off logging to a remote server and performing offline analysis. So while some of these products lacked the more advanced log management features of others, it was not too much of a concern.
As for the high-availability features of the enterprise devices being tested, most offer at least failover capability which, in most cases, is easily configured. But beyond one-to-one failover, more powerful clustering and load balancing is still not pervasive, and few of these products offered much here.