Product Group Tests

Unified threat management (2007)

by Peter Stephenson, July 12, 2007

GROUP SUMMARY:

Strong performance and ease of use mean SonicWall's Pro 5060 gets our Recommended accolade.

ESoft's InstaGate 604, a highly capable and easy-to-manage appliance, is this issue's Best Buy.

Unified threat management products are maturing as a group and have much more functionality than they did even a year ago, despite the "single point of failure" issue. Peter Stephenson reports

Last year, this magazine looked at multipurpose appliances and found that there were a few that met the definition of a unified threat management (UTM) tool. We were critical of the hype surrounding the emerging category of UTM and pointed out that to be a true UTM, according to IDC anyway, the product must include, at minimum, a firewall, intrusion detection and prevention and anti-virus functionality. At that time many products claiming UTM status really were only multipurpose appliances. These products tended to have a lot of anti-malware capability and nothing else.

This year, as with many of the product groups we have reviewed in 2007, the UTM group is maturing rapidly and, in fact, is taking market share from the multipurpose products. The result is a true UTM set-up that also comes with a lot of anti-malware capability.

There is good news and bad news here, however.

The bad news is that a UTM device creates a single point of failure. It also creates a bit of a dilemma for security architects. If one purchases a first-rate UTM, especially one with a lot of anti-malware capability, how does one justify purchasing an additional anti-malware gateway? While I suspect that by this time next year there will be almost no pure anti-malware gateways on the market (we're almost there now), today there are a few very competent anti-malware gateways available. From my perspective, the justification for a first-rate anti-malware gateway (such as Trend's offering) is a no-brainer. Not only does that approach provide relief from the single-point-of-failure problem, it allows the two products to do what they do best.

The good news is that the UTM devices we tested here are all very effective. In fact, in some cases, the testers were hard-pressed to find significant differentiation between some products, to the extent that the dashboards even look similar. There can be no doubt that this product category is taking off.

We found some very interesting results in our testing. For example, when we decoupled the firewall from the IPS, we generally found that the UTM stopped our attacks anyway. That was good news because we had tested products in the past that needed the firewall to be running for the IPS to be effective. That's a bad thing and we generally spank products that have that fault.

Another thing that we found was that most products sensed our scans and simply blackballed us. As far as our scanner was concerned, the target simply disappeared from the network. When we attempted penetration from a different address, the products resisted each individual attempt competently. This is a significant improvement over previous years.

Generally speaking, the UTM market is solidifying and, accordingly, the products are becoming well-defined. For the foreseeable future, it's my bet that this convergence of UTMs and anti-malware gateways will define perimeter defence. The UTM developers already have the anti-malware functionality, although it may not stand up to comparison with some of the better specialised gateways. It remains for the anti-malware people to add UTM capability. Look out for that during the next 12 to 18 months.

How we tested
We used our newly implemented attack pod to test these products.

The attack pod consists of two scanners and a penetration tool combined with a command-and-control centre. We used Nessus 3 and NetClarity scanners, and the penetration tool is Core Impact. We are adding the Mu 4000 vulnerability-analysis tool to the pod but we did not have it implemented fully in time for these tests.

NetClarity and Core Impact are premier tools of their types. Both are rated "approved for SC Labs" and we love having them in our test suite.

Because we have tested the anti-malware capabilities of all of these UTMs in the past, we did not focus on such things as catch rates. We were interested, however, in how well the anti-malware capabilities meld with the core UTM functionality. We also were interested in reporting and in how easy each product was to manage.

In general, just about any of these products will do a credible job of protecting your organisation.
