Product Group Tests
Anti-malware gateways (2010)
Our Best Buy this month is Barracuda Web Filter 310. It provides solid malware protection at the gateway and is excellent value for money.
We rate ProSecure STM 600 Recommended for its ease of use and consistent quality.
Full Group Summary
Anti-malware gateways just get easier and easier to use, according to Peter Stephenson.
There are so many issues that you need to address when looking for an anti-malware gateway that we could not possibly identify them all in a short review. All of these products offered the opportunity to provide a seamless set-up and transparent user experience.
There are several things you need to consider if you decide to buy this type of device for your organisation.
Firstly, how are you going to use the gateway? You can deploy it directly inline after your firewall (on the inside) so that the last thing packets see before hitting your intranet is the gateway.
Alternatively, you can deploy it as a sort of reverse proxy, after the firewall but as a front end to an anti-malware server. This is less straightforward, and not all products require such a server; most receive their updates directly on the appliance. The out-of-line arrangement can pose a throughput problem and is somewhat controversial, because in this case user traffic must pass through the firewall, the gateway and the public AV server in turn. That really is an unwieldy solution to the malware problem.
So, exactly what should we expect from one of these devices? First, the most effective products are probably inline, which poses the potential challenge of performance. Second, there is the matter of supported protocols. An anti-malware gateway is of little use if users can set up peer-to-peer connections with untrusted sites and those connections are not monitored for malware. If the gateway supports HTTPS, the SSL session must be decrypted for the gateway to have any real utility; the gateway must then re-encrypt the traffic after it has scanned the decrypted contents of the packets.
What about outbound protection? This is, in some cases, getting very close to data leakage prevention. This type of protection picks up malware - such as spyware - that is phoning home to deliver its payload of information harvested from the target network.
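The phone-home behaviour described above is what an outbound filter has to catch: a compromised host contacting the same external destination on a near-constant timer, regardless of how little data each request carries. The following is an added example, not code from the review or from any of the products tested, of the kind of check such a filter can run over gateway access logs. The log format (epoch seconds, client address, destination host, bytes sent) and the sample lines are constructed for the example; real gateways use their own formats, so the parser would need adapting.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample of gateway access-log lines (not real traffic).
# Assumed format: <epoch seconds> <client ip> <destination host> <bytes sent by client>
# Client 10.0.0.7 contacts one host every 60 seconds with a tiny, near-identical
# payload; client 10.0.0.5 browses irregularly.
SAMPLE_LOG = """\
1000 10.0.0.5 intranet.example.local 512
1000 10.0.0.7 unknown-host.example.net 210
1060 10.0.0.7 unknown-host.example.net 212
1120 10.0.0.7 unknown-host.example.net 209
1180 10.0.0.7 unknown-host.example.net 211
1240 10.0.0.7 unknown-host.example.net 210
1300 10.0.0.7 unknown-host.example.net 213
1017 10.0.0.5 news.example.org 840
1333 10.0.0.5 news.example.org 620
1910 10.0.0.5 news.example.org 905
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Return a list of (ts, client, host, bytes_out) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, host, nbytes = m.groups()
            records.append((int(ts), client, host, int(nbytes)))
    return records


def find_beacons(records, min_events=5, max_jitter=0.2, allowlist=frozenset()):
    """Flag (client, host) pairs whose outbound requests recur at a near-constant interval.

    max_jitter is the permitted coefficient of variation (stdev / mean) of the gaps
    between consecutive requests. Human browsing produces highly irregular gaps;
    a timer-driven phone-home does not. Hosts in allowlist (e.g. known update
    servers) are skipped so that legitimate periodic traffic does not alert.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _ in records:
        if host not in allowlist:
            by_pair[(client, host)].append(ts)

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all requests in the same second: not a timer pattern
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            flagged[pair] = {
                "events": len(times),
                "interval_s": mean,
                "jitter": round(cv, 3),
            }
    return flagged


if __name__ == "__main__":
    for (client, host), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {info['events']} requests every "
              f"{info['interval_s']}s (jitter {info['jitter']})")
```

The allowlist matters in practice: patch and telemetry agents beacon on fixed timers too, so the check is only useful once known-good destinations are excluded and the remaining hits are reviewed alongside the bytes-out column, where a steady trickle of small uploads to an unfamiliar host is the pattern the outbound protection discussed above is meant to stop.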
Another issue is how you plan to deploy the system physically. This year we saw virtual as well as physical appliances. Virtual appliances are a somewhat recent phenomenon, at least in security tools. They are usually ISO files that are intended to be opened in a virtual environment such as VMware. Sometimes the ISO file is complete in itself, which means that one can install the product without an existing VMware system because its run-time is included. The other approach requires an existing VMware implementation.
Physical appliances were more common and these are easier to install and manage. They can also pose some challenges in a virtual environment since they are required to interface with the virtual world.
One of the most important characteristics of a gateway is what you are paying for. Like any other device that comes as an appliance, a virtual appliance or software, anti-malware gateways are priced accordingly. This year we found everything from straightforward physical appliance pricing to pay-as-you-go annual licence fees, which can hide some high prices. For example, a virtual gateway appliance may require that you purchase hardware, and you need to know exactly what hardware is going to fit the bill. If you go too small, you risk performance hits. Some larger servers can be pretty pricey, and we strongly advise against mixing anti-malware applications with other applications on the same server.
One more issue needs to be considered in your choice of products: what is your organisation's current anti-malware strategy? The optimum solution to the malware problem is usually a combination of a gateway and some sort of endpoint product. If that is your choice, does your security architecture require the gateway and the endpoint product to work together?
Finally, as part of that strategy you will need to define what type of centralised, or regionalised, management you need. Make sure that your gateway can be managed in any manner you wish.
The bottom line, as always, is how the product you select fits your needs and into your architecture. This is not quite as simple as it sounds but, as in the case of any inline product, it is critically important.