Check Point UTM-1 136
Strengths: Quality range of security features; much-needed anti-spam service performs very well; excellent reporting and monitoring tools
Weaknesses: Muddled documentation and tricky installation
Verdict: An easily customised UTM appliance, offering a wealth of security measures along with very good web filtering and anti-spam performance
Check Point's UTM-1 appliances have always offered strong security measures, but anti-spam has been absent for too long. The latest R70 remedies this, and brings in the concept of software blades.
A problem with some vendors' licensing schemes is that you can pay for features you neither want nor need. If you want web content filtering, you have to have anti-virus, IPS measures and so on, making it difficult to keep costs down. Check Point's software blades allow you to pick precisely what you want.
The UTM-1 136 on review comes with all blades included, so you get a firewall, IPsec VPNs, IPS, URL filtering and anti-virus plus anti-malware and anti-spam. The total package comes to a very reasonable £2,935, but if you wanted you could buy the UTM-1 132, which has the firewall and IPsec VPN blades, and add only those you require.
This compact appliance is clearly aimed at deployment in small and peaceful offices as its finned chassis acts as a heatsink, so with no internal fans it's completely silent. You get a quartet of Gigabit ports for various LAN and DMZ duties and a single Fast Ethernet port for the WAN connection. Check Point operates an unlimited user-licensing scheme although the company does recommend a maximum of 70 users for this appliance.
Installation did not get off to the flying start we'd hoped for, as the appliance had been supplied with the R65 software version, which had to be upgraded to the new R70. This is carried out from the web management interface, which also runs a wizard for setting up basic network parameters for the LAN and WAN ports.
Check Point's SmartConsole is then downloaded from the appliance, which installs a whole heap of management and monitoring utilities. Most activity is around the SmartDashboard utility, which is used to create and deploy security policies. It's a tidy affair with tabbed folders for each software blade and from the firewall tab you create rules to permit or deny access to selected services.
Rules contain source and destination objects, services and time schedules, and logging can be customised individually. You choose from actions such as permit, deny or drop and you can also enforce user and session authentication within a rule. Rule-building is made easier with the use of network objects: you create these for nodes, networks, services, users and groups and drop them directly into the relevant location in the rule.
The feature formerly known as SmartDefense is now integrated into the IPS software blade, where it provides proactive protection against worms and probes, along with web and application vulnerabilities. As you'd expect, protection against DoS attacks, port scans and anti-spoofing is included, while the Security Center provides swift access to critical updates and security advisories.
The IPS tab also includes both the Web and Application Intelligence features, which provide extra levels of security. You can use these to enforce policies that control IM apps and block file transfers, video or audio - or stop users from accessing them at all.
The blades are accessed from the appliance's properties page, where you switch them on and then go to the relevant tab to set them up. Web filtering offers a choice of over 40 URL categories that can be blocked or allowed. You can also add custom black and white URL lists plus network exceptions which allow you to add network objects that are exempt from this process.
The filtering blade delivered in our real-world tests: we Googled for online bingo sites and, with the gambling category blocked, we were denied access to 41 of the 45 sites visited. Clients can be redirected to a custom warning web page and all transgressions are logged and can be viewed from the SmartView Tracker console.
The anti-spam service is provided by Commtouch, which we've always found delivers in the performance stakes. This vendor works with a wide range of ISPs, creating hashes of every mail passing through their servers, which gives it a method of easily identifying spam. As the appliance scans inbound traffic, it computes hashes for each email and then checks them against an external Commtouch server.
To test Commtouch we configured the appliance to scan mail from live accounts, tag spam messages and pass them all on. A test client running Outlook had rules set up to place tagged and suspect messages in separate folders. After a few days on the default settings, we saw a perfect 100 per cent performance for spam identification, with only two messages incorrectly tagged as suspect.
Small office UTM appliances usually do not offer support for SSL VPNs, but Check Point goes beyond the call of duty as this component is very sophisticated. It does take a while to set up, as you need to activate the appliance's visitor mode, create special firewall rules for remote access and define LAN resources. Remote workers are presented with a login web portal and, once authenticated, receive an ActiveX network extender, which creates a secure tunnel and assigns a virtual IP address.
Installation and deployment could have been made easier for us, but the UTM-1 136 impresses greatly with the sheer number of security features on offer. The software blades are a great idea as they allow you to customise the appliance precisely to your requirements and the essential anti-spam service performs extremely well.