Product Group Tests
Enterprise appliances (2005)
Best Buy/Recommended
The test was almost too close to call, but we felt that by the closest of margins, the Finjan Vital Security Appliance NG-5100 got the Best Buy because it had the slightly better management interface. We liked its novel clustering methods, too. Two products receive our Recommended awards: the Fortigate-800 for its simplicity and effectiveness; and the Blue Coat ProxySG 200. We were amazed that something so small and quiet could hold its own against much bigger (and noisier) rivals.
Full Group Summary
With enough funds, most organizations would opt for single, top-of-the-range security tools to tackle each type of threat, but multi-purpose devices are now offering a real alternative, as Rob Jaques discovers.
With an ever-increasing number of threats and vulnerabilities to deal with in the network infrastructure, the security needs of today’s enterprise are unrecognizable from just a few years ago. Indeed, US-CERT’s list of vulnerabilities suggests that the number has been doubling year on year since 1998. The increasingly diverse nature of corporate networks, as well as that of the threats, means companies need increasingly diverse security products to keep those networks in check.
Also, the fight has moved on from keeping out the kids chasing fame and notoriety. Today’s main threat might come from organized crime, but might also come from competitors keen to plant a trojan within your infrastructure to gain access to confidential data.
Enterprises have shifted towards using appliances to fight a range of threats, particularly multi-purpose security devices that combat more than one type of attack. These have their origins in the small business sector, where lack of financial and human resources made them ideal, but increasingly, they are being used in the larger enterprise, keen on server consolidation, lower costs and ease of management. Organizations want to put bandwidth through one device to clean it up and make it suitable for use within the infrastructure.
We tested nine multi-function security devices. Some will cover a wide range of different disciplines, while a few combine a couple of functions within a single box.
Some are more suitable than others, however, and by delving deep into the management of each product, and studying their performance, we have been able to pick one or two that you will not be able to beat.
When we started testing, we had in mind a scenario where the security professional wanted an appliance that, once set up, could be easily managed and upgraded to counter new threats as and where they inevitably arise.
We were particularly interested in the ‘clean pipe’ idea – meaning that an organization could, in theory, plug a cable from the internet in one side, and packets would go through the box and pop out the other side free from anything that could harm the corporate network. In theory, the fewer boxes that packets have to go through, the quicker that clean data gets to the user.
Most of the products tested did indeed do this, but unfortunately with differing degrees of success. Most security professionals have a lot on their plate without having to worry about setting up appliances to work as intended.
When deciding who should get our Best Buy and Recommended awards, we tried not to fixate on how easy it was to set up the products tested, because most of them would be set up by the vendor’s engineers or by their reseller. What we did not ease up on was how easy it was to actually manage the device once installed.
We believe a box is only as good as the rules you set up on it to protect the infrastructure. So we selected the devices provided by Fortigate and Finjan as among the best for the simplicity with which the security professional can set them up and enforce rules. Their management interfaces proved to be the best tested, and the reporting and overview gave an important insight into the state of health of our test network.
We also looked for each device’s ability to enforce corporate policy. It seems that almost all the boxes provide policy enforcement as long as it comes with the box itself. We would like to see more explicit evidence in future group tests of the appliances working with external policy servers.
That aside, we were reasonably pleased with all the products tested. They all carried out basic tasks very well and defended against everything we could throw at them. As well as this, they had to be capable of bearing up under the heavy loads expected at the enterprise level. Again, with some minor exceptions, the products managed to carry out these tasks without too much hassle.
We also discovered that most of the appliances obeyed the rule that achieving competence in many different areas comes at the price of excellence in none, but again, you get what you pay for.
Most of these products carry out all the functions you need “well enough,” but they are certainly not the best you can buy. For that, you will still need a dedicated, single-function appliance.
However, you still get a good deal when you purchase the devices we have tested here, so any security professionals with tight budgets could do a lot worse than consider them. In fact, we look forward to revisiting these appliances next year, when we hope a couple of them will give the so-called “best-of-breed” products an even better run for their money.