Strengths: Easy deployment, policy-based security, effective anti-spam and web content filtering, lots of users
Weaknesses: No spam quarantining or HTTPS content filtering
Verdict: A solid all-round UTM appliance that delivers a good range of enterprise-level security features
NETASQ has been designing all-in-one solutions since its inception over ten years ago. It recently announced three new appliances, including the U6000, which claims to be the first carrier-grade UTM solution.
Issues holding enterprises back from replacing multiple point solutions with UTM appliances have centred on performance, and the U6000 aims to satisfy these demands with a claimed throughput of 5Gbps. Physically, this 4U rack system looks up to the job, as it comes with a 3GHz 5160 dual-core Xeon processor with 4GB of memory. Storage is the only area that comes in for criticism: instead of the latest SAS drives, the U6000 uses a pair of older 73GB Ultra320 SCSI hard disks.
Network connectivity options are extensive, as the appliance comes with a pair of embedded Gigabit Ethernet ports augmented by a quad-port Gigabit card. There are plenty of expansion slots allowing the U6000 to support up to 24 interfaces with a mixture of copper and fibre. HA (high availability) is included with support for active/passive configurations.
The U6000 offers three modes of operation: it can route traffic between the various interfaces, act as a transparent bridge or use a combination of both. We had no problems slotting it into the lab network as a transparent bridge and found the quick-start wizard particularly helpful. Web browser management is not supported as NETASQ provides its software suite, which comprises the Unified Manager, Realtime Monitor and Event Reporter tools.
The Unified Manager provides a very tidy interface and you start by configuring the various network interfaces for LAN, WAN and DMZ duties. Next, you create objects to represent network entities which can be anything from IP addresses, ranges and hosts to services, protocols and users. For the latter, the appliance supports LDAP, offers a number of authentication methods including RADIUS servers and allows users to be placed in groups.
A key feature of all NETASQ's appliances is their intrusion protection capabilities. The ASQ (advanced security qualification) engine employs three modes: protocol inspection, which keeps an eye out for dubious activities; behavioural and statistical analysis; and a total of 20 signature databases. NETASQ's hardened FreeBSD kernel is designed to reduce overheads for all scanning activities, as it carries out all NAT, VPN and firewall functions and then passes traffic to the anti-spam, anti-virus and web filtering proxies, resulting in fewer processes.
A list of contextual signatures covers everything from SQL injections and malware activity to dubious web content and cross-site scripting. The signatures are updated automatically and you can view each entry and decide whether to block or allow it. Email notifications can be tied to each entry and the originating host placed in quarantine.
The engine uses plug-ins for protocol analysis where the packet payload is examined for conformity. We had 20 plug-ins provided and these do not function as proxies but operate at the kernel level for improved performance. Plug-ins are enabled by default and set to auto-attach to traffic as determined by the engine's protocol detection.
Policies tie everything together and are used for traffic filtering, NAT, enforcing implicit rules and applying QoS. For traffic filters and NAT you can create up to ten rule sets or slots each and use schedules to determine when they are active. We found filters easy to create as you select a physical interface, pick a protocol, add a source and destination from your objects list and decide on an action. All objects are listed in the filter creation interface and drag and drop allows them to be swiftly added to rules.
Transparent proxies handle anti-spam and web content filtering, and these are controlled by their own policies. Anti-virus scanning can be applied to all proxies and the default ClamAV engine can be upgraded to Kaspersky. For web content filtering you get NETASQ's own URL list, which can be upgraded to the Optenet service. Anti-spam is based on the Vade Retro engine, which uses DNS blacklist and heuristic analysis plus domain blacklist and whitelist filtering. The inbound mail proxy is transparent and cannot quarantine suspect mail on the appliance's hard disk. It can only tag the subject line with a spam score of one to three.
To test this feature we left the appliance filtering live mail from multiple accounts for a week and configured our clients to drop tagged messages into separate folders. The performance was very good, as at the end of the test we calculated a spam detection rate on the default settings of 93 per cent, whilst false positives were slightly over one per cent. The Optenet URL filtering database offers nearly 50 different categories and performance was also impressive. After blocking the gambling category we Googled for online bingo sites and of the 100 visited we only got through to three, of which two were secure sites.
The U6000 delivers a comprehensive UTM solution with performance high on its agenda. Policy-based security makes for easy configuration and NETASQ's licensing scheme adds extra value, as it includes all components with no user restrictions.