Panda Virtual GateDefender Performa
Strengths: Good value, easy installation, plenty of security measures, high performance, no per-user licensing, scales easily with demand
Weaknesses: Limited IM and P2P app controls
Verdict: Panda delivers a complete virtual UTM appliance offering an excellent range of perimeter security features and very good value
Businesses can cut costs by virtualising their security appliances, and Panda's latest Virtual GateDefender Performa (VGP) looks to offer some big savings. It provides all the same UTM features as Panda's Performa hardware appliances and scales from as few as 50 users to up to 10,000.
Security features are extensive as VGP provides anti-spam, anti-malware, web filtering and IM, P2P and VoIP controls. HTTPS scanning is also provided as standard, and performance has been improved for malware detection by moving it into the cloud and teaming it up with a local cache of previously detected malware.
Panda's licensing scheme simply applies bandwidth restrictions, so the 500-user licence gives you a throughput ceiling of 180Mbps HTTP traffic and 2,200 concurrent connections. These limits can be opened up by applying upgrade licences as required.
VGP supports VMware ESX Server 4.0 and above, but smaller businesses can reduce costs by using the freely available VMware Server 2.0. All Performa appliances, whether virtual or physical, are designed to function as transparent gateways and must be deployed behind an existing firewall. Your VMware host will also need two physical network ports free.
For testing we loaded it on the lab's ESX Server 4.0 system, where we imported the supplied OVF template as a new virtual machine (VM). The installation manual is nice and clear about network configuration so we had no problems creating a second virtual switch on our host and assigning it to the VGP VM.
You also need to make sure both ports are set to promiscuous mode before dropping the host system between your firewall and LAN. We found management identical to the standard Performa appliances, with the well-designed web interface opening with a smart graphical summary of the main security functions plus appliance performance and traffic throughput.
Access security is also good as all administration is restricted to a single IP address. Other users can be created who are only allowed to change protection profiles or produce reports and monitor appliance status.
Panda's protection profiles require you to create network definitions for IP addresses, LDAP servers, users and domains. These contain custom settings for each security module and are used in definitions allowing a wide range of AUPs to be applied to different users, groups and systems. A default policy gives immediate protection for all users, and you can then refine this with your own profiles.
Profiles can also be applied to AD users and groups downloaded from LDAP servers. You can even apply profiles to selected groups of email users.
VGP also has the ability to protect other VMs running on the same host system. We had VMs on our ESX host running OSes ranging from Windows 7 to Server 2008 R2, and once they had been assigned to the correct virtual switch they all came under Panda's protection.
Panda uses a choice selection of hosted service providers with the top-performing Cloudmark looking after anti-spam. Inbound and outbound mail can be scanned, and messages classed as spam and probable spam may be blocked, tagged or quarantined on the virtual appliance.
Commtouch provides more than 60 URL categories to block or allow. It performed very well in our tests, with our clients blocked from most undesirable websites.
The IM/P2P/VoIP security module can be activated in multiple profiles, and users or specific systems exempted from scanning by entering their details in whitelists. Control can only be applied to a comparatively small list of apps, and they can only be completely blocked or allowed. You can't, for example, control individual functions such as logons, chat and file sharing.
Anti-virus scanning can be applied to wide range of protocols and, as the appliance can scan outbound mail, it will delete messages it thinks have been generated by internal viral activity. VGP can also use the virtual appliance's hard disk to quarantine suspect messages it can't disinfect.
VGP offers detailed protection reports for all protocols along with information on detected spam, blocked sites, malware and IM and P2P activity. Reports are also available for system events, certificate errors, plus the appliance's explicit proxy and data can be refined with filters.