Product Group Tests

Unified threat management (2008)

Group Summary

ESoft's InstaGate 604 stood out as an easy-to-manage, highly customisable full-scale UTM. We award it our Best Buy.

Our Recommended award goes to the Astaro Security Gateway 320 for offering fully loaded gateway security at an excellent price.

Scroll To Full Group Summary Below

Click for a side by side comparison of products
Click for a side by side comparison of products

Full Group Summary

Unified threat management has come a long way since the cobbled-together devices of the early days. Economy, security and ease of use characterise today's offerings. Peter Stephenson reports.

What I find most interesting about the maturing unified threat management (UTM) market is that the fundamental concepts have not changed much since these tools became popular as an economical way to protect the perimeter. However, two important things have changed: their functionality is increasingly tightly coupled and the number of functions they can do has grown significantly.

Starting with the second point, we saw larger feature sets this year than in the past. Borrowing from IDC, we define a basic UTM as a device that has, as a minimum, an IDS/IP, anti-virus gateway and firewall. Not all the products that claimed to be UTMs had this basic functionality. The main features beyond the basic we found interesting were specialised anti-malware, including anti-phishing and spam protection.

We see this as a two-edged sword. The more you expect the box to do, the more performance is required. For very large networks innovative perimeter architectures are needed to ensure performance and compensate for a single point of failure.

That said, for many SMEs, this growth in anti-malware features is a big plus, and it's where we see the real changes taking place in this product group.

As to feature sets and their interconnection, in years past UTMs looked like devices made out of several products cobbled together under a single interface. The interfaces were awkward and the products worked, but sometimes with a lot of difficulty. Now they are the easiest group test we do. That translates to the best rate of maturing of any product group we see.

Today, the interfaces are slick and we really are looking at a single product with multiple functionalities working seamlessly together. All test subjects were appliances that set up quickly and easily. While I wouldn't go quite as far as to say that these products follow a standard approach in terms of setup and user interface, they are about as close together as I have seen anywhere. This makes support very easy, especially if you have inherited UTMs from multiple vendors, perhaps through mergers and acquisitions.

How to buy a UTM
Start with your requirements and the size of your network. The architecture for placing UTMs on very large networks is important. I generally recommend multiple UTMs on enterprises with lots
of individual networks placed geographically apart.

Most of the devices we looked at can be managed centrally, and some can communicate and correlate data into a single analysis. If you have a geographically disbursed enterprise, make sure the system you select can do correlation from several individual devices.

As for traffic size, that depends on what you expect the UTM to do. If you are filtering something that comes in very high volumes, such as spam, make sure the device you select can handle your volume without performance hits. Sometimes, architecturally, it makes more sense to buy the extra product - in this case, an anti-spam tool - than to try to make one device do everything without any performance degradation.

How we tested
We built a typical network and inserted the UTM on its perimeter. We implemented all of the product's available functions and connected to the recommended additional services such as a DNS server. We tested performance in two ways.
First, we attacked the products with our suite of vulnerability and penetration tools (NetClarity and Nessus vulnerability assessment plus Core Impact penetration testing tools) with the firewall turned on and tightened up as per the vendor's recommendations.

Our second set of attacks was against the product with the firewall turned off. Universally,
we found these products resist our efforts well.

Prior to the attack testing, we followed the manufacturer's recommended setup procedure. Once that is done, most products allow a web connection over an out-of-band port or connection from a Java console. From that interface you can configure the product, create rule sets, apply policies and select reports.

We had no products that resisted setup and configuration, an improvement over previous years. Overall, our impressions were that the UTM really is coming into its own, and it won't be long before it will take over as the staple in perimeter protection.

Mike Stephenson and John Aitken contributed to both group reviews this month

- For details on how we test and score products, visit

All Products In This Group Test