It is interesting to consider the progress the humble firewall has made over recent years, from its first rudimentary software incarnations built on simple rule-based packet filtering to today's fully converged security appliances addressing a plethora of threats and policies.
These days it is actually difficult to source a purely stand-alone firewall. In fact, most routers cover this basic function and we even see network switches that adopt this role at a port-by-port level.
Two or three years ago, security vendors were beginning to find their feet with first- and second-generation converged security devices. Today, these devices are complete packages, and they ceased to be just firewalls a long time ago. They are now commonly known as security appliances, or by the flashier name Unified Threat Management (UTM) devices. UTMs cover everything from firewalling (stateful inspection and deep packet inspection) to anti-spam, anti-virus, anti-spyware, content filtering and more.
Recent developments in this space have seen vendors aggressively pushing into the traditional routing and switching space, further converging these technologies to deliver increasingly integrated network-and-security devices. This does not mean a few IPs pointed in the right direction: these vendors are tackling big network issues such as Quality of Service (QoS), packet shaping and bandwidth management, issues that cost businesses and CIOs time and money.
From a management perspective, increasingly converged solutions simplify what you have to watch, particularly if you are managing a large and widely distributed enterprise. If you are considering a single solution, these devices are able to single-handedly address a large part of your security and networking needs. They can help reduce cost, complexity, integration and management issues. The flip-side is that all your eggs are in the one basket: a single vulnerability or misconfiguration in the appliance exposes every function it provides. If the bad guys find a way in, they're right in, so there is still an argument supporting the layered, onion-style (defence-in-depth) approach.
Planning your security environment
Considerations when planning your security environment (apart from understanding your legacy systems and what actually needs to be replaced) include ensuring you are fully aware of your current exposure and your risk. Your exposure and risk change over time and need to be monitored regularly. They also need to be audited regularly to ensure your current levels of protection are appropriate for the information you are securing. A tip is to look at your existing security measures to ensure that they are not overkill; they may be better deployed elsewhere, protecting more important and more valuable data. The majority of enterprises understate the value and security of their information assets. Still, there is little point spending $50,000 on a security solution to protect $10,000 worth of information. Protection must be commensurate with the value of the data it is protecting and the likelihood of it being attacked.
The next step is to ensure you have a detailed knowledge of your network and the systems that need to be protected. No security solution is going to help an enterprise that has a weak understanding of their communications infrastructure. Most importantly, you need to be fully aware of how your systems interconnect with external points. This is much more than just the internet and Wide Area Network (WAN) connections. People sync their PDAs using high-speed network connections; others wander in and out with USB devices; and wireless technologies abound. Audit, audit, audit; and document your work. Draw the map, define the risks, check and double check.
Once the value, risks and environment are known, it is time to start your procurement cycle. While we love to think that readers rush out and purchase anything we recommend in our reviews, your own evaluation and research also needs to be done for your specific environment. Environments are often similar, but no two networks are identical, and neither are technical resources, training, budgets and so on. Information security is not to be taken lightly.
If you have completed your risk assessments correctly you will be in a much better position to ignore security consultants' and vendors' fear, uncertainty and doubt (FUD) tactics and focus directly on finding a solution to protect your environment.
Isolating the product that's right for you
Evaluating security products is something Enex does at our lab on a regular basis, for many clients.
You should be able to create a shortlist based on your understanding of your own environment and risk requirements. Take a look at as many vendors' product feature tables as you can and, from those, create a list of mandatory requirements and then your wish list of features. Narrow the field, but don't just think in terms of features; scrutinise each vendor's claims around your mandatory items.
Two critical considerations that are often overlooked are administration/management and interoperability. Make sure you consider management: it is no good finding the perfect-fit device if you need to deploy 40 of them to branch offices and the vendor has an inadequate management system (yes, it has happened). Nor is it ideal if your network engineers need a degree in quantum physics to configure and administer it; the chances of misconfiguring it and leaving the door open leap upwards. Interoperability is the other consideration that is often overlooked. Do you have legacy equipment that this system will need to work with? Create a list of the products and applications connecting to (and through) this security system, and ensure that the key protocols they rely on are fully supported.
Once your shortlist is drafted, contact the vendors and ask them specific questions that relate to your requirements. The ones that tick the most boxes should be brought in for demonstration and subjected to real physical testing that simulates your scenarios and requirements. Testing methodologies and accepted practices for penetration testing and evaluating security systems are a topic worthy of a separate discussion; there are as many theories as there are solutions and environments.
Two factors often overlooked that need to be tested as part of any evaluation are performance and fail-over/redundancy.
Performance must be looked at from the perspective of ensuring the solution is going to handle traffic without creating bottlenecks — particularly with all the features that you want to use enabled.
Fail-over/redundancy should be examined from two positions. Firstly, is the product fail-safe? If it crashes, does it open everything up to the world (fail-open) or does it block everything off (fail-closed)? Blocking everything off, while extremely inconvenient, is a lot better than opening everything up. Do not take the datasheet's word for it: induce the failure during evaluation, for example by killing the inspection engine or pulling power while a test flow is running, and observe what actually passes.
Secondly, redundancy: how well does the device perform in a high-availability configuration? This ranges from the basics, such as having multiple fans and power supplies, through to complete secondary devices. How smooth is the transition? How do the units stack and connect together with the rest of the network? How are configuration updates handled between the master and slave devices? Which transactions are dropped during the switch-over, and is the redundant unit secure at all times? Lots of questions!
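To make the fail-safe question above concrete, here is an added example (not code from the article or from any of the vendors reviewed): a small simulated packet-policy engine in Python. It implements first-match rule evaluation with an implicit default deny, hands accepted traffic to a deep-inspection hook, and shows the difference between a fail-closed and a fail-open design when that hook crashes. The rule format, the `Firewall` class, the inspection hooks and the test traffic are all constructed for this illustration and do not model any particular appliance.

```python
"""Fail-closed versus fail-open policy evaluation (illustrative simulation)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

DROP, ACCEPT = "drop", "accept"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    payload: bytes = b""  # constructed content for the inspection hook


@dataclass(frozen=True)
class Rule:
    """One filter rule; None fields are wildcards. Networks use CIDR notation."""
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


class Firewall:
    """First-match rule table plus a deep-inspection hook that may fail."""

    def __init__(self, rules: List[Rule], inspect: Callable[[Packet], bool],
                 fail_open: bool = False):
        self.rules = rules
        self.inspect = inspect      # returns True if the packet is clean
        self.fail_open = fail_open  # the unsafe design choice, for contrast
        self.log: List[str] = []

    def decide(self, p: Packet) -> str:
        # Rule evaluation: no matching rule means the implicit default DROP.
        verdict = DROP
        for r in self.rules:
            if r.matches(p):
                verdict = r.action
                break
        if verdict != ACCEPT:
            return DROP
        # Only rule-accepted traffic reaches the inspection engine.
        try:
            clean = self.inspect(p)
        except Exception as exc:
            self.log.append(f"inspection engine failed on {p}: {exc!r}")
            # Fail-closed: an engine failure is treated as a block, never as a pass.
            return ACCEPT if self.fail_open else DROP
        return ACCEPT if clean else DROP


# Constructed inspection hooks (stand-ins for a real content engine).
EVIL_MARKER = b"EVIL-TEST-PATTERN"  # constructed signature, not a real IOC


def healthy_engine(p: Packet) -> bool:
    return EVIL_MARKER not in p.payload


def crashed_engine(p: Packet) -> bool:
    raise RuntimeError("inspection engine down")


# Constructed policy: only HTTPS to the DMZ (192.0.2.0/24) is permitted.
RULES = [Rule(ACCEPT, dst="192.0.2.0/24", dport=443, proto="tcp")]


def run_demo() -> dict:
    """Returns the verdict each design gives to the same constructed traffic."""
    https = Packet("198.51.100.7", "192.0.2.10", 443, "tcp", b"GET / HTTP/1.1")
    ssh = Packet("198.51.100.7", "192.0.2.10", 22, "tcp")
    bad = Packet("198.51.100.7", "192.0.2.10", 443, "tcp", b"x " + EVIL_MARKER)
    closed = Firewall(RULES, crashed_engine)
    opened = Firewall(RULES, crashed_engine, fail_open=True)
    healthy = Firewall(RULES, healthy_engine)
    return {
        "healthy_https": healthy.decide(https),
        "healthy_ssh_default_deny": healthy.decide(ssh),
        "healthy_malicious": healthy.decide(bad),
        "crashed_fail_closed": closed.decide(https),
        "crashed_fail_open": opened.decide(https),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28s} -> {verdict}")
```

The point to carry into a real evaluation is the `except` branch: an inspection component that dies must degrade to a block, and the device must log that it did so. The `fail_open` flag exists only to show the behaviour you are trying to rule out when you crash the appliance on the bench.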
The last consideration, even though most people ask it first, is the cost of the solution. It is wise to settle on a top three or four products so that when contract negotiations begin (both with the vendor and with your management) you have alternatives.
The current players
The last review Enex TestLab undertook for publication on this topic was in August 2005. That review is still massively popular, so due to demand we have re-visited the subject.
We asked a number of vendors to participate, including Cisco, McAfee, Netgear, Juniper, Nortel, Symantec, Fortinet, Check Point, WatchGuard, IBM and SonicWALL. Some vendors, such as Cisco, declined outright to be tested. Others declined, stating that they no longer have appliances in this market. To date, five vendors have submitted products: Juniper, SonicWALL, Astaro, WatchGuard and IBM. As others come to hand we will include them.
The devices submitted were evaluated in terms of their design, features, interoperability, scalability, future-proofing, installation, configuration, administration, management, ease of use, quality and craftsmanship.
Matt Tett is a principal of Enex TestLab, an independent global testing organisation founded in 1989 and based at RMIT University in Melbourne, Australia. Enex comprises eight business divisions, each focused on a different vertical, all revolving around independent testing and expert consultancy, from software and systems testing through to usability and gaming. The TestLab has been creating content for ZDNet and its affiliates for over 17 years. Matt has 20 years of ICT experience and is a respected independent network and security consultant. He holds the following security certifications in good standing: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified Social Engineering Prevention Specialist (CSEPS).

I'm amazed that you didn't bother to test the platform with the most impressive security track record known to man - OpenBSD.
It's easy to configure. There are no licensing costs. The rule set for PF is human readable. It supports IPv6.