Testing So-Called 'Unified Threat Managers' 98
snydeq writes "The InfoWorld Test Center has released vulnerability testing results for four so-called 'unified threat managers' — single units that combine firewall, VPN, intrusion detection and prevention, anti-malware, anti-spam, and Web content filtering in lieu of a relay rack stuffed top to bottom with appliances. The lab threw nearly 600 exploits of known vulnerabilities in a wide range of popular OSes, applications, and protocols, and despite being designed to thwart such threats, the UTMs as a class allowed hundreds to pass through. Why did the UTMs miss so many exploits? A lack of horsepower to perform the necessary deep packet inspection under load is suspected, as the lab pushed the limits of each unit's throughput with legitimate traffic. 'The upshot is, although the vendors have packed these devices with additional gateway security functions, clearly many UTMs are still strictly firewalls at heart.'"
I used to love Sonicwall (Score:4, Interesting)
I used to be a big SonicWall fan, until I joined a company that required IM messaging and used Vonage. Sonicwall causes a bunch of issues with AIM's protocol. IM will go into a blackhole, a user cannot connect, etc. We were using them at the small remote offices, but we replaced them with Juniper SSGs. The Vonage and AIM issues vanished once we switched over.
Comment removed (Score:2, Interesting)
Testing Criteria? (Score:1, Interesting)
Re:No Cisco product? (Score:4, Interesting)
> It would have been nice to see how the ASA5500 series appliances stood up to the test.
If you send them one I'm sure they'll test it. It appears that Cisco wouldn't.
They also didn't include Untangle, http://www.untangle.com/ [untangle.com] which is available free, and is a direct competitor to the things tested. So it might be other reasons...
Not entirely surprising (Score:2, Interesting)
Re:general purpose != good (Score:4, Interesting)
UTM is a crock. It loads multiple single purpose apps on to a general purpose computing device and then tries to do it quickly.
The best thing in this field I've seen recently is Palo Alto Networks firewall (www.paloaltonetworks.com).
Knows the applications, even web apps. It can tell the difference between Gmail and gchat. Bittorent and wow torrent patching. Can do user based rules when integrated with AD. And can proxy SSL to look in the SSL stream if necessary. Malware blocking, url filtering via subscription. Because ports or protocols != applications and IP address != user anymore.
Where was TippingPoint? (Score:3, Interesting)
Re:Flawed by Design. (Score:2, Interesting)
If I have a firewall and an IDS on the same machine, and someone exploits a hole in the TCP stack or the IDS to get local root/admin priviledges, they then have control of not only the firewall but also the IDS. If I have two separate machines, a firewall and an IDS, if one gets compromised it does not affect the other.
Thinking about it, the way to get around it in the case of a UTM is to use VMs for each task, but that will have a hit on performance presumably, as well as integration and thus usability.
Re:Flawed by Design. (Score:2, Interesting)
My point was just that from the technical perspective is isn't optimal. Realisticly, it is a good compromise for those who can't afford/don't need anything better.