Security Appliances Take Step Up - Page 2

Enterprise users of Symantecs integrated threat protection systems can now extend that protection to remote and branch offices with the introduction of two midsize appliances: the Symantec Gateway Security 1660 and Symantec Gateway Security 1620.

The 1U (1.75-inch) appliances, both of which were released at the end of February, come with new SGS (Symantec Gateway Security) 3.0 software that adds anti-spyware and anti-virus capabilities. SGS 3.0 also adds management hooks that will allow administrators to integrate the boxes with the SGS Advanced Manager 9500, an appliance that enables centralized policy management, configuration, logging, alerting and reporting for the SGS line.

/zimages/6/28571.gifClick here to read more about Symantecs free service that rates threats for consumers.

eWEEK Labs tested two SGS 1660 appliances with Version 3.0 software. Each integrates full application firewall, IPS (intrusion prevention system), IDS (intrusion detection system), SSL (Secure Sockets Layer) and IP Security VPN capabilities, as well as on-box anti-virus and anti-spyware scanning, content filtering, client compliance monitoring, hot-standby and dual ISP connectivity options.

We tested the SGS 1660s with an SGS Advanced Manager 9500, which is based on a 2U (3.5-inch) Dell PowerEdge 2850 server platform. We used the management appliance to consolidate alerts and to configure policies on the SGS 1660s.

The SGS 1620, which we didnt test, is rated for 100 users and 100M bps of stateful throughput. The SGS 1660 is rated for 200 users and 200M bps of throughput and offers VPN acceleration. The estimated street price for the SGS 1620, with all licenses and subscriptions, is $1,200, about $2,600 less than the SGS 1660.

Our tests show that the SGS 1660 appli- ance is suitable as an entry-level network protection device for small organizations or for use in branch offices.

The SGS 1660 will be especially useful at companies with a smaller or less experienced IT staff. During tests, we found the appliance simple to install and configure. It took only a couple of hours to configure the hot-standby capability and to add basic firewall policies to protect our test network of Web servers and desktop clients.

As with any firewall, the bulk of setup and IT operation time will be taken up by configuring rules that will make network traffic conform to business needs.

In this regard, the SGS 1660 stands a bit above competing devices, including Check Point Software Technologies Check Point Express security gateway, which can be bundled onto IBMs eServer xSeries 306, Fortinets FortiGate-300 Antivirus Firewall and Juniper Networks NetScreen-50.

All these products provide similar functionality, although no one completely overlaps with any other.

Client compliance

One SGS appliance feature that was clearly added to gain a toehold in the endpoint access control space is the client compliance module, which allowed us to check for—and only for—the presence and currency of Symantec Client Firewall and Symantec anti-virus tools and definitions.

We dont hold the paucity of checks against Symantec (not in this version, at least). It makes sense that the company would start on the client compliance path by looking for its own tools. However, we hope that future versions of the SGS family expand to include checks for other common desktop firewall and anti-virus tools.

That aside, the SGS appliances ability to periodically check for compliance during connection with endpoints is an important advance.

In fact, network managers should build into their protection tool kits the ability to ensure that an at-risk client, such as a laptop computer, can be checked at initial connection time and periodically while connected to the network to ward off dormant worms or other malware that might have been missed during startup scans.

Next Page: The affects on network performance.