Review: Symantecs Gateway Security 5460

eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Symantec Corp.s Gateway Security 5460 Version 2.0 provides tight integration of security services and much-needed relief for networks with complex security architectures. However, administrators with networks requiring extremely fast transaction times should consider how much scanning is done at the gateway.

The Gateway Security 5460, which began shipping in late October, is priced starting at $10,500 with only the firewall enabled; adding security services quickly increases the price. The unit eWEEK Labs tested—with anti-virus, content filtering, VPN, intrusion detection and intrusion prevention for 250 nodes—costs $26,535.

The Gateway Security 5460 chassis is a sleek, attractive 2U (3.5-inch) unit, somewhat reminiscent of Digital Networks North America Inc.s ReplayTV. The front LCD panel is used solely for initial IP and registration purposes. The units six copper gigabit interfaces provide plenty of headroom for redundant high-speed network connections.

The unit includes only one power supply. This is unfortunate, given the units mission-critical role in the network. eWEEK Labs highly recommends deploying two units in tandem, although this significantly ratchets up the price. The Gateway Security 5460 does support clustering and high-availability load balancing as an option (adding about $5,000 to the price), but we did not test these capabilities.

System management is performed via Secure HTTP to a Java-enabled Web page called SGMI (Security Gateway Management Interface). The first time we logged in from a Windows client using Microsoft Corp. Internet Explorer, SGMI checked the browser for a Java plug-in, then automatically installed Sun Microsystems Inc.s Java Runtime Engine 1.3.1_04.

Configuration from a Red Hat Inc. Red Hat Fedora Core client was a little more complicated: Before we could start, we had to find and manually install the correct Java Runtime Engine version for our Mozilla client. (Mozilla 1.4.1 requires Java Runtime Engine Version 1.4.2.)

In eWEEK Labs tests, SGMI proved to be wonderfully intuitive and flexible. The object-oriented policy engine allows superb control of destination zones and service groups. We especially liked the Gateway Security 5460s ability to tie content filtering and anti-virus scans to particular service groups and access rules, instead of offering just a simple on/off mechanism.

The Gateway Security 5460 uses application proxies for several common network applications, including HTTP, FTP and Network News Transport Protocol. This means that the Gateway Security 5460 scans and approves application content before sending the traffic to its destination on the requestors behalf. As always, however, proxy technology adds transaction time because the firewall must maintain and tear down separate connections to the client and target server.

The Gateway Security 5460 can act as a primary DNS (Domain Name System) server, providing protection against attacks such as a poisoned DNS cache. During tests, we had to point a forwarder on our internal DNS server to the Symantec unit. Although this feature left us feeling a little queasy, it worked flawlessly in our tests and should provide great relief to administrators who havent updated their BIND (Berkeley Internet Name Domain) version lately.

The Gateway Security 5460s inline anti-virus scan is an appealing feature, but our tests showed there is room for improvement.

We tested the Gateway Security 5460s ability to scan FTP, HTTP and SMTP traffic on the fly. In each case, the Gateway Security 5460 easily detected Nimda.E and Sobig.A viruses, first attempting to clean the files and then stripping them out while notifying the user of the problem.

However, we were dismayed to see that the Gateway Security 5460s proxy mechanism does not yet support POP3 (Post Office Protocol 3) for anti-virus scans, meaning that desktop anti-virus products will continue to be critical investments.

When the Gateway Security 5460 performs a virus scan, it must locally cache the whole file before scanning it and sending it on. During live-Internet FTP performance tests, we found that the inline scan added 8.83 percent to the transaction time of an unscanned transaction with a 2.26MB file and 5.38 percent to a 6.02MB transaction. Networks with lots of small transactions will most likely see the greatest performance degradation from the virus scan.

We also found that client applications with short timeout periods (for example, the Windows command-line FTP client) can struggle with the anti-virus feature when downloading large files (more than 10MB). Because the firewall caches and scans the download before the client sees anything, client applications may time out while waiting. To address this, Symantec offers an optional file “comforting” feature, which trickles information to the client while the firewall performs the scan. However, there is a possibility that attacks could slip though if this feature is used.

ManHunt, Symantecs IDS/IPS (intrusion detection system/intrusion prevention system) engine, distinguishes itself by offering not only signature recognition but also protocol anomaly detection.

During tests, the IDS/IPS engine performed as expected, detecting SQL Slammer attacks and dictionary attacks on an FTP server with ease. However, because the Gateway Security 5460 is a gateway solution, IT managers would be wise to maintain separate internal IDS products to monitor for threats originating inside the network.

Virus updates, IDS signatures and URL filtering blacklists can be performed manually or scheduled via LiveUpdate, but wed like to see Symantec add support for Intelligent Update packages as well as for more regular anti-virus updates.

Discuss This in the eWEEK Forum

Technical Analyst Andrew Garcia can be reached at [email protected].