Enterprise users of Symantecs integrated threat protection systems can now extend that protection to remote and branch offices with the introduction of two midsize appliances: the Symantec Gateway Security 1660 and Symantec Gateway Security 1620.
2
Enterprise users of Symantecs integrated threat protection systems can now extend that protection to remote and branch offices with the introduction of two midsize appliances: the Symantec Gateway Security 1660 and Symantec Gateway Security 1620.
The 1U (1.75-inch) appliances, both of which were released at the end of February, come with new SGS (Symantec Gateway Security) 3.0 software that adds anti-spyware and anti-virus capabilities. SGS 3.0 also adds management hooks that will allow administrators to integrate the boxes with the SGS Advanced Manager 9500, an appliance that enables centralized policy management, configuration, logging, alerting and reporting for the SGS line.
eWEEK Labs tested two SGS 1660 appliances with Version 3.0 software. Each integrates full application firewall, IPS (intrusion prevention system), IDS (intrusion detection system), SSL (Secure Sockets Layer) and IP Security VPN capabilities, as well as on-box anti-virus and anti-spyware scanning, content filtering, client compliance monitoring, hot-standby and dual ISP connectivity options.
We tested the SGS 1660s with an SGS Advanced Manager 9500, which is based on a 2U (3.5-inch) Dell PowerEdge 2850 server platform. We used the management appliance to consolidate alerts and to configure policies on the SGS 1660s.
The SGS 1620, which we didnt test, is rated for 100 users and 100M bps of stateful throughput. The SGS 1660 is rated for 200 users and 200M bps of throughput and offers VPN acceleration. The estimated street price for the SGS 1620, with all licenses and subscriptions, is $1,200, about $2,600 less than the SGS 1660.
Our tests show that the SGS 1660 appli- ance is suitable as an entry-level network protection device for small organizations or for use in branch offices.
The SGS 1660 will be especially useful at companies with a smaller or less experienced IT staff. During tests, we found the appliance simple to install and configure. It took only a couple of hours to configure the hot-standby capability and to add basic firewall policies to protect our test network of Web servers and desktop clients.
As with any firewall, the bulk of setup and IT operation time will be taken up by configuring rules that will make network traffic conform to business needs.
In this regard, the SGS 1660 stands a bit above competing devices, including Check Point Software Technologies Check Point Express security gateway, which can be bundled onto IBMs eServer xSeries 306, Fortinets FortiGate-300 Antivirus Firewall and Juniper Networks NetScreen-50.
All these products provide similar functionality, although no one completely overlaps with any other.
Client compliance
One SGS appliance feature that was clearly added to gain a toehold in the endpoint access control space is the client compliance module, which allowed us to check for—and only for—the presence and currency of Symantec Client Firewall and Symantec anti-virus tools and definitions.
We dont hold the paucity of checks against Symantec (not in this version, at least). It makes sense that the company would start on the client compliance path by looking for its own tools. However, we hope that future versions of the SGS family expand to include checks for other common desktop firewall and anti-virus tools.
That aside, the SGS appliances ability to periodically check for compliance during connection with endpoints is an important advance.
In fact, network managers should build into their protection tool kits the ability to ensure that an at-risk client, such as a laptop computer, can be checked at initial connection time and periodically while connected to the network to ward off dormant worms or other malware that might have been missed during startup scans.
Next Page: The affects on network performance.
TKTK
Hark, who goes there?
IPS functionality is often finicky to configure and almost always a high-maintenance item during the first several weeks of operation.
Symantec ships the SGS appliances with what we found to be useful default IPS settings, allowing IT managers to get up and running relatively quickly and easily.
During tests, the default intrusion prevention policies worked well enough, and extensive user-configurable options will allow IT administrators to mitigate impact on the network. For example, we were able to apply the low-security policy to our trusted inside interfaces and configure the intrusion event profile to determine which traffic types to monitor and which to block.
Each network service that can be monitored—including the usual suspects DNS (Domain Name System), NetBIOS, TCP, UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol)—can be further refined by associating protocols such as HTTP that can be monitored by the SGS 1660 IPS module.
The IPS module is based on signatures that can be added or fully modified only by Symantec through Live Update. While the effect on network traffic speed was negligible in our test environment, we hope that subsequent versions of the IPS module will allow IT managers to make manual adjustments to the policies to enable more fine-grained control of blocked traffic.
During tests, we spent quite a bit of time balancing among different combinations of the preset policies that we assigned to the various interfaces on the SGS 1660.
We recommend that network managers start off with the lowest settings to ensure that desired network traffic is allowed through the SGS 1660. Based on our work, it shouldnt take more than a week of monitoring to safely adjust the IPS blocking policies to reach the right mix of network protection and business enablement.
New in this version of the SGS 1660 Version 3.0 software are more than 100 new reports that significantly ease the administration of the appliance. We ran the reports from each of our SGS 1660 appliances, and both the SGS 1660 and 1620 can send event and alert data to the Advanced Manager 9500 appliance for organizationwide reports.
Some of the most useful reports didnt have to do with performance or network events but, rather, with device configuration. When it comes to controlling ongoing management costs of a complex, policy-driven device such as the SGS 1660, configuration reports are crucial.
We were able to generate content-filtering profile, DNS record and global IKE (Internet Key Exchange) policy reports that detailed how our SGS 1660 was configured.
Many of the policy reports also have corresponding performance reports, which network managers use to keep business managers apprised of network performance.
Although not entirely new, content filtering is handled more gracefully in the Version 3.0 software that is supplied with the SGS 1600 models. We focused our testing on English language sites. However, the software supports double-byte characters for handling content violations in any language.
Next page: Evaluation Shortlist: Related Products.
Page 4
Check Point Software Technologies Check Point Express security gateway Software-based solution that can be bundled on an IBM eServer xSeries 306 for quick installation (www.checkpoint.com/products/promo/express_gateway.html)
Fortinets FortiGate-300 Antivirus Firewall An all-in-one appliance that includes anti-virus, anti-spyware, content filtering and VPN capabilities (www.fortinet.com/products/ telesoho.html)
Juniper Networks NetScreen-50 Juniper appliance provides integrated security, including multiple DMZs (www.juniper.net/products/integrated/ ns_2550.html)
Technical Director Cameron Sturdevant can be reached at [email protected].
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.