By David Strom, Network World
If you run a small business, you have a lot of choices to protect your network. You can buy a consumer-grade router for less than $50, you can spend more than $4,000 for an enterprise firewall, or you can select something in between.
That’s where unified threat management (UTM) products fit. UTMs integrate five basic security features: firewall, IDS/IPS, anti-virus/anti-spam, VPN and outbound content filtering to prevent phishing and browser-based attacks. UTMs offer easy set-up and can support a 25-person small business for an average of around $1,500.
We tested eight devices: Check Point Software’s 640, Dell/SonicWall’s NSA 250MW, Cyberoam CR35iNG (which is now a separate company from Elitecore Technologies), Fortinet’s FortiGate-100D, Juniper Networks’ SRX220H-POE, Kerio Technologies’ Control 1100, Sophos/Astaro’s UTM 220, and WatchGuard Technologies’ XTM 330.
Here are our top-line findings:
• Check Point is our Clear Choice Test winner. The Check Point 640 UTM is the cheapest and most capable box — two things that usually don’t go together — and the most appropriate UTM device for the SMB marketplace. It has an appealing user interface, a lot of great security features, and is simple to manage and create new security rules. It also works well with mixed Mac/Windows networks.
• Kerio, WatchGuard, Cyberoam and Sophos were runners-up. All had solid protective features and were nearly as easy to manage as Check Point, but cost more. Dell, Juniper and Fortinet all had their issues, which we describe in the
• In addition to the five basic UTM features, all of the vendors have included extra functionality. For example, Dell/SonicWall and Check Point included a wireless access point inside the box. WatchGuard and Fortinet have management software that will work with their own external Wi-Fi access devices.
• Several units also include Web applications firewalls that can be used to selectively block particular applications from running on the internal network, while others include traffic or bandwidth management to eliminate network hogs or to at least clamp down on potential bandwidth abuses.
• Units from Check Point, Fortinet and Kerio can be used to connect to two different upstream Internet connections, such as a cable modem and a DSL link, for the ultimate in connection diversity on a budget. This provides failover in case one link goes down, or can be used for dynamic load balancing between the two connections. Dell/SonicWall can even support up to four connections.
• Several vendors have begun to incorporate various cloud-based services into their devices to offload some of the security processing tasks. For example,
definition downloads, upload logs for more in-depth analysis, and handle anti-virus screening.
• Some boxes have only four gigabit Ethernet ports while others have more: if you don’t have a network switch but have lots of wired connections, you will need to weigh the purchase of a separate network switch vs. a bigger UTM box with the wired ports built in.
• In some cases, such as on Check Point’s or Juniper’s box, any port can be defined to any network: WAN, LAN, DMZ, or to a special restricted guest network. In others, such as Fortinet’s, you are limited in terms of what you can attach to each port. Some boxes, such as Kerio, Sophos and Check Point, have a simple “LAN Switch” setting so that anything you attach can be connected to anything else across a single flat network topology, which is probably the most common situation. This makes them easier to set up, and also easier to manage if you know ahead of time that you don’t have to worry about where you attach your cables.
The Connected Enterprise
June 17, 2013
Shootout results: Best security tools for small business
Check Point comes out on top; Kerio, WatchGuard, Cyberoam and Sophos score high in review of unified threat management (UTM) devices
December 19, 2011, www.networkworld.com
Pricing and buying your UTM
The hardest part about choosing the right UTM box is figuring out its overall cost. Each vendor offers dozens of different sized licensing options and features. We asked each vendor to send us a typical box that might be used by a 25-person office, and some sent boxes with built-in or separately managed wireless access points.
Each box has a series of features that are separately licensed and a support contract is also purchased, typically for a year at a time. This means that getting a bottom-line price can be a chore. The range of prices for the first year of service on the units tested were $900 for Check Point to $2,900 for Fortinet.
The summary table below shows which additional features each product has, the number of ports, scanners and filters available, and which type of VPNs are supported by each box. (Watch a slideshow version of this test.)
Here are the individual reviews:
Our winner is the Check Point 640. It was extremely easy to set up, with wizards that offered simple choices and defaults that required only a few clicks before the box was up and running. It was also the least expensive.
By default, it enables all of its ports on a single LAN switch, and you can set up multiple SSIDs for the wireless interface with just a single policy selection, which is the easiest of any of the boxes we tested.
One of the things that we liked is that Check Point has designed this box for the SMB market by striking a nice balance between ease of use and powerful security features. In fact, the same software that runs on its enterprise UTMs is also running on the 640.
Unlike Juniper, Check Point doesn’t hide its advanced settings in a command-line interface. Instead, everything is accessible from the Web interface, which has the best-looking and clearest menus of any of the boxes we used. You can quickly view the active computers connected to the box, change the URL blocking dialog messages that pop up when your users try to surf to inappropriate sites, add protocols to the anti-virus scanner, and other commonly selected options.
If you need extra features, such as setting up a failover link to an ADSL modem or changing the priority of a particular security policy, it isn’t all that hard to find the right menu option to accomplish your task.
Like more advanced UTMs, you can do quick on-screen packet captures for particular interfaces, or create file-based Pcaps too.
The biggest downside for the Check Point is a serious firmware bug that prevented its wireless radio from being controlled properly. This was a function of a pre-release version that we were given for the test and was eventually resolved. Another issue: while the menus are clearly presented, there are some context changes on the left hand menu when you choose top menu tabs that can be somewhat annoying. Finally, while Check Point promises to have cloud-based tools to automate firmware downloads, upload logs and handle remote unit management, this wasn’t yet available in our test unit.
Check Point’s UTM also includes support for two different dynamic DNS services. Its VPN supports three client types, including a Windows-based PPTP client.
The price is very attractive: it includes 10 wired Ethernet ports and sells for $894, including a year of support and licensing for all the protective features. This is the lowest-cost unit in the review set, so you are getting great value for your money.
We have used SonicWall devices since they seemingly invented the SMB UTM category, but we found that the current release suffers from a confusing series of menu choices. Still, one of the strengths of SonicWall is that its devices are extremely easy on the initial setup.
In our testing, we found a bug in the SSL certificate setup, which was resolved before publication. We also found that overall reporting features were not as comprehensive as those of some of the other vendors.
In other areas, it was more flexible: you can choose among three Dynamic DNS providers and two Windows client antivirus services, Kaspersky or McAfee. It also can handle multiple upstream Internet connections in its Modem Settings sheets, and is one of the few vendors that offers DPI SSL traffic inspection. Another nice feature is that there is no maximum file attachment size for the antivirus scanner because it looks at the entire packet as it streams by the box. Some of its competitors first place email file attachments in memory before they are scanned.
The SonicWall UTM starts out with each port set up independently, but you can add what it calls PortShield groups to turn your box into a single network switch. You can also set up the box to automatically forward NetBIOS protocols across subnets, to handle Windows file and printer sharing, for example.
Traffic statistics are found right below the menu controls for each port interface, which is a handy reference. You can also set up a quick packet capture to debug your configuration or to examine specific traffic.
Our SonicWall came with a built-in wireless access point, and it has several nice features, including the ability to scan the surrounding Wi-Fi network for other SSIDs and check for radio channel interference. Unfortunately, you can’t set it up to transmit on both 2.4- and 5-GHz frequencies. For that, you’ll need to buy the separate SonicPoint access point. You can set up a separate SSID for guest access, but it required more steps than some of its competitors to set up.
SonicWall costs $1,500, which is the middle of the pack, and came with five wired Ethernet ports; expansion modules, at additional cost, can add another four ports.
The Cyberoam doesn’t have the prettiest user interface, but it eventually gets the job done, with features that can compete with the market leaders, such as application filtering and Instant Messaging archiving.
Its colorful and graphical configuration wizard was somewhat convoluted to set up, and the documentation didn’t match the version of firmware we installed. However, once we got the initial configuration going, it was fairly straightforward to add features.
The basic zone-to-zone firewall rules are set up automatically and can be easily augmented. Also, there is a wide variety of VPN clients (including Cisco and PPTP) and three dynamic DNS choices, although IPsec is only available for Windows clients. There’s also a good selection of reports, including security incidents, trends and compliance.
Its Web filtering policies are a bit convoluted to set up, but quite powerful. For example, you can block Facebook access during particular work hours. You can also set up multiple Internet links for load balancing or failover protection, or use a broadband data modem (this has to be done via the command line).
A nice feature here is that if you haven’t yet subscribed to a particular feature (in our case, it was the Web application firewall), a small dollar sign icon appears next to the menu item to remind you. If your mouse hovers over this, you see a tool tip saying you need to pony up the bucks to enable this option. Another is that it can force safe searches on Google, regardless of the local setting.
There is an authentication client for Windows, Windows Terminal Servers, Citrix Xen servers, Mac and Linux machines that can provide automatic logins; this is similar to what Check Point provides. Our Cyberoam box came with six wired Ethernet ports and sells for $1,563 including a 24/7 support subscription, which is in the middle of the pack.
Fortinet has a very capable but complex box that took a few calls to its tech support to get working properly. Its dashboard gives you the basic operations, and there are menus that become somewhat obvious once you spend time with the product. It has very powerful protection policies, so you can allow a particular user in a particular group to run specific applications, or base policies on particular devices.
So, for example, you could have a guest-only group with certain restricted rights, and an iPhone group that allows unlimited browsing.
Its URL filtering is equally powerful, and one nice feature is that like Elitecore you can force the Safe Search mode with Google, Yahoo and Bing to remove some objectionable content from your network.
It also offers the ability to automatically export its logs to the cloud, called, naturally, FortiCloud. (1GB of log storage is allowed free of charge.) In addition to the five security modules, it also has a powerful applications firewall and bandwidth management features that can be incorporated into its policies, like the other modules.
Fortinet has its FortiClient endpoint compliance control software for both Macs and Windows that works in conjunction with its UTM box. If you already have client anti-virus software, you will want to remove it before installing FortiClient. This is the same software that runs the IPsec VPN, and there is also the ability to run a SSL VPN. It also supports dynamic DNS configuration.
For link diversity, you can use a USB 3G cellular data modem as a failover connection. And if you want to connect Fortinet’s own Wi-Fi access points, you can manage them from within the FortiGate Web console.
Online help could use a better search engine and indexing, although there are some good screencast videos on Fortinet’s site that show you how to use it.
Fortinet came with 16 wired Ethernet ports for the internal network and sells for $2,898, which was the most expensive unit we tested.
Juniper’s UTM is a study in contrasts: it is the most feature-complete box, mirroring security protection features from its most expensive enterprise firewalls. But it is also the most vexing to set up and configure. Because of its incomplete Web-based interface, you’ll find yourself typing on the command line and looking up command syntax. It does have a few setup wizards that will walk you through the initial process, but even so, we had to muck around with the initial routing settings.
With some of its competitors, if you need to change the management port from the standard Web ports of 80/443 because your Internet provider blocks traffic there, you can easily find the menu option and make the change. With the SRX, you need to enter the command line to do this. But regardless of what port you choose, you can’t remotely manage the box over the Web anyway. That is a security feature, but it essentially knocks the SRX out of the running as suitable for the SMB market.
The SRX supports dynamic DNS, but again you need to go to the command line to get it set up. If you want to create a rule to block application-specific traffic, you need to go to the command line — we added a rule to block YouTube video streams. One thing that wasn’t easy was putting up a special block page, which most of the other UTM boxes do by default. Not Juniper. If you want to add support for QoS or bandwidth shaping or add link detection and failover, there is a lot you can do, but again, you will find yourself at the command line.
In addition to all this command line typing, you will be clicking and navigating back and forth across its Web menu tree to accomplish even the simplest of tasks. This workflow design will drive you nuts if you aren’t familiar with its interface. (Juniper promises to simplify the experience in future releases.) To make matters worse, there are two different sequences of menus with different command layouts — one for configuration, and one for monitoring.
We tested the SRX with a separate Juniper wireless access point that is managed by the SRX. There are several entries into different menu trees to get the wireless network up and running, again more cumbersome than either Check Point or SonicWall’s equivalent configuration. And you can only manage up to four access points per box anyway, with the third and fourth incurring additional license fees. One nice thing is that the access points can communicate on both 5- and 2.4-GHz bands and support multiple SSIDs.
There are several other drawbacks with the SRX. First, it has only an IPsec VPN, using the Pulse client software. There is no Active Directory integration, and unlike the FortiClient, no client-based endpoint protection integrated with the unit. Unlike the SonicWall, there is no deep packet inspection over SSL yet, although Juniper is working on adding these features.
One nice thing is that you can roll back any changes to a previous version. We had a Juniper engineer sitting by our side and still needed to use this feature because we got ourselves into trouble and needed to back out. You have to commit your configuration changes in a separate step, which can be either a nice feature or an annoyance, depending on your perspective.
Another plus is that you have lots of choices for anti-virus and URL filtering; indeed, Juniper offers the most of any of the boxes we tested. For antivirus, if you choose Kaspersky, its scanner has to download and scan everything on the box itself; with Sophos, it is done in the cloud without impacting the box’s CPU or other resources.
Juniper’s UTM sells for $2,699 and includes eight wired Ethernet ports. This also puts it near the top of the price range of the units tested. These ports are part of a big switched LAN by default, but can be assigned to other network uses.
Kerio was one of the easier boxes to configure, with clear menus and simple options, such as the ability to aggregate all of its LAN ports in a single switched network. Its workflow to set up security policies is straightforward, and effective group policy access rights come with a few pre-set conditions to make for easier setup. For example, users can have read-only admin rights, no admin access, or full access. Users can have access to external peer-to-peer networks, or can write their own URL filters, and a few other tasks. You can assign particular security policy rules to particular users or groups.
There is also a separate Web portal that you can assign different access rights to, a nice feature. Users can also access just their own usage data online and receive regularly scheduled reports. Rules are easy to set up, and can include a redirect to a different URL if your users are trying to surf objectionable sites. There is support for three Dynamic DNS providers. All of this is a nice touch.
Usage statistics are available in two places: First, there are some overall traffic stats inside the admin console as well as status on CPU, memory and disk usage of the box.
There are a few drawbacks, though. You need to set up a maximum file size for anti-virus scanning (the default is 4MB), and there is no scanning of encrypted traffic.
Kerio’s online help comes with a series of six video tutorials, but this is less useful because some of the screens don’t match the current version of the software menus. Kerio sells for $1,625 and that includes four wired Ethernet ports.
Sophos bought the rights to the Astaro line of UTMs and it has a very attractive menu layout and simple setup, such as the ability to create a simple LAN switch across all ports. It had five flexible Dynamic DNS providers, with DNS entries that can be assigned to a particular interface port. It supports Web applications filtering, QoS monitoring and link path diversity too. The same UTM software is available either on an appliance (which is what we tested) or as on-premises or cloud-based software.
Menu choices are clearly laid out, reflecting the solid UTM heritage of the Astaro line. Reports are sprinkled throughout the user interface, and presented at the top level of various menu choices, such as network protection statistics or interface statistics. While that can be initially disconcerting, we liked the visualizations included too. Online help is also easily searchable and in context.
One of the features is what Sophos calls Remote Ethernet Device management. This is useful for configuring a bunch of distributed UTMs. Your central UTM box sets up the remote UTMs without anyone needing to touch them in your branch offices. We didn’t test this feature, but it could be very useful if you have to deploy many units. We also had an unresolved problem with how our Mac’s browser connected to the box via SSL.
Sophos sells for $2,780, which includes eight wired Ethernet ports, and most of that price is for the various software subscriptions. While this box would be highly recommended for its features and ease of setup, the price puts it near the top of the range of the units we tested.
WatchGuard was extremely fast to set up for a basic network, but the additional security measures took several long sessions with tech support personnel at our side coaching us. It has the ability to set separate policies for particular interfaces, and all policies share the same common rule set, which can make for a very powerful security device.
It has a cloud-based management interface that works in conjunction with the Web UI, where antivirus signatures and IP and domain reputation management are handled. It also makes use of the cloud to aid in nearly touchless remote deployment, which can be handy if you are shipping a bunch of boxes to different destinations. You can also set up schedules to turn off particular protocols, such as no after-hours FTP traffic, with a few simple menu commands.
The XTM box we tested didn’t include its own wireless access point, but WatchGuard sent us its AP200, a separate access point that is managed directly by the XTM. Getting it set up wasn’t as simple as the XTM box itself, and there are several screens that you have to visit to get it working and integrated into the overall WatchGuard-protected network.
WatchGuard says it is working on improving the software with new feature additions to its overall management framework. You can set up separate virtual LANs to have trusted and guest wireless networks.
You can also set up separate SSIDs for a single wireless access point, and attach different policies to each SSID, so you have a guest restricted network and a more open but more protected network.
One issue is that WatchGuard also has a Windows management client, which actually requires two separate executable files to download. This software can be used to manage a collection of devices remotely, for example by a value-added reseller who has to maintain various customer networks. The command menu structure and features are somewhat similar but not exactly the same, and it looks to be a superset of the commands available in the Web interface.
Once you get used to the Windows software, this (and not the Web interface) is what you would want to use for reporting, debugging your policies and tweaking your configuration. You can also view all traffic flowing through the box, but you can’t easily see who is managing your box at any given moment.
WatchGuard supports Dynamic DNS connections to get past our cable modem, and both SSL and IPsec VPNs for both Mac and Windows clients. It sells for $1,570 and that includes seven wired Ethernet ports.
How we tested SMB UTMs
We installed each UTM in two locations in St. Louis: in our own test lab and in the Mercury Labs offices, a small video production and public relations agency. Both had a variety of Windows and Mac desktops and used cable modems to connect to the Internet. The agency did not use any security devices at the time: only an Apple AirPort Express provided any network connectivity.
Once a box was connected, we updated the firmware and licensed individual software modules on each box, and then set up each UTM with WAN and LAN interfaces to operate with DHCP addresses whenever possible to remove the headache of managing IP subnets.
We looked at what it would take to create a more restrictive policy for guest workers, as one example, and to see how to automatically block incoming threats. We added particular policies for sample users and performed other common tasks. Since we had cable modem connections, we looked at setting up a VPN and also using a dynamic DNS service to forward traffic to the UTM unit. We assumed these devices would be placed on networks without any central Active Directory or RADIUS servers, so we added user accounts and set up security groups manually.
We evaluated the units based on these three criteria: installation, features, and overall value.
For installation, we reviewed the basic setup of the various network interfaces, users and licenses. These products should be geared towards smaller networks, with limited IT expertise and time to administer them. We looked at how much time was needed to set them up and configure them properly.
When it came to examining features, we looked at the ability to manage and monitor the box remotely, set up new security policies, and review reports. We also looked at how well the basic five security modules integrate with each other, and what kind of workflow is needed to implement their protective features.
Finally, to assess value, we accounted for the overall first year purchase price plus the cost of any support and software licenses.
Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.