This article can also be found in the Premium Editorial Download "Information Security magazine: Compliance vs. security: Prevent an either-or mentality."
As shown in Table 1, many UTM vendors advertise gigabit rates for high-end platforms. But overall throughput drops when VPN is added, and turning on antivirus, antispam and Web filtering has an even greater impact. For example, the SonicWALL 5060 drops from 2.8 Gbps (firewall only) to 384 Mbps (full UTM). The lack of standardized tests prevents meaningful comparison between vendors, but most vendors admit that running multiple services at once takes a significant toll on performance.
That's why Kansas City Life Insurance Company decided to split services across a pair of Astaro appliances. "Ideally we'd put everything in one box, but at our size, that's not really practical," says network engineer Keith Beatty.
One appliance filters Web traffic for 600 local users, enforcing category rules and scanning for viruses. A second unit filters more than 562,000 mail messages each week, blocking spam for another 4,000 insurance agents who work throughout the U.S.
"Web and email are the most visible pieces of a network; you must be sure to put enough hardware in place to support all of your users," says Beatty.
Kansas City Life started with vendor installation sizing guidelines, but used live traffic to verify the estimates. "I talked to users and watched to make sure quality of service was there. We hit the sweet spot for Web filtering right away, which told me I didn't want to put more [services] on that one box."
The Astaro devices replaced several legacy products, including Cisco Systems PIX and Check Point firewalls, SurfControl and GFI MailEssentials.
"Those products may have had more features, but we weren't really using them," says Beatty. "Astaro gave us the core features we needed, with an overall experience that has been more robust." However, the company opted not to use Astaro's IPsec VPN, preferring to retain its well-ingrained SSL VPN appliance.
Kansas City Life mapped its existing firewall and Web/spam filtering policies into Astaro's unified interface. On the back end, Windows Active Directory integrates the appliance with the company's user authentication.
Beatty believes that Kansas City Life's investment in UTM has paid off: "It wasn't making my job easier having to dig up firewall patches all the time. And every year, maintenance on SurfControl got more expensive. Now, we're not even using the entire UTM feature set and we have more flexible features for less money."
This was first published in March 2007