This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
Enterprise Management and Control
We examined how each product is managed, typically with a Web browser, and the various administrative roles that can be performed concurrently. We also looked at how particular functions are licensed, and how threat signatures are updated. Because these products handle a variety of security tasks, ease of setup is important, and being able to delegate and divide administrative roles is also critical.
Screen shot: Check Point's SmartView Monitor for administering its operations.
Configuration. All of the products, except Check Point, are primarily configured by connecting to their built-in Web servers. Check Point actually has three configuration interfaces--command line, a Web-based initial configuration tool for basic tasks, and its SmartView Monitor Windows-based administration tool (see the Check Point screen shot). Unfortunately, you'll need to be familiar with all three. For example, you have to go to the command line interface to set up a DHCP server on an internal network.
Some of the Web interfaces are more logically designed than others. Astaro, IBM ISS and Fortinet separate the functional modules--with separate menu trees for antivirus and IDS, for example--and lay them out logically. Juniper has the poorest interface of the six, because its commands and controls are buried several levels down or require operators to visit multiple pages to set up even the simplest procedures, such as changing one of the antivirus settings. SonicWALL's interface is just a little better than Juniper's, hiding many of its UTM features under a single "security services" menu tab.
Setting up the IBM ISS box took about an hour, and Check Point took several hours. The others were somewhere in between. While this may not be terribly important if you're installing a single box, it will add up for large deployments.
This was first published in June 2007