This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
IBM ISS stood out from the pack with superior defaults, such as setting up internal network routes and activating features at the click of a button. This default-driven approach could be a bit problematic if your tastes run to doing something more sophisticated. For example, most of the other UTM appliances could handle connections to a WebDAV server for sharing files; with IBM ISS, we needed to set up a special firewall policy to allow this traffic. Nevertheless, this was a minor inconvenience--not enough to keep IBM ISS from getting the clear top grade in overall enterprise management.
Licensing, updating. Each product has intricate licensing and signature file update issues, mainly because customers will purchase varying configurations, feature sets and user counts. None of the products did a particularly good job troubleshooting licensing errors; Check Point and Juniper had the most complex and unintuitive licensing procedures. In fact, we had trouble with our Check Point licenses even after its engineer spent several hours on site setting up our box that turned up a bug. The other products make installing and upgrading licenses, and updating threat signatures, far easier.
IBM ISS makes this process a snap; it consolidates all of its updates for antivirus, IDS and firmware in a single screen. You can set it to check for updates automatically on a schedule. The others are more complex; you will have to visit multiple screens or do more than just push a single button to update everything.
Administration. Consolidated security administration is a key value proposition for UTM. However, getting to this consolidation won't be easy. Because these products cover a wide range of protection methods, they need to have the flexibility to be operated by multiple administrators.
Fortinet, Juniper and Astaro can handle multiple concurrent administrators and immediately post any configuration changes to their boxes in a "last one wins" scenario. This means that any intermediate changes will be ignored, which isn't ideal, and it means one person needs to have ultimate authority over all UTM appliances. Check Point, SonicWALL and IBM ISS allow only a single administrator to be connected at any one time to avoid conflicts.
Check Point has the most complex and useful approach, providing great flexibility across a large deployment. Multiple administrators can run its SmartDashboard in read-only mode to view, but not change, the configuration. And it has other tools, such as the separately priced Provider-1, which can segregate roles between, say, a desktop department to handle antivirus configuration and a network group to manage the firewall setup. Juniper has something similar with its separately priced NetScreen Security Manager for managing role-based administration. (SonicWALL is coming out with a new version of its management software that will allow multiple concurrent admin users, but this wasn't available for our tests.)
This was first published in June 2007