This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
Live monitoring. We examined several critical pieces of information available from the Web interface: real-time CPU and memory load, current alerts of potential network attacks, antivirus-related messages, and system health messages that required immediate attention.
This information helps you see whether your UTM box is overloaded or mismatched with the particular network traffic and inspection loads.
All of the UTM products except Check Point and IBM show the current CPU load and, in some cases, memory consumption on the home page of their Web interface, so it is easy to find and easier still to track. IBM ISS buries its status screen, while you have to visit Check Point's SmartView Monitor (a separate piece of software that comes as part of the UTM package) to get this information.
The three most useful front pages were from Astaro, SonicWALL and Fortinet, which offer all sorts of helpful summary information in one convenient place. Fortinet also includes a secure command-line console window within its Web interface, while the others require an SSH client to connect to their box if you need access to the command line. SonicWALL also tells you if you have set up the box with a known security weakness, such as allowing management from the WAN interface.
IBM ISS' antivirus status screen shows protocols protected and traffic statistics.
Check Point uses Windows software for its management, which means an admin must carry around a laptop with the software installed, rather than simply logging in through a browser. IBM ISS and Astaro can't be managed through Macintosh-based Firefox browsers, and we found some bugs when we administered SonicWALL with Firefox on a Mac.
Antivirus statistics are very important, since few things light up the help desk lines like email problems. IBM ISS has a simple-to-understand antivirus status screen (see the IBM ISS screenshot), showing messages blocked, signatures, and which ports are being blocked or scanned. Astaro also has a good summary display of its email traffic, but tweaking the protection results requires visiting several different sub-menus. Check Point and Fortinet put this information on summary screens; Juniper and SonicWALL have separate screens that summarize the virus penetrations.
This was first published in June 2007