This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
Authentication and Policies
Setting up and tuning security policies for the various modules is at the core of these products. Ideally, you would want an appliance that makes it easy to figure out how to keep your network protected, but still allows users room to get actual work done, all the while providing feedback when you have too strong or too weak a policy.
SonicWALL and Fortinet clearly lead the pack in this regard, with the others scoring equally behind. Even if you don't activate all of the security modules, both vendors' approaches are easy to understand and provide just enough feedback so as not to overwhelm an administrator.
Fortinet protection profiles provide a good base that can be modified for particular requirements.
There are two basic approaches to how security policies are created:
- Integrated policy that applies to particular users or network interfaces. This has its advantages if your UTM box sits on several different network segments and you want to deploy different policies by segment or by user group (for example, one with servers on it, or one with engineering users). With this method, an administrator sets one policy that cuts across all of the individual security modules, with specifics for antivirus, IDS and so forth. Call this the traditional firewall approach, and each policy can enable different security modules for
Fortinet and Check Point use this approach; Fortinet does a better job, setting up a series of four default protection policies that give you a great starting point and examples that make it easy to modify them for your specific needs (see Fortinet screen shot, right).
- Separate policies that are module-specific. This means there will be one policy for antivirus, another for general firewall tasks, and more for IDS actions. IBM ISS uses this approach; while it also has chosen lots of defaults to get you started, making modifications isn't as easy as with Fortinet, because you must make them in several places. Juniper also sets up security policies by module.
This was first published in June 2007