This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
The appropriateness for your company depends largely on how you have structured your support staff. If you have an antivirus person on staff, and you have a box that requires adjusting antivirus policies in several different places, you have a lot more maintenance work than with a box where you can set these policies in a single place. However, your security staff may wear a lot of different hats and thus this might not be as much of an issue. It is really a matter of taste and organizational structure.
SonicWALL zones offer module-specific protection policies.
SonicWALL and Astaro mix both approaches. Astaro has policies that are based on application-layer protocols (Web, email, IM and so forth) and has separate policies for network layer events. This means that to make changes in the UTM operations, you need to touch screens in both the protocol section and the network interfaces. If you forget one or the other, you will have configuration problems or, worse yet, think you are protected when you aren't.
SonicWALL policies are module-specific and are applied to particular network routes. That has a lot of appeal, and is why we give it top marks here. All of its protection rules are organized in a single section, and it is easy to apply them to the appropriate interface (see SonicWALL screenshot, right).
Authentication capabilities are relevant if they are used for remote VPN connections. For most site-to-site VPNs, this isn't important unless you want to do some rudimentary endpoint protection or create policies based on particular user groups or roles.
All of the products support RADIUS authentication; Astaro and Fortinet can connect directly with an Active Directory user store; Astaro also supports authenticating to Novell's eDirectory. Juniper can integrate with RSA's SecurID tokens directly.
All of the products offer IPsec VPNs, and Astaro, Check Point and Fortinet support SSL VPN terminations. None of the SSL modules has anywhere close to the level of features that a standalone SSL VPN box would provide.
This was first published in June 2007