
There is no real agreement about whether antivirus software is required in or even a good idea for an enterprise-class firewall.
Some consider antivirus protection irrelevant in a unified threat management (UTM) firewall deployment, because a desktop antivirus application and an e-mail security appliance are already doing a good job of scanning for viruses. Others consider antivirus sitting inside the UTM a huge bonus, because they want every possible "defense-in-depth" feature to block viruses at other places on the network.
The former attitude proved the most defensible one based on our testing. Not only did we see incredible performance problems when antivirus scanning was included in the UTM mix, but we also found that these firewalls don't do a very good job of finding viruses in any event.
We ran into flawed implementations, bugs, and hidden features that had to be enabled before antivirus scanning would work properly.
We started our testing knowing that most vendors feel that UTM-based antivirus scanning is useful in the small-to-midsize business sector, but not necessarily in gigabit-speed enterprise firewall deployments. Exactly where antivirus stops being useful is not clear.
We discovered quickly that few of the participating vendors take antivirus software seriously. Some don't even include it in their high-end boxes. For example, Juniper Networks' ISG-1000 makes you pick between virus protection and intrusion prevention. The Cisco ASA5540 doesn't give you any antivirus-management options at all.
Some vendors do give antivirus a fighting chance, though. Secure Computing's Sidewinder gives network managers tight control over antivirus scanning parameters. For every rule that allows traffic through the firewall using one of the protocols it supports (HTTP, FTP and SMTP), you can specify what to scan and which MIME (Multipurpose Internet Mail Extensions) types to scan.
The Sidewinder got a perfect score in blocking all of our FTP, SMTP and HTTP viruses. However, when we tried to send the same viruses through the firewall over a nonstandard HTTP port, the Sidewinder missed them all. That scanning also comes at a moderate performance cost: with antivirus scanning enabled, the throughput of the Sidewinder 2150D dropped by about 50%.