Clear Choice Test: Unified Threat Management Firewalls. All-in-one firewalls show spotty performance; Juniper, Cisco and Check Point lead the way in a test of 13 unified threat management devices.
AV's place is not in the all-in-one security box

Tests indicate antivirus is a UTM performance drain
By Joel Snyder , Network World , 11/12/2007

There is no real agreement about whether antivirus software is required in or even a good idea for an enterprise-class firewall.

Some consider antivirus protection irrelevant in a unified threat management (UTM) firewall deployment, because desktop antivirus applications and an e-mail security appliance already do a good job of scanning for viruses. Others consider antivirus sitting inside the UTM a huge bonus, because they want every possible defense-in-depth feature, including one that blocks viruses at other points on the network.

The former attitude proved the most defensible one based on our testing. Not only did we see incredible performance problems when antivirus scanning was included in the UTM mix, but we also found that these firewalls don't do a very good job of finding viruses in any event.

Tracking antivirus catch rates

Most UTMs we tested can scan only for particular applications on known ports. We tested three applications (SMTP, FTP and HTTP) on four ports, and the nonstandard port wasn't seen by most products — SonicWall and WatchGuard were the exceptions, and the WatchGuard proxy can't scan FTP. Even if you run only known applications on known ports, our tests show that half of the firewalls will miss a significant number of viruses.
Vendor            Product                                 Protocols covered                        Catch score
Astaro            ASG 425a                                FTP, HTTP, SMTP, POP3                    67%
Check Point       UTM-1 2050                              FTP, HTTP, SMTP, POP3                    70%
Crossbeam         C25                                     FTP, HTTP, SMTP, POP3                    70%
Fortinet          FortiGate 3600A                         FTP, HTTP, SMTP, IMAP, POP3, IM, NNTP    75%
IBM/ISS           Proventia MX5010                        FTP, HTTP, SMTP, POP3                    60%
Juniper Networks  SSG-520M                                FTP, HTTP, SMTP, IMAP, POP3              72%
Nokia             IP290                                   FTP, HTTP, SMTP, POP3                    75%
Secure Computing  Sidewinder 2150D with IPS acceleration  FTP, HTTP, SMTP                          75%
SonicWall         Pro 5060                                FTP, HTTP, SMTP, IMAP, POP3, CIFS, TCP   85%
WatchGuard        Firebox Peak X8500e                     SMTP, HTTP, TCP                          45%

Catch score is the share of the test viruses each product detected.

We ran into flawed implementations, bugs, and hidden features that had to be enabled before antivirus scanning worked properly.

We started our testing knowing that most vendors feel that UTM-based antivirus scanning is useful in the small-to-midsize business sector, but not necessarily in gigabit-speed enterprise firewall deployments. Exactly where antivirus stops being useful is not clear.

We discovered quickly that few of the participating vendors take antivirus software seriously. Some don't even include it in their high-end boxes. For example, Juniper Networks' ISG-1000 makes you pick between antivirus and intrusion-prevention protection, and the Cisco ASA5540 doesn't give you any antivirus-management options at all.
