UTMs require routing for flexibility's sake

Dynamic routing is the kind of feature required of any UTM firewall as a means of providing deployment flexibility.

We tested the OSPF-routing capabilities of the UTM devices in order to simulate the kind of multiple-exit network (two Internet gateways) that might be common in a large network.

However, we do need to note that dynamic routing might also be useful on the inside of a multiple-zone firewall for a growing network as it picks up new subnets around the globe. VPNs, likewise, are perfect places for dynamic routing to be used. As a large VPN grows, the burden of managing the list of networks at each point in the VPN can be high, and dynamic routing combined with VPNs can help to maintain reachability information on what networks are connected without making every single device reconfigure its VPN each time the network changes. When VPNs are combined with dynamic routing, a tight integration among firewall policy, VPN rules and dynamic routing is required.

Two vendors stood out for making dynamic routing especially easy: Juniper, in both the ISG-1000 and the SSG-520, and Nokia, in the IP290 with Nokia’s IPSO operating system and Check Point’s VPN-1 firewall. While Juniper doesn’t offer the full suite of routing capabilities available on its enterprise and carrier-class routers, the ScreenOS routing features in combination with its virtual routers within the firewall and easily manageable configurations will probably go way beyond what is needed in most UTM environments. Likewise, Nokia’s IPSO platform has long had a very strong routing base, that supports clustering and a broad range of protocols .

To stress the extended features in both Juniper and Nokia dynamic routing, we also added a Border Gateway Protocol session to our test devices and made sure that we could control the propagation of routes between OSPF and BGP.

Cisco, traditionally a routing giant, fell down in our evaluation because its ASA platform doesn’t include all of the brainpower of its IOS code base. Although Cisco is pushing EIGRP (it’s proprietary and very popular dynamic-routing algorithm) routing into Version 8 of the ASA software (which was released after we had completed testing), the capabilities of the ASA 5540 we tested don’t live up to Cisco’s routing strengths.

We gave passing marks for dynamic routing to the Astaro, FortiGate, Secure Computing and SonicWall UTM firewalls. All had working dynamic-routing code that was easy to configure and debug. With he Secure Computing Sidewinder configuration, you have to drop out of the GUI and work at the command line. However, the underlying open source Quagga routing code looks and behaves in a way that will be familiar to Cisco IOS-trained network managers — a big plus.