Check Point takes best approach to URL filtering

By , Network World
May 07, 2012 12:04 AM ET

Network World - URL filtering has become a "checkbox" feature on most Unified Threat Management firewalls, and no wonder: it doesn't require a lot of imagination to do it right, and it's hard to really differentiate yourself or do a bad job of it.

Three of the vendors tested -- SonicWall, Fortinet, and Barracuda -- had nearly identical interfaces to define URL filtering policy. There were some minor differences -- for example, Fortinet had a cute feature that would limit the amount of time you could spend on a category ("you can look at Sports pages, but only for 5 minutes") -- but generally there was little difference.

The Barracuda NG Firewall had one major flaw, to be fixed in Version 5.4, which required us to set up separate and independent policies for the HTTP and HTTPS proxies, doubling the time to maintain the policy and increasing the chance of human error.

Check Point takes a very different approach by integrating URL filtering with application identification and control into a single policy. Check Point's combination of the two tools is a better way of building a next generation firewall. URL filtering and application controls are closely related and overlap in many ways.

For example, blocking access to external webmail servers can use both application identification, to find private webmail servers, and URL filtering, to find public webmail servers. Combining the two techniques is better than using just one.

Our anti-malware testing really highlighted differences between the products and their approaches to scanning for viruses across broad categories of traffic. The two stars of the show here were Fortinet, for having the best anti-virus engine, and SonicWall, for having the best coverage across different types of traffic.

Both Check Point Security Gateway and Barracuda NG Firewall did poorly at the task of finding viruses across many different applications, although Check Point Security Gateway did include a new anti-bot detection system.

We tested using a small handful of recent viruses that we found in the wild just before our testing started. Each of the products had plenty of time -- over two weeks -- to update their signatures to catch the viruses we used. FortiGate caught 100% of the viruses we threw at it. Next in line was SonicOS, which caught 100% of the viruses when we sent them over HTTP and HTTPS protocols, but slightly less when we used FTP, IMAP, and SMTP. Check Point Security Gateway and Barracuda NG Firewall caught fewer viruses in our small sample (80% and 90%, respectively).

The more important result was coverage across various protocols, and this is where SonicWall shined. Only SonicWall managed to find viruses no matter where we hid them. In configuring SonicWall to catch malware, you don't list specific ports, but applications running on top of those ports: HTTP, FTP, IMAP, SMTP, POP3, CIFS (Microsoft file sharing), and "everything else." When we sent viruses using common protocols through the firewall, the anti-malware engine inspected the traffic. It didn't catch each virus in each scenario, but there were no gaping holes where inspection didn't activate at all.
