Shootout results: Best security tools for small business
Check Point comes out on top; Kerio, WatchGuard, Cyberoam and Sophos score high in review of unified threat management (UTM) devices
If you run a small business, you have a lot of choices to protect your network. You can buy a consumer-grade router for less than $50, you can spend more than $4,000 for an enterprise firewall, or you can select something in between.
That’s where unified threat management (UTM) products fit. UTMs integrate five basic security features: firewall, IDS/IPS, anti-virus/anti-spam, VPN and outbound content filtering to prevent phishing and browser-based attacks. UTMs offer easy setup and they can support a 25-person small business for an average of around $1,500.
We tested eight devices: Check Point Software's 640, Dell/SonicWall's NSA 250MW, Cyberoam's CR35iNG (Cyberoam is now a separate company from Elitecore Technologies), Fortinet's FortiGate-100D, Juniper Networks' SRX220H-POE, Kerio Technologies' Control 1100, Sophos/Astaro's UTM 220, and WatchGuard Technologies' XTM 330.
Here are our top-line findings:
- Check Point is our Clear Choice Test winner. The Check Point 640 UTM is the cheapest and most capable box -- two things that usually don’t go together -- and the most appropriate UTM device for the SMB marketplace. It has an appealing user interface and a lot of great security features, and it is simple both to manage and to create new security rules on. It also works well with mixed Mac/Windows networks.
- Kerio, WatchGuard, Cyberoam and Sophos were runners-up. All had solid protective features and were nearly as easy to manage as Check Point, but cost more. Dell, Juniper and Fortinet all had their issues, which we describe in the individual reviews.
- In addition to the five basic UTM features, all of the vendors have included extra functionality. For example, Dell/SonicWall and Check Point included a wireless access point inside the box. WatchGuard and Fortinet have management software that will work with their own external Wi-Fi access devices.
- Several units also include Web application firewalls that can be used to selectively block particular applications from running on the internal network, while others include traffic or bandwidth management to eliminate network hogs or at least clamp down on potential bandwidth abuses.
- Units from Check Point, Fortinet and Kerio can be used to connect to two different upstream Internet connections, such as a cable modem and a DSL link, for the ultimate in connection diversity on a budget. This provides failover in case one link goes down, or can be used for dynamic load balancing between the two connections. Dell/SonicWall can even support up to four connections.
- Several vendors have begun to incorporate various cloud-based services into their devices to offload some of the security processing tasks. For example, they can automate firmware and virus definition downloads, upload logs for more in-depth analysis, and handle anti-virus screening.
- Some boxes have only four gigabit Ethernet ports while others have more: if you don’t have a network switch but have lots of wired connections, you will need to weigh the purchase of a separate network switch vs. a bigger UTM box with the wired ports built in.
- In some cases, such as on Check Point’s or Juniper’s box, any port can be assigned to any network: WAN, LAN, DMZ, or a special restricted guest network. In others, such as Fortinet’s, you are limited in what you can attach to each port. Some boxes, such as Kerio, Sophos and Check Point, have a simple “LAN Switch” setting so that anything you attach can talk to anything else across a single flat network topology, which is probably the most common situation. This makes them easier to set up, and also easier to manage, since you don’t have to worry ahead of time about where you attach your cables.
Pricing and buying your UTM
The hardest part about choosing the right UTM box is figuring out its overall cost. Each vendor offers dozens of different sized boxes with a dizzying array of choices, licensing options and features. We asked each vendor to send us a typical box that might be used by a 25-person office, and some sent boxes with built-in or separately managed wireless access points.
Each box has a series of features that are separately licensed, and a support contract is also purchased, typically for a year at a time. This means that getting a bottom-line price can be a chore. First-year prices for the units tested ranged from $900 for Check Point to $2,900 for Fortinet.
The summary table below shows which additional features each product has, how many ports, scanners and filters are available, and which types of VPN each box supports. (Watch a slideshow version of this test.)
Here are the individual reviews:
Check Point
Our winner is the Check Point 640. It was extremely easy to set up, with wizards that offered simple choices and defaults that required only a few clicks before the box was up and running. It was also the least expensive.
By default, it enables all of its ports on a single LAN switch, and you can set up multiple SSIDs for the wireless interface with just a single policy selection, which is the easiest of any of the boxes we tested.
One of the things that we liked is that Check Point has designed this box for the SMB market by navigating a nice balance between ease of use and yet still including powerful security features. In fact, the same software that runs on its enterprise UTMs is also running on the 640.
Unlike Juniper, Check Point doesn’t hide its advanced settings in a command-line interface. Instead, everything is accessible from the Web interface, which has the best-looking and clearest menus of any of the boxes we used. You can quickly view the active computers connected to the box, change the URL blocking dialog messages that pop up when your users try to surf to inappropriate sites, add protocols to the anti-virus scanner, and other commonly selected options.
If you need extra features, such as setting up a failover link to an ADSL modem or changing the priority of a particular security policy, it isn’t all that hard to find the right menu option to accomplish your task.
As on more advanced UTMs, you can run quick on-screen packet captures on a particular interface, or save the capture as a pcap file for offline analysis.
The biggest downside for the Check Point is a serious firmware bug that prevented its wireless radio from being controlled properly. This was a function of a pre-release version that we were given for the test and was eventually resolved. Another issue: while the menus are clearly presented, there are some context changes on the left hand menu when you choose top menu tabs that can be somewhat annoying. Finally, while Check Point promises to have cloud-based tools to automate firmware downloads, upload logs and handle remote unit management, this wasn’t yet available in our test unit.
Check Point’s UTM also includes support for two different dynamic DNS services. Its VPN supports three client types, including a Windows-based PPTP client. (Treat PPTP as a legacy option: its MS-CHAPv2 authentication is known to be weak, so prefer one of the other client types for anything sensitive.)
The price is very attractive: It includes 10 Wired Ethernet ports and sells for $894, including a year of support and licensing all the protective features. This is the lowest cost unit in the review set, so you are getting great value for your money.
Dell/SonicWall
We have used SonicWall devices since they seemingly invented the UTM SMB category, but we found that the current release suffers from a confusing series of menu choices. Still, one of the features of SonicWall is that they are extremely easy on the initial setup.
In our testing, we found a bug in the SSL certificate setup, which was resolved before publication. We also found that the overall reporting features were not as comprehensive as some of the other vendors’.
In other areas, it was more flexible: you can choose among three dynamic DNS providers and two Windows client antivirus services, Kaspersky or McAfee. It can also handle multiple upstream Internet connections in its Modem Settings sheets, and is one of the few vendors that offers DPI SSL traffic inspection. Another nice feature is that there is no maximum file attachment size for the antivirus scanner, because it scans the data as it streams through the box rather than buffering the whole object first. Some of its competitors first hold email file attachments in memory before scanning them, which implies a size cap; anything over the cap is typically passed through unscanned, so it is worth checking what your box does with oversized attachments.
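To make that design difference concrete, here is an added example (written for this article, not code from SonicWall or any other vendor in the review). It contrasts a buffer-then-scan approach with a size cap against a streaming scanner that carries over a few bytes between chunks so that a signature straddling a chunk boundary is still caught. The signature bytes, the attachment contents and the chunk size are all constructed for the example.

```python
from typing import Iterable, Iterator, Optional

# Constructed test signature (not a real malware pattern).
SIGNATURE = b"EVIL-TEST-PATTERN-0001"


def buffered_scan(stream: Iterable[bytes], max_size: int) -> Optional[bool]:
    """Buffer the whole object before matching.

    Returns True/False for a scanned object, or None when the object grew
    past max_size and was abandoned, i.e. passed through unscanned.
    That None is the failure mode a size-capped scanner has.
    """
    buf = bytearray()
    for chunk in stream:
        buf.extend(chunk)
        if len(buf) > max_size:
            return None  # scanner gives up; the attachment is not inspected
    return SIGNATURE in buf


def streaming_scan(stream: Iterable[bytes]) -> bool:
    """Match chunk by chunk with constant memory.

    Only len(SIGNATURE) - 1 trailing bytes are carried into the next
    window, which is exactly enough to catch a signature split across a
    chunk boundary without ever holding the whole object.
    """
    keep = len(SIGNATURE) - 1
    carry = b""
    for chunk in stream:
        window = carry + chunk
        if SIGNATURE in window:
            return True
        carry = window[-keep:] if keep else b""
    return False


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Yield data in fixed-size pieces, like a proxy reading from a socket."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def build_sample(total: int = 1024 * 1024, offset: int = 4096 - 5) -> bytes:
    """Constructed 1 MiB 'attachment' with the signature placed so that it
    straddles the boundary of the first 4096-byte chunk (bytes 4091..4112)."""
    filler = b"A" * total
    return filler[:offset] + SIGNATURE + filler[offset + len(SIGNATURE):]


if __name__ == "__main__":
    sample = build_sample()
    # Size-capped buffering at 512 KiB: the 1 MiB object is never scanned.
    print("buffered (512 KiB cap):", buffered_scan(chunked(sample, 4096), 512 * 1024))
    # Streaming: same object, signature across the chunk boundary, still caught.
    print("streaming:", streaming_scan(chunked(sample, 4096)))
```

The point of the exercise is the None result: a scanner that buffers with a cap has to decide what to do with objects over the cap, and "pass it through" is the common, quiet choice. When evaluating a UTM, send a large attachment containing the vendor's test pattern and confirm it is actually blocked rather than waved through.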
The SonicWall UTM starts out with each port set up independently, but you can add what it calls PortShield groups to turn your box into a single network switch. You can also set up the box to automatically forward NetBIOS across subnets, to handle Windows file and printer sharing, for example.
Traffic statistics are shown right below the menu controls for each port interface, which is a handy reference. You can also set up a quick packet capture to debug your configuration or to examine specific traffic.
Our SonicWall came with a built-in wireless access point, and it has several nice features, including the ability to scan the surrounding Wi-Fi environment for other SSIDs and check for radio channel interference. Unfortunately, you can’t set it up to transmit on both the 2.4- and 5-GHz bands. For that, you’ll need to buy the separate SonicPoint access point. You can set up a separate SSID for guest access, but it requires more steps than some of its competitors.
SonicWall costs $1,500, which is the middle of the pack, and came with five wired Ethernet ports; additional-cost expansion modules can add another four ports.
Cyberoam
The Cyberoam doesn’t have the prettiest user interface but it eventually gets the job done, with features that can compete with the market leaders, such as application filtering and Instant Messaging archiving.
Its colorful, graphical configuration wizard was somewhat convoluted to work through, and the documentation didn’t match the version of firmware we installed. However, once we got the initial configuration going, it was fairly straightforward to add features.
The basic zone-to-zone firewall rules are set up automatically and can be easily augmented. There is also a wide variety of VPN clients (including Cisco and PPTP) and three dynamic DNS choices, although the IPsec client is only available for Windows. There’s also a good selection of reports, including security incidents, trends and compliance.
Its Web filtering policies are a bit convoluted to set up, but quite powerful. For example, you can block Facebook access during particular work hours. You can also set up multiple Internet links for load balancing or failover protection, or use a broadband data modem (this has to be configured from the command line).
A nice feature here is if you haven’t yet subscribed to a particular feature (in our case, it was the Web application firewall), a small dollar sign icon appears next to the menu item to remind you. If your mouse hovers over this, you see a tool tip saying you need to pony up the bucks to enable this option. Another is that it can force safe searches on Google, regardless of the local setting.
There is an authentication client for Windows, Windows Terminal Servers, Citrix Xen servers, Mac and Linux machines that can provide automatic logins: this is similar to what Check Point provides. Our Cyberoam box came with six wired Ethernet ports and sells for $1,563 including a 24/7 support subscription, which is in the middle of the pack.
Fortinet
Fortinet has a very capable but complex box that took a few calls to its tech support to get working properly. Its dashboard gives you the basic operations, and the menus become reasonably obvious once you spend time with the product. Its protection policies are very powerful: you can allow a particular user in a particular group to run specific applications, or build policies around particular device types.
So for example you could have a guest-only group with certain restricted rights, and an iPhone group that allows unlimited browsing.
Its URL filtering is equally powerful, and one nice feature is that, like Cyberoam, it can force Safe Search mode on Google, Yahoo and Bing to keep some objectionable content off your network.
It also offers the ability to automatically export its logs to the cloud, called, naturally, FortiCloud. (1GB of log storage is allowed free of charge.) In addition to the five security modules, it also has a powerful application firewall and bandwidth management features that can be incorporated into its policies, like the other modules.
Fortinet has its FortiClient endpoint compliance control software for both Macs and Windows that works in conjunction with its UTM box. If you already have client anti-virus software, you will want to remove it before installing FortiClient. This is the same software that runs the IPsec VPN, and there is also the ability to run an SSL VPN. The box also supports dynamic DNS configuration.
For link diversity, you can use a USB 3G cellular data modem as a failover connection. And if you want to connect Fortinet’s own Wi-Fi access points, you can manage them from within the FortiGate Web console.
Online help could use a better search engine and indexing, although there are some good screencast videos on Fortinet’s site that show you how to use it.
Fortinet came with 16 wired Ethernet ports for the internal network and sells for $2,898, which was the most expensive unit we tested.
Juniper