Check Point's UTM management falters; Cisco, Juniper gain ground

Without good management tools, the enterprise-class unified-threat-management firewalls we tested would be little more than expensive packet-pushers.

Check Point's lapse has been an opportunity for Cisco and Juniper Networks. If there were an award for "most improved management capability," we'd give it to Cisco. The Cisco Security Manager (CSM) demonstrates that - while admittedly a few years late to the party - Cisco doesn't just understand how to manage enterprise firewalls (hint: it's not from the command line), but also is putting its software where its PowerPoint presentations used to be.

Cisco's management gains

Cisco's overall policy management is very nicely done, and its VPN management tools are slick. For example, policies can be defined in a hierarchical way, and firewalls can be linked into policies at different levels, simplifying common configurations while allowing customization of individual devices.

Of course, perfection is not yet upon us. CSM derives a lot of its structure from the underlying firewall, so someone who is familiar with the ASA or PIX, Cisco's older stand-alone firewall products, will be able to understand what CSM is doing.

In some cases, that's good; in others, it's not as good, because some of the ugliness of the structure of the old PIX code is being carried forward. Take NAT management, for example. It is disconnected from firewall policy and is so confusing that even the gurus from Cisco who helped us with our installation got it wrong.

In other places, Cisco seems to have forgotten to put features into its central management. For example, CSM can't show you performance, errors and status information. Instead, it launches the per-device management tool, which has good status information -- but can talk to only one firewall at a time.

Now you've got two management tools pointed at the same firewall, raising the potential for conflicting policy updates. Don't even think about linking IPS analysis (which requires a separate application and separately purchased Monitoring, Analysis and Response System appliance) to policy management, because it just doesn't work that way.

Juniper's management system

NetScreen Security Manager (NSM), the tool used to drive the firewalls that Juniper picked up with its NetScreen purchase three years ago, also has matured considerably since it was introduced. NSM is a single application that combines firewall and IPS management, forensics, monitoring and alerting, and it ties each policy rule that allows traffic through the firewall to all the NAT and UTM features that apply to that rule. This linkage among all aspects of a policy makes it easy to understand what the firewall is going to do, and why.

Problems with NSM, such as its weak IPS forensics tools and its inability to create policies that include multiple zones, will be obvious to anyone building and managing large policies with UTM features. That said, those caveats shouldn't keep NSM from sitting on top of the enterprise-class UTM firewall management list.

SonicWall, WatchGuard wares

SonicWall has shown great strides in bringing its management features up to enterprise levels. While the centralized management tool for the SonicWall platform meets basic requirements, more interesting were the improvements in the firewall's manageability. We found a lot of nice control knobs in the SonicWall Pro 5060 firewall that are the obvious result of focusing on the small-to-midsize business market. Many of these adjustments translate very nicely into the enterprise.

For example, the SonicWall Pro 5060 has an SSL Control feature that lets you enforce certain SSL policies, such as blocking certificates signed by an untrusted certification authority or expired certificates -- nice tools to have in the war on phishing. The Pro 5060 also has a separately licensed application-layer firewall that could be used to look into Web, mail and FTP protocols for very high-level UTM-flavored controls.
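The two SSL Control rules named above (block certificates from an untrusted certification authority, block expired certificates) can be checked with nothing more than a standard X.509 chain validator and a curated set of trusted roots. The following Go program is an added example, not code from the article or from SonicWall: it builds a constructed trusted root, a constructed rogue root and three server certificates, then classifies each one the way such a policy would. The verdict strings, certificate names and the fixed clock date are assumptions made for the example; the check order follows Go's crypto/x509 verifier, which tests the leaf's validity period before it tries to build a chain, so a certificate that is both expired and untrusted is reported as expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome of the SSL-control style policy for one server certificate.
type Verdict string

const (
	Allow          Verdict = "allow"
	BlockExpired   Verdict = "block: certificate expired or not yet valid"
	BlockUntrusted Verdict = "block: issuer not in trusted CA set"
	BlockOther     Verdict = "block: other validation failure"
)

// mkCert creates a self-signed CA when parent is nil, otherwise a server
// certificate signed by parent. Every certificate here is constructed test data.
func mkCert(name string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Evaluate enforces the two rules from the article: block certificates that are
// expired, and block certificates whose chain does not end at a trusted CA.
func Evaluate(leaf *x509.Certificate, trusted *x509.CertPool, now time.Time) Verdict {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, CurrentTime: now})
	if err == nil {
		return Allow
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return BlockExpired
	}
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return BlockUntrusted
	}
	return BlockOther
}

// Scenario builds the constructed PKI and returns the verdict for each test case.
func Scenario() (map[string]Verdict, error) {
	now := time.Date(2007, 7, 1, 0, 0, 0, 0, time.UTC) // constructed clock for the check
	year := 365 * 24 * time.Hour
	trustedCA, trustedKey, err := mkCert("Trusted Root CA (constructed)", true, now.Add(-year), now.Add(10*year), nil, nil)
	if err != nil {
		return nil, err
	}
	rogueCA, rogueKey, err := mkCert("Rogue CA (constructed)", true, now.Add(-year), now.Add(10*year), nil, nil)
	if err != nil {
		return nil, err
	}
	good, _, err := mkCert("www.example.test", false, now.Add(-30*24*time.Hour), now.Add(year), trustedCA, trustedKey)
	if err != nil {
		return nil, err
	}
	expired, _, err := mkCert("old.example.test", false, now.Add(-2*year), now.Add(-year), trustedCA, trustedKey)
	if err != nil {
		return nil, err
	}
	rogue, _, err := mkCert("phish.example.test", false, now.Add(-30*24*time.Hour), now.Add(year), rogueCA, rogueKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA) // only the trusted root is in the firewall's CA set
	return map[string]Verdict{
		"good":    Evaluate(good, pool, now),
		"expired": Evaluate(expired, pool, now),
		"rogue":   Evaluate(rogue, pool, now),
	}, nil
}

func main() {
	verdicts, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"good", "expired", "rogue"} {
		fmt.Printf("%-8s -> %s\n", name, verdicts[name])
	}
}
```

The design point is that the firewall never needs to parse certificate fields by hand: it supplies its own trusted-root set and the current time to the validator and maps the two failure types it cares about onto policy actions, leaving every other failure (bad signature, wrong key usage, name constraints) as a generic block rather than an allow.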

WatchGuard Technologies also has raised the level of its management tools, but is having a hard time building a single management application to drive all its UTM features. To control and observe the Firebox Peak we tested, we had to run six applications, all with some overlap and often very different styles of GUI. Check Point's management uses multiple applications as well, but these are so nicely integrated and consistent that you don't feel like you're in different tools as you move among them.

That's not true with WatchGuard. There are many deep corners that you have to explore to make the product do what you need it to do. It took us four attempts at antivirus configuration to get our Firebox Peak to scan for all the viruses we wanted it to scan.

Not enterprise fare

When it comes to management utterly unsuitable for enterprise-class UTM firewalls, we must point to IBM Internet Security Systems' SiteProtector, the management appliance used to control all IBM/ISS products, ranging from IPS and intrusion-detection systems to desktop protection tools and enterprise UTM firewalls. The original Proventia Multi-Function Security appliance was a way for ISS (before the IBM acquisition) to get its high-end IPS functionality into branch offices. All a typical branch office needs is two zones, two or three policy rules and a way to build a tunnel back to headquarters.

The Proventia MX5010 we tested had those features, but nothing else. Its tools for creating firewall policy are abysmal and completely unsuitable for an enterprise firewall. SiteProtector is filled with terminology that makes no sense (firewalls, for example, are called agents) and has a policy-management system designed for a branch but not for enterprise firewall deployments. For example, when we wanted to turn on high availability, we had to add a set of rules just to let the boxes talk to each other. Even the special wizard ISS sent us forgot to mention this little detail. We ran into a nearly identical problem when we turned on dynamic routing, which required that we add a specific firewall rule to let updates be seen by the firewall.

Secure Computing came into this test at an awkward point in its product life cycle. The Sidewinder firewall line has never had true centralized management. When Secure Computing bought Cyberguard, the other enterprise proxy-firewall vendor, one of the gems it picked up was Cyberguard's centralized management tools. Unfortunately, while the company released Version 7 of Sidewinder, the management tools were not ready for evaluation. We did find the management model for the firewall itself was elegant. Sidewinder has been a zone-based firewall (Secure Computing calls them "burbs") since before zones were popular, and the security wonk will find the tools that Secure Computing offers attractive. Network managers probably will find Sidewinder hard going.

The problem of having to dive into the command line was even more troublesome with Fortinet's FortiGate 3600A. We could not manage a FortiGate firewall as a UTM device in an enterprise without doing that. Many features we needed to complete our testing are only available there. (Fortinet has a centralized management tool, FortiManager, but declined to provide it for this test.)

The command-line interface left a lot of uncertainty about the status of policies, the current activity of the firewall and availability of features. Do you really have to read 2,000 pages of documentation to understand what is going on? Well, yes, in fact, you do. If Fortinet wants the FortiGate line to compete as true enterprise firewalls, it's going to have to spend a lot more time looking at management from such leaders as Check Point before anyone will take them seriously.

Astaro Internet Security's management also needs time and engineering expertise for it to mature. With a Web-based GUI (Astaro did not send its centralized management tool for its submission), network managers get a clear idea that a lot of interesting, open source-based features have been mashed into a single product.

However, Astaro has failed to integrate the management of these features. For example, if you want to allow HTTP traffic through the firewall, you go to one part of the GUI and establish a packet-filter rule to let HTTP through. If you then want to scan that traffic for viruses, however, you go to a different part of the GUI and turn on the HTTP proxy -- pulling out your packet-filter rule, so as not to confuse things -- and configure virus-scanning on the proxy. Overall, Astaro is not ready for enterprise prime-time yet. That said, any vendor with this kind of agility needs to be watched carefully for a future spot there.

Copyright © 2007 IDG Communications, Inc.
