Security Appliances

Posted by Hugh Smith, with Scott Thomas and the Calpoly NetPrl Testing Team on March 12, 2004

Tags: LAN traffic,  Astaro,  DMZ traffic,  DoS,  FortiGate-60,  Fortinet,  Integrated Security Platform,  Internet Security Appliance,  NAT,  Network Address Translation,  Security Appliance 5400 Series ,  Security Linux 4 Enterprise Edition,  ServGate Technologies,  SonicWall,  Symantec Corp,  VPN,  antivirus,  content filtering,  denial-of-service,  ease of use,  filtering,  intrusion detection,  intrusion prevention,  management,  on-device antivirus scanning,  small office,  stateful firewalling,  virtual private networking,  Data Protection,  Other,  Security and Privacy,  Software and Web Development,  security appliances

Channel: Data Protection, Other

The Office

We put on our small-business hats and asked, "What functionality is important to protect our small office with a minimum of IT support pain?" Although we did significant load testing on the participating devices, we knew that for smaller offices, network load is not as important as ease of configuration and a comprehensive feature set. We kept this in mind while developing our test plan. First, we outfitted our small-office network with one WAN interface and one public IP address. Internally, our small office had a local network with private IP addresses and a DMZ for Web, e-mail and FTP servers. Our LAN users were configured using DHCP, and the security devices provided NAT (Network Address Translation) for both DMZ and LAN traffic. The devices also were responsible for port forwarding of traffic between the WAN and the DMZ servers.

The Features

Although not even the best all-in-one device will relieve all your security woes--you'll still have patching to do and need desktop firewalls--we were happy with the devices overall. (For a checklist of other bases to cover, see "Appliances Aren't a Cure-All,".)

Security Appliance Features click to enlarge

The devices sat between us and the outside world, so they had to have firewall features, including traffic filtering, NAT and port forwarding. Stateful firewall features for preventing DoS (denial-of-service) attacks, like syn and smurf, are even better. In addition, some small organizations may want these devices to act as a DHCP and DNS server. All the products provided the basic firewall capabilities we were looking for, but the Fortinet and SonicWall devices can't act as DNS servers, and the Symantec box doesn't provide DHCP functionality.