If there was one theme that ran consistently through this month's anti-malware gateways, it was ease of use. All of these products offered the opportunity to provide a seamless setup and transparent user experience. Of course, some did it better than others, but the intent was clear: quick, easy setup and configuration, and the user should never know it's there unless there is a problem. Most of our products achieved that quite well and all achieved it to some degree.
There are so many issues that need to be addressed when looking for an anti-malware gateway that we could not possibly identify them all in a 350 word review. So, here's your homework if you decide to buy this type of device for your organization.
First, how are you going to use the gateway? You can deploy it directly in-line after your firewall (on the inside) so that the last thing packets see before hitting your intranet is the gateway. Alternatively, you can deploy it as a sort of reverse proxy – after the firewall, but as a front-end to an anti-malware server. This is a bit less straightforward and not all products require such a server. Most are updated directly to the appliance. That can pose a throughput problem and using an out-of-line product is a bit controversial (as is any sort of out-of-line protection). However, in this case, users must pass through the firewall, the gateway and the public AV server. That really is an unwieldy solution to the malware problem.
So, exactly what should we expect from one of these devices. First, the most effective products probably are in-line. That poses the potential challenge of performance. Second, there is the matter of supported protocols. An anti-malware gateway serves little purpose if users can set up peer-to-peer connections with untrusted sites and those connections are not monitored for malware. If the gateway supports HTTPS, SSL must be decrypted in order for the gateway to have any real utility. Then, of course, the gateway must re-encrypt after it scans the decrypted contents of the packets.
And, what about outbound protection? This is, in some cases, getting very close to data leakage prevention. This type of protection picks up malware – such as spyware – that is phoning home to dislodge its payload of harvested information on the target network.
Another issue is how you plan to deploy the system physically. This year, we saw virtual appliances as well as physical appliances. Virtual appliances are a somewhat recent phenomenon, at least in security tools. Virtual appliances usually are ISO files that are intended to be opened in a virtual environment, such as VMware. Sometimes, these virtual appliances are complete in the ISO file. That means that one can install the product without the VMware system because the VMware run-time is included. The other way is to require an existing VMware implementation.
Physical appliances were more common and are easier to install and manage. They also can pose some challenges in a virtual environment since they are required to interface with the virtual world.
Price is another issue we encountered. While we had no trouble reconciling pricing with feature sets, we found pricing all over the board. One of the most important characteristics of a gateway is what you are paying for. Like any other device that comes either as an appliance, virtual appliance or software, anti-malware gateways are priced accordingly. This year, we found everything from straightforward physical appliance pricing to pay-as-you-go annual license fees. These more exotic pricing schemes can hide some pretty high prices. For example, the virtual gateway appliance may require that you purchase hardware and you need to know exactly what hardware is going to fit the bill. If you go too small, you risk performance hits. Some larger servers can be pretty pricey and we strongly advise against mixing anti-malware applications with other applications on the same server.
One more issue needs to be considered in your choice of products: What is your organization's current anti-malware strategy? The optimum solution to the malware problem usually is a combination of a gateway and some sort of endpoint product. If that is your choice, does your security architecture require the gateway and the endpoint product to work together? Finally, as part of that strategy you will need to define what type of centralized – or regionalized – management you need. Make sure that your gateway can be managed in any manner you wish.
The bottom line, as always, is how the product you select fits your needs and fits into your architecture. This is not quite as simple as it sounds, but, as in the case of any in-line product, it is critically important.