Supplier: Check Point Software Technologies
Price: From £7,803 (excluding VAT); £9,766 with SmartDefense subscription included
Check Point moves into the fiercely contested UTM appliance arena with a new family of three products. The top-of-the-range UTM-1 2050 targets mid-range businesses and enterprise remote offices. As with Astaro's ASG appliances, Check Point operates an unlimited user-licensing scheme, which makes the 2050 particularly good value, although the vendor recommends a maximum of 1,000 users.
The appliance combines Check Point's highly respected Firewall-1 with seven other security services: web-content filtering, a web application firewall, anti-virus, anti-spyware and options for IPsec and SSL VPNs. The firewall also has the ability to identify and control applications such as IM, peer-to-peer and VoIP. Anti-spam is not included, but we were advised that Check Point may add this feature at a later date.
The 2050 delivers a decent hardware specification built around a Pentium 4 651 3.4GHz processor and 2GB of memory and has enough horsepower to handle a firewall throughput of up to 2Gbps. You get four gigabit ethernet and four fast ethernet ports, with the first group handling standard internal, external and DMZ connection duties. Installation starts by connecting a PC to the appliance's internal port and pointing a browser at its default IP address. A quick-start wizard gets you set up, and then you download Check Point's SmartConsole package from the appliance.
All the action takes place at the SmartConsole dashboard, where you deploy security policies to selected appliances. Rules must be created to open up access to selected services. These contain source and destination objects, services and time schedules, and logging can be customised individually for each one. Actions cover the usual permit, deny and drop options, but you can also implement user and session authentication.
Check Point's extensive use of network objects helps with rule creation as you can select objects, services, users and groups from the side bar and drop them directly into the relevant location in the rule. However, we had to set up our internal and external interface objects first, declare which one was connected to the internet and manually activate network address translation on it. Usefully, modifications are not applied until the policy containing them has been pushed to selected appliances.
Check Point's SSL VPN features are vastly superior to those offered by other vendors. You need to activate the visitor mode at the appliance object and set up special rules and users, but these determine precisely which services on the LAN may be accessed remotely. Mobile clients just point a browser at the appliance's external port and enter their credentials at the login portal. Once authenticated, an ActiveX network extender is downloaded to their system, a secure tunnel is created and a virtual IP address is assigned from a predefined pool. You can protect against mobile workers attempting to come in via an unsecured public access system by activating the Integrity security scanner.
The optional SmartDefense feature provides update services for anti-virus scanning and activates the web-content filter. Both components are configured from the same content inspection tab in SmartConsole and anti-virus measures come courtesy of Computer Associates' eTrust. You can apply scanning to HTTP, FTP, POP3 and SMTP traffic in either direction and can also scan traffic passing between internal networks.
Web content filtering is handled by SurfControl, which was being acquired by Websense when we wrote this review. It offers a choice of 40 URL categories that can be blocked or allowed and you can add custom black and white URL lists and network exceptions. You can also decide which UTM-1 gateways will be used to enforce content filtering. We tested across a wide variety of websites and access to all sites that came under the categories listed in the URL blocking policy was restricted. Sites known to harbour spyware were also dealt with efficiently.
SmartDefense offers proactive protection against worms and probes, along with web and application vulnerabilities. You get the usual protection against standard denial-of-service attacks, port scans and anti-spoofing, which are regularly updated.
Check Point scores highly for its sophisticated management features, being one of the few vendors that provide the tools to manage multiple appliances as standard. The SmartDashboard can keep track of all your gateways once they are defined as network objects, and you can choose on which ones you want to install selected policies. The SmartView Monitor provides real-time statistics on appliance utilisation, and traffic graphs for areas such as the top-ten services, quality-of-service rules and even VoIP users.
The UTM-1 2050 may not be the easiest appliance to deploy, but it does deliver a quality range of security services. Anti-spam functions would round it off nicely, but the centralised management features it provides will be very hard to beat.
SC MAGAZINE RATING
Ease of use: ***
Value for money: ****
Overall Rating: ****
For: Centralised management of multiple gateways, good range of security features, quality reporting tools, unlimited user licence, sophisticated SSL VPNs
Against: No anti-spam service yet, initial configuration could be made easier
Verdict: A quality range of security capabilities in a well-specified appliance, complete with classy management and reporting tools included in the price.