In the Gateway Security product, Symantec has come up with a range of gateway appliances, each of which combines firewall, anti-virus, virtual private network (VPN), content filtering and intrusion detection in one rack-mounted system that is 1U high.
Model 5300, which we tested, is the top of the range and provides a maximum 90 Mbits/sec (40 Mbits/sec sustained) throughput for an unlimited number of nodes (up to 1,000 nodes is recommended). All models in the range have four 10/100Base-T Ethernet interfaces as standard. All offer an integrated VPN, and can be configured for high availability (failover to another Symantec Gateway Security unit) and load balancing between units. The entry-level model 5110 supports 12 Mbits/sec sustained throughput and up to 50 nodes.
Internally, it is based on the Intel x86 PC architecture running the Linux operating system, which has been hardened and integrated with the application software. Externally, it has only the four Ethernet ports, a serial port for a console and another serial port for communication with a UPS. There is a small illuminated LCD panel for messages and menu control via cursor keys, plus a number of status lamps.
Installation and set-up involves allocating IP addresses via the front panel, after which configuration is carried out remotely using a Windows NT/2000 workstation running Symantec's own management software. Configuration is secure because you specify the IP address of the management workstation, and management connections from other workstations will be refused. Also, a random password is generated during set-up that must be noted from the front panel LCD for use when logging into the management interface.
Sensibly, the firewall defaults to 'deny everything'. Very little configuration is required to get the firewall up and running using wizards in the management software, but this sets up only the very basic rules for FTP, HTTP and SMTP traffic. Using the wizard, you can enable outbound web (HTTP) and FTP connections, and you can set up inbound SMTP connections to a mail server. This gets the system working at the most basic level. Then you can configure more complex rules and other protocols, and, for example, set up a DMZ on the third and fourth Ethernet interfaces. It has all the usual features you would expect from a modern firewall: stateful inspection, packet filtering, network address translation, IPsec VPN, and application proxies for full inspection.
The VPN offers a choice of DES, triple-DES and AES encryption algorithms. It also supports authentication via third-party tokens such as Cryptocard, SecurID, etc. Also supported are authentication protocols such as TACACS+, RADIUS and LDAP, and PKI solutions such as Entrust.
It also supports virus scanning using Symantec's own anti-virus knowledge base, which may be configured to fetch updates automatically across the internet at scheduled intervals. Virus scanning can be enabled selectively for SMTP, HTTP and FTP traffic. The virus scanning is based on Symantec's well-known anti-virus technology, including an extensible scan engine and heuristics, which can detect virus-like activity even before a new virus becomes well known.
Intrusion detection is updated in a similar way to virus scanning and uses a database of attack signatures that is updated automatically according to a user-defined schedule. Combined with the intrusion-detection features inherent in a firewall that provides packet filtering and proxies, this provides good overall protection against intrusions and denial-of-service attacks.
There is also an internet content filtering feature that allows the blocking of URLs and news groups (NNTP). This is useful for ensuring that internet usage complies with an organization's policies and for preventing time-wasting and resource-wasting abuse of the internet by employees.
Supplied with the appliance is a CD-ROM that contains both the management software and a restore image to rebuild the whole of the appliance software, including the operating system. This is intended for emergency use only, if the hard disk becomes corrupted. However, we found it hard to find the option to save the configuration files for such an eventuality without help from the manual.
Ease of configuration is one of the strengths of Symantec's Gateway Security. The graphical management console makes the process intuitive and easy. This means that configuration mistakes are a thing of the past. It uses the 'best fit' rule to prevent vulnerabilities being introduced accidentally. The management console allows centralized management of a number of Symantec appliances, whether they are local or at remote branch offices.
Reporting facilities are good, with logging and alerting features. Analysis of logs and custom reporting makes it easy to see new trends of use and abuse.
Load balancing is set up via the cluster wizard, which allows you to cluster several Symantec Gateway Security units in groups. There are two ways to set up load balancing: firstly, a software method using the built-in clustering functionality; or alternatively, a hardware solution through Symantec's support for the third-party Radware FireProof intelligent traffic management device.
Other third-party load balancers can be used, but are not directly supported by Symantec. High availability is simply regarded as a special case of load balancing, in which, if one Symantec Gateway Security unit fails, the remaining members of the cluster take over and continue to share the load.
Symantec has taken the appliance route to combining firewall, AV scanning, content filtering, VPN and intrusion detection in a single box. This provides a turnkey solution that is also scalable, thanks to a range of appliances suited to head offices as well as branch offices. The load-balancing and failover features mean that there is no practical upper limit to the scalability. It also means that you have a single-vendor solution to all three major security concerns of the modern enterprise.
By Geoff Marshall