We've been using the Barrier1 threat management tool in the SC Labs over the past year. We use it when we have a particular bait on our deception network and we want to know exactly how the network – and the adversary – reacts. Sometimes, the bait is the type that attracts pretty nasty customers, so we do simple, straightforward things to keep them out and place the Barrier1 inside to see what makes it past our defenses and to dissect the nature of the successful attack. We have another type of monitor on the outside, so the result is that we see everything coming at us, everything that makes it through, and how it got through. For a lab, this is about as good as it gets. For an enterprise, ditto.
Over the past year, Barrier1 has made some solid upgrades to the product. Here in the SC Labs, we have been using the Model 15 which contains enhanced firewall, anti-virus, anti-spam, intrusion detection and prevention, web content filtering and advanced reporting. On the surface, this makes it a typical UTM, but if that is the extent of the description, it really doesn't go far enough.
Barrier1 is a next-generation product. Currently, it supports 250-plus protocols, over 21 layered algorithms, 60-plus sources for worldwide sensors – just one of those has over 600 million IP addresses used for monitoring, for example – and over 17,500 scripts beyond Snort rules. That's a lot of horsepower for a little box that we don't even need to rack up.
Barrier1 has made its reputation by sitting behind virtually every major brand of firewall and next-generation firewall and catching malicious behavior that gets past the primary firewall. In addition – although we have yet to test this capability – the tool can handle industrial control systems, such as SCADA, and has been tested extensively by a SCADA test lab. It also has been very successful identifying and stopping ransomware attacks.
One of our favorite operations was during Super Bowl 50, where we had a Barrier1 watching the game network. Although the stadium network was quite well-secured – and, in fact, had been tested extensively and updated prior to the game – the Barrier1 still caught events that, while certainly not catastrophic, did show weaknesses in the infrastructure. Analysis after the fact was both interesting and informative.
We also ran a series of DDoS attack tests against our honeynet, monitoring with our external monitor and with Barrier1. We ran the tests through a VPN, but using the Barrier1 we were able to see every instance where the packet stream was directed from outside the VPN. This let us identify the ISP. Using this technique, a victim of a DDoS attack has a significant way to track the attacker as they bounce through numerous source IPs and ISPs during the attack in order to achieve obfuscation. A fast flux/bulletproof network would show up immediately.
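The source-rotation check described above, as an added example that is not part of the original review or of the Barrier1 product: given a stream of (timestamp, source IP) records, map each source to its ISP and flag time windows in which the attack traffic bounced across several ISPs. The prefix-to-ISP table and the flow records are constructed sample data, not real allocations or captured traffic.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix-to-ISP table (documentation ranges, hypothetical ISP names).
# In practice this would come from a routing/WHOIS or ASN feed.
PREFIX_TO_ISP = {
    "203.0.113.0/24": "ISP-A",
    "198.51.100.0/24": "ISP-B",
    "192.0.2.0/24": "ISP-C",
}
NETWORKS = [(ip_network(prefix), isp) for prefix, isp in PREFIX_TO_ISP.items()]

# Constructed flow records: (epoch seconds, source IP) as a monitor would log them.
SAMPLE_FLOWS = [
    (0, "203.0.113.5"), (10, "203.0.113.9"), (20, "198.51.100.7"),
    (30, "192.0.2.44"), (50, "203.0.113.77"),
    (70, "198.51.100.8"), (80, "198.51.100.9"),
    (130, "192.0.2.1"), (140, "203.0.113.2"), (150, "198.51.100.3"),
]


def isp_for(ip):
    """Map a source address to its ISP via longest-prefix-free table lookup."""
    addr = ip_address(ip)
    for net, isp in NETWORKS:
        if addr in net:
            return isp
    return "unknown"


def isp_rotation(flows, window=60):
    """Bucket flows into fixed windows; return {window_index: set_of_isps}."""
    buckets = defaultdict(set)
    for ts, ip in flows:
        buckets[ts // window].add(isp_for(ip))
    return dict(sorted(buckets.items()))


def flag_fast_rotation(flows, window=60, min_isps=3):
    """Return window indices where sources spanned at least min_isps ISPs.

    Rapid hopping between providers inside one window is the signature
    the review describes for fast flux / bulletproof hosting."""
    return [w for w, isps in isp_rotation(flows, window).items()
            if len(isps) >= min_isps]


if __name__ == "__main__":
    print("rotating windows:", flag_fast_rotation(SAMPLE_FLOWS))
```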
The operating system is purpose-built and hardened. Over the past year, it has been upgraded significantly. The reporting has been significantly modernized and is still extensive. Because it uses HTML5, Barrier1's dashboard is quickly customizable by the user. In general, this is a beast in lamb's clothing. It is very efficient and we have had no maintenance problems over the past year. We are now in the process of an upgrade and, if it goes as smoothly as we're used to, we will hardly realize that it's going on.
One thing that we especially like is that this is a product that is clearly within the reach of the small business. At a starting price of just $1,600, SMBs can have the same sort of protection that larger companies with far bigger budgets have. That is not to say that you can't spend a fair bit if you need something much bigger, but Barrier1 has done a good job of matching price, functionality and target market. Support is excellent and is included for the first year. After that it is available on a flat-rate, per-customer basis.
While most customers won't use Barrier1 for the types of lab experiments that we do, the track record in production applications is excellent, and our experience should be equaled by commercial users. We see this as a top-drawer product and we are renewing its SC Lab Approved status for another year.
Price: $1,600 to $150,000 (depends on various models and platforms).
What it does: A complete threat management system masquerading as a UTM.
What we liked: Speed, depth of analysis, sensitivity to an extremely broad range of threats.
The bottom line: This is one of those products that really fits in any size enterprise. From pricing to functionality it's a solid package. It is a key component of our multi-level testing and analysis for the Threat Hunter Blog. One more year as SC Lab Approved.