明峰's blog: 飞扬之家


    5/24/2005

    Intoto to Demonstrate Enterprise-Class Security Solutions at the Network Systems Design Conference Fall 2004

    Intoto, a provider of integrated security, wireless and voice software platforms to networking equipment manufacturers, announced that it will demonstrate its advanced enterprise-class security solutions at the Fall 2004 Network Systems Design Conference. The high-performance security solutions feature Intoto's iGateway EX software platforms running on security processors from Cavium Networks and Hifn, and a communications processor from Broadcom. Additionally, Intoto will showcase its IntruPro(TM) product line, a complete intrusion prevention system for enterprise environments. The demonstrations will be held in Intoto's booth #616.


    "Intoto's security software offerings, with iGateway EX and IntruPro, enable networking equipment vendors to rapidly and cost-effectively develop feature-rich integrated security appliances and gateway devices suitable for a wide range of products addressing small to large enterprises," said Doug Makishima, vice president of marketing at Intoto. "We're proud to showcase our field-proven solutions with industry-leading processor vendors, including Cavium, Hifn, and Broadcom, that deliver unprecedented performance and significant cost savings for today's OEMs."


    Cavium Networks' NITROX II with Intoto's iGateway EX security software on an Intel(R) Pentium 4 processor delivers multi-gigabit measured performance with full-featured VPN capabilities. Intoto's iGateway EX software platforms work with Cavium's NITROX family of security macro processors on Intel(R) IXP4XX and Intel architecture processors.


    Hifn's HIPP III architecture provides complete IPsec VPN functionality in a single chip and achieves multi-gigabit performance. Hifn's HIPP III IKE software package utilizes Intoto's iGateway EX's IPsec IKE software platform for automatic key management and authentication. The HIPP III IKE software package is a licensed option for use with Hifn's 4300, 4350, 8300 or 8350 FlowThrough(TM) Security Processors.


    Intoto's iGateway EX achieves gigabit-class firewall performance on the BCM1250 communications processor from Broadcom. The BCM1250 features two 64-bit MIPS cores, each scalable from 600 MHz to 1 GHz.

    Extending Secure Remote Access: An SSL VPN Buyer's Guide

      SSL VPN is a new type of VPN (virtual private network) with distinctive characteristics in the application types it supports, its authentication integration and several other security features.

      SSL VPN technology lets users securely access critical enterprise applications through a standard web browser. Traveling employees no longer need to carry their own laptops: any computer connected to the Internet can reach company resources, which improves efficiency and convenience. Because an SSL VPN, unlike an IPSec VPN, does not require purchasing and maintaining remote client hardware or software, it is considerably cheaper. The SSL VPN gateway sits at the edge of the enterprise network, between the enterprise servers and remote users, and controls the communication between them.

    What are the main advantages of SSL VPN?

      No client software to install: most SSL-based remote access deployments require no software on the remote client device. Connecting to the Internet through a standard web browser is enough to reach the headquarters network's resources through a web page. This saves a great deal of money, both in software and license purchase costs and in maintenance and management costs, especially for large and medium-sized enterprises and network service providers.

      Works with most devices: the open, web-based access model can be used from any device that runs a standard browser, including non-traditional devices such as Internet-enabled phones and PDAs, which are becoming increasingly common.

      Works with most operating systems: most operating systems that can run a standard browser can be used for web-based remote access, whether Windows, Unix or Linux. Internal websites and web applications can be accessed in full, and users can easily reach and use resources hosted on the intranet.

      Network drive access: users can reach resources on network drives over the SSL VPN connection.

      Good security: a user connecting through SSL-based web access is not a real node on the network, as a user would be with the IPSec security protocol, and the gateway can proxy access to internal company resources. This approach can therefore be very secure, especially for external users.

      Reduced cost: for users with simple remote access needs (only reaching the company intranet or e-mail), an SSL VPN provides remote access very economically.

      Access through firewalls and proxy servers: in SSL-based remote access, remote users behind NAT (network address translation) or an Internet proxy service benefit, because the scheme can pass through firewalls and proxy servers to reach company resources, which IPSec-based remote access finds difficult or impossible.

    How is device performance?

      Network encryption reduces system speed to some degree. This is mainly because SSL encryption and decryption involve both a user session and a handshake, with three round-trip verifications. Normally the CPU is busy with SSL encryption and decryption, which consumes a considerable share of its resources and slows other operations.

      To improve system performance, some devices use hardware encryption, and some use a dedicated SSL hardware acceleration chip that handles SSL encryption and decryption exclusively, freeing the CPU and minimizing the impact of encryption on system speed.

      Evaluating SSL VPN device performance covers mainly the session rate, the forwarding rate and the number of concurrent users. Session rate is the number of SSL sessions the device can establish and tear down per second (a session can be understood as one connection from the client to the gateway, that is, one web page access by the browser). Because SSL sessions and the HTTP protocol are connection-based, this parameter largely determines the connection speed users experience; a session rate of around 100 normally meets most users' needs. Forwarding rate is how fast the SSL VPN gateway is, that is, the maximum traffic it can forward per second. The forwarding rate clearly differs with the number of sessions; what is meant here is the maximum forwarding rate at each session count, and users should choose according to their actual needs. The number of concurrent users, that is, the number of sessions the SSL VPN can maintain at the same time, is also a very important parameter; it typically ranges from several hundred to several thousand, and the more users are online at once, the slower each user's experience. Concurrent users are the users accessing the intranet through the SSL VPN at the same time.

    Which application types are supported?

      An SSL VPN gateway must implement at least one function: proxying web pages. It forwards page requests from the remote browser (using HTTPS) to the web server, then returns the server's responses to the end user.

      Access to non-web files usually relies on application translation. The SSL VPN gateway communicates with Microsoft CIFS or FTP servers inside the enterprise network and converts those servers' responses into HTTPS and HTML before sending them to the client, so to the end user these servers look like web-based applications.

      When it comes to proxying and application translation, some products support very few application translators and proxies, while others handle FTP, network file systems and Microsoft file servers well. When selecting a gateway, users must have a clear understanding of which applications they need translated and be able to rank them by importance.

      Some applications, such as Microsoft Outlook or MSN, lose their look and feel when converted to a web interface; here port forwarding is used. Port forwarding suits applications with well-defined ports. It requires a very small Java or ActiveX program running on the end system as a port forwarder, listening for connections on a given port. When packets arrive at that port, they are tunneled through the SSL connection to the SSL VPN gateway, which unwraps the encapsulated packets and forwards them to the destination application server. With a port forwarder, the end user points the local application he wants to run at the forwarder rather than at the real application server.

      Some SSL VPN gateways can also help enterprises extend the network. They connect the end-user system to the enterprise network and apply access control based on network-layer information such as destination IP address and port number. This sacrifices a higher level of security in exchange for simpler network management under complex topologies.

    How is interoperability?

      Are SSL VPNs, as vendors claim, easier to set up and use than IPSec VPNs? SSL VPNs promote security and ease of use, so an evaluation must consider both end-user convenience and the workload of an ordinary network or system security administrator. SSL VPN interoperability does not refer to interoperation between different brands of devices but to interoperation between the device and operating system platforms, browser platforms and so on. Because users' application environments can be very complex, an SSL VPN device should support many combinations of operating systems and browsers and minimize application errors on those platforms. In users' practical experience, different devices show a degree of variation across platforms.

    What access controls are available?

      As security devices, all products can enable or disable access to applications for groups. Some products let the administrator define a web application as a set of URLs; once an application is defined, users and groups can be allowed or denied access to it. Some products offer fine-grained control, covering not only "allow" or "deny" but also which resources you can access and what you can do with them.

      Some SSL VPN gateways are unsatisfactory at access control, for example for file servers: once they allow a user to share a Windows network, they exert no further control over where the user can go or what the user can do. By contrast, some products let administrators define read and write permissions at the level of individual files. A few products also include a virus scanner that checks files for infection as users upload them.
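      To make the access-control model above concrete, here is an added example (not any vendor's code) of a small default-deny policy evaluator: an application is a set of URL prefixes, each group is granted a set of actions per application, and a per-file override lets the policy restrict a single file for a group, as the finer-grained gateways described above do. The application names, URLs and group names are constructed for the example.

```python
"""Access-control evaluator for an SSL VPN gateway (added illustration).

An application is a set of URL prefixes; groups are granted actions per
application; a per-file override replaces a group's grant for one path.
Unknown URLs and unlisted groups are denied by default.
All names and URLs are constructed for the example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Application:
    name: str
    url_prefixes: tuple                                  # URLs that make up the web application
    group_actions: dict = field(default_factory=dict)    # group -> allowed actions
    file_overrides: dict = field(default_factory=dict)   # (group, path) -> allowed actions


def match_application(apps, url):
    """Pick the application with the longest matching URL prefix, or None."""
    best_app, best_len = None, -1
    for app in apps:
        for prefix in app.url_prefixes:
            if url.startswith(prefix) and len(prefix) > best_len:
                best_app, best_len = app, len(prefix)
    return best_app


def authorize(apps, user_groups, url, action):
    """Return (allowed, reason).

    A group's grant is its application-level action set unless a per-file
    override exists for that group and path, in which case the override
    replaces it. Grants are unioned across the user's groups.
    """
    app = match_application(apps, url)
    if app is None:
        return False, "no application is defined for this URL"
    path = urlsplit(url).path
    effective = set()
    for group in user_groups:
        override = app.file_overrides.get((group, path))
        if override is not None:
            effective |= set(override)
        else:
            effective |= set(app.group_actions.get(group, ()))
    if action in effective:
        return True, "%s permitted on %s for groups %s" % (action, app.name, sorted(user_groups))
    return False, "%s not permitted on %s (effective actions: %s)" % (
        action, app.name, sorted(effective) or "none")


# Constructed policy: an intranet portal and a file share behind the gateway.
APPS = [
    Application(
        name="intranet",
        url_prefixes=("https://vpn.example.com/intranet/",),
        group_actions={"staff": ("read",), "finance": ("read",)},
    ),
    Application(
        name="fileshare",
        url_prefixes=("https://vpn.example.com/files/",),
        group_actions={"staff": ("read",), "finance": ("read", "write")},
        # file-level restriction: staff may not even read the salary sheet
        file_overrides={("staff", "/files/hr/salaries.xls"): ()},
    ),
]


if __name__ == "__main__":
    checks = [
        (["staff"], "https://vpn.example.com/intranet/news.html", "read"),
        (["staff"], "https://vpn.example.com/files/docs/plan.doc", "write"),
        (["staff", "finance"], "https://vpn.example.com/files/docs/plan.doc", "write"),
        (["staff"], "https://vpn.example.com/files/hr/salaries.xls", "read"),
        (["staff"], "https://vpn.example.com/admin/", "read"),
    ]
    for groups, url, action in checks:
        print(groups, action, url, "->", authorize(APPS, groups, url, action))
```

      The longest-prefix match matters when one application's URL space nests inside another's; the default-deny branches (no matching application, no grant) are where a gateway that "only shares the Windows network" falls short.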

    Which authentication integration methods are supported?

      Identifying users and assigning them to groups is a critical part of deploying an SSL VPN.

      RADIUS servers are very common. Some products can obtain group information from the RADIUS server very flexibly; in others, RADIUS users have to be mapped into groups through workarounds.

      For most vendors, LDAP support is synonymous with Active Directory support. A few products offer a very generic LDAP implementation that works in a wide variety of environments.

      Because SSL is normally built on certificates, one would expect these products to excel in their support for public key infrastructure (PKI). Looking at the market, only a small fraction of products support certificate-based authentication.

      Some products use client certificates for additional authentication: when defining access controls in the SSL VPN gateway's configuration, the administrator can distinguish between users with and without certificates.

    What reports and logs are produced?

      As a security device, an SSL gateway is also expected to have strong auditing, logging and reporting. One wants a record of every configuration change, session data showing when users logged in and out and how many resources they consumed, and transaction statistics.

      Besides keeping all the required records, some products can automatically upload their logs to a location on a server using FTP, SMTP or secure copy. Some also allow particular users and applications to be selected and assigned a log level; whether for debugging or simply for watching one part of the system more closely, this is a good enterprise-class capability. Some products show not only who has logged in but how the system itself is performing, with multiple charts that let administrators see CPU, memory and I/O load clearly.

    What other security features are included?

      Because an SSL VPN is a critical security device, many vendors' products add a range of other security features; when it comes to achieving higher security, it is fair to say that nothing is overkill.

      One product offers a distinctive feature: the administrator can require, according to company policy, that a remotely connecting system have the necessary security software installed or configured, so that remote access takes place at an approved security level. Remote access requests from endpoints that fail the security requirements are denied.

      Client scanning is also a useful feature. With an SSL VPN, users can access internal resources from any device, even a computer in an Internet cafe. If the remote system has a virus or security vulnerability, it endangers the enterprise's internal information security. Client scanning greatly reduces the damage viruses and hacker tools can do to enterprise information.

      Client cache and temporary file clearing automatically removes the temporary files and data left in the remote device's cache when an SSL VPN session ends. This function is not just necessary: an SSL VPN product that lacks it can seriously endanger enterprise information. To improve speed, Internet Explorer often stores accessed files and data in temporary files and does not delete them automatically on exit; an experienced user can then use the browser's temporary file inspection feature to open documents left in the temporary file directory and steal company secrets. To spare users from retyping passwords on repeated logins, the browser sometimes records credentials in its cache, so that if the browser is not closed, it fills in the password automatically the second time a password-protected URL is visited. Because SSL VPN remote users may use public devices, if the cache is not cleared and a user walks away without closing the browser, the next user can log in to internal systems. The cache must therefore be cleared when the session ends, and support for these clearing functions is an important criterion in evaluating an SSL VPN.

      Some devices also provide URL hiding. With a single portal, after the user selects an application server the SSL VPN automatically directs access to that server, but the address shown in the IE browser's URL box is an unreadable string such as https://mycompany.com/%^()*)%^$FRUY. The benefit is that remote users cannot use the ping command to find the server's address, which helps prevent network attacks against that server.

      SSL VPN feature list

    5/10/2005

    Using a SOC to Counter Malicious Attacks

        The security operations center is becoming an indispensable part of the enterprise

        Late one night, an emergency call about the Slammer worm dragged Eamus Halpin out of bed. Before that worm attack he had relied solely on port blocking to protect his company from hackers and intrusions. After seeing the havoc Slammer wreaked around the world, Halpin realized he had to overhaul his company's network security.

        Halpin is chief technical architect at iRevolution, a London-based managed service provider. He recalls: "I happened to be in Seattle attending a Microsoft NDA meeting, and someone warned me about the damage Slammer could do to port-blocking-based networks." Although iRevolution's network escaped a direct hit from the worm, Halpin knew that was pure luck. "I spent three hours studying the worm's damage, and when I understood the danger, my hair stood on end. Our network had more holes than Swiss cheese."

        Although iRevolution had basic defenses in place (firewall, antivirus software and an intrusion detection system, or IDS), nothing combined the alerts from these security tools into a logical overall picture of the network's health.

        Halpin says: "All these tools were maintained and managed independently. They never exchanged information, and none treated the business as a whole. So we could occasionally spot a particular type of virus attacking the company by e-mail, but we couldn't really determine how serious the problem was."

        Halpin therefore decided on a thorough review of the company's security. His goal was to build and maintain a world-class security operations center (SOC) for iRevolution's internal network while also helping the company offer similar support to its customers.

        A network operations center (NOC) monitors the network continuously, resolves faults and ensures optimal performance; a SOC is very similar, continuously monitoring and managing a set of security devices and events to maintain the overall security of the network. Experts say SOCs are becoming more common in enterprises for many reasons, the most obvious being that security has evolved from rule-based point solutions into a more pervasive, more critical system that is essential to the network's overall health.

        Andreas Antonopoulos, senior vice president and co-founder of Nemertes Research, explains: "In the past we had security experts manage the various firewalls, IDSs and similar measures, mainly because security problems arose at very specific places in the network. That has changed; security problems are no longer so simple. With vulnerabilities everywhere at the perimeter, security measures must be applied at the application, network and storage layers. Security has become part of your end-to-end application service, on nearly the same footing as network performance."

        Regulatory pressure from the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act has also driven the development of enterprise SOCs.

        Diana Kelley, executive security adviser in Computer Associates' eTrust division, says: "Sarbanes-Oxley is the best example of a forward-looking driver for SOCs. If a 404 error appears on a company's web page, the company should be prepared to take responsibility for an inadequate internal control structure. In other words, a company must implement correct and effective controls over its business reporting. Once those controls are in place, it must also monitor and maintain them, and a SOC is a very effective way to do that."

        There is also a market trend, especially evident in the financial industry, of bringing security monitoring that was previously outsourced to managed security service providers (MSSPs) back in-house. Jim Tiller, vice president of security services and chief security officer at the network consulting firm International Network Services, believes an internal SOC gives the enterprise better control and monitoring of its network and helps lower overall cost.

        Tiller says: "In some situations MSSPs have difficulty responding. With worms and denial-of-service attacks becoming more frequent, particularly in the financial industry, and with these threats growing more sophisticated, our ability to respond is tied to network visibility: if we can clearly see everything happening on the network, we can respond appropriately and in time. By bringing the management capability in-house, we improve visibility and the company's response capability."

        He adds: "For large enterprises the investment in managed security services is enormous. Bringing those services in-house and managing them yourself will inevitably pay off in the long run."

        Obstacles

        Although the rationale and need for a security operations center are easy to understand, building one is far from simple. Because the security and network teams in many enterprises grew up independently, getting them to cooperate is no easy matter. Experts warn that even strong security monitoring, if completely disconnected from network operations monitoring, can lead to major network disasters.

        Antonopoulos says: "In many cases a security incident is hard to spot from the outside. If a router stops responding, that symptom alone tells you little about what went wrong. If your network operations team and security operations team are separate, the result is either that both teams hunt for the root cause separately, or that neither does and each claims the problem lies with the other."

        This hidden conflict becomes even more pronounced when a problem on the network needs fixing. He says: "If both teams deploy and monitor measures on the network, the outcome may be that the network team makes a change, such as to an access control list, that reduces security, while an ACL applied by the security team hurts network performance. Because the two functions aren't integrated and don't work end to end, all you get is a pile of thorny problems."

        A true security operations center integrates security and network event information so that security and operations staff fully understand every event and its impact on the network, and can make informed response decisions based on predefined security policy. That is easier said than done, however.

        Where to start

        Many enterprises first think of buying a security event management system or alert correlation engine. Experts consider this a tactical mistake. Before implementing a SOC, an enterprise should first perform an overall risk assessment and determine how important each network asset is to the business.

        Understanding business importance is critical because the SOC's purpose is not only to monitor security events but to respond to them with confidence. Summers, who manages three security operations centers at Unisys, says: "We need to know what the business impact is if a given server goes down, and whether some servers matter more than others. Once we have those answers, the technical problems become easy."

        Technical advice

        The next step is choosing a technology platform. The goal is a security event management platform that works with all the existing security devices, correlates alerts from each of them, and integrates to some degree with existing systems for troubleshooting and network operations management. Only with this level of insight into the network, experts say, can an enterprise root out its security weaknesses one by one.

        CA's Kelley says: "A large financial services company we work with found that someone was intruding into its worldwide network. Each intrusion was different and did not seem to be the work of a specific individual, but they all came from the same IP address, and one occurred every few days. None of the intrusions was serious enough to trigger an alarm, but once the company gathered the information into a central console (in the SOC), it saw what that IP address was actually doing to its global network and began taking the matter seriously."

        Giving your SOC this kind of global monitoring capability, however, is time-consuming and extremely expensive to implement.

        Besides the integrated security event managers from newer companies such as ArcSight, Intellitactics and netForensics, most large network management vendors, including CA, HP and IBM, offer security event monitoring integrated into their platforms. All of them, however, cost far more than the average enterprise can afford.

        Nemertes' Antonopoulos says: "In security, an IDS usually speaks to your management system in a different language than a firewall does. You can add a rule to a firewall to block a class of traffic, but that rule is useless on a router. A security event monitor is therefore a huge integration project: everything has to be converted into a common format and correlated across all these domains."
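        The two points made above, normalizing differently formatted device logs into a common format and then correlating events that are individually too minor to alert, can be shown together in a small example. The code below is an added illustration, not part of this article or any vendor's product: it parses two constructed log formats (a firewall deny line and an IDS alert line; neither is a real product's syntax), maps both into one event schema, and flags a source address that produces several low-severity events across a multi-day window, the pattern Kelley describes. Hostnames and addresses are constructed.

```python
"""Normalize heterogeneous device logs and correlate low-severity events per
source across days. Added illustration; log formats, sensor names and
addresses are constructed and belong to no real product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall format: "2005-04-01 02:10:05 fw01 DENY src=A dst=B dport=N"
FW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<sensor>\S+) DENY "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
# Constructed IDS format: '[2005-04-03T11:02:44] ids02 sev=2 sig="name" A -> B'
IDS_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<sensor>\S+) sev=(?P<sev>\d) sig="(?P<sig>[^"]+)" '
    r"(?P<src>\S+) -> (?P<dst>\S+)$")


def normalize(line):
    """Translate one raw line into the common event schema, or None if unknown."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "sensor": m["sensor"], "src": m["src"], "dst": m["dst"],
                "sev": 1, "msg": "connection denied to port " + m["dport"]}
    m = IDS_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                "sensor": m["sensor"], "src": m["src"], "dst": m["dst"],
                "sev": int(m["sev"]), "msg": m["sig"]}
    return None


def correlate(events, window=timedelta(days=7), min_events=4, alert_sev=4):
    """Flag sources whose events each stayed below alert_sev but which
    produced at least min_events inside any sliding window of `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["sev"] < alert_sev:      # high-severity events already alert on their own
            by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(in_window) >= min_events:
                findings[src] = {
                    "count": len(in_window),
                    "sensors": sorted({e["sensor"] for e in in_window}),
                    "targets": sorted({e["dst"] for e in in_window}),
                    "first": in_window[0]["ts"],
                    "last": in_window[-1]["ts"],
                }
                break
    return findings


def analyze(lines):
    """Full pipeline: raw lines -> common events -> per-source findings."""
    events = [ev for ev in (normalize(line) for line in lines) if ev]
    return correlate(events)


# Constructed sample log: one source touches a different host every couple of
# days without ever tripping a single-event alert; another appears only twice.
SAMPLE_LOG = [
    "2005-04-01 02:10:05 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=1434",
    '[2005-04-03T11:02:44] ids02 sev=2 sig="WebDAV probe" 203.0.113.7 -> 192.0.2.20',
    "2005-04-05 23:41:12 fw01 DENY src=203.0.113.7 dst=192.0.2.30 dport=445",
    '[2005-04-07T04:15:09] ids02 sev=2 sig="Directory listing attempt" 203.0.113.7 -> 192.0.2.40',
    "2005-04-12 19:00:00 fw01 DENY src=203.0.113.7 dst=192.0.2.50 dport=135",
    "2005-04-02 08:00:00 fw01 DENY src=198.51.100.20 dst=192.0.2.10 dport=25",
    '[2005-04-04T09:30:00] ids02 sev=5 sig="SQL Server overflow" 198.51.100.20 -> 192.0.2.60',
    "this line is in a format the normalizer does not understand",
]

if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding)
```

        The correlation deliberately excludes events at or above the single-event alert threshold: those are already handled by the device that raised them, and counting them again would only duplicate alerts. The window and count thresholds are the tunable part and should follow the risk assessment described under "Where to start".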

        Antonopoulos says: "Vendors pass the cost of big integration projects on to customers. The hardware and software alone typically run $1.5 million to $3 million, and then there is the cost of staffing three shifts and certifying the system integration; the total is staggering."

        Halpin of iRevolution says his SOC project is built on CA's Unicenter network management, integrated with CA's eTrust security monitoring and event correlation, at a total cost of about $1 million and an implementation that took 18 months. The SOC has been running for six months since launch, and Halpin says he now feels he can get valuable information from it that materially supports action.

        He says: "Overall it was a fair deal, but my costs were mostly staff time. Choosing tools is one thing; getting them to work in the company's particular environment is another, and it took a great deal of time and a great many fixes."

        The key to making the process easier, he says, is choosing highly flexible tools: tools that not only support the firewalls, IDSs and network management platforms you already use, but are easy to customize and tune.

        He says: "Writing rules has to be very simple. If you can write rules quickly and have good templates and wizards, the whole process gets much easier."

        Perhaps the biggest piece of advice about building a SOC, though, is that your initial $1 million investment is only the first step. Technology keeps evolving, and your company's security needs and strategy must adjust accordingly.

        Halpin says: "Although I currently think the company's security capabilities and SOC are highly scalable, I expect that in three or four years we'll have to throw it all out and start over, because security technology has to keep pace. With dual-core processors and other technologies, enterprise processing power will leap ahead, and we absolutely can't stand still. These developments will have a major impact on the technology and security markets, and we all know by now that spending on security never ends."

        Five SOC pitfalls to avoid

        1. Technical tunnel vision. If you are captivated by the latest technology and the best tools, you may lose sight of the SOC's core, which should be grounded in sound risk assessment and security policy. Establish that core first, then focus on products and technology; however impressive they are, their role is to support the core.

        2. Silo thinking. Never treat the SOC as a silo isolated from network operations. An effective SOC needs fully integrated security capabilities and network monitoring tools, and the people tied to those capabilities and tools are indispensable.

        3. Staffing mistakes. Don't assign senior security staff to low-level monitoring work. In the networked world it is best to set up appropriate checks and balances that distribute authority; never let a single person hold all the power.

        4. An inflexible toolset. The tools you choose should not only work with your current security devices, authentication systems and network monitoring solutions but be easy to customize and provide templates and wizards. Bear in mind that even the best toolset requires substantial customization and integration work on your part.

        5. Going cheap. A SOC does not exist to save money. As a rule, a large enterprise should invest at least $1 million to build and sustain a genuine enterprise-class SOC, and that investment is likely to rise over time.

        Staffing a security operations center

        Some experts believe staffing a SOC is as challenging, and as important, as building or buying one.

        One of the biggest obstacles is that a SOC needs 24x7 monitoring. John Summers, global director of managed security services at Unisys, says: "Some companies' security staff are used to working eight hours a day, five days a week, but a 24x7 position typically equals the workload of five full-time employees, and the pay is correspondingly higher." Many companies see this but want to cut payroll, with predictable results.

        For example, some companies make the mistake of staffing the SOC only with their best security people. Andreas Antonopoulos, senior vice president and co-founder of Nemertes Research, says: "Some companies put experienced security experts in front of screens doing monitoring, rotating every six hours. I doubt you can keep those people, because they'll get bored very quickly." Beyond boredom and overuse of valuable staff, this tactic can open a huge security hole.

        Antonopoulos says: "If your security policy is written, implemented, monitored and checked for compliance by the same person, that person may be your biggest security risk. Without separation of duties there are no checks and balances."

        Like a traditional NOC, a good SOC should have tiered staffing: tier-one staff receive alerts and perform basic troubleshooting, while tier-two and tier-three staff handle more complex alerts and problems. Ideally, tier one provides first-line response for the enterprise's network and security departments, so that senior security experts can handle the more complex risk management and policy writing while junior staff in the SOC focus mainly on monitoring. When an alert appears and tier one cannot decide how to handle it, it escalates to tier two or three; only then do the expensive experts come into play.

    5/8/2005

    Unified Threat Management: The New Firewall


    We put five UTM firewalls through extensive tests to see if they could detect blended threats and maintain high performance. Although we were mostly underwhelmed with the results, our Tester's Choice stood out from the rest, having caught all our 'attacks' the first time around.


    In this review:
    Introduction
    Yeah, But Can They Perform?
    ISS Proventia M50 Integrated Security Appliance
    Symantec Gateway Security 5460
    Secure Computing Sidewinder G2 Security Appliance Model 2150 C 6.1
    SonicWall Pro 5060c with SonicOS 3.0 Enhanced
    Fortinet FortiGate-800 Antivirus Firewall 2.8
    The Essentials
    Test Methodology
    Report Card

    UTM perimeter-security devices combine firewalling, antivirus, and intrusion detection and prevention on a single appliance. Many throw in content filtering and antispam, making a compelling argument for one-stop security shopping. Unified threat management, a term coined by IDC, is not a new concept, however: Vendors have tried to bring these processes together for years but were stymied by performance problems. Fortunately, advances in processing, both on the main CPU and in specialized silicon, mean that performance problems can be overcome.

    To see how well vendors are taking advantage of new technologies, we tested UTM products in our Syracuse University Real-World Labs, rating each on how well it increases protection without hurting performance. Unfortunately, we found most products wanting. Our scenario was typical: An organization with 5,000 users seeks an edge device that provides firewall, IDS/IPS, antivirus and content filtering. The organization's DMZ network hosts DNS and Web servers that communicate with a back-end Microsoft SQL Server and an SMTP server, which relays mail to an internal Exchange 2000 server (for more details, see "Test Methodology"). Most traffic is from internal users to the Internet.

    We invited 11 vendors to participate. Fortinet, Internet Security Systems, Secure Computing, SonicWall and Symantec accepted our invitation. Check Point Software Technologies, Cisco Systems and Finjan Software said they couldn't ship products in time. Juniper Networks doesn't have an offering that fits, and Astaro and iPolicy Networks did not respond to our invitation.


    Advanced Protection?

    It's time to puncture the IPS myth: All the problems inherent in intrusion detection are exacerbated by automated prevention. Certainly, there are signatures that flag malicious traffic with a high degree of probability, and you can safely block these packets. Any protocol violation--for example, characters not defined within the HTTP protocol specification, similar to RFC 822--can be intercepted with little risk of a false positive.

    Figuring out which other signatures can be safely blocked takes a bit more digging to determine if normal traffic will trigger an alarm.

    The vendors in this review take a conservative approach to setting default block policies, and that's appropriate. Each network is different, and an aggressive cookie-cutter stance will likely turn away legitimate traffic. With the exception of ISS's Proventia, changing the default action in the IPS functions of the devices tested was a simple matter of selecting the signature, or in some cases a family of signatures, and setting the action to block. Changing the default IPS setting in Proventia is a multistep process, but it can be done.


    [Chart: Performance, Firewall with IPS and Content Filtering]

    However, in our tests only Proventia properly detected our malicious traffic. The other products failed to detect at least one attack--Fortinet's FortiGate-800 came in last, detecting just two out of five. This outcome is inexcusable: All the vulnerabilities we selected are at least a year old, with publicly available exploit code waltzing through most of these devices and returning a reverse shell on our "attacker's" computer. Moreover, we told all the vendors we'd be using publicly available exploits against servers with known vulnerabilities.

    After testing, we shared our results, the tool we used (Metasploit 2.3) and the modules with the vendor participants. Frankly, if we didn't provide the vendors with this information, we aren't convinced they would have added new signatures. In any case, those that didn't fare well will likely have fixes by the time you read this story. We scored protection capabilities, however, based on our initial set of attacks.


    [Chart: Performance, Firewall with IPS, Content Filtering and AntiVirus]

    We then pulled together well-known virus files and sent them over FTP and SMTP with just names, no file extensions, to see if we could sneak any through. Every product except Secure Computing's Sidewinder offered antivirus scanning of FTP traffic, and all the products successfully scanned e-mail attachments.

    Signature updates are automatic for the most part, with many of the products able to update manually if necessary. A few of the firewalls required that we install firmware updates and perform reboots manually, but that's par for the course.

    We get into the performance versus protection debate a lot. When a stateful packet-filtering firewall wins a review because of better performance, readers with application proxies flame us, saying their firewalls provide superior protection. When an application proxy wins because of better protection, readers with the stateful packet filters rail that those other devices impact network performance. The right answer lies in the middle: We want good performance and strong protection.

    Unfortunately, we discovered late that because of a series of errors, the tool we were using to test performance was misreporting results, and the testing scenario we wanted to create was radically different from the one we achieved. So much so that with less than 24 hours until press time, we decided to pull the performance results from this review. We couldn't develop and validate a test on such short notice, and we won't print misleading results. However, we can provide some general observations and post performance charts online.


    [Chart: Reader Poll]

    [Table: UTM Firewall Attacks]

    Antivirus scanning had a significant impact on overall firewall performance, for two main reasons. Before a firewall can scan files, it must queue them. Then it scans each file in turn and decides to send it, drop it or quarantine it. This process uses memory and introduces a high degree of "burstiness" as files are queued, scanned, and passed or dumped. In addition, virus scanning is CPU- and memory-intensive, and it degrades overall traffic performance. Some firewalls, including the FortiGate and Symantec Gateway Security, let you set antivirus configuration options on a per-rule basis, while others are more global.

    Content filtering and IPS functionality generally have lesser, but still appreciable effects on performance. Each vendor defines content filtering differently. For one, it could be as simple as regulating MIME types, or going deep into files to search for key words in Web pages and e-mail. The more specific the content filtering, the slower the overall performance.

    Making It Dance

    So how configurable are these puppies? We're big fans of granularity--we like to tailor an appliance's protective features to our needs, not the other way around. Fortinet's FortiGate is a model of fine-grained configurability. We could, on a per-rule basis, apply different sets of protection features, such as content filtering and antivirus scanning. That's handy when performance is a concern because you can enable advanced features as needed.


    [Table: UTM Firewall Features]

    Once an appliance is processing lots of traffic, the management interface often slows to a crawl, rendering the device unmanageable. If you're brushing off this consideration, you've never tried to manage a firewall that was under DoS attack. We were happy to find that, even while under load, most of the devices remained manageable; the exception was the SonicWall appliance.

    The clear winner in our review is ISS's Proventia M50. This $14,890 champ caught all our attacks the first time and had adequate performance and management capabilities, earning it our Tester's Choice award. Symantec's Gateway Security and Secure Computing's Sidewinder G2 battled for the middle of the pack. Both cost more than double what the Proventia will set you back--$36,700 and $35,900, respectively--but each has strengths in application proxies, plus Symantec's offering is augmented with IDS/IPS while the Sidewinder's split DNS and SMTP proxies add a layer of protection to common protocols. Fortinet's and SonicWall's products brought up the rear; we were surprised at how poorly their offerings performed. The FortiGate missed three key attacks, while the SonicWall lacks rivals' policy granularity, has poor logging, underperformed with throughput and missed some key attacks.

    Internet Security Systems is a relative newcomer to the UTM field, but its solid experience in intrusion detection and vulnerability assessment have served it well: The Proventia was the only appliance to detect and name all the exploits we used, and really, that's the bottom line. In addition, the wealth of information Proventia provides about attacks and the causes is top-notch. However, its management interface leaves a lot to be desired. Navigating through screens was a challenge, and reporting was middle of the road.

    ISS, like other vendors in this review, is conservative in enabling blocking on intrusion-detection rules--a wise stance. The Proventia has a wide variety of actions that can result from alerts, but the most common are blocking or resetting the connection and dropping the packet. Tuning IDS/IPS features--a requirement in nearly all IT shops--was needlessly complicated. We could tune default actions by entering adjustments on a per-signature or event-family basis through an advanced tab widget. For a few exceptions, this wouldn't be a problem, but for making wide-scale changes, it becomes another rule set to manage. ISS will make changes for you, but then you have to keep going back to the mother ship--not a scalable solution.

    Proventia's antispam, antivirus, firewall and Web-filter capabilities generally are enabled or disabled globally, with scant tuning available. For example, antivirus is enabled or disabled for HTTP, FTP, SMTP and POP3 globally. We prefer the granularity Fortinet provides, where profiles are applied on a per-rule basis.

    Reporting was mixed. The Proventia logged data and provided excellent detail, which is especially handy when the IDS is firing off alerts. Being able to quickly absorb the particulars of malicious traffic let us immediately understand the risks and possible courses of action. However, the Proventia, like the other products we tested, cannot save filters for later reuse; we also couldn't create negate filters. Although we don't always know what we're looking for in a log file, we know what we don't want to see. Not being able to create a filter that says, "Don't show SYN Flood alerts," we had to slog through entries by hand.

    Proventia M50 Integrated Security Appliance. Internet Security Systems, (800) 776-2362, (404) 236-2600. www.iss.net

    The Gateway 5460 is a blend of Symantec security products in a centrally managed appliance. The 5460 is unique because it features both application proxies (which inherently provide better protection against network- and service-level attacks and are also found in the Sidewinder) and intrusion-detection and -prevention functionality. However, its reporting is sparse and difficult to view at a glance; this is a recurring theme with Symantec's firewall. And, even given all its functionality, the 5460 is overpriced at $35,900.

    We've always maintained that application proxies, which fully support defined protocols like HTTP, SMTP or SQL*Net, offer better protection than stateful packet filters and even IPSs. This is because application proxies instantiate service protocols as a client and server. Service-level attacks typically violate protocols in some way, and we have shown in testing that they are best stopped by application proxies. However, there are two problems with this approach: The first is reduced performance, because of the increased processing and the additional latency required to set up a second connection completing the proxy. The second is that few application proxies are actually written. Common protocols HTTP, FTP, SMTP and DNS are easily found, but other common protocols, including Microsoft SQL, use generic proxies that do nothing more than proxy TCP and UDP connections.

    The 5460 addresses the second shortcoming with its IDS/IPS feature, which triggers on malicious traffic per an attack-signature match. An interesting phenomenon on the 5460 is that the IIS .printer and ntdll.dll overflow attacks were detected and blocked on the application proxies, not processed by the IDS. The Unicode attack was passed through the application proxy because it is valid HTTP traffic, but it triggered an IDS alert. That's what we call an interesting pairing of complementary technologies. Unfortunately, because Symantec doesn't have an application proxy for SQL Server and no signatures for the two well-known exploits we used, our SQL Server overflow attack was not caught.

    Firewall rule and configuration changes were often a multistep process, where we had to apply changes and then save them to the firewall. If we forgot the second step, our modifications didn't take effect. Application proxies are configured on a per-rule basis, so as with the FortiGate, we could tailor protective mechanisms as needed.

    Logging, while detailed, was rather awkward to use, which is the last thing you want to deal with when troubleshooting. The logging system had filtering capabilities, but again, we found no way to define a negate filter.
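    The two logging complaints above (here and in the Proventia section: no saved filters, no negate filters such as "Don't show SYN Flood alerts") are easy to state as code. The following is an added example and not any vendor's code: a tiny alert-log filter that supports equality and negated terms combined with AND, and a store that serializes named filter sets so they survive the session. The alert lines and their key=value layout are constructed for the example.

```python
"""Saved and negated filters over a firewall/IPS alert log (added illustration).
The alert lines and their key=value format are constructed, not a product's."""
import json
import re

PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_alert(line):
    """Split '2005-05-08T10:12:01 key=value ...' into a dict; values may be quoted."""
    ts, _, rest = line.partition(" ")
    entry = {"ts": ts}
    for key, value in PAIR_RE.findall(rest):
        entry[key] = value.strip('"')
    return entry


def matches(entry, filt):
    """One filter term: field == value, or field != value when negate is set.
    A negated term also matches entries that lack the field entirely."""
    present = entry.get(filt["field"]) == filt["value"]
    return (not present) if filt.get("negate") else present


def apply_filters(entries, filters):
    """All terms must hold (AND); an empty filter list shows everything."""
    return [e for e in entries if all(matches(e, f) for f in filters)]


class FilterStore:
    """Named filter sets, serialized as JSON so they can be reused later."""

    def __init__(self, serialized=None):
        self.filters = json.loads(serialized) if serialized else {}

    def save(self, name, filters):
        self.filters[name] = filters

    def dump(self):
        return json.dumps(self.filters)

    def run(self, name, entries):
        return apply_filters(entries, self.filters[name])


# Constructed alert log: a SYN flood filling the log while a few other
# events against the Web server are the ones worth reading.
SAMPLE_ALERTS = [
    '2005-05-08T10:12:01 sev=3 sig="SYN Flood" src=203.0.113.5 dst=192.0.2.10 action=drop',
    '2005-05-08T10:12:03 sev=3 sig="SYN Flood" src=203.0.113.5 dst=192.0.2.10 action=drop',
    '2005-05-08T10:13:40 sev=5 sig="IIS .printer overflow" src=203.0.113.9 dst=192.0.2.20 action=reset',
    '2005-05-08T10:14:02 sev=2 sig="Overlong URI" src=203.0.113.9 dst=192.0.2.20 action=log',
    '2005-05-08T10:15:30 sev=3 sig="SYN Flood" src=203.0.113.6 dst=192.0.2.10 action=drop',
    '2005-05-08T10:16:11 sev=4 sig="WebDAV request" src=203.0.113.9 dst=192.0.2.20 action=drop',
]


def demo():
    """Save two filters, reload them as a later session would, and apply both."""
    entries = [parse_alert(line) for line in SAMPLE_ALERTS]
    store = FilterStore()
    # "Don't show SYN Flood alerts"
    store.save("no-synflood", [{"field": "sig", "value": "SYN Flood", "negate": True}])
    # ... and of those, only the ones the device actually dropped
    store.save("dropped-not-synflood", [
        {"field": "sig", "value": "SYN Flood", "negate": True},
        {"field": "action", "value": "drop"},
    ])
    restored = FilterStore(store.dump())
    return {name: [e["sig"] for e in restored.run(name, entries)]
            for name in restored.filters}


if __name__ == "__main__":
    for name, sigs in demo().items():
        print(name, "->", sigs)
```

    The negated term is the piece the reviewed appliances lacked; note that it matches entries without the field at all, so a filter written against one sensor's vocabulary does not silently hide another sensor's events.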

    Symantec Gateway Security 5460. Symantec Corp., (800) 441-7234, (408) 253-9600. www.symantec.com

    The Sidewinder, like Symantec's Gateway Security, is an application proxy firewall, except it doesn't support signature-based intrusion detection and prevention. Rather, Secure Computing focuses on building application-level proxies. Content filtering and antivirus are added protections. We did nick Secure Computing on attack detection because of its lack of integrated IDS and antivirus scanning on FTP traffic. Byte for byte, an application proxy provides better protection than an IPS, but as we found with Symantec Gateway Security, the IPS can fill gaps in application-proxy coverage. We'd like to see Secure Computing close some of those gaps.

    The Sidewinder is highly tunable; we're impressed with the options available in configuring application proxies. Different profiles can be defined for an application defense, which is then used to configure protection features. For example, we created an HTTP profile of the enforced content control and allowed only the get, post and head methods. We also disallowed Unicode encoding in the URI. We could then apply that profile to a rule. But not all application-defense mechanisms had as many options as HTTP.
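    As an added example of what an HTTP application-defense profile like the one described above actually enforces, the code below (not Secure Computing's or any product's code; the function names and sample requests are constructed) checks a raw request line for three things: a method allowlist of get, post and head; no Unicode encoding in the URI; and the protocol-violation check the introduction mentions, namely bytes that the HTTP request line does not permit. Each failing request comes back with the reason, which is what a proxy would log.

```python
"""HTTP request-line policy: method allowlist, no Unicode encoding in the URI,
and only printable US-ASCII in the request line. Added illustration with
constructed sample requests; not a product's code."""
import re

ALLOWED_METHODS = frozenset({"GET", "POST", "HEAD"})
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")
# %uXXXX is a non-standard Unicode escape; %C0xx / %C1xx are overlong UTF-8 lead bytes
UNICODE_ESCAPE_RE = re.compile(r"%u[0-9a-fA-F]{4}|%[cC][01]%[0-9a-fA-F]{2}")
PERCENT_RE = re.compile(r"%([0-9a-fA-F]{2})")


def check_request_line(line, allowed_methods=ALLOWED_METHODS):
    """Return (allowed, reason) for one raw HTTP request line (str or bytes)."""
    if isinstance(line, bytes):
        line = line.decode("latin-1")   # one char per byte so every byte is range-checked
    if line.endswith("\r\n"):
        line = line[:-2]
    # Protocol check: the request line is printable US-ASCII only
    for ch in line:
        if ord(ch) < 0x20 or ord(ch) > 0x7E:
            return False, "byte 0x%02x not permitted in a request line" % ord(ch)
    m = REQUEST_LINE_RE.match(line)
    if not m:
        return False, "malformed request line"
    method, uri, _version = m.groups()
    if method not in allowed_methods:
        return False, "method %s not in allowlist" % method
    if UNICODE_ESCAPE_RE.search(uri):
        return False, "Unicode encoding in URI"
    for hexpair in PERCENT_RE.findall(uri):
        if int(hexpair, 16) > 0x7F:
            return False, "percent-encoded non-ASCII byte %%%s in URI" % hexpair
    return True, "ok"


# Constructed sample requests: three that pass, six that fail for distinct reasons.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "HEAD /images/logo.png HTTP/1.0",
    "POST /cgi-bin/form?x=1 HTTP/1.1",
    "PUT /upload/notes.txt HTTP/1.1",          # method outside the allowlist
    "GET /search?q=%u00e9 HTTP/1.1",           # %u Unicode escape
    "GET /caf%C3%A9 HTTP/1.1",                 # percent-encoded non-ASCII
    b"GET /caf\xc3\xa9 HTTP/1.1",              # raw non-ASCII bytes
    "GET /a\x01b HTTP/1.1",                    # control character
    "GET /index.html",                         # no HTTP version
]


def evaluate(requests):
    """Run the policy over a list of request lines."""
    return [(req, check_request_line(req)) for req in requests]


if __name__ == "__main__":
    for req, (ok, reason) in evaluate(SAMPLE_REQUESTS):
        print("ALLOW" if ok else "DENY ", repr(req), reason)
```

    The byte-range check runs before parsing, so a request line that the regular expression would reject anyway is still reported as the protocol violation it is rather than as "malformed", which is the distinction an operator wants when reading proxy logs.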

    The Sidewinder achieves high performance for an application proxy by limiting the amount of resources it expends on application inspection. Normally, application proxies must move network transactions from the NIC up into user space, proxy the traffic to the "other side" and send it back down to the NIC, creating a bottleneck. Secure Computing changed how the Sidewinder proxies traffic, setting it to inspect only packets that require protocol analysis. For example, if a Web client is doing an HTTP get, only the first few packets must be inspected. Once the get is successful, the rest of the transaction is just moving data, which is kept in kernel space and requires much less overhead. This intelligent inspection provides the best of both worlds--application proxy and good performance.

    Still, these benefits don't justify the high price, and like the Symantec Gateway Security, logging left lots to be desired. Although there were plenty of details, ferreting out the salient ones took more mental processing than we like to expend on parsing logs when troubleshooting or even monitoring the firewall.

    Sidewinder G2 Security Appliance Model 2150 C 6.1. Secure Computing Corp., (800) 379-4944, (408) 979-6572. www.securecomputing.com

    The inexpensive SonicWall 5060 seems to be targeted at midsize companies. In our first round of attacks, the device detected three out of five exploits and, like ISS's Proventia, wasn't thrown by our fragmentation evasion attempt. The SonicWall did detect our ntdll.dll exploit, but it failed to name the attack properly, which would have led us to believe it was a false positive. The device's policy definitions weren't as granular as Fortinet's, and its IPS responses were not even close to those offered by ISS. As a firewall, the SonicWall is solid, but we're not convinced the device's intrusion-detection capabilities are up to snuff.

    Once we had the SonicWall installed and the firewall policies configured, we enabled the IPS on the LAN zone and the DMZ zone. We fired off our attacks, and four triggered alerts. Only three, however, were correctly identified. The Microsoft SQL Server buffer overflow attack passed unnoticed, and the Windows ntdll.dll overflow triggered three different alarms: one for WebDAV access, one for an overlong URI and one for a SQL injection attempt that left us scratching our heads. None of these would have indicated that someone was attempting to exploit a two-year-old vulnerability. To make matters worse, these exploit signatures were all marked as low priority. We told SonicWall about our results and the company updated its signature databases within the week.

    The SonicWall's alert logs are filterable, and when we clicked on an IPS event, we could edit signature properties, such as default action. There's also a link that took us to more information about the event. Unfortunately, the SonicWall doesn't log traffic that passes through allow rules, except through syslog or SonicWall's Viewpoint reporting software. Makes troubleshooting a bit difficult.

    We also found that while under load, the SonicWall was essentially unmanageable. Sure, we were managing the SonicWall from the same interface traffic was arriving on, but we never got above 50 percent utilization during our tests, so management shouldn't have been degraded because of high traffic.

    SonicWall Pro 5060c with SonicOS 3.0 Enhanced. SonicWall, (888) 557-6642, (408) 745-9600. www.sonicwall.com

    Fortinet markets the FortiGate-800 as a high-speed antivirus gateway. Add in the IPS, content filtering and antispam capabilities, and you get the whole enchilada. But FortiGate's reporting, a critical feature in security gear, is subpar. We also were sorely disappointed with the device's intrusion-detection capabilities: The FortiGate properly detected only two of the five attacks we threw at it.

    The FortiGate does have some redeeming qualities. It is easy to configure, and its rule set is highly readable. We also like the system status page, which was unique among the devices tested and gave a quick overview of the firewall. We configured and applied different protection profiles on a per-rule basis, so we could customize traffic protections. For example, we applied a restrictive content-filtering and antivirus profile to one rule and a less restrictive profile to another. Logging is sparse, barely giving enough detail to troubleshoot problems. However, unlike the SonicWall, the FortiGate let us log all traffic, and it has a modular system for determining what gets reported.

    Fortinet FortiGate-800 Antivirus Firewall 2.8. Fortinet, (866) 868-3678, (408) 235-7700. www.fortinet.com

    Mike Fratto is editor of Secure Enterprise. He was previously a senior technology editor for Network Computing and independent consultant in central New York. Write to him at mfratto@secureenterprisemag.com.

    Secure Enterprise joined with sister publication Network Computing for the mother of all firewall reviews--we tested 20 firewalls in four categories: Gigabit enterprise firewalls, XML gateways, branch-office firewalls and UTM (unified threat management) devices. The only vendor that submitted a single product in multiple categories was Secure Computing, which sent its 2150 model Sidewinder G2 for our gigabit enterprise and UTM reviews. Testing took place at our Green Bay, Wis., Syracuse, N.Y., Chicago and Gainesville, Fla., labs.

    In the UTM category, we put five devices through their paces. Overall, we were underwhelmed. Although we told vendors we would test using publicly available exploits, only one product, ISS' Proventia, detected everything. All the other devices let through at least one attack--even though the vulnerabilities we threw at them were at least a year old. Moreover, performance, especially with antivirus checking enabled, left much to be desired, and pricing was all over the map.

    Product Category: UTM appliances, aka multifunction firewalls or all-in-one security appliances

    Market Data: By early next year, spending for all-in-one security appliances will exceed spending for specialized security devices, according to Gartner.

    Products Tested: Fortinet's FortiGate-800 Antivirus Firewall 2.8, Internet Security Systems' Proventia M50 Integrated Security Appliance, Secure Computing Corp.'s Sidewinder G2 Security Appliance Model 2150 C 6.1, SonicWall's SonicWall Pro 5060c and Symantec Corp.'s Symantec Gateway Security 5460

    Who Won and Why: Priced at a mere $14,890, ISS's Proventia detected every one of our attacks while providing decent management capabilities. Our main nit is that ISS could have made it easier to tune IDS/IPS features and antispam, antivirus, firewall and Web-filter capabilities.

    What Happens Next: Check out the rest of our "Firewall Blowout" in the April 28, 2005 edition of Network Computing.

    When we set out to test unified threat-management appliances, we modeled our tests on real-world requirements. We laid out our network with a DMZ containing an SMTP MTA (message transfer agent), a DNS server and an HTTP server. Our internal zone housed our user clients and an Exchange Server. We designed firewall rules so that all traffic originating from the external zone went only to the DMZ, and all traffic originating from the internal zone could get to the DMZ and external zone. This is a common architecture. The bulk of our traffic originated from the internal zone.

    To test the protection features of the UTM devices, we used the Metasploit framework to attack vulnerable HTTP and SQL servers in the DMZ. We verified that the exploits worked prior to testing. We also used fragroute to fragment the attack traffic into 8-byte chunks to evade IDS detection. We then gathered virus files, which we used for FTP and SMTP antivirus scanning. We set up the UTM appliances with similar policies to detect and block attacks and to detect and block viruses over SMTP and FTP, and we restricted access through the firewall, allowing only required services. We then tested each exploit and virus while the firewall was idle and while it was under load. We considered an attack properly detected and blocked only if the UTM device named the exploit with a reasonable degree of accuracy. For example, several appliances named the ntdll.dll exploit as an overlong URI string, which is far too generic a classification to set a block on. If the appliance did name it, we attempted to block the attack. We notified vendors of the results. We didn't change a grade if the IDS was properly configured but failed to detect or block the attack, even when the vendor issued a subsequent signature update.


    [Figure: Test Methodology]

    Be careful with protocol parameters, such as maximum header and URL length in HTTP. Although we agree that it's unusual to see a URI longer than 100 characters, longer ones do exist, and headers can be longer still. Be sure you understand the behavior of your applications before you set arbitrary limits.
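    As an added illustration of two points from the methodology above (the 8-byte fragmentation evasion, and the gap between a generic "overlong URI" alarm and a signature that actually names the attack), here is a small Python model that is not part of the review and carries no real exploit traffic. The two requests, the signature names and the length thresholds are constructed for the demo, and the matcher is a deliberately naive stand-in for an IPS engine, not any vendor's code.

```python
"""Added example: per-fragment vs. reassembled signature matching, and a
generic URI-length cap vs. a signature tied to the request method.

Everything here is constructed for illustration; no real exploit bytes."""

from typing import Callable, List, Optional, Tuple

# Constructed stand-ins for the traffic the review describes. ATTACK_REQUEST
# has the shape of a WebDAV request with an overlong URI (padding only);
# BENIGN_LONG_REQUEST is a legitimate search URL that happens to exceed 100
# characters, the kind of URL an arbitrary cap would flag.
ATTACK_REQUEST = (
    b"PROPFIND /" + b"A" * 300 + b" HTTP/1.1\r\n"
    b"Host: dmz-web.example\r\n\r\n"
)
BENIGN_LONG_REQUEST = (
    b"GET /catalog/search?q=" + b"widget&" * 30 + b"page=2 HTTP/1.1\r\n"
    b"Host: dmz-web.example\r\n\r\n"
)

WEBDAV_METHODS = {b"PROPFIND", b"PROPPATCH", b"MKCOL", b"MOVE", b"COPY",
                  b"LOCK", b"UNLOCK", b"SEARCH"}

# Thresholds are assumptions for the demo, not values from the review.
GENERIC_URI_LIMIT = 100   # the arbitrary cap the text warns about
WEBDAV_URI_LIMIT = 256    # hypothetical threshold paired with the method


def parse_request_line(data: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (method, uri) if the buffer holds a complete HTTP request line."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return None  # line not terminated in this buffer: nothing to match
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1]


def sig_webdav_overlong(method: bytes, uri: bytes) -> bool:
    # Specific: WebDAV method plus an overlong URI; this names the attack.
    return method in WEBDAV_METHODS and len(uri) > WEBDAV_URI_LIMIT


def sig_generic_overlong(method: bytes, uri: bytes) -> bool:
    # Generic: any URI over the cap; fires on long but legitimate URLs too.
    return len(uri) > GENERIC_URI_LIMIT


# Most specific signature first, so the first alarm is the most useful name.
SIGNATURES: List[Tuple[str, Callable[[bytes, bytes], bool]]] = [
    ("webdav-overlong-uri", sig_webdav_overlong),
    ("overlong-uri", sig_generic_overlong),
]


def classify(data: bytes) -> List[str]:
    """Names of every signature that matches the buffer, in SIGNATURES order."""
    parsed = parse_request_line(data)
    if parsed is None:
        return []
    method, uri = parsed
    return [name for name, rule in SIGNATURES if rule(method, uri)]


def fragment(payload: bytes, size: int = 8) -> List[bytes]:
    """Split the payload the way fragroute's 8-byte IP fragmentation does
    (IP fragment offsets are expressed in 8-byte units, so 8 is the minimum)."""
    if size <= 0 or size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def reassemble(frags: List[bytes]) -> bytes:
    """Trivial in-order reassembly; a real sensor must also handle overlaps."""
    return b"".join(frags)


def inspect_per_fragment(frags: List[bytes]) -> List[str]:
    """Naive sensor: matches each fragment on its own, never seeing a whole line."""
    seen: List[str] = []
    for frag in frags:
        for name in classify(frag):
            if name not in seen:
                seen.append(name)
    return seen


def inspect_reassembled(frags: List[bytes]) -> List[str]:
    """Sensor that reassembles before matching, as Proventia and SonicWall did."""
    return classify(reassemble(frags))


if __name__ == "__main__":
    for label, req in (("attack", ATTACK_REQUEST), ("benign", BENIGN_LONG_REQUEST)):
        frags = fragment(req)
        print(label, "per-fragment:", inspect_per_fragment(frags))
        print(label, "reassembled: ", inspect_reassembled(frags))
```

    Compare the three results: per-fragment matching sees nothing at all, the reassembled stream trips both signatures (and the specific one is listed first), and the benign 234-character search URL trips only the generic 100-character cap, which is exactly the false positive the paragraph above warns about.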

    We strove to configure the firewalls with the strongest possible policy that would be similar across all the products tested so we could determine how the different feature sets compare with one another. Surprisingly, the core security features don't vary much. Some products add some nice touches, though. SonicWall's advanced protections are configured on zones, and you can enable antivirus and content filtering on a per-zone basis. Secure Computing and Symantec took that idea one step further, letting us configure advanced features on a per-rule basis.

    All Secure Enterprise product reviews are conducted by current or former IT professionals in our Real-World Labs or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Secure Enterprise schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.

    5/6/2005

    Cisco Releases Multifunction Security Product Consolidating 18 Security Management Functions

    May 4 news: Cisco Systems CEO John Chambers, in his keynote this Tuesday at the NetWorld + Interop show in Las Vegas, will introduce a new product called the "Adaptive Security Appliance 5500." The new security appliance consolidates the security functions of several different products into one.

      The new product combines 18 different network and security management functions in a single device, including intrusion detection, denial-of-service prevention, spyware and adware blocking, and broad inspection of network traffic. The inspection function can, for example, spot the sudden jump in bandwidth consumption caused by employees visiting file-sharing sites such as Kazaa.

      At present, many of these functions are spread across the various products Cisco sells for enterprise data centers, including the PIX security appliances, the IPS 4200 Series and the VPN 3000 concentrators. Because many enterprise data centers have limited space and cannot house all of these devices, the new Adaptive Security Appliance helps users save as much space as possible.

      Cisco's multifunction strategy differs completely from that of its competitors. Check Point Software and Symantec, for example, offer separate security products for different functions.

      However, another Cisco competitor, Juniper Networks, has also begun integrating many functions into a single device. Cisco's move will push Juniper Networks and other competitors to integrate even more functions into one box.

      Cisco vice president Jayshree Ullal said the ASA 5500 (Adaptive Security Appliance 5500) will ship in May, priced from $3,500 to $17,000. Cisco plans to introduce more security products that integrate multiple functions later this year.

    http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1650/cdccont_0900aecd802930c5.pdf