The best firewall is...

Firewalls have come a long way since we last looked at them in 2005, and have now become full-blown Unified Threat Management devices. We take a look at the top players.

It is interesting to consider the progress the humble firewall has made over recent years, from its first rudimentary software incarnations using simple rule-based systems, to the current fully-converged security appliances addressing a plethora of threats and policies.

These days it is actually difficult to source a purely stand-alone firewall. In fact, most routers cover this basic function and we even see network switches that adopt this role at a port-by-port level.

Two or three years ago, security vendors were beginning to find their feet with first- and second-generation converged security devices. Today, these devices are complete packages, and they ceased to be just firewalls a long time ago. Now, they are commonly known as security appliances or by the flashy name Unified Threat Management (UTM) devices. UTMs cover everything from firewall (stateful and deep packet inspection), to spam, virus, anti-spyware, content filtering and more.

Recent developments in this space have seen vendors aggressively pushing into the traditional networking routing and switching space — further converging these technologies to deliver increasingly integrated network-and-security devices. This does not mean a few IPs pointed in the right direction, these vendors are tackling big network issues such as Quality of Service (QoS), packet shaping and bandwidth management — issues that cost businesses and CIOs time and money.

From a management perspective, increasingly converged solutions mean things can be seen more simply, particularly if you are managing a large and widely distributed enterprise. If you are considering single solutions, these devices are able to single-handedly address a large part of your security and networking needs. They can help reduce cost, complexity, integration and management issues. The flip-side is that all your eggs are in the one basket. If the bad guys find a way in, they're right in, so there is still an argument supporting the onion layer approach.

Planning your security environment

Considerations when planning your security environment (apart from understanding your legacy systems and what actually needs to be replaced) include ensuring you are fully aware of your current exposure and your risk. Your exposure and risk changes over time and needs to be monitored regularly. It also needs to be audited regularly to ensure your current levels of protection are appropriate for the information you are securing. A tip is to look at your existing security measures to ensure that they are not overkill — they may be deployed better elsewhere, protecting more important and more valuable data. The majority of enterprises understate the value and security of their information assets. Still, there is little point spending $50,000 on a security solution to protect $10,000 worth of information. Protection must be commensurate with the value of the data it is protecting and the likelihood of it being attacked.

The next step is to ensure you have a detailed knowledge of your network and the systems that need to be protected. No security solution is going to help an enterprise that has a weak understanding of their communications infrastructure. Most importantly, you need to be fully aware of how your systems interconnect with external points. This is much more than just the internet and Wide Area Network (WAN) connections. People sync their PDAs using high-speed network connections; others wander in and out with USB devices; and wireless technologies abound. Audit, audit, audit; and document your work. Draw the map, define the risks, check and double check.

Once the value, risks and environment are known, it is time to start your procurement cycle. While we love to think that readers rush out and purchase anything we recommend in our reviews, your own evaluation and research also needs to be done for your specific environment. Environments are often similar, but no two networks are identical, and neither are technical resources, training, budgets and so on. Information security is not to be taken lightly.

If you have completed your risk assessments correctly you will be in a much better position to ignore security consultants' and vendors' fear, uncertainty and doubt (FUD) tactics and focus directly on finding a solution to protect your environment.

Isolating the product that's right for you

Evaluating security products is something Enex does at our lab on a regular basis, for many clients.

You should be able to create a shortlist based on your understanding of your own environment and risk requirements. Take a look at as many vendor's product feature-tables as you can and from those, create a list of mandatory requirements and then your wish list of features. Narrow the field, but don't just think features, look at the vendor's claims around your mandatory items.

Two critical considerations that are often overlooked are administration/management and interoperability. Make sure you consider management, it is no good if you find the perfect fit device but need to deploy 40 of them to branch offices if the vendor has an inadequate management system (yes, it has happened). Nor is it ideal if your network engineers need a degree in quantum physics to configure and administer it. The chances of misconfiguring it and leaving the door open leap upwards. Interoperability is also a consideration that is often overlooked. Do you have legacy equipment that this system will need to work with? Create a list of the products and application connecting to (and through) this security system. Ensure that key protocols are fully supported.

Once your shortlist is drafted, contact the vendors and ask them specific questions that relate to your requirements. The ones that tick most boxes should be brought in for demonstration and be subjected to real physical testing that simulates your scenarios and requirements. Testing methodologies and accepted practices for performing penetration testing and evaluation of security systems is an issue worthy of a separate discussion. There are as many theories as there are the solutions and environments.

Two factors often overlooked that need to be tested as part of any evaluation are performance and fail-over/redundancy.

Performance must be looked at from the perspective of ensuring the solution is going to handle traffic without creating bottlenecks — particularly with all the features that you want to use enabled.

Fail-over/redundancy should be examined from two positions. Firstly, is the product fail-safe? If it crashes, does it open everything up to the world or does it block everything off? Blocking everything off, while extremely inconvenient, is a lot better than opening everything up.

Secondly, redundancy: how well does the device perform in a high availability configuration? This ranges from the basics such as having multiple fans and power supplies through to complete secondary devices. How smooth is the transition? How do they stack and connect together with the rest of the network? How are configuration updates handled between the master and slave devices? What transactions are dropped during the switch-over, is the redundant unit secure at all times? Lots of questions!

The last consideration, even though most people ask it first, is the cost of the solution. It is wise to settle on a top three or four products so that when contract negotiations begin (both with the vendor and with your management) you have alternatives.

The current players

The last review Enex TestLab undertook for publication on this topic was in August 2005. That review is still massively popular, so due to demand we have re-visited the subject.

We asked a number of vendors to participate including Cisco, McAfee, Netgear, Juniper, Nortel, Symantec, Fortinet, Check Point, WatchGuard, IBM and SonicWALL. Some vendors, such as Cisco, decline outright to be tested. Others decline stating that they no longer have appliances in this market. To date, five vendors have submitted products; Juniper, SonicWALL, Astaro, Watchguard and IBM. As others come to hand we will include them.

The devices submitted were evaluated in terms of their design, features, interoperability, scalability, future-proofing, installation, configuration, administration, management, ease of use, quality and craftsmanship.

About the author
Matt Tett is a principal of Enex TestLab, an independent global testing organisation, founded in 1989 and is based at RMIT University in Melbourne Australia. Enex comprises eight business divisions each focused on different verticals all revolving around independent testing and expert consultancy from software and systems testing through to usability and gaming. The TestLab has been creating content for ZDNet and its affiliates for over 17 years. Matt has 20 years ICT experience and is a respected independent network and security consultant. He holds the following security certifications in good standing: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified Social Engineering Prevention Specialist (CSEPS).

Astaro Security Gateway 525

(Credit: Astaro)

The Astaro Security Gateway (ASG) 525 is the big brother of the ASG family. There are currently six models available with the smallest targeted at just 10 users, moving up from there. A software solution and virtual appliance are also available, so they have most bases covered.

The vendor claims that the ASG 525 is capable of handling between 600 and 3000 users, which is a wide-open claim. This would depend on the enterprise environment concerned, as well as the demands and network usage involved.

The ASG 525 and its siblings provide standard firewall and VPN functionality along with content filtering, spam filtering, malware scanning, intrusion detection and bandwidth management. Interestingly it can also handle mail encryption, which is a rapidly emerging consideration in many organisations these days.

The 525 is housed in a robust, full-length 2RU chassis. At the front are 10 Ethernet (10/100/1000) ports, along with an additional management Ethernet port, two serial and two USB ports. A small liquid crystal display (LCD) for status information and four buttons for scrolling through options are also available. Two pairs of status LEDs advise power and hard-disk drive (HDD) activity. Two LEDs for each of the Ethernet ports indicate connectivity and activity.

Both sides of the chassis have good ventilation grilles. The rear of the unit has two key-locked, removable, hard-disk enclosures; three exhaust fans and a VGA port (these appliances are built on standard PC architecture). The rear also houses the power switch, a reset switch, another power LED, and two power supplies that each utilise separate IEC power cables. Each power supply has two exhaust fans.

Astaro claims it differs from most other UTM vendors because it offers products as a hardware appliance or as a software ISO. This, the company argues, enables prospective customers to choose an unlimited style of licensing model on their own appliances (where the customer's hardware is the limiting factor as to how far the installation can scale upwards before requiring additional units or the purchase of a bigger unit) or choose a tiered protected-IP model based on Astaro's software ISO.

Astaro's software provides the exact same functionality as its appliances, however, it allows an end-user to use their own x86-based hardware. Customers therefore, could conceivably re-purpose servers for use as an Astaro UTM appliance, moving to bigger and better hardware as required, taking their configuration with them. The software ISO can also be loaded in virtualisation environments, further reducing hardware overheads.

Astaro states that its objective for the ASG range is to solve problems for companies, individuals and administrators. It focused on end-users and heeded their feedback. Over 70 per cent of the features and functionality of these products are a direct result of customer consultation. Astaro's users will see the product evolving as a direct result of their needs.

The installation and initial configuration of the device is relatively straightforward. A number of management options are offered and, as with most UTMs, there is an overwhelming array of features screaming out for attention. Astaro has presented these in a logical and easy-to-use way.

The administrative interface of the ASG device (Credit: CBS Interactive)

Design-wise the product is solid and supports a rich feature set. The physical quality of the craftsmanship of the device itself is very high, which is expected by the larger end of the business security market.

Maintenance packs for one, three and five years are available and include updates, hardware replacement and technical support (web, email and phone). Gold subscription packages are offered through Astaro partners during office hours. Platinum subscriptions are 24/7. You will need to be seated to read this: a one-year gold package costs AU$7457 for the 525 model, and it gets more expensive as you option up. The platinum package (for five years) costs a whopping AU$47,233!

This price range, even considering the product is aimed at the larger enterprise, is high at AU$40,800 – AU$60,100.

Astaro is up against some fierce competition at this end of the security device market. This Astaro product is, however, worthy of inclusion on your shortlist. Assuming, of course, that your CFO can stomach the price.

The bottom line Feature rich, easy-to-manage security product for the larger enterprise.
Vendor Astaro
Price AU$40,800 – AU$60,100
Warranty & support Gold (office hours support): one-, three- and five-year packs AU$7457 to AU$28,353.
Platinum (24/7 support: one-, three- and five-year packs AU$12,405 to AU$47,233.
The good ASG is available as an appliance or as software only
Good feature set
Easy to use considering complexity of functions
The bad Expensive product
Maintenance packs are even more expensive

Juniper Networks SSG550M

(Credit: Juniper Networks)

Juniper's SSG550M is the bigger sibling to the 520. The main differentiators between these are performance and redundancy options. Juniper claims the 550 provides performance of 1Gbps stateful and 500Mbps IPSec, while the 520 is 650Mbps stateful and 300Mbps IPSec. The 550 can also support an optional redundant power supply while the 520 cannot. Both models are available with AC or DC power supplies — good news for the telcos out there.

The SSG550M is housed in a large black 2RU chassis. On the front, the device is dominated by six modular expansion slots — two of these occupied by a double height 16-port 10/100/1000 network module. One expansion slot was also occupied by a single port ADSL line card. Fixed ports on the front also include four additional 10/100/1000 network ports, two USB ports, a console port and an auxiliary port. Power and reset/config switches are recessed, and there are status LEDs for power, alarm, status and high availability. Each network port also features two LEDs showing connectivity, status and activity. The removal of a blue plastic bezel provides access to the ventilation filter; at the rear are more ventilation grilles. Access to the power supply modules is also from the rear, delivered via standard IEC connector power cables.

Juniper's elevator pitch for the 550M is that it offers a mix of high performance, security and LAN/WAN connectivity for regional and branch office deployments. ScreenOS is Juniper's real-time security specific operating system. It includes a specific set of security and management applications including:

  • Common criteria and ICSA certified stateful inspection firewall
  • ICSA certified IPSec VPN gateway for interoperable and secure communications
  • Deep inspection for application-level attack protection
  • Antivirus protection based on the Kaspersky Lab scanning engine that includes antiphishing, anti-spyware, anti-adware protection
  • Anti-spam via a partnership with Symantec to block known spammers and phishers
  • Content filtering using SurfControl to block access to known malicious sites or other inappropriate content
  • Network segmentation through its virtualisation capabilities
  • Denial of service (DoS) mitigation capabilities
  • Application layer gateways to inspect common VoIP protocols (H.323, SIP, SCCP and MGCP)

Considering Juniper's networking heritage and impressive array of carrier grade services equipment, it is no wonder that the company's firewall platform also performs common networking functions supporting routing protocols such as BGP, OSPF and RIPv2. This integrated functionality provides enterprises with great network redundancy, allowing for multiple services/ISPs. Using dynamic-routing with path-monitoring, enables an automatic connection failover to an alternate route and/or ISP. Juniper's dynamic routing capability also enables route-based VPNs (the ability to define multiple VPN tunnels and based upon a routing decision select the best VPN tunnel for the traffic).

The design of the GUI for administration/configuration is now somewhat dated, although functional. For those familiar with the Netscreen/Juniper interface, it will have a traditional look and feel. It also retains a menu-based system that provides multi-level access to the device's operations. Juniper has added an option to toggle from the traditional menu to a much neater Java-enabled menu, ensuring that sub menus pop-up with a single click. Either way our engineers found locating the configuration/administration items easy.

The Juniper web GUI (Credit: CBS Interactive)

Juniper (with strong roots in the carrier industry) provides a number of ways to manage these devices — either remotely or locally. These range from its standard web GUI through to a traditional console-based session. Centralised management is also an option and, you'll find, necessary when deploying a number of devices in differing geographies.

Overall, it is a very robust and highly customisable device. Juniper has a history delivering mission-critical and highly available products. In the Australian corporate and government markets this category device would suit the medium to large organiaations in virtually any scenario.

Warranty is for one year from the date of purchase. Juniper also offers two support/maintenance models for all products:

  • JCARE Support: the Juniper partner or reseller will (in addition to selling you the product) sell a maintenance contract for the device. This is based on return-to-factory, next-day or same-day support models (as per the customer's SLA). All support requests (JTAC, hardware, software etc) are provided direct by Juniper to the end-customer.
  • JNASC Partner enabled: as a Juniper Networks authorised support centre partner, the partner provides level 1 and level 2 support services directly to the end customer. The partner maintains the primary support relationship with the customer while relying on Juniper for escalation support. Juniper assists the JNASC partner with all escalation and level 3 support issues to resolve an end-customer problem

The price of the 550M we tested, considering the design, intended application, features and functionality is very reasonable at AU$15,487.

The bottom line If you are in the market for an enterprise-level mission critical network security device then shortlist Juniper's SSG500 series for evaluation.
Vendor Juniper Networks
Price AU$$15,487
Warranty & support Juniper warrants that for a period of one year from the date of purchase, the hardware shall be free of defects in material and workmanship under normal authorised use consistent with the product instructions.
Juniper currently operates two distinct support models for all products: JCARE Support and JNASC Partner enabled.
The good Configurable/customisable
Feature rich
High reliability could be expected
The bad May be overkill in some environments
Densely packed networking ports with limited cable management may confuse and sometimes obscure status indicators

SonicWALL E-Class NSA E5500

(Credit: SonicWALL)

It's disappointing to think this product will sit locked away in a rack hidden in an enterprise's datacentre; the E-Class product family is actually attractive. Sadly, the only people likely to bask in its beauty are engineers performing routine maintenance.

SonicWALL's heritage in information security systems delivers beauty with the brains to match. The device is housed in a silver 1RU chassis, which features a milled and brushed aluminium panel up front with eight network ports, one high availability port, a console port and two USB ports.

Also up front is a small LCD display, a reset switch and four status LEDs indicating, power, test, alarm and hard disk activity. Down each side are ventilation grilles, while at the rear is the power supply (using an IEC power cable), an expansion bay and two hot swappable fans.

SonicWALL's value proposition for the E5500 is reassembly free deep packet inspection. This (theoretically) translates to enabling unlimited file sizes and unlimited file concurrency, without any significant compromise in performance. SonicWALL uses multi-core technology, which maintains this performance. It also incorporates dynamic threat protection, which automatically updates, and learns and protects against new threats without administrator intervention.

Installation of the E5500 unit is straightforward, with local configuration done via a web browser. The GUI provides access for administrators to manage whatever features they require. Despite the complexity of this system the interface is easy to use and navigate.

The E5500 is the low-end unit of the E-Series. The E Series is, however, SonicWALL's flagship range and, even though the E5500 is an entry-level product, it is certainly no slouch.

SonicWALL is a vendor who may get lost in the crowd — unless you do your research. The information security industry is notorious for those happy to go out and spread fear, uncertainty and doubt around without taking into consideration what end users actually need. Setting SonicWALL apart is the fact that a security engineer can integrate a range of SonicWALL products into a cohesive solution — enabling SonicWALL customers to design, pick and mix solutions that fit their environment — without overkill. This enables an organisation to tailor its security solution to match their requirements and, most importantly, manage it all from a centralised console.

The administrative interface of the SonicWALL E5500 (Credit: SonicWALL)

With SonicWALL, it is not necessarily one single product that sets it apart but the sum of all its products.

A good example of SonicWALL's product range comes when considering price. Enterprise devices range from the NSA240 at AU$1899 through to the E7500 at AU$28,995. The E5500 as tested for this review came in at AU$10,495, which is very reasonable considering its application.

A 12-month hardware warranty and 90 days support is offered as standard. Support is packaged in its "Total Secure" option that includes hardware, all security services and support for one, two or three years. E-Class support includes dedicated level 3 support.

The bottom line The benefit of SonicWALL's sum of parts equation is alive and strong with the E-Class product. SonicWALL is one to consider if your information security environment does not conform to a standard, and at the end of the day, whose does?
Vendor SonicWALL
Price AU$10,495
Warranty & support NSA and NSA E-Class product lines: 90 days support (web/phone, firmware updates), 12 months hardware warranty as standard.
NSA E-Class support includes dedicated level 3 support.
One-, two- and three-year support options available.
Support is also included when purchasing a "Total Secure" package, which includes the hardware, all security services and support for one, two or three years.
The good Product heritage
Feature rich
Links easily with SonicWALL security product family
The bad Limited expansion
Two network ports only configurable for WAN failover/availability

WatchGuard Firebox X6500e UTM

(Credit: WatchGuard)

WatchGuard cannot be faulted for consistency. Over the past seven years Enex has tested numerous WatchGuard products, every one of them bright red. You just can't miss them in a datacentre. The last three iterations of WatchGuard's Firebox have been housed in uncannily similar chassis.

WatchGuard has also been consistent and retained its "golden screwdriver" approach to upgrades. Users are able to purchase upgrades via software "feature keys", unlocking additional functionality and performance already installed, without needing to upgrade any of the device hardware.

The Firebox X6500e is the middle child in the "Peak" family, sitting between the X5500e and the X8500e(-F) siblings. WatchGuard pitches this device at enterprises with 400-2000 users, touting a RRP price between AU$19,348 and AU$31,000 (dependent on functionality). The unit supplied to the lab retailed for AU$24,863.

Like most modern security appliances, WatchGuard's X6500e offers more functionality than just the humble firewall. As a unified threat management (UTM) device, it addresses a myriad of security threats including spyware, viruses, spam, blended threats, content filtering, web exploits, SQL injections, buffer overflows, DoS/DDoS and plenty more. The device is capable of an impressive range of functions.

Physically the X6500e incorporates eight 10/100/1000 network ports and a DB9M port for console access at the front of the unit, along with four additional status LEDs indicating power, storage, arm/disarm and expansion functions.

Both sides of the chassis feature good ventilation grilles with three decent fans operating at the rear of the unit. There are two user-accessible modular bays, a power switch and the power supply (using standard IEC cable) also at the rear. Surprisingly, however, the unit has no options for a redundant power supply. In a device such as this — aimed at the enterprise market (and considering the asking price) — it is something you should expect.

WatchGuard's claims about this product's top features include zero-day protection out of the box, and support for up to 2 gigabit per second firewall throughput. Firebox X Peak is built on application proxy firewall technology — reputed to be more secure than stateful packet filtering. WatchGuard also describes layers of anti-spyware to meet compliance standards and protect sensitive corporate data.

Networking is solid with the Firebox X6500e. Multi-gigabit firewall throughput and eight 10/100/1000 Ethernet ports support high-speed local area infrastructures and gigabit-wide area connections.

Another consistency in this product line, WatchGuard retains its WatchGuard System Manager (WSM) software in the Firebox X6500e. This application needs to be installed onto the administrator's machine before accessing the Firebox — a process that is not particularly user friendly. So while the X6500e is possibly more secure than other devices with an open web port on the internal network (allowing web-based configuration), it is still something that an administrator needs to learn and become confident with.

When a new Firebox is first commissioned the administrator must complete a complex process: initialising the device in a safe mode, running a set-up wizard from their administrative PC (including uploading the device's feature key into the system) and setting up initial and temporary networks and access passphrases. Only then can an administrator launch the WSM and access the device.

WSM is also able to act as a centralised system for multiple Firebox products. Once accessed WSM enables the administrator to perform key tasks, primarily connecting to and configuration of the device using the Fireware Policy Manager, but will also include accessing the monitoring system (known as Firebox System Manager). Although complicated, once comfortable with WatchGuard's management systems most engineers should be able to navigate easily.

Watchguard System Manager, Firebox System Manager, Firewall Policy Manager applications. (Credit: CBS Interactive)

WatchGuard's Firebox X6500e is a well-featured security appliance. It provides adequate levels of connectivity suitable for the majority of users. The feature key model is a great solution to provide easy feature upgrades. This offsets its relatively high initial price, and makes it suitable for enterprises expecting growth in the future.

Its warranty is provided via an annual renewal of WatchGuard's LiveSecurity subscription, which also includes an advanced hardware warranty. Product support methods are web and phone support from 8am to 8pm, Monday to Friday.

The bottom line If your enterprise is planning growth, then the simple feature key upgrades may offset the high initial cost of the product by saving you time and cost sourcing and replacing equipment.
Vendor WatchGuard
Price AU$24,863
Warranty & support Annual renewal of LiveSecurity Subscription, which includes advanced hardware warranty. Web and phone support from 8am to 8pm, Monday to Friday.
The good Consistent between revisions
Licence key model upgrades
Feature rich
The bad Relatively expensive
Complicated application-based configuration/administration/management
Limited support methods
No redundant power supply option

IBM ISS Proventia MFS MX3006

IBM ISS Proventia MFS MX3006 (Credit: IBM)

The IBM ISS Proventia MFS MX3006 has five siblings, starting with the MX0804 and ranging up to the MX5110. This is good as it means that organisations can deploy the smaller devices in the regional or branch offices and scale up to the larger models in head office datacentres and environments, and/or mix and match dependent on the applications and networks needing security without being stuck with a single product that may not fit the purpose or be overkill.

IBM describes this device as a multifunction security product, which is simply another term for unified threat management (UTM). A UTM device typically includes the convergence of a number of separate security technologies into one appliance. Fundamentally, this consists of a firewall and with additional functionalities, such as network intrusion detection, network intrusion prevention, antivirus, Virtual Private Network (VPN) or content filtering bundled into the device.

The MX3006 unit is housed by a well-constructed, compact, blue 1RU chassis. Its dimensions measure 355x430x40mm. Upfront are six RJ45 network ports, a power status LED, a DB9 pin male serial port for console connectivity, a two-line liquid crystal status/information display and four small buttons for navigation. These buttons are quite difficult to press as they are moulded into the same plastic that comprises the bezel. One assumes there are small micro-switches beneath with very little tactile feedback, as there is no audio feedback either to provide any indication that a button has been pressed.

Both sides and the rear of the device have good ventilation grilles. The rear of the unit has an IEC power connector, power switch, two USB ports, two internal expansion port access slots and four small fans, due to the size of these fans they operate at quite a high speed, which is very noisy. Some vendors integrate thermal sensors into their appliances enabling the fans to spin according to the device temperature and thereby reducing noise when they are at idle, the MX3006 doesn't appear to have this feature or it always runs hot and therefore noisy.

The integrated security features available for the MX3006 are: firewall, VPN, intrusion prevention, antivirus, anti-spyware, URL filtering and anti-spam.

IBM states that this product can detect and protect against over 7400 vulnerabilities straight out of the box, and that it has the world's largest content filtering databases, listing nine billion URLs. The antivirus component verifies against 340,000 known virus signatures. It also attempts to identify and block unknown viruses using behavioural analysis. Protection against spyware is covered by the analysis of output from several resources, including the intrusion protection system, the behavioural AV protection engine and the URL filter. IBM's biggest claim is that the device filters over 95 per cent of spam.

A key selling point for this unit is that it uses attack-based as well as vulnerability-based security intelligence from IBM's ISS X-Force research and development team (sounds like something from a movie!).

Access to the administration console can be gained in a number of ways, most commonly via a web interface. Set-up instructions provided with the device are very clear and concise. On start-up the LCD offers information as each service is started, providing clear guidance to the operator about the status of the device. The administrator is guided through a series of simple set-up procedures prior to launching the management console. Enex would go so far to suggest that the IBM ISS MX3006 device is the easiest integrated security device to set-up of any we have had through the lab.

This impressive level of user-friendliness continues with the management console. Also web-based, the management console resembles the traditional left-hand, menu-based system. Its home page contains a number of panels for at-a-glance monitoring of the various functions.

The Management Console of the MX3006. (Credit: CBS Interactive)

In summary, the IBM ISS Proventia Network Multifunction Security MX3006 is a very well refined, extremely easy to administer and manage integrated security device. It is perfectly suited to the medium-sized enterprise and has just the right number of features, without going overboard or trying to be everything to everyone. We would even go as far to say that this device would suit remote/regional branch office deployment of larger organisations needing a simple straightforward well-featured security device.

The included warranty is one year; this can be extended by paying a quite hefty annual maintenance fee, which is AU$4228.40 inc. GST. The price of the product itself, at AU$16,000, while not cheap, is acceptable considering the intended market, features and functionality.

The bottom line Easy to use, well-designed, great features without going over the top. If you are responsible for the security procurement for a medium-sized enterprise then definitely shortlist this one for evaluation in your environment.
Vendor IBM
Price AU$16,306.40
Warranty & support One year warranty and antivirus licence for up to 500 users (maximum recommended users for this device), can be extended by annual fee of AU$4228.40
24/7/365 telephone support
The good Very easy to set-up and manage
Good set of features without going over the top
One of a larger family of devices enabling scaling between offices/applications
The bad Relatively expensive
Buttons on front panel are hard to press
Quite noisy due to the small size of the exhaust fans
Annual maintenance fee is quite pricey


As is the case with any device modification, replacement or upgrade, the three key points to focus on prior to purchasing a security product are auditing, research and evaluation. In fact, this is particularly important for a network security product.

Strategic review audits need to be undertaken to ascertain the current position of your enterprise, particularly in relation to your existing security/network environment. Where possible, benchmarks and metrics should be developed and executed — this builds a scientific snapshot of your organisation. You can use this data to evaluate a proposed solution, enabling you to clearly see how and where it might improve on your existing system. This snapshot data can also be revisited once the new solution has been deployed to ensure that it remains stable as part of a regular maintenance cycle.

A risk audit is also very worthwhile. It will identify the location and value of any assets being protected by the solution and ensure that the system being implemented is of sufficient size and scale to appropriately cover the information being protected. There is no point in spending AU$100,000 on security to protect AU$5000 worth of data.

Research your requirements and engage with vendors as much as possible before going to a pilot. Use this review as a guide to narrow down the vendors offering the type of solution that may suit your enterprise. Once your pilot evaluation phase has commenced, it is worthwhile bringing in a third party to undertake testing of the security solution. This ensures that the product stands up to all of the claims made by its vendor and helps match the protection profile developed through your strategic and risk audits.

Involving a third party maintains the independence necessary to conduct a worthwhile evaluation. Internal security staff will often have a preference for a legacy system that they have experience with, or they may be too narrow in their testing, focusing on features they are familiar with or features they would like, rather than what is most appropriate or beneficial to your environment.

Avoid allowing the solution vendor to undertake testing regardless of how much they claim to be experts. Having an independent third-party means your risk is shared and minimised when making a procurement decision.

Ranking the units in this round-up is very difficult given the diversity presented. It is really a great sample of security devices; with prices ranging from AU$10,000 to over AU$40,000 and each has key advantages.

For its sheer ease of configuration and use, the IBM product rates highly. For a feature-packed family product-range the gong goes to SonicWALL, but you will need to ensure your security architects plan carefully. The Astaro and Juniper solutions are very well designed and nicely suited to the larger enterprise. For cost effective scalability in a business that is growing, WatchGuard's golden screwdriver software upgrade path is a likely choice.

Happy security procurement!