URL filtering has become a "checkbox" feature on most Unified Threat Management firewalls, and no wonder: it doesn't require a lot of imagination to do it right, and it's hard to really differentiate yourself or do a bad job of it.
Three of the vendors tested -- SonicWall, Fortinet , and Barracuda -- had nearly identical interfaces to define URL filtering policy. There are some minor differences — for example, Fortinet had a cute feature that would limit the amount of time you could spend on a category ("you can look at Sports pages, but only for 5 minutes"), but generally there was little difference.
Next-gen firewalls: Off to a good start
The Barracuda NG Firewall had one major flaw, to be fixed in Version 5.4, which required us to set up separate and independent policies for the HTTP and HTTPS proxies, doubling the time to maintain the policy and increasing the chance of human error.
Check Point takes a very different approach by integrating URL filtering with application identification and control into a single policy. Check Point's combination of the two tools is a better way of building a next generation firewall. URL filtering and application controls are closely related and overlap in many ways.
For example, blocking access to external webmail servers can use both application identification, to find private webmail servers, and URL filtering, to find public webmail servers. Combining the two techniques is better than using just one.
Our anti-malware testing really highlighted differences between the products and their approaches to scanning for viruses across broad categories of traffic. The two stars of the show here were Fortinet, for having the best anti-virus engine, and SonicWall, for having the best coverage across different types of traffic.
Both Check Point Security Gateway and Barracuda NG Firewall did poorly at the task of finding viruses across many different applications, although Check Point Security Gateway did include a new anti-bot detection system.
We tested using a small handful of recent viruses that we found in the wild just before our testing started. Each of the products had plenty of time -- over two weeks -- to update their signatures to catch the viruses we used. FortiGate caught 100% of the viruses we threw at it. Next in line was SonicOS, which caught 100% of the viruses when we sent them over HTTP and HTTPS protocols, but slightly less when we used FTP, IMAP, and SMTP. Check Point Security Gateway and Barracuda NG Firewall caught fewer viruses in our small sample (80% and 90%, respectively).
The more important result was coverage across various protocols, and this is where SonicWall shined. Only SonicWall managed to find viruses no matter where we hid them. In configuring SonicWall to catch malware, you don't list specific ports, but applications running on top of those ports: HTTP, FTP, IMAP, SMTP, POP3, CIFS (Microsoft file sharing), and "everything else." When we sent viruses using common protocols through the firewall, the anti-malware engine inspected the traffic. It didn't catch each virus in each scenario, but there were no gaping holes where inspection didn't activate at all.
The FortiGate anti-malware engine works great, but would only inspect traffic on ports we explicitly listed. This means that a web server on a common port, say port 80 or 443, would be inspected just fine. However, if someone on the Internet had a web server with some malware on a non-standard port, such as 81, then the FortiGate wouldn't catch it. Your alternatives are to block non-standard ports — a sure recipe to unhappy users and a poor workaround — or to have a hole in your security coverage.
The Check Point Security Gateway was undergoing rapid change in the area of anti-malware when we tested it, and so our results may not be representative of the final status when version R75.40 of the software is finally released. Check Point told us that it was working with its anti-malware engine supplier to achieve higher catch rates, but that some of our test scenarios, such as IMAP and SMTP over TLS, would not be supported even in the final release.
One of the anti-malware features Check Point offered that we didn't see in the other products was anti-bot protections. If anti-malware works to prevent infections, Check Point's anti-bot protection is designed to catch post-infection behaviors such as command-and-control channels and attempts to spread the infection or send spam. We didn't test the anti-bot protections, since none of the other vendors offered this feature.
We had a more difficult time testing the Barracuda NG Firewall's anti-malware features because the NG Firewall uses proxies to handle virus scanning. Barracuda told us that many of the issues we saw in this part of our testing will be resolved in their upcoming v5.4 release.
In the case of HTTP traffic, the NG Firewall transparently intercepts the traffic as long as it's on a standard port (sending viruses through HTTP on a non-standard port didn't activate the proxy). For HTTPS traffic, the NG firewall must be manually configured as a secure proxy — unlike the rest of the products we tested — so we had to change our testing methodology just to get the firewall to scan the HTTPS traffic.
We ran into different issues trying to get the Barracuda NG Firewall to scan mail traffic. This only works if the firewall is used as a mail gateway. When we passed mail through the NG Firewall without using the mail gateway, and lost all capability to scan for malware.
When it comes to picking the best anti-malware, we found strengths and weaknesses in all of the products. Certainly SonicWall and Fortinet turned in the best results in our filtering, but we think that the Check Point Security Gateway's anti-bot feature and unified URL filtering and application control features gives it a slight advantage, even if doesn't have the best anti-malware engine. The problems that came up in testing the Barracuda NG Firewall may be resolved in the next version of the product, but for now they cause us to rank the product below the competition.
Read more about wide area network in Network World's Wide Area Network section.