Symantec security gateways: Simple and reliable

Company’s 5600 series offers multifunction defense at an affordable price

Prices of multifunction security appliances have come down substantially in the past six months, and if you have not bought one yet you may want to take another look.

With that in mind, we decided to take a fresh look at one of the best known of these, an appliance in the Symantec Gateway Security 5600 Series. Symantec sent us a 5640. The top-of-the-line model has twice the capacity of this one, but we had no problems using it in a lab setting and in a medium-size, real-world network.

In our lab tests, we simulated a corporate intranet. We placed a Microsoft Windows XP workstation and a Windows 2003 server inside one of the 5640’s internal protected subnetworks. Outside this network we set up a Linux server loaded with the Nessus vulnerability scanner, with settings to attack the other machines.

Installing the Symantec appliance was exceptionally easy. We did initial configuration of IP addresses via a slick digital panel on the front of the appliance.

The series includes firewall, antivirus, antispam, virtual private network (VPN), intrusion detection and prevention, and content-filtering applications. In practice, the firewall component provided excellent protection against intrusion without affecting our network traffic. The unit can be configured to protect your network during a virus outbreak even before virus definitions are available. Our experiences with viruses have led us to prefer this approach, which uses pattern matching and behavior analysis to catch malicious software.

We configured the antivirus component to scan file transfer, Internet and e-mail traffic. When we used our Web browser to open the Symantec Gateway Security home page, we found several configuration wizards that eased administration of the device. The 5640 did a remarkable job of eliminating the need to look at the setup manual every time we wanted to implement a setting. The manual is helpful, but an experienced administrator will have no problem operating the device without it.

Jumping right in, we programmed a few rules to regulate Web, e-mail and FTP traffic, and set alerts to let us know when violations occurred. Before the test, we had placed a malicious executable program on Web and FTP servers outside the Symantec appliance. From the Windows server we attempted to retrieve the malicious executable software from the external servers, but to no avail. The Symantec unit blocked the malicious traffic and generated alerts.

To observe the appliance’s ability to regulate mail traffic, we attempted to check an e-mail account from a protected workstation. We verified that the legitimate messages could be downloaded, but messages with malicious attachments set off alarms. An added bonus of using the appliance’s integrated technology is that mail is scanned whether a mail protocol or Web mail is used.

Symantec’s intrusion-detection component uses signature-based detection, as it should. But it also applies a combination of traffic rate monitoring, protocol state tracking and IP packet reassembly techniques to detect intrusion attempts for which there are currently no signatures.

Before we ran our intrusion tests, we used the Web interface to configure a few rules for detecting suspicious traffic. We configured Nessus to apply all vulnerability tests and to probe all TCP ports. When the Nessus scans started, the Symantec unit dutifully blocked all of the suspicious behavior and notified us of the attacks.

Experience has taught us that the easier and more reliable it is to create a network traffic rule, the more likely people are to use it. This is the real value that the 5600 Series delivers: simplicity and reliability.

One of the features that sets the appliances apart is Symantec’s DeepSight Threat Management System. It monitors more than 20,000 intrusion-detection systems around the globe and uses expert analysis to detect trends and new threats.

Another feature that sets the Symantec series apart is the clientless VPN. Using this feature, we were able to access our corporate intranet server from a client PC without the headache of installing software on the client. Options include rules for allowing certain types of traffic, even as granular as permitting Microsoft Outlook traffic. With clientless VPN, authenticated users can have remote access to mail, shared network files, applications, intranets and Web-based applications from any location.

Symantec appliances also have a feature to prevent access to objectionable Web sites. It works by using a large blacklist and a scoring system — the Dynamic Document Review feature — to block Web sites based on numeric scores derived from keywords. For example, the word “breast” might raise the score for a site, but adding the word “cancer” might lower the score.
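To make the scoring idea concrete, here is an added illustration (not Symantec's code or its actual algorithm; the keyword weights, threshold and blacklist entries are constructed for this example) of how a keyword score with context terms that lower it can let a medical page through while still blocking a page that only stacks up objectionable terms:

```python
import re
from collections import Counter

# Constructed weights: the page only says keywords raise or lower a numeric
# score, so these values are illustrative, not the product's real ones.
RAISE_WEIGHTS = {"breast": 3, "nude": 4, "xxx": 5}
# Context terms that lower the score when they appear alongside a raising term.
LOWER_WEIGHTS = {"cancer": -3, "screening": -2, "mammogram": -3}
THRESHOLD = 4  # constructed: scores at or above this are blocked

BLACKLIST = {"blocked.example"}  # constructed placeholder blacklist


def score_page(text: str) -> int:
    """Sum keyword weights over the page text; every occurrence counts."""
    words = Counter(re.findall(r"[a-z]+", text.lower()))
    raise_score = sum(w * words[k] for k, w in RAISE_WEIGHTS.items())
    # Context terms only matter once something has raised the score, and
    # they can never push a page below zero.
    if raise_score == 0:
        return 0
    lower_score = sum(w * words[k] for k, w in LOWER_WEIGHTS.items())
    return max(0, raise_score + lower_score)


def decide(host: str, text: str) -> tuple[str, int]:
    """Cheap exact blacklist check first, then the keyword score."""
    if host in BLACKLIST:
        return "block", -1  # blacklisted hosts are blocked regardless of content
    s = score_page(text)
    return ("block" if s >= THRESHOLD else "allow"), s


# Constructed sample pages.
MEDICAL = "Breast cancer screening: when to schedule a mammogram"
ADULT = "xxx nude nude pictures"

if __name__ == "__main__":
    for host, text in [("health.example", MEDICAL), ("adult.example", ADULT)]:
        print(host, decide(host, text))
```

The medical page scores 0 because its context terms cancel the single raising keyword, whereas the second page has nothing to offset its score.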

As part of a layered security defense, the 5600 Series would be of value to practically any organization. It would be particularly beneficial in environments that currently use multiple systems for e-mail, Web and VPN functionality. Consolidating those functions will save administration resources while improving security. A Symantec appliance could also help an organization by pairing network-based restrictions with a tool such as Microsoft’s Active Directory to limit Internet access and protect against malicious code.

We give the Symantec appliance high marks, but it is just one of several excellent products on the market. A few months ago, the Astaro Security Gateway series from Astaro AG, whose products are based on open-source software, was not only competitive in features with the Symantec series but also had substantially lower prices. After recent reductions, the most price-conscious buyer will feel comfortable considering the Symantec appliances.

Evins and Greer are network security consultants. They can be reached at
