Symantec security gateways: Simple and reliable

The company’s 5600 series offers multifunction defense at an affordable price.

Prices of multifunction security appliances have come down substantially in the past six months, and if you have not bought one yet you may want to take another look.

With that in mind, we decided to take a fresh look at one of the best known of these, an appliance in the Symantec Gateway Security 5600 Series. Symantec sent us a 5640. The top-of-the-line model has twice the capacity of this one, but we had no problems using it in a lab setting and in a medium-size, real-world network.

In our lab tests, we simulated a corporate intranet. We placed a Microsoft Windows XP workstation and a Windows 2003 server inside one of the 5640’s internal protected subnetworks. Outside this network we set up a Linux server loaded with the Nessus (www.nessus.org) vulnerability scanner with settings to attack the other machines.

Installing the Symantec appliance was exceptionally easy. We did initial configuration of IP addresses via a slick digital panel on the front of the appliance.

The series includes firewall, antivirus, antispam, virtual private network (VPN), intrusion detection and prevention, and content-filtering applications. In practice, the firewall component provided excellent protection against intrusion without affecting our network traffic. The unit can be configured to protect your network during a virus outbreak even before virus definitions are available. Our experiences with viruses have led us to prefer this approach, which uses pattern matching and behavior analysis to catch malicious software.

We configured the antivirus component to scan file transfer, Internet and e-mail traffic. When we used our Web browser to open the Symantec Gateway Security home page, we found several configuration wizards that eased administration of the device. The 5640 did a remarkable job of eliminating the need to look at the setup manual every time we wanted to implement a setting. The manual is helpful, but an experienced administrator will have no problem operating the device without it.

Jumping right in, we programmed a few rules to regulate Web, e-mail and FTP traffic, and set alerts to let us know when violations occurred. Before the test, we had placed a malicious executable program on Web and FTP servers outside the Symantec appliance. From the Windows server we attempted to retrieve the malicious executable software from the external servers, but to no avail. The Symantec unit blocked the malicious traffic and generated alerts.

To observe the appliance’s ability to regulate mail traffic, we attempted to check an e-mail account from a protected workstation. We verified that the legitimate messages could be downloaded, but messages with malicious attachments set off alarms. An added bonus of using the appliance’s integrated technology is that mail is scanned whether a mail protocol or Web mail is used.

Symantec’s intrusion-detection component uses signature-based detection, as it should. But it also applies a combination of traffic rate monitoring, protocol state tracking and IP packet reassembly techniques to detect intrusion attempts for which there are currently no signatures.

Before we ran our intrusion tests, we used the Web interface to configure a few rules for detecting suspicious traffic. We configured Nessus to apply all vulnerability tests and to probe all TCP ports. When the Nessus scans started, the Symantec unit dutifully blocked all of the suspicious behavior and notified us of the attacks.
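The traffic-rate monitoring mentioned above is the part of a signature-less detector that is easiest to show in code. The following is an added example, not the appliance's own logic: it parses a few constructed connection-log lines (the line format is invented for this example) and flags any source that touches an unusually large number of distinct destination ports inside a short time window, which is how the Nessus port probes in our test would look to a rate monitor. The window and threshold values are assumptions chosen for the sample data.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: "epoch_seconds src dst:port proto". Not the 5640's log format.
SAMPLE_LOG = """\
1000 10.0.0.5 192.168.1.10:22 TCP
1000 10.0.0.5 192.168.1.10:23 TCP
1001 10.0.0.5 192.168.1.10:25 TCP
1001 10.0.0.5 192.168.1.10:80 TCP
1002 10.0.0.5 192.168.1.10:110 TCP
1002 10.0.0.5 192.168.1.10:443 TCP
1003 10.0.0.5 192.168.1.10:445 TCP
1003 10.0.0.5 192.168.1.10:3389 TCP
1005 10.0.0.7 192.168.1.10:80 TCP
1006 10.0.0.7 192.168.1.10:80 TCP
1007 10.0.0.7 192.168.1.10:443 TCP
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (\S+)$")


def parse_log(text: str) -> List[dict]:
    """Turn log lines into event dicts; silently skips lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, proto = m.groups()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "port": int(port), "proto": proto})
    return events


def find_scanners(events: List[dict], window: int = 5,
                  port_threshold: int = 6) -> Dict[str, int]:
    """Rate monitor: flag a source when it reaches `port_threshold` distinct
    destination (host, port) pairs within any `window`-second span.
    Returns {source_ip: timestamp_of_first_alert}. Window/threshold are assumed values."""
    recent: Dict[str, List[Tuple[int, str, int]]] = defaultdict(list)
    alerts: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        recent[src].append((ev["ts"], ev["dst"], ev["port"]))
        # Keep only entries that fall inside the sliding window ending at this event.
        recent[src] = [e for e in recent[src] if e[0] > ev["ts"] - window]
        distinct_targets = {(d, p) for _, d, p in recent[src]}
        if len(distinct_targets) >= port_threshold and src not in alerts:
            alerts[src] = ev["ts"]
    return alerts


def scan_alerts_from_log(text: str) -> Dict[str, int]:
    return find_scanners(parse_log(text))


if __name__ == "__main__":
    for src, ts in scan_alerts_from_log(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached port-scan threshold at t={ts}")
```

The second source (10.0.0.7) repeatedly hits the same two ports and is never flagged, which is the behavior you want from a rate monitor: it reacts to breadth across ports, not to volume on one legitimate service. In a real deployment the threshold would be tuned against the monitoring and backup hosts that legitimately touch many ports.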

Experience has taught us that the easier and more reliable it is to create a network traffic rule, the more likely people are to use it. This is the real value that the 5600 Series delivers: simplicity and reliability.

One of the features that sets the appliances apart is Symantec’s DeepSight Threat Management System. It monitors more than 20,000 intrusion-detection systems around the globe and uses expert analysis to detect trends and new threats.

Another feature that sets the Symantec series apart is the clientless VPN. Using this feature, we were able to access our corporate intranet server from a client PC without the headache of installing software on the client. Options include rules for allowing certain types of traffic, even as granular as permitting Microsoft Outlook traffic. With clientless VPN, authenticated users can have remote access to mail, shared network files, applications, intranets and Web-based applications from any location.

Symantec appliances also have a feature to prevent access to objectionable Web sites. It works by using a large blacklist and a scoring system — the Dynamic Document Review feature — to block Web sites based on numeric scores derived from keywords. For example, the word “breast” might raise the score for a site, but adding the word “cancer” might lower the score.
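To make the scoring idea concrete, here is an added example of a keyword-weighted content filter; it is not Symantec's Dynamic Document Review code, and the word weights, block threshold and blacklisted hostname are constructed for illustration. Positive weights raise a page's score, negative weights lower it, and the page is blocked either because its host is on the blacklist or because its score crosses the threshold.

```python
import re
from typing import Dict, Set

# Constructed weights: a term on its own may raise the score, while a
# contextual term lowers it, mirroring the "breast" / "cancer" illustration.
KEYWORD_WEIGHTS: Dict[str, int] = {
    "breast": 5,
    "cancer": -4,
    "mammogram": -4,
    "casino": 6,
    "jackpot": 4,
}
BLOCK_THRESHOLD = 5                      # assumed value
BLACKLIST: Set[str] = {"blocked.example"}  # constructed hostname


def score_document(text: str) -> int:
    """Sum the weights of every known keyword occurrence in the document text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return sum(KEYWORD_WEIGHTS.get(w, 0) for w in words)


def classify(host: str, text: str) -> str:
    """Return 'block:blacklist', 'block:score' or 'allow' for a fetched page."""
    if host.lower() in BLACKLIST:
        return "block:blacklist"
    if score_document(text) >= BLOCK_THRESHOLD:
        return "block:score"
    return "allow"


if __name__ == "__main__":
    samples = {
        "health.example": "Breast cancer screening and mammogram guidelines",
        "fun.example": "Online casino jackpot tonight",
        "blocked.example": "Nothing objectionable here",
    }
    for host, body in samples.items():
        print(f"{host}: score={score_document(body)} -> {classify(host, body)}")
```

Note the caveat built into any scheme like this: a page that repeats a positive-weight word many times accumulates score linearly, while a page that wraps the same words in enough benign context can pull its score under the threshold, so a keyword scorer is best treated as one signal that complements the blacklist rather than a replacement for it.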

As part of a layered security defense, the 5600 Series would be of value to practically any organization. It would be particularly beneficial in environments that currently use multiple systems for e-mail, Web and VPN functionality. Consolidating those functions will save administration resources while improving security. A Symantec appliance could also help an organization by pairing network-based restrictions with a tool such as Microsoft’s Active Directory to limit Internet access and protect against malicious code.

We give the Symantec appliance high marks, but it is just one of several excellent products on the market. A few months ago, the Astaro Security Gateway series from Astaro AG, whose products are based on open-source software, was not only competitive in features with the Symantec series but also had substantially lower prices. After recent reductions, the most price-conscious buyer will feel comfortable considering the Symantec appliances.

Evins and Greer are network security consultants. They can be reached at egreer@thecourageequation.com.
