Shootout results: Best security tools for small business

Check Point comes out on top; Kerio, WatchGuard, Cyberoam and Sophos score high in review of unified threat management (UTM) devices

By David Strom, Network World
June 17, 2013 06:10 AM ET

If you run a small business, you have a lot of choices to protect your network. You can buy a consumer-grade router for less than $50, you can spend more than $4,000 for an enterprise firewall, or you can select something in between.

That’s where unified threat management (UTM) products fit. UTMs integrate five basic security features: firewall, IDS/IPS, anti-virus/anti-spam, VPN and outbound content filtering to prevent phishing and browser-based attacks. UTMs offer easy setup and they can support a 25-person small business for an average of around $1,500.

We tested eight devices: Check Point Software's 640, Dell/SonicWall's NSA 250MW, Cyberoam CR35iNG (which is now a separate company from Elitecore Technologies), Fortinet's FortiGate-100D, Juniper Networks' SRX220H-POE, Kerio Technologies' Control 1100, Sophos/Astaro's UTM 220, and WatchGuard Technolgies' XTM 330.

To continue reading, register here to become an Insider

It's FREE to join

Network World - If you run a small business, you have a lot of choices to protect your network. You can buy a consumer-grade router for less than $50, you can spend more than $4,000 for an enterprise firewall, or you can select something in between.

That’s where unified threat management (UTM) products fit. UTMs integrate five basic security features: firewall, IDS/IPS, anti-virus/anti-spam, VPN and outbound content filtering to prevent phishing and browser-based attacks. UTMs offer easy setup and they can support a 25-person small business for an average of around $1,500.

We tested eight devices: Check Point Software's 640, Dell/SonicWall's NSA 250MW, Cyberoam CR35iNG (which is now a separate company from Elitecore Technologies), Fortinet's FortiGate-100D, Juniper Networks' SRX220H-POE, Kerio Technologies' Control 1100, Sophos/Astaro's UTM 220, and WatchGuard Technolgies' XTM 330.

Here are our top-line findings:

• Check Point is our Clear Choice Test winner. The Check Point 640 UTM is the cheapest and most capable box -- two things that usually don’t go together -- and the most appropriate UTM device for the SMB marketplace. It has an appealing user interface, a lot of great security features, and is simple to manage and create new security rules. It also works well with mixed Mac/Windows networks.
• Kerio, WatchGuard, Cyberoam and Sophos were runners-up. All had solid protective features and were nearly as easy to manage as Check Point, but cost more. Dell, Juniper and Fortinet all had their issues, which we describe in the individual reviews.
• In addition to the five basic UTM features, all of the vendors have included extra functionality. For example, Dell/SonicWall and Check Point included a wireless access point inside the box. WatchGuard and Fortinet have management software that will work with their own external Wi-Fi access devices.
• Several units also include Web applications firewalls that can be used to selectively block particular applications from running on the internal network, while others include traffic or bandwidth management to eliminate network hogs or to at least clamp down on potential bandwidth abuses.
• Units from Check Point, Fortinet and Kerio can be used to connect to two different upstream Internet connections, such as a cable modem and a DSL link, for the ultimate in connection diversity on a budget. This provides failover in case one link goes down, or can be used for dynamic load balancing between the two connections. Dell/SonicWall can even support up to four connections.
• Several vendors have begun to incorporate various cloud-based services into their devices to offload some of the security processing tasks. For example, they can automate firmware and virus definition downloads, upload logs for more in-depth analysis, and handle anti-virus screening.
• Some boxes have only four gigabit Ethernet ports while others have more: if you don’t have a network switch but have lots of wired connections, you will need to weigh the purchase of a separate network switch vs. a bigger UTM box with the wired ports built in.
• In some cases, such as on Check Point’s or Juniper’s box, any port can be defined to any network: WAN, LAN, DMZ, or to a special restricted guest network. In others, such as Fortinet’s, you are limited in terms of what you can attach to each port. Some boxes, such as Kerio, Sophos and Check Point, have a simple “LAN Switch” setting so that anything you attach can be connected to anything else across a single flat network topology, which is probably the most common situation. This makes them easier to setup, and also easier to manage if you know ahead of time that you don’t have to worry about where you attach your cables.

Pricing and buying your UTM

The hardest part about choosing the right UTM box is figuring out its overall cost. Each vendor offers dozens of different sized boxes with a dizzying array of choices, licensing options and features. We asked each vendor to send us a typical box that might be used by a 25-person office, and some sent boxes with built-in or separately managed wireless access points.

Each box has a series of features that are separately licensed and a support contract is also purchased, typically for a year at a time. This means that getting a bottom-line price can be a chore. The range of prices for the first year of service on the units tested were $900 for Check Point to $2,900 for Fortinet.

The summary table below shows which additional features each product has, the number of different ports, scanners and filters are available, and which type of VPNs are supported by each box. (Watch a slideshow version of this test.)

Here are the individual reviews:

Check Point

Our winner is the Check Point 640. It was extremely easy to setup, had wizards that offered simple choices and defaults that just required a few buttons to click on before the box was up and running. And it was also the least expensive.

By default, it enables all of its ports on a single LAN switch, and you can set up multiple SSIDs for the wireless interface with just a single policy selection, which is the easiest of any of the boxes we tested.

One of the things that we liked is that Check Point has designed this box for the SMB market by navigating a nice balance between ease of use and yet still including powerful security features. In fact, the same software that runs on its enterprise UTMs is also running on the 640.

Unlike Juniper, Check Point doesn’t hide its advanced settings in a command-line interface. Instead, everything is accessible from the Web interface, which has the best-looking and clearest menus of any of the boxes we used. You can quickly view the active computers connected to the box, change the URL blocking dialog messages that pop up when your users try to surf to inappropriate sites, add protocols to the anti-virus scanner, and other commonly selected options.

If you need extra features, such as setting up a failover link to an ADSL modem or changing the priority of a particular security policy, it isn’t all that hard to find the right menu option to accomplish your task.

Like more advanced UTMs, you can do quick on-screen packet captures for particular interfaces, or create file-based Pcaps too.

The biggest downside for the Check Point is a serious firmware bug that prevented its wireless radio from being controlled properly. This was a function of a pre-release version that we were given for the test and was eventually resolved. Another issue: while the menus are clearly presented, there are some context changes on the left hand menu when you choose top menu tabs that can be somewhat annoying. Finally, while Check Point promises to have cloud-based tools to automate firmware downloads, upload logs and handle remote unit management, this wasn’t yet available in our test unit.