UTMs require routing for flexibility's sake

Dynamic routing is the kind of feature required of any UTM firewall as a means of providing deployment flexibility.

We tested the OSPF-routing capabilities of the UTM devices in order to simulate the kind of multiple-exit network (two Internet gateways) that might be common in a large network.

However, we do need to note that dynamic routing might also be useful on the inside of a multiple-zone firewall for a growing network as it picks up new subnets around the globe. VPNs, likewise, are perfect places for dynamic routing to be used. As a large VPN grows, the burden of managing the list of networks at each point in the VPN can be high, and dynamic routing combined with VPNs can help to maintain reachability information on what networks are connected without making every single device reconfigure its VPN each time the network changes. When VPNs are combined with dynamic routing, a tight integration among firewall policy, VPN rules and dynamic routing is required.

Two vendors stood out for making dynamic routing especially easy: Juniper, in both the ISG-1000 and the SSG-520, and Nokia, in the IP290 with Nokia's IPSO operating system and Check Point's VPN-1 firewall. While Juniper doesn't offer the full suite of routing capabilities available on its enterprise and carrier-class routers, the ScreenOS routing features, in combination with its virtual routers within the firewall and easily manageable configurations, will probably go well beyond what is needed in most UTM environments. Likewise, Nokia's IPSO platform has long had a very strong routing base that supports clustering and a broad range of protocols.

To stress the extended features in both Juniper and Nokia dynamic routing, we also added a Border Gateway Protocol session to our test devices and made sure that we could control the propagation of routes between OSPF and BGP.

Cisco, traditionally a routing giant, fell down in our evaluation because its ASA platform doesn't include all of the brainpower of its IOS code base. Although Cisco is pushing EIGRP (its proprietary and very popular dynamic-routing protocol) into Version 8 of the ASA software (which was released after we had completed testing), the capabilities of the ASA 5540 we tested don't live up to Cisco's routing strengths.

We gave passing marks for dynamic routing to the Astaro, FortiGate, Secure Computing and SonicWall UTM firewalls. All had working dynamic-routing code that was easy to configure and debug. With the Secure Computing Sidewinder configuration, you have to drop out of the GUI and work at the command line. However, the underlying open source Quagga routing code looks and behaves in a way that will be familiar to Cisco IOS-trained network managers - a big plus.

IBM/ISS' Proventia MX5010 also ships with Quagga, but with three differences: Only OSPF is supported, the debugging features that make Quagga easy to manage are disabled, and, in our testing, the dynamic routing didn't come up immediately after being enabled. With a considerable amount of fiddling with firewall rules to allow the OSPF updates to be accepted by the firewall, we were eventually able to make OSPF work.
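Controlling which routes cross between OSPF and BGP (the propagation test described above) and authenticating the OSPF updates a firewall accepts (the Proventia tuning just mentioned) are both expressed in Quagga as filters and interface settings. The fragments below are an added illustration written for this article, not configuration from any tested product; the addresses, AS numbers, interface names, prefix-list and route-map names, and the key value are all assumed placeholders.

```conf
! --- ospfd.conf: interior side ---
! Only accept OSPF updates carrying a valid MD5 digest on the inside interface.
interface eth1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER_KEY
!
router ospf
 ospf router-id 10.0.0.1
 network 10.0.0.0/16 area 0.0.0.0
 area 0.0.0.0 authentication message-digest
 ! Never form adjacencies on the outside interface.
 passive-interface eth0
 ! Leak BGP-learned routes into OSPF only through the route-map below.
 redistribute bgp route-map BGP-INTO-OSPF
!
! Only the partner's prefix learned via BGP is allowed into the interior.
ip prefix-list PARTNER-ROUTES seq 5 permit 192.0.2.0/24
route-map BGP-INTO-OSPF permit 10
 match ip address prefix-list PARTNER-ROUTES
!
! --- bgpd.conf: exterior side ---
router bgp 64512
 bgp router-id 10.0.0.1
 ! Advertise one aggregate instead of redistributing every OSPF route.
 network 10.0.0.0/16
 neighbor 203.0.113.1 remote-as 64513
 neighbor 203.0.113.1 prefix-list TO-UPSTREAM out
 neighbor 203.0.113.1 prefix-list FROM-UPSTREAM in
!
! Outbound: second guard so nothing but the aggregate ever leaves.
ip prefix-list TO-UPSTREAM seq 5 permit 10.0.0.0/16
! Inbound: reject anything claiming our interior space, accept the rest up to /24.
ip prefix-list FROM-UPSTREAM seq 5 deny 10.0.0.0/8 le 32
ip prefix-list FROM-UPSTREAM seq 10 permit 0.0.0.0/0 le 24
```

After loading, `show ip ospf route` and `show ip bgp neighbors 203.0.113.1 advertised-routes` in vtysh confirm that only the filtered prefixes crossed in each direction.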

The weakest dynamic routing came from Check Point's Secure Platform (used on Check Point's own UTM-1 2050 and on Crossbeam's C25 hardware), which incorporates NextHop's dynamic-routing engine. While the engine worked great and is very advanced in its capabilities, Check Point's documentation, user interface and debugging capabilities make diving into dynamic routing an exercise in frustration. In addition, Check Point includes dynamic routing only in its Secure Platform Pro version of the Secure Platform operating system, which is licensed separately and at additional cost. If you want to use dynamic routing and Check Point firewalls, our advice is to stick with Nokia IPSO platforms, which include similar capabilities, a great user interface and debugging, cluster support, and no extra license fee.

We also had to give low marks to WatchGuard's Firebox X8500e, which has a configuration system similar to Check Point's. However, in our testing, dynamic routing is not allowed within a high-availability configuration. Because we think that high availability will be integral to any enterprise firewall, whether UTM or not, this effectively means that WatchGuard doesn't support dynamic routing in the enterprise.

Joel Snyder

Network World