AV's place is not in the all-in-one security box

Tests indicate antivirus is a UTM performance drain

There is no real agreement about whether antivirus software is required in or even a good idea for an enterprise-class firewall.

Some consider antivirus protection irrelevant in a unified threat management (UTM) firewall deployment, because a desktop antivirus application and an e-mail security appliance are already doing a good job of scanning for viruses. Others consider having antivirus sit inside the UTM a huge bonus, because they want every possible "defense-in-depth" feature to block viruses at other places on the network.

The former attitude proved the most defensible one based on our testing. Not only did we see incredible performance problems when antivirus scanning was included in the UTM mix, but we also found that these firewalls don't do a very good job of finding viruses in any event.

Most UTMs we tested can scan only for particular applications on known ports. We tested three applications (SMTP, FTP and HTTP) on four ports, and the nonstandard port wasn't seen by most products; SonicWall and WatchGuard were the exceptions, and the WatchGuard proxy can't scan FTP. Even if you run only known applications on known ports, our tests show that half of the firewalls will miss a significant number of viruses.

We ran into flawed implementations, bugs, and hidden features that had to be enabled to make antivirus scanning work properly.

We started our testing knowing that most vendors feel that UTM-based antivirus scanning is useful in the small-to-midsize business sector, but not necessarily in gigabit-speed enterprise firewall deployments. Exactly where antivirus stops being useful is not clear.

We discovered quickly that few of these participating vendors take antivirus software seriously. Some don't even include it in their high-end boxes. For example, Juniper Networks' ISG-1000 makes you pick between virus and intrusion-prevention protection. The Cisco ASA5540 doesn't give you any antivirus-management options.

Some vendors do give antivirus a fighting chance, though. Secure Computing's Sidewinder gives network managers tight control of antivirus scanning parameters. For every rule that allows traffic through the firewall using the HTTP, FTP and SMTP protocols it supports, you can specify what to scan, and which Multipurpose Internet Mail Extensions (MIME) types to scan.

The Sidewinder got a perfect score in blocking all our FTP, SMTP and HTTP viruses. However, when we tried to send viruses through the firewall using a nonstandard HTTP port, the Sidewinder missed them all. That scanning comes at a moderate performance cost, though, with antivirus scanning dropping the throughput of the Sidewinder 2150D by about 50%.

Sidewinder fans might protest this as an unfair test, because we had to create an "un-Sidewinder-like" policy to allow traffic out on nonstandard ports. Maybe so, but the bottom line is that you can't cover all traffic with virus protection unless you know about it ahead of time.
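The coverage gap described above is easy to audit on your own traffic. The following is an added example, not code from the article or from any vendor: it compares a port-bound scan policy (the kind most of these UTMs implement) with crude payload-based protocol identification over a handful of constructed flows, and reports which scannable flows the port-bound policy would pass through unscanned. The port table and the signatures are assumptions for illustration.

```python
"""Audit helper: which flows would a port-bound UTM antivirus policy actually scan?"""
import re
from dataclasses import dataclass

# Assumed ports on which a UTM's HTTP/FTP/SMTP proxies listen by default.
STANDARD_PORTS = {"HTTP": {80}, "FTP": {21}, "SMTP": {25}}

# Crude signatures for the first bytes of each protocol (client request or server banner).
SIGNATURES = {
    "HTTP": re.compile(rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n"),
    "SMTP": re.compile(rb"^220[ -].*\bE?SMTP\b", re.I),  # SMTP greeting banner
    "FTP": re.compile(rb"^220[ -].*FTP", re.I),          # FTP greeting banner
}


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes seen on the stream


# Constructed sample: one flow per protocol on its usual port, two on nonstandard ports,
# and one TLS flow that none of the scanners in the article can inspect anyway.
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Flow(8081, b"GET /update.exe HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
    Flow(21, b"220 ProFTPD Server ready.\r\n"),
    Flow(2525, b"220 mail.example ESMTP Postfix\r\n"),
    Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


def classify_by_port(flow: Flow):
    """What a port-bound policy believes the flow is (None = not proxied, not scanned)."""
    return next((p for p, ports in STANDARD_PORTS.items() if flow.dst_port in ports), None)


def classify_by_content(flow: Flow):
    """What the payload says the flow is, regardless of port (None = unrecognised)."""
    return next((p for p, sig in SIGNATURES.items() if sig.match(flow.payload)), None)


def unscanned_flows(flows):
    """Flows carrying a scannable protocol that the port-bound policy would pass unscanned."""
    return [f for f in flows if classify_by_port(f) is None and classify_by_content(f)]


if __name__ == "__main__":
    for f in unscanned_flows(SAMPLE_FLOWS):
        print(f"port {f.dst_port}: {classify_by_content(f)} traffic, not covered by scan policy")
```

Run it against flows exported from your own firewall logs to see how much scannable traffic sits outside the proxied ports before deciding whether UTM antivirus buys you anything.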

When we tried to configure SMTP scanning, we discovered why Secure Computing added to its portfolio Ironmail, an antispam-antivirus messaging-security gateway. Although Sidewinder is sold as an appliance firewall, there are multiple dead ends, where the firewall ends and you're suddenly managing a Unix system. E-mail is one of those. If you want to scan e-mail for viruses, you have to configure Sendmail on the Sidewinder. You're limited in what direction you can scan e-mail. In addition, performance was miserable across SMTP, with the antivirus scanner taking 64 seconds to handle 20 e-mails.

Fortinet certainly knows how to set up antivirus scanning. Every rule passing traffic through the FortiGate 3600A firewall can call for a protection profile that enables antivirus scanning. In addition, the FortiGate box supports a wide number of protocols, adding messaging and Network News Transfer Protocol to standard mail (SMTP, POP, IMAP), Web and FTP protocols. FortiGate's logs were complete, and the performance was incredible, scanning at 500Mbps.

Unfortunately, the FortiGate 3600A initially caught only 60% of the viruses we sent through it. It also had an annoying configuration that had the box pass on virus-containing e-mail after it had stripped away the virus. Because most viruses are not attached to legitimate e-mails, sending through junk mail without a virus is no longer a best practice in enterprise e-mail management. We were disappointed there was no way just to tell a system to scan all traffic on all ports. If there's any product in this entire test that might be used for enterprise-speed antivirus scanning, FortiGate was it, except that you can't scan all traffic on all ports.


Joel Snyder

Network World