| UTM Device | External Tests | Internal Tests | Custom Outbound Firewall Policy Rule Sets |
|---|---|---|---|
| Astaro Security Gateway 120 | Port 4444 open | 53 and 4444 open | HTTP traffic allowed, SSH traffic blocked as expected. |
| Check Point Safe@Office 1000N | Zero ports found open | 22, 53, 80, 443 and 981 | HTTP traffic allowed, SSH traffic blocked as expected. |
| Netgear ProSecure UTM 50 | Port 443 open | 21, 80 and 443 open | HTTP traffic allowed, SSH traffic blocked as expected. |
| SonicWall NSA240 | Zero ports found open | 22, 80 and 443 open | HTTP traffic allowed, SSH traffic blocked as expected. |
| WatchGuard XTM 810 | Zero ports found open | 4117, 4118 and 8080 open | HTTP traffic allowed, SSH traffic blocked as expected. |
In an ideal world we would expect every UTM device to have zero ports (and so no internal services) detectable via the internet. But as the results table shows, only three of the five appliances achieved this: WatchGuard, SonicWall and Check Point all returned good results.
Astaro’s and Netgear’s products didn’t quite manage this goal, but each device exposed only a single port, and both vendors’ reasoning is sound: the ports were available for remote administration. Additionally, each of the vendors had put security controls in place to help prevent unauthorised access to devices through these exposed ports. Netgear’s ProSecure UTM 50 does not allow remote users to authenticate with the device from the WAN unless specified by the LAN-based administrator. Astaro’s Security Gateway 120 employs its 'block password guessing' feature, which deters unwanted brute force attacks by blacklisting IP addresses after three failed authentication attempts.
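The 'block password guessing' behaviour described above, sketched as an added example (not Astaro's code and not part of the original review). The three-attempt threshold comes from the article; the five-minute counting window, the ten-minute block duration, clearing the counter on success and the sample events are assumptions.

```python
from collections import defaultdict, deque

THRESHOLD = 3   # from the article: blacklist after three failed attempts
WINDOW_S = 300  # assumption: only failures within 5 minutes are counted
BLOCK_S = 600   # assumption: a blacklist entry lasts 10 minutes


class GuessBlocker:
    def __init__(self, threshold=THRESHOLD, window=WINDOW_S, block=BLOCK_S):
        self.threshold, self.window, self.block = threshold, window, block
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the blacklist entry expires

    def observe(self, ts, ip, ok):
        """Process one login event and return what happened to it."""
        if self.blocked_until.get(ip, 0) > ts:
            return "dropped"                # blacklisted: never reaches authentication
        if ok:
            self.failures.pop(ip, None)     # a successful login clears the counter
            return "accepted"
        recent = self.failures[ip]
        recent.append(ts)
        while ts - recent[0] > self.window: # age out failures older than the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked_until[ip] = ts + self.block
            del self.failures[ip]
            return "blacklisted"
        return "failed"


# Constructed sample events (documentation IP ranges): (seconds, source IP, login ok?)
EVENTS = [
    (0, "203.0.113.7", False),
    (5, "203.0.113.7", False),
    (9, "198.51.100.4", False),   # administrator mistypes once
    (12, "203.0.113.7", False),   # third failure inside the window
    (15, "203.0.113.7", True),    # even a correct password is dropped while blacklisted
    (20, "198.51.100.4", True),   # administrator gets in, counter cleared
    (700, "203.0.113.7", False),  # blacklist entry expired, counting starts again
]


def replay(events):
    blocker = GuessBlocker()
    return [(ip, blocker.observe(ts, ip, ok)) for ts, ip, ok in events]


if __name__ == "__main__":
    for ip, outcome in replay(EVENTS):
        print(f"{ip:15} {outcome}")
```

Because the counter is keyed on source IP, administrators who share one address behind NAT also share one counter, which is worth considering when a management port is reachable from the WAN.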
Generally, we'd expect to find some standard ports open by default because devices would be unusable without some basic access to begin with. In terms of the customised outbound firewall policy rules we evaluated, each device fully complied with the rules we modified. For example, we internally blocked the SSH protocol on port 22 and allowed HTTP traffic requests on port 80 without issues.