NETGEAR UTM50 review

In large organizations, information security is paid more attention than the protection of the office itself, and the cost of network security can easily exceed the budget for upgrading the network infrastructure. And if your goal is to protect your office computers from spam, viruses, Trojans, and other malware, then don't expect that you will be able to get off with a little blood or install a single program and report on the result. Of course, you can switch all working machines to Linux clients, but we understand that this is probably an exception to the rule. The simplest solution used today is to install antivirus SOFTWARE locally on client machines, constantly update the operating system and virus signatures, and constantly remind you not to open unfamiliar files in mail.

However, even if your mail server is protected from intrusions, using your personal mail on mail.ru it will negate all the efforts of the sysadmin. And without it. as they say, now it's nowhere.

Modern technologies allow you to create fast enough processors that can analyze network traffic in real time at the packet and application level and using signature databases, identify and block malicious fragments. Imagine-you consolidate network security in a single device that is responsible for both VPN access and distribution of virtual VLANs, and provides fault-tolerant Internet access by switching one of the two channels. And most importantly , the same device has a built-in Firewall, antivirus, spam filter, and Web filter. Do you think it will slow down? NETGEAR States that their UTM (Universal Threat Management) series has antivirus throughput of up to 130 Mbit/s, and SPI of up to 900 Mbit / s in the UTM150 model. We were given the UTM50 model for testing, the second from the top in the company's model range. It is designed for medium-sized companies with fewer than 100 employees and supports all the same functions as the top one.

NetGear UTM50

In General, there are 5 models in the NETGEAR UTM model range today: UTM5, UTM10, UTM25, UTM50 and UTM150. The number in the name indicates the number of supported VPN tunnels. The first two SOHO-class models are designed for small offices, these devices support one WAN port, have antivirus scanning performance at 15 and 20 Mbit/s, and support up to 5 VPN tunnels (up to 2 SSL VPNs). For a small office , this is the best option, given the wild prices for high-speed Internet access.

Starting with UTM25, you get support for 2 WAN ports with load balancing, and from UTM50 you will get performance at the level of branches of large companies. Please note that the manufacturer has combined devices for both SOHO and Enterprise in one line. And since the implementation of software functions in the entire series is the same and the same signature databases are used, small companies can count on the attention of the Enterprise class from the manufacturer.

But no matter how fast the processor is, the traditional sequential filtering algorithm will kill all performance, because each packet must first pass through the ACL filter, and then through the antivirus, and the more filtering steps you set, the more delays there will be. In normal life, this will lead to the fact that even local traffic will turn from Gigabit to 50-megabit. However, NETGEAR specialists have applied streaming scanning technology, in which the gateway does not wait for the full packet to be accepted, but starts scanning it after the transmission starts and immediately sends it to the network. The benefits of this algorithm are clearly shown in the diagram below.

In many ways, this makes it possible to integrate the gateway into the network without compromising the performance of the infrastructure, no matter what applications you use-from the Bank client to database replication. Let all traffic go through NETGEAR UTM, regardless of protocols and ports.

What else can surprise this security gateway? The scourge of the modern Internet is spam, distracting from morning to night. NETGEAR UTM uses distributed incoming mail analysis technology. The gateway uses some semblance of blacklists and signatures from more than 50 million sources and requires no training time. However, it is not clear how to train the gateway yourself in order to unsubscribe, for example, from the annoying mailing list of Chinese partners or some mail list that is spam only for you.

Naturally, such an attack as malware (Trojans and other Malware), which are often missed even by the newest viruses, should not bother the office, which is protected by NETGEAR UTM. The manufacturer claims a signature database containing over 1 million malware updates every 15 minutes, with heuristic analysis that provides protection against emerging threats (Zero-Hour Protection). Again, NETGEAR emphasizes performance that is 400 times faster than the scanning speed of well-known antivirus and all-in-one programs. However, in fact, such a vague wording does not mean much. After all, for example, Kaspersky anti-virus constantly increases its performance, but both slowed down and slows down.

The next attack that NETGEAR is fighting is instant messaging clients and P2P programs. If you want to ban ICQ, Skype, and torrents , you just need to close the corresponding services. In fairness, these features are available even in modern home routers of the middle class. But "ICQ" and "Skype" in them is not so easy to close, especially QIP. Here is the analysis of the package on the L5-L6 seven-level OSI model.

Web site classifier, antivirus, spam filter and Firewall-these are the pillars of network security for both the home user and a large Corporation, and much more important - how this functionality is implemented in software and hardware.

UTM construction

NETGEAR UTM is made in a 1U enclosure designed for installation in telecommunications overhead cabinets. The lower versions are 21 centimeters deep, while the UTM25 and UTM50 are 25.3 cm. NETGEAR UTM5, UTM10 and UTM25 are only 33 cm wide, which allows you to simply install them on a nightstand in the office or attach them to a Cabinet or rack using the supplied mounts.

Netgear UTM50

Traditionally, the power cable is connected from the back, and the network and USB ports are connected from the front. The LAN and WAN ports are logically separated on the enclosure and have a simple activity indication.

Rear side

There are not enough WAN ports-only 2, and although you don't need more to reserve Internet access, some models have 4 WAN ports. But there are as many as 6 LAN ports, which means that you will have more options for configuring the intra-office network.

A single USB port is installed on the front side, but there is no information about USB applications in the characteristics of the NETGEAR UTM50, so in order to understand why it is needed, you will have to dig into the settings.

Mother Board Netgear UTM50

In its internal design, the NETGEAR UTM50 is more similar to routers and switches than to an application server, although in fact it has absorbed both. The abundance of free space in the case is depressing, but what can you do, because the 1U case, in which the top model of the gateway is executed, should be installed in the case without any adapters, like the younger models in the series. This is pure marketing, but in such a case, the electronics will not overheat, which means that the UTM50 will work silently, and if the fan breaks, it will not hang.

Mother Board Netgear UTM50

Interestingly, a 2 GB Apacer flash card is used to store virus signatures. The Board shows markings for an unspecified SODIMM slot, and it is possible that future models will use more RAM. But here so installed 1 GB of DDR2, typed 8 chips Samsung k4t1g164qe-hce6.

CPU of Netgear UTM50

The heart of the device is a 2-core 64-bit MIPS Octeon CN5020 processor from Cavium Networks with a frequency of 700 MHz. Given the RISC architecture of the processor, you can expect very high performance from it, especially in pipelined operations, such as checking packets transmitted to the network.

Web-interface

Well, it's time to look at the network security gateway settings, because we haven't configured this type of device yet. The interface is complex and confusing, so it's hard to remember where and what setting was located.

Interface

When you go to the admin menu, you get to the status screen page, which shows the main vital parameters of the device: the number of different connections, memory and processor usage, as well as the current versions of signatures and licenses. Thus, a single glance will be enough to understand whether the malware and spam databases have been updated, whether the gateway is functioning normally, whether an attack is underway, and if so, what protocols are used.

Web-interface

The status of virtual VLANs is also clearly displayed. By default, all LAN ports are combined in the first VLAN with DHCP enabled, but you can configure virtual networks as you want, including routing between virtual networks, as well as hard binding of the network LAN port to the virtual network.

Web-interface

The firewall allows you to configure traffic filtering rules between WAN and LAN ports, and define rules for the demilitarized zone (DMZ). Moreover, you can create a DMZ from both the wide area network (WAN) and the local area network (LAN).

And although many of the rules settings here look familiar (we've seen a lot in other routers), we are more interested in the features that distinguish Firewall from security gateway-antivirus, spam protection, and other sweets.

Web-interface

First of all, let's look at email protection. The easiest way to fight spam, known since ancient times, is to filter by keywords. If you want to get rid of" copies of Swiss watches " - be sure that none of your employees will talk about them by email. Well, if someone wants to send data by email in a password-protected archive, you can also find out about it and intercept the archive, or continue monitoring. So, is it safer to transfer data in non-password-protected archives?

And of course, filtering by file extension will save your email from mp3, Trojans, and various unwanted files. Importantly, for each Protocol (IMAP, SMTP, and POP3), the response to the filter may be different.

Web-interface

Well, for a more effective fight against spam, you will still have to use downloadable signatures from free services such as Spamhaus, Spamcop, and others. Information from thousands of servers will be used by your gateway to prevent spam from cluttering your network. And most importantly, the update is real-time and free of charge.

The distributed Spam Analysis technology gets data on spam distribution from more than 50 million sources around the world, which allows you to create a map of email distribution and get more information about the email than its header contains. This allows you to prevent the spread of spam at an early stage, before your network or your gateway becomes part of the botnet.

Scanning traffic for malicious code is also interesting. At this stage, scanning of HTTP and HTTPS protocols and files up to 10.2 MB is supported. Perhaps this will help to get rid of the most significant security problem in office networks - getting Trojans and viruses downloaded from the Internet.

web-interface

But no less important is the content filter, which here allows you to block entire categories of Internet sites. You can now prohibit viewing entertainment sites, anonymizers, gaming sites, p2p networks, web mail, and, of course, porn sites in whole categories. In addition, you can add your OWN URLs of banned sites if they are not in the list. But more importantly, you can set up exceptions for some IP addresses. For example, you can leave access to adult sites to the Director and chief sysadmin :)

Testing

To test NETGEAR UTM50, we used The time-tested IxChariot package. However, our standard Hi-Perf Throughput script could not show a normal performance picture: the LAN-to-WAN speed was approximately 1 Gbit / s with or without ACL filters enabled. Simply put, the artificially created traffic passed through the ACL safely, and the processor performance is sufficient to process the stream at the maximum bandwidth of the interface.

What does this tell us? In terms of performance, the ACL turns out to be free, and you can use any firewall rules without thinking that they will reduce network bandwidth. And even if we disable some services, such as torrents, it will not affect the speed.

DirectionThroughput (Mbps)
LAN-LAN977
LAN-WAN (Antivirus OFF, ACL ON)457
LAN-WAN (Antivirus On)44

Looking at how the antivirus cuts LAN-WAN performance by 20 times, you understand why the manufacturer did not allow this feature to be enabled for working in a LAN environment. On the other hand, the real speed of secure Internet access at the level of 40 megabits per second is more than enough for the next 4-5 years, since it is unlikely that Internet access rates for legal entities will become normal. This skill is quite enough for VPN access, working with several clients via RDP, and even from different platforms, not to mention web surfing, database synchronization, and working with a Bank client. We emphasize once again-this is the speed of a secure Internet.

Price

The average cost of NETGEAR UTM50 is $ 800. Compared to the more popular security gateway manufacturer, Checkpoint, the price gain is more than double. At the same time, you do not need to worry about buying any updates, licenses, or renewing a paid subscription.

Conclusions

NETGEAR UTM50 allows you to reduce the budget for the network infrastructure of a small office, its functionality will ensure uninterrupted Internet access through 2 dedicated channels, organize VPN access for employees "on the remote" and significantly save traffic and more expensive working time, fighting spam and blocking access to entire categories of unwanted sites. With proper restriction of user rights, you can completely get rid of antivirus programs on working machines, and this is an even more significant cost savings. However, I do not know how much you are willing to abandon local antivirus programs in favor of a consolidated device.

However, NETGEAR UTM50 is not a live sysadmin and not a panacea for all diseases. For example, it cannot prevent the spread of infection within its own network, and if someone brought the virus on a flash drive, count only on your own strength.

More importantly, with NETGEAR UTM50, you can share your network in any configuration and configure rules and exceptions for each virtual network. You can easily limit traffic and the number of available resources for one group, leaving the full functionality for another. You can even get information about who is trying to send password-protected archives from your office to prevent important documents from leaking. The security gateway will have the most informative, so it will be easy to monitor his condition, to understand whether an attack on your corporate network, how are you doing with zusammensto working mailbox, if the signature and the firmware does the device itself with its load.

Michael Degtjarev (aka LIKE OFF)
30/08.2012


Tags UTM NETGEAR UTM50

New articles

Read also:

NETGEAR ReadyNAS 516 powerful 6-drive NAS review

Today we are reviewing one of the most powerful desktop 6-disk NASs available on the market. It has a modern Core i3 processor, but with passive cooling. This NAS supports the installation of expansion cards, which means that...

NetGear SRX5308: Gigabit UTM for small offices

The NetGear SRX5308 firewall is designed for companies that require the speed of communication channels. Four WAN ports support two session-level load balancing modes, as well as switching for increased reliability. Support for ...