Security - Overview
NETGEAR utilizes what it calls “Stream Scanning Technology” for traffic flow security. This technology allows the router to receive, scan and deliver data via separate threads, similar to multi-tasking in a computer. Instead of waiting for an entire file to be received before scanning, Stream Scanning Technology analyzes data as it enters the router. NETGEAR claims this Stream Scanning Technology enables file scanning at up to “five times faster than with traditional anti-virus solutions.” We'll cover throughput on the UTM10 further on in this review.
Like most other UTM products, NETGEAR's UTM10 leverages technology from multiple partners. It is refreshing that NETGEAR is forthcoming and proud of these partnerships; other UTM vendors don't as readily disclose all their underlying partnerships. NETGEAR lists security partners Commtouch, Sophos, and Mailshell on their ProSecure Technology Partners page with links to each supplier. (Kaspersky Labs is also listed as a partner, but their technology is used in the higher-end NETGEAR STM devices, not the UTM devices.)
For content filtering, NETGEAR uses an “in the cloud approach” based on technology from Commtouch. This “in the cloud” technology allows NETGEAR to receive data feeds from service providers throughout the world to build a database of millions of classified URLs, as depicted in Figure 6.
Figure 6: UTM and Partner Feeds
The UTM10's anti-virus functionality leverages the Sophos engine and signature database containing over 1 million virus signatures. Virus updates are automatically sent from Sophos to NETGEAR's update servers. By default, the UTM10 polls NETGEAR's update servers every hour to ensure it can recognize the latest virus signatures.
Unlike the TZ100W, which can require PCs to run client anti-virus software, the UTM10 does all scanning itself, so PCs are neither checked for nor required to run anti-virus software. But good security practice should still include running anti-virus and anti-malware applications on each LAN client, because not all bad stuff comes from the Internet!
The UTM10's anti-spam is based on technology from Mailshell. Mailshell also provides the master database of email signatures for spam filtering. In addition to partnerships with Commtouch, Sophos, and Mailshell, the UTM10's Intrusion Detection and Prevention capability utilizes the open source solution, Snort.
Security - Email
For email traffic to be filtered, the data flow has to be identified as email. Out of the box, the UTM10 monitors SMTP, POP3, and IMAP traffic on the default ports of 25, 110, and 143. Additional ports can be monitored, with the exception of the SSL ports: SMTP over SSL on port 465, POP3 over SSL on port 995, and IMAP over SSL on port 993. Of note, Google email uses port 995, which I'll touch on shortly.
Email filtering on the UTM10 is done by first checking whether the email is spam, then checking for malware. Even if an email passes the spam checks, it is still checked for malware. (Malware is a general term referring to viruses, worms, trojan horses, spyware, and other malicious and unwanted software.)
Emails are filtered for spam using four separate tools in the following order: whitelists, blacklists, real-time blacklists, and NETGEAR's Spam Classification Center. This order is important for throughput capability. If an email sender is listed in a whitelist, it will not be checked further for spam, speeding up the filtering process.
Real-time blacklists are third-party services that maintain databases that can be queried for known spam senders. The UTM10 comes with the option to check emails against databases maintained by the real-time blacklist services Spamhaus and SpamCop. Additional real-time blacklist providers can also be configured.
If an email passes the spam whitelist, blacklist, and real-time blacklists, it still has to pass the database at NETGEAR's Spam Classification Center, which houses the Mailshell technology for identifying spam.
NETGEAR reports that the ProSecure UTM series employs a “hybrid in-the-cloud approach” for spam analysis. This approach looks at both the content and header of emails for spam determination. This is advantageous, as looking only at email headers or relying purely on real-time blacklists may result in false positives/negatives.
Once an email is cleared as not being spam, it is inspected against the Sophos database for the presence of malware, and against any manually configured filters, which can match keywords in the subject line or file attachments by size and/or extension.
Inbound and outbound emails that pass the UTM10's filters can be tagged with a message indicating they have been scanned and are clean. Inbound and outbound emails that do not pass the UTM10's filters can be blocked, passed with the offending attachment deleted, or simply logged. Further, the sender, the receiver, or both can be notified by email if the message was blocked or otherwise altered.
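To make the pipeline above concrete, here is an added example (my own code, not NETGEAR's or Sophos's) that models the review's description end to end: a flow is first classified by destination port (plaintext 25/110/143 or admin-added ports are inspectable, the SSL ports 465/995/993 are not), spam checks run in the documented whitelist, blacklist, real-time blacklist, classifier order with short-circuiting, and non-spam mail then goes through signature, subject-keyword and attachment size/extension filters with block or pass-with-attachment-deleted as the outcome. The DNSBL query name is built the standard way (reversed IPv4 octets in front of the zone), but the resolver, the signature set, the keyword scorer, the policy values and the sample messages are all constructed stand-ins so the module runs offline.

```python
from dataclasses import dataclass, field
import ipaddress
import re

# Stage 0, flow classification. Per the review, the UTM10 watches 25/110/143 by
# default, lets the admin add plaintext ports, and cannot inspect the SSL ports.
PLAINTEXT_MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP"}
TLS_MAIL_PORTS = {465: "SMTP/SSL", 995: "POP3/SSL", 993: "IMAP/SSL"}

def classify_flow(dst_port, extra_ports=()):
    """Return (protocol label, inspectable) for a TCP destination port."""
    if dst_port in TLS_MAIL_PORTS:
        return TLS_MAIL_PORTS[dst_port], False      # encrypted: passes unscanned
    if dst_port in PLAINTEXT_MAIL_PORTS or dst_port in extra_ports:
        return PLAINTEXT_MAIL_PORTS.get(dst_port, "mail/custom"), True
    return "not mail", False

def dnsbl_query_name(ip, zone):
    """Standard DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

@dataclass
class Message:
    sender: str
    sender_ip: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # (name, size_bytes, content)

@dataclass
class Policy:
    whitelist: set
    blacklist: set
    rbl_zones: list
    dns: dict              # constructed stand-in for a DNS resolver: name -> listed
    subject_keywords: set
    blocked_extensions: set
    max_attachment_bytes: int
    signatures: set        # constructed stand-in for the Sophos signature database

def content_score(msg):
    """Toy header-plus-body scorer standing in for the Spam Classification Center."""
    text = (msg.subject + " " + msg.body).lower()
    hits = sum(w in text for w in ("free", "winner", "click here", "urgent", "act now"))
    return hits + bool(re.search(r"\$\s?\d{3,}", text))

def spam_verdict(msg, policy, threshold=2):
    """Stage 1: return (is_spam, deciding stage) in the UTM10's documented order."""
    s = msg.sender.lower()
    d = s.rsplit("@", 1)[-1]
    if s in policy.whitelist or d in policy.whitelist:
        return False, "whitelist"                   # short-circuit, no more checks
    if s in policy.blacklist or d in policy.blacklist:
        return True, "blacklist"
    for zone in policy.rbl_zones:
        if policy.dns.get(dnsbl_query_name(msg.sender_ip, zone)):
            return True, "rbl:" + zone
    return content_score(msg) >= threshold, "classifier"

CLEAN_TAG = ("No malware was found: NETGEAR ProSecure Web and Email Threat Manager "
             "has scanned this mail and its attachment(s).")

def filter_message(msg, dst_port, policy, on_bad_attachment="delete"):
    """Run both stages and return what the appliance would do with the message."""
    proto, inspectable = classify_flow(dst_port)
    if not inspectable:
        return {"action": "pass", "reason": proto + " not inspected", "tag": None}
    is_spam, stage = spam_verdict(msg, policy)
    if is_spam:
        return {"action": "block", "reason": "spam:" + stage, "tag": None}
    if any(k in msg.subject.lower() for k in policy.subject_keywords):
        return {"action": "block", "reason": "subject keyword", "tag": None}
    # Stage 2: signature match, extension and size filters on each attachment.
    dropped = []
    for name, size, content in msg.attachments:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if (content in policy.signatures or ext in policy.blocked_extensions
                or size > policy.max_attachment_bytes):
            dropped.append(name)
    if dropped and on_bad_attachment == "block":
        return {"action": "block", "reason": "attachment:" + ",".join(dropped), "tag": None}
    msg.attachments = [a for a in msg.attachments if a[0] not in dropped]
    reason = "attachment deleted:" + ",".join(dropped) if dropped else "clean"
    return {"action": "pass", "reason": reason, "tag": CLEAN_TAG}

# Constructed sample policy and messages (documentation IP ranges, made-up names).
DEMO_POLICY = Policy(
    whitelist={"partner.example"}, blacklist={"spammer@bad.example"},
    rbl_zones=["zen.spamhaus.org"],
    dns={"10.2.0.192.zen.spamhaus.org": True},   # pretend 192.0.2.10 is listed
    subject_keywords={"lottery"}, blocked_extensions={"exe", "scr"},
    max_attachment_bytes=5_000_000, signatures={"CONSTRUCTED-TEST-SIGNATURE"})

def demo():
    samples = [
        (110, Message("a@partner.example", "198.51.100.5", "FREE winner click here", "act now")),
        (110, Message("x@other.example", "192.0.2.10", "hello", "just a note")),
        (110, Message("y@other.example", "198.51.100.9", "report", "see attached",
                      [("q.pdf", 1000, "clean"), ("setup.exe", 2000, "CONSTRUCTED-TEST-SIGNATURE")])),
        (995, Message("spammer@bad.example", "203.0.113.7", "FREE winner", "click here")),
    ]
    return [filter_message(m, port, DEMO_POLICY) for port, m in samples]
```

Running `demo()` shows the four outcomes the review describes: the whitelisted sender is passed and tagged without ever reaching the classifier, the RBL-listed sender is blocked at the real-time blacklist step, the message with a flagged `.exe` is delivered with that attachment stripped, and the POP3-over-SSL flow on port 995 is passed through untouched and untagged, which is exactly what the Gmail test later in this section observes.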
As mentioned previously, Google's Gmail uses port 995 for inbound POP3 email. Most ISPs use port 110 for inbound POP3 email. I tested the UTM10 with my ISP and Google email addresses. Emails to and from my ISP account were tagged with the following message:
“No malware was found: NETGEAR ProSecure Web and Email Threat Manager has scanned this mail and its attachment(s).”
Emails to and from my Gmail account were not tagged, regardless of what ports I enabled on the UTM10. Obviously, the UTM10 does not provide protection for Gmail accounts. On the other hand, my ISP-provided email account was filtered by the UTM10. Thus, it is important to know what ports your email uses to ensure it is being filtered by the UTM10.
It is important to note that verifying the threat mitigation and protection effectiveness of UTMs is difficult and best done by experts in the field. I don't claim to be such an expert. Even the most basic of tests are relatively useless today. I used to test anti-virus solutions by sending an email with a known virus attachment (eicar.org) from an unprotected computer. However, both my ISP and Gmail accounts now filter the eicar.org malware, defeating this test.
NETGEAR provided us with the following information, from testing they commissioned and paid for. (I paraphrased the text below; the full content is available here.)
“Testing by a partnership of AV-Test GmbH and The Tolly Group, premier independent IT test labs, focused on the ability of the solution to stop malware and viruses. The tests measured security effectiveness against 3,583 virus and malware samples from the WildList Organization International's latest list of viruses "propagating in the wild" and 60,000 zoo malware samples from AV-Test GmbH.”
“The results were as follows:
- ProSecure -- blocked 100 percent of WildList samples and 90 percent of zoo malware samples
- Fortinet -- blocked 81 percent of WildList samples and 29 percent of zoo malware samples
- SonicWALL -- blocked between 75 to 81 percent of WildList samples and 35 to 70 percent of zoo malware samples, depending on model
- Watchguard -- blocked 32 percent of WildList samples and 20 percent of zoo malware samples
- More details on the results and the testing methodology can be found here.”
It's obvious why NETGEAR is proud of this data. The results show that NETGEAR's UTM technology is 90-100% effective at blocking viruses and malware, while their top competitor is only 70-81% effective. But again, you'll have to take NETGEAR's (and Tolly's and AV-Test's) word for it, since I have no way of independently verifying these claims. It should be noted that SonicWALL did not submit its TZ100 to similar testing.