Netgear's new security appliance takes on small-to-midsize business stalwarts such as Fortinet and Barracuda by including antispam, antimalware, and Web content filtering in a single unit that offers easy deployment and budget-preserving pricing.
We tested the STM600, the high-end appliance Netgear started shipping in November, and found that it does an adequate job of blocking what you don't want, while making a minimal intrusion into your network.
The STM600 combines two main functions in a single appliance. First is e-mail protections, including antispam and anti-malware, as well as some content filtering. Second is Web and FTP client protections, including antimalware and content filtering.
The STM600 has an easy-to-use Web-based interface, and a separate out-of-band management port, which is a nice feature. In general, most network managers will be able to configure the STM600 in just a few minutes.
The e-mail protection features work on SMTP, POP3 and IMAP4 protocols. You identify what ports you're running these three protocols on, and then define a fairly simple policy on how to handle traffic.
Web protection is slightly more sophisticated. You start with the same configuration: define which ports you run HTTP, HTTPS and FTP on, then say which policies will apply. The STM600 supports malware scanning, content filtering (such as blocking .EXE files or online shopping sites), URL filtering with your own block/allow lists of URLs and sites, application filtering for a list of about 18 common applications, such as BitTorrent, GoToMyPC, and Yahoo Messenger, plus man-in-the-middle HTTPS scanning.
The STM600 also allows HTTP users to authenticate themselves using a Web page, and you can use this authentication to apply exceptions to your basic policy.
Inline ins and outs
The STM600 acts as a “bump in the wire,” meaning that it sits transparently in your network, doing its job, without any additional configuration of your Web clients, mail servers or DNS. That's quite a departure from other products in this space, which usually act as separate e-mail servers or Web proxies.
The advantage is that you don't have to touch anything. But there are also disadvantages. The most obvious is that now the STM600 is sitting “inline” in your network, controlling all traffic. If the STM600 locks up or otherwise starts misbehaving, everything can slow down or be cut off entirely.
Netgear partially works around this by putting fail-open ports on the STM600, which let traffic pass through untouched if the STM600 loses power. We tested this and found that the STM600 is only “mostly” transparent. Both when we power-cycled it, and when it rebooted, we had to clear ARP caches before communications would resume. You've got to be comfortable putting another device in the critical path between your network and the Internet to consider this approach.
Another unusual part of the STM600 configuration is that you don't really make it aware of IP addresses, only ports to scan. This means that, by default, the STM600 will scan traffic to every IP address on the ports you list. That can be a benefit, or it could cause mysterious network problems if you don't realize that even your test lab is being filtered. Fortunately, there is a way to exclude specific IP addresses or subnets from scanning.
Baby steps in e-mail security
We looked at the STM600's e-mail security features, including antispam, content filtering and antimalware to see how it stands up against a well-entrenched and well-funded set of competitors.
Antispam in the STM600 uses a combination of content and reputation filtering, with detected spam e-mail either tagged, blocked outright, or sent to an on-box quarantine server. Spam settings are determined for the entire system, and there is no concept of “suspected spam,” which makes the STM600 very inflexible when it comes to antispam deployment.
There is no way to send quarantines to an off-box server, so Netgear provides up to 2GB of space in the STM600 (our system had an internal 160GB hard drive) for your quarantine. We found the quarantine to be particularly primitive, with no security, no directory integration, and no way to search for specific messages.
We tested the antispam performance of the STM600 and found that the catch rate is very similar to other antispam products, although the false positive rate is dramatically higher.
Netgear recently published a test showing the STM600 giving an antispam catch rate within a percentage point of systems from Barracuda Networks and Cisco IronPort. Our testing gave the same ranking, although with a more substantial range of about 3 percentage points between low and high scores. For a typical enterprise user who receives 100 non-spam messages a day, that translates into about 50% more spam in your in-box when protected by the STM600 than when protected by the Cisco IronPort, with seven times the false positive rate.
Our testing also showed that the STM600 is heavily dependent on reputation services for its antispam performance. This means that the STM600 cannot be a “second hop,” as without reputation filtering, its antispam catch rate drops to a dismal 71%. Because the STM600 cannot be used effectively without a reputation service, make sure you budget to pay for the required reputation service in addition to Netgear's subscription fees. Netgear puts Spamhaus at the top of its list of reputation services, an excellent choice based on our testing. Current Spamhaus pricing for 600 users is $420 a year.
Although the STM600 can inspect encrypted HTTP traffic, it doesn't inspect encrypted e-mail (SMTP, POP, or IMAP) traffic, which means that any spam that comes in over an encrypted SMTP connection won't get caught. Since about half of Internet mail now travels over encrypted channels, including a substantial amount of spam, the STM600 only makes sense as an antispam appliance if you disable encryption on your SMTP receiver, which seems like a step in the wrong direction.
The same restriction applies if you are doing spam and malware scanning for IMAP and POP users — the STM600 is only effective for these users when encryption is disabled, which could mean passing plain-text usernames and passwords across the Internet, a severe no-no.
Netgear has positioned the STM600 as a 600-user appliance with published performance of approximately 250 messages/sec. Our testing shows that at steady state, the STM600 actually handles between 6 and 8 messages/sec with antimalware and antispam scanning. Although that's not as impressive as Netgear's claims, it should be more than enough for a 600-user community, especially since reputation filtering gives the STM600 a huge boost by deflecting 80% to 90% of messages before they have to be scanned.
We found a different type of performance glitch during our testing when we noticed the STM600 backing up messages and slowing down significantly. We saw slowdowns so significant that sending MTAs would believe the STM600 to be down and queue mail for retransmission. We worked with Netgear's technical support, who initially thought the slowdown to be related to antivirus/antispam signature updates, which occur hourly (using typical settings). Although we never identified the exact cause of the slowdown, Netgear told us that they are designing a different updating strategy to have a lower impact on system performance during signature updates.
Overall, while the STM600 has a reasonable set of antispam features, it doesn't really move the bar when compared either with other low-cost appliances or spam-integrated UTM firewalls.
Web filtering made easy
With its bump-in-the-wire design, the STM600 is easy to slip in and out of small networks to protect end users and control Web usage. Web filtering on the STM600 includes antimalware scanning, category-based URL filtering, local block and allow lists, and some very basic content scanning, including blocking certain HTTP download file types and file extensions.
Although the Web security settings on the STM600 are system-wide, you can apply some per-user rules that override the basic settings, based either on IP address or on user authentication. We tested the STM600 by linking it to our corporate directory with RADIUS and Active Directory to verify that we could write rules so that some users could have full Internet access with minimal content filtering, while others were restricted to a subset of sites. The mechanisms in the STM600 are a good match for the small business market.
The STM600 can also inspect HTTPS traffic, a critical requirement for any Web security gateway. The STM600 does this by signing a new digital certificate for any Web site protected by SSL. (The STM600 comes with a generic signing certificate, or you can supply your own.) The STM600 splices together the two encrypted connections: one between the STM600 and the real Web site, and the other between the STM600 and the end user, enabling it to inspect the traffic as it passes by. Of course, this requires the end user to accept the STM600's signing certificate as authentic or the network manager to pre-load it into end user systems, a necessary inconvenience.
We tested the STM600's ability to identify recent viruses on Web pages, in encrypted traffic, and found it lived up to its billing. We also tested the category-based URL filtering, and found about the normal success rate at categorization and blocking.
An additional feature of the STM600, Application Control, didn't show up as well in our testing. These controls purport to give the network manager greater control over applications. With vendors such as Palo Alto Networks pushing this as a key feature in managing end-user access, we were interested to see how the SMB-focused Netgear would do. Answer: not very well.
On the STM600, Application Control includes four main categories of applications: messaging, media, peer-to-peer, and tools. Each category has between three and six applications. In theory, check the box and you turn off BitTorrent. We tested three of the four categories, but none of the applications we tested (BitTorrent, iTunes Music Store, Google Talk) were successfully blocked. Netgear needs to go back to the drawing board on that one.
Because the STM600 sits in-line for all traffic, whether HTTP or not, we ran performance tests to see how well it would behave under load. Running typical loads through the STM600 with antimalware (but without URL filtering), we saw our system max out at 100% CPU around 33Mbps. With HTTPS traffic, the STM600 was about 15% slower, decrypting, scanning and re-encrypting at about 28Mbps. Those speeds are fast enough for a typical small business Internet connection. However, if you have bulk traffic in your network, such as backups, it would be better to avoid sending that through the STM600, or make sure that you've configured the STM600 not to scan that traffic based on port number or IP address.
Our most significant criticism of the STM600's design as a Web security gateway is that it requires the network manager to know ahead of time all the TCP port numbers used to host malware. While most Web traffic is running on Port 80 (or 443 for encrypted traffic), someone hosting malware on Port 81, for example, would be able to fly right by the STM600.
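The port-only scan scope described here, and the address exclusions described in the in-line configuration section above, can be audited against the traffic a network actually carries. The following added example (not Netgear's code or configuration format; the policy, subnets, addresses and flows are constructed) models the appliance's scan decision and reports HTTP requests the policy would leave unscanned, whether because the port is not listed or because an endpoint is excluded:

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed policy modelled on the review's description: the appliance is told
# which ports to scan and which addresses to exclude; it is never told which
# destinations host Web servers. This is not Netgear's configuration format.
SCAN_PORTS = {80, 443, 8080}
EXCLUDED_NETS = [ipaddress.ip_network("10.9.0.0/24")]  # e.g. a test lab

# An HTTP request line at the start of a TCP payload, on whatever port it arrives.
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes the client sent

def scan_decision(flow):
    """Model the port-only policy: consult the port and the exclusion list, never the destination."""
    if flow.dst_port not in SCAN_PORTS:
        return "skip:port-not-listed"
    for net in EXCLUDED_NETS:
        if ipaddress.ip_address(flow.src) in net or ipaddress.ip_address(flow.dst) in net:
            return "skip:excluded"
    return "scan"

def looks_like_http(flow):
    """Identify HTTP by content rather than by port number."""
    return HTTP_REQUEST.match(flow.payload) is not None

def audit(flows):
    """(dst_port, reason) for every HTTP request the policy would not scan."""
    return [(f.dst_port, scan_decision(f)) for f in flows
            if looks_like_http(f) and scan_decision(f) != "scan"]

# Constructed sample flows using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: a.example\r\n\r\n"),
    Flow("192.168.1.11", "203.0.113.7", 81, b"GET /setup.exe HTTP/1.1\r\nHost: b.example\r\n\r\n"),
    Flow("10.9.0.5", "203.0.113.5", 80, b"GET /lab HTTP/1.1\r\nHost: a.example\r\n\r\n"),
    Flow("192.168.1.12", "203.0.113.9", 8080, b"\x16\x03\x01\x00\xc8\x01"),  # TLS ClientHello, not HTTP
]

if __name__ == "__main__":
    for port, reason in audit(SAMPLE_FLOWS):
        print(f"HTTP request to port {port} would not be scanned: {reason}")
```

Running the audit over flow records or a packet capture from your own network shows whether the scan-port list matches the ports Web traffic really uses, and confirms that lab exclusions are doing what you intend.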
Although the STM600 doesn't match the feature set and flexibility of some of the high-end Web security gateways from vendors such as Blue Coat, Cisco, and Trend Micro, it has a robust and solid design appropriate to midsized and small businesses.
By making a serious attempt to match the Web security needs of small businesses, Netgear has created a product that sits between the relatively spare feature set of the UTM firewall and the expensive depth of enterprise-class Web security gateways. The STM600 gives network managers an excellent option to add Web security at a reasonable price with minimum risk.