Open Source and free UTM solutions have most of the features that commercial UTM
appliances have, and at the same time are far cheaper. Not only that, because
these Open Source UTMs are installed on commodity machines, we have the luxury
of upgrading and scaling the hardware whenever required. We selected three free
and Open Source UTMs: Endian, Cobian, and Untangle. We tested four major
components of these:
Anti-virus
Testing for anti-virus capability is the easiest amongst all the tests. We
simply need to set up Web, FTP and SMB servers and load different types of
viruses onto them. We used a Linux machine to host these viruses so that the
hosting machine itself doesn't get affected by them. The viruses we used varied
from old 16-bit viruses to the latest Trojans and malware. The set consisted of
around 1000 virus files grouped under macro, zipped, old regular and new regular
viruses, and it was kept constant for all UTM devices. Once the host machine was
ready with all the viruses hosted on it, we connected it to the public port of
each UTM device in turn and tried downloading all the viruses from the private
network. Once done, we counted the number of viruses that bypassed the UTM and
were downloaded onto the private network.
Anti-spam
We set up a machine with a POP3 mail server running on it and dumped around
1000 different spam mails on it. We then connected the machine to the Internet
and gave it a public IP address, which was mapped to the MX record of a domain.
We took the UTM devices one by one and connected their WAN port to the Internet.
We connected a few machines to the private network and started downloading the
spam. We then counted how much spam each device had failed to either tag or
block.
Firewall
As Nessus has become pretty common and all the UTMs detect the tests done by
Nessus, we used a standard DoS attack and a port jammer instead. For the DoS
attack we used ettercap's Nice DoS plugin, and for port jamming we used Pjam. We
connected the WAN port of the UTM device to the Internet with a public IP and
ran the DoS attack and Pjam from a machine connected to the Internet through a
different gateway.
IDS/IPS
To test the IDS/IPS functionality, we focused on the capability of the device
to detect internal attacks, that is, attacks generated from the trusted/private
network. To test this we ran an ARP spoofing tool against the IP address of the
private port of the device and checked whether the device could detect the
attack. ARP spoofing is a mechanism by which one can compromise the ARP cache of
switches and divert all traffic intended for some other IP to one's own IP. We
ran the tests in two modes. In the first, we spoofed the gateway IP and then
explicitly forwarded the data arriving at the attacking machine on to the real
gateway. In the second mode, we stopped forwarding the data to the actual IP
altogether.
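As an added illustration (not code from the original review or from any of the UTMs tested), here is the kind of passive check an IDS runs to catch the first test mode above: it learns IP-to-MAC bindings from ARP replies and raises an alert when a known IP, in particular the gateway, is suddenly claimed by a different MAC. All frames and addresses are constructed for the demo; the gateway 192.168.1.1 and the MAC values are assumptions.

```python
import struct

ARP_REPLY = 2  # ARP opcode "reply" (RFC 826); ARP_REQUEST would be 1

def _mac(s): return bytes.fromhex(s.replace(":", ""))        # "aa:bb:.." -> 6 bytes
def _ip(s): return bytes(int(o) for o in s.split("."))         # "192.168.1.1" -> 4 bytes

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet II + ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    # ARP body: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    oper = struct.unpack("!H", frame[20:22])[0]
    return oper, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

class ArpWatch:
    """Passive IDS check: learn IP->MAC from ARP replies, alert when a known IP
    (especially the gateway, as in the test described above) is claimed by a new MAC."""
    def __init__(self, gateway_ip):
        self.gateway_ip, self.table = gateway_ip, {}

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None                                    # not an ARP reply: ignore
        _, mac, ip = parsed
        known = self.table.setdefault(ip, mac)            # first sighting is trusted
        if known == mac:
            return None
        sev = "HIGH" if ip == self.gateway_ip else "MEDIUM"
        return f"{sev}: {ip} was {known}, now claimed by {mac}"

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed test frame (not captured traffic): Ethernet header + 28-byte ARP reply."""
    eth = _mac(target_mac) + _mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, 6/4 byte addrs
    return eth + arp + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)

def run_demo():
    """Constructed capture: genuine replies, then a second MAC claiming gateway and host."""
    w, bcast = ArpWatch("192.168.1.1"), "ff:ff:ff:ff:ff:ff"
    frames = [
        build_arp_reply("aa:bb:cc:00:00:01", "192.168.1.1", bcast, "192.168.1.50"),   # real gateway
        build_arp_reply("aa:bb:cc:00:00:20", "192.168.1.20", bcast, "192.168.1.50"),  # real host
        build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", bcast, "192.168.1.50"),   # gateway spoofed
        build_arp_reply("de:ad:be:ef:00:01", "192.168.1.20", bcast, "192.168.1.50"),  # host spoofed
    ]
    return [alert for alert in map(w.observe, frames) if alert]  # -> 2 alerts, HIGH then MEDIUM
```

Note that a check like this sees only the spoofed reply itself; whether the attacker forwards the diverted traffic on to the real gateway (the first test mode) or drops it (the second) does not change the ARP evidence, which is why the binding change is the signal to alert on.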