June 30, 2014 at 14:38Traffic Inspector and competitors: who whom?
In our previous article , we examined the main features of the Traffic Inspector system, including a proxy server, SMTP gateway, tariff rules, network protection, load balancing, and traffic metering and filtering . Now we would like to compare the functionality of the Traffic Inspector with the capabilities of similar integrated solutions for managing IT infrastructure.
Despite the large number of very high-quality proxy servers (for example, Handycache) and traffic accounting systems (such as BWMeter and Internet Access Monitor), most of them are, in fact, highly specialized products and usually solve one or two problems. Meanwhile, there are really not so many complex solutions that you can completely entrust with managing network activity. The most famous of them (in addition to the Traffic Inspector) are Kerio Control, Lan2net, UserGate and Microsoft ForeFront TMG, the development and sale of which, unfortunately, was discontinued in 2012. We’ll talk about them.
Kerio Control (formerly WinRoute Firewall) is a comprehensive security solution that combines several functions - including a firewall (firewall) and router, intrusion detection and prevention system (IPS), antivirus, VPN and content filter. The main feature of Kerio Control is the presence of an intrusion detection and prevention system (IDS / IPS) based on the industry standard Snort. The system classifies and stops attacks on servers, applications, and infrastructure components.
Simultaneous support for IPv4 and IPv6, connection tracking (SPI), connection limit, anti-spoofing, protocol inspection, traffic policy settings wizard, DHCP server, DNS relay, IP blacklist, analysis of network activity history, a large number of flexible reports, warnings by Email, user authentication through Kerberos / Active Directory / Open Directory / proxy / NTLM, full support for VPN and NAT, P2P network blocker, integrated Sophos antivirus, load balancing and QoS, traffic shaper, powerful administration features, support 15 interface languages.
In addition, the product is ICSA certified in the corporate firewall category.
Summary:a very powerful and flexible integrated solution from one of the leading companies in this field. Perhaps the only drawback is the high price. A server license for 5 users (including 1 year of technical support) will cost almost 14 thousand rubles, while the same license for Traffic Inspector costs 5900 rubles.
The Lan2net product has been developed by NetSib LLC since 2004 and is a software firewall for organizing secure Internet access, monitoring and counting traffic, and protecting the network. The solution has the following functions:
• Built-in NAT for connecting a local area network to the Internet and online processing of network traffic.
• The DNS Forwarder function, which allows you to quickly perform centralized configuration of network parameters, as well as adjust its operation unnoticed by users.
• DHCP server for automatic allocation of IP addresses, which makes it easier to deploy an enterprise LAN.
• Redirecting connections to the specified port and / or IP address to organize access to local network resources from the Internet.
• Tracking information transmitted from the local network of the enterprise via the Internet (e-mail, Mail.Ru Agent, social networks, ICQ). All POST requests, correspondence history, sent files, emails, including attachments, are saved.
• Blocking access to sites on the Internet at URLs.
• Traffic counting.
• Speed limit for a group of computers or users with an even distribution of channel bandwidth between group members.
• Monitoring connections in real time.
• System of collecting statistics based on the built-in web server and reporting.
Summary: A good and inexpensive system for small and medium-sized businesses. However, it lacks some of the features needed by large companies with complex IT infrastructures, for example, full support for VPN and SIP, FSTEC certificate of conformity, client agent, and a number of others, and the built-in NAT is still slower than Microsoft's standard NAT.
UserGate is a comprehensive solution for connecting users to the Internet, which provides full accounting of traffic, access control and provides built-in network protection. UserGate allows you to charge users access to the Internet, both in terms of traffic and network hours. The administrator can add various tariff plans, dynamically switch tariffs and regulate access to Internet resources. The built-in firewall and antivirus module allow you to protect the UserGate server and check the traffic passing through it for malicious code.
UserGate consists of several parts: the server, the administration console (UserGate Administrator) and several additional modules.
The UserGate server provides access to the Internet, counts traffic, maintains statistics on users on the network, and performs many other tasks.
UserGate Administration Console is a program designed to manage a UserGate server. The UserGate administration console communicates with the server part via a special protocol over TCP / IP, which allows remote administration of the server.
In addition, UserGate includes four additional modules: UserGate Statistics, Web Statistics, UserGate Authorization Client, and Application Control module.
Summary:A good solution with a flexible modular architecture, but to provide the same functionality as the Traffic Inspector, you need to purchase at least four additional modules, which in the end will cost much more than one license for the Traffic Inspector. However, for small and medium-sized companies that do not require advanced functionality, this solution is one of the best on the market.
Microsoft Forefront Threat Management Gateway (TMG) allows employees to use the Internet safely and efficiently to work, protecting them from malware and other threats. It provides access to several levels of constantly updated security features, including URL filtering, malware scanning, intrusion prevention, application and network-level firewalls, and HTTP / HTTPS checking, which are integrated into a single and easy-to-manage gateway. The product has the following features:
• Support for 64-bit architecture.
• IPv6 support: Web Access Policy: this is the so-called “configuration node”, which contains all the settings of the web proxy service, user access to Internet resources via HTTP, HTTPS, FTP-over-HTTP (tunneled FTP), and Also, the configuration parameters of the module for checking user traffic for malicious code (Malware Inspection).
Malware Content Inspection module to check web traffic for malicious code. Allows you to inspect HTTP traffic, tunneled FTP traffic of web proxy clients, as well as traffic of outgoing HTTPS connections.
Network Inspection System for intrusion detection at the network level.
• Support for SIP, as well as VoIP (Voice over IP) NAT Traversal, which allows this type of traffic to pass through gateways with the Network Address Translation (NAT) service.
• Support for Secure Socket Tunneling Protocol (SSTP), which allows tunneling of VPN session traffic within the normal HTTP protocol as part of an SSL session. This mechanism allows you to easily establish VPN connections regardless of the configuration of the firewall, web proxy server or network address translation service.
• HTTPS Inspection function: inspection of HTTP / HTTPS traffic for the presence of virus and spyware code, as well as analysis of web content for compliance with corporate policies (filtering resources based on classification). ISP Link Redundancy Feature: Supports multiple Internet channels. ISP Link Redundancy allows you to organize a fault-tolerant connection to the Internet through two ISP channels.
• Enhanced NAT function: the ability to translate addresses according to the 1-to-1 NAT scheme.
Email Protection Feature: Integrates with the Microsoft Exchange Server 2007 Edge Transport Server role of the Microsoft Exchange Server 2007 mail system to protect email from malware and spam at the network perimeter. The Forefront TMG Management Console has everything you need to configure this functionality.
Summary: A very powerful and fundamental system from a giant in the IT industry. However, there are a number of drawbacks (without them): you can install it only on Microsoft Windows Server 2008 x64, there is no support for advanced routing, billing, and content filtering, as well as a complex licensing, deployment, and updating scheme. But this is not so bad: in 2012, Microsoft officially stopped developing and selling this solution, and the main support will end in April 2015, so betting on this system is very risky.
The Traffic Inspector system is a comprehensive product with a wide range of functionality and eliminating many of the disadvantages inherent in similar solutions:
• Certified billing. The Traffic Inspector billing system has a certificate of conformity of communication, which guarantees exceptional accuracy of calculations (accurate to byte). The calculation of traffic in the program occurs for each user, and you yourself determine the unit of account, limits, credits, locks, filters and schedules. It is possible to consider service headers of communication packets, TCP service traffic, Ethernet packet headers.
• Extensibility. Integration of new features by connecting expansion modules
• Advanced routing capabilities. Advanced Routing allows you to direct traffic to different access channels, including the satellite. Up to 32 external network interfaces are supported.
• The presence of its own API, which allows you to access the Traffic Inspector functionality from external scripts and programs.
• The presence of a certificate from the Federal Service for Technical and Export Control (FSTEC), which is a mandatory requirement for product implementation in government agencies, so the Traffic Inspector is used in the Ministry of Emergencies of Russia for the Volgograd Region, the MVKhrunichev State Space Research and Production Center and several others government agencies.
• Microsoft's NAT implementation is used, with the highest performance in its class.
• Affordable price: the minimum license for 5 accounts costs only 4900 rubles.
Traffic Inspector also has not so obvious advantages over competitors, for example:
• Many similar products do not correctly calculate traffic when working through a proxy server. Proxy servers do not take into account packet headers and TCP service traffic, which leads to an underestimation of the result by 5-15%. Traffic Inspector correctly considers traffic in all cases, including when working through its proxy server , SOCKS and SMTP gateway.
• When caching HTTP content, it is often difficult to find the optimal cache settings. The desire to save traffic as much as possible leads to problems viewing quickly updated resources. Traffic Inspector implements a unique feature that allows users to independently switch the cache operating mode. Due to the unique algorithm of operation, the use of cache in the Traffic Inspector is on average 25–35% more efficient.
In general, we can safely say that in terms of price / quality ratio, the Traffic Inspector is one of the market leaders in corporate information infrastructure management and network security systems. Well, the final choice remains with the CIOs and ordinary users.
Despite the large number of very high-quality proxy servers (for example, Handycache) and traffic accounting systems (such as BWMeter and Internet Access Monitor), most of them are, in fact, highly specialized products and usually solve one or two problems. Meanwhile, there are really not so many complex solutions that you can completely entrust with managing network activity. The most famous of them (in addition to the Traffic Inspector) are Kerio Control, Lan2net, UserGate and Microsoft ForeFront TMG, the development and sale of which, unfortunately, was discontinued in 2012. We’ll talk about them.
Kerio control
Kerio Control (formerly WinRoute Firewall) is a comprehensive security solution that combines several functions - including a firewall (firewall) and router, intrusion detection and prevention system (IPS), antivirus, VPN and content filter. The main feature of Kerio Control is the presence of an intrusion detection and prevention system (IDS / IPS) based on the industry standard Snort. The system classifies and stops attacks on servers, applications, and infrastructure components.
Simultaneous support for IPv4 and IPv6, connection tracking (SPI), connection limit, anti-spoofing, protocol inspection, traffic policy settings wizard, DHCP server, DNS relay, IP blacklist, analysis of network activity history, a large number of flexible reports, warnings by Email, user authentication through Kerberos / Active Directory / Open Directory / proxy / NTLM, full support for VPN and NAT, P2P network blocker, integrated Sophos antivirus, load balancing and QoS, traffic shaper, powerful administration features, support 15 interface languages.
In addition, the product is ICSA certified in the corporate firewall category.
Summary:a very powerful and flexible integrated solution from one of the leading companies in this field. Perhaps the only drawback is the high price. A server license for 5 users (including 1 year of technical support) will cost almost 14 thousand rubles, while the same license for Traffic Inspector costs 5900 rubles.
Lan2net
The Lan2net product has been developed by NetSib LLC since 2004 and is a software firewall for organizing secure Internet access, monitoring and counting traffic, and protecting the network. The solution has the following functions:
• Built-in NAT for connecting a local area network to the Internet and online processing of network traffic.
• The DNS Forwarder function, which allows you to quickly perform centralized configuration of network parameters, as well as adjust its operation unnoticed by users.
• DHCP server for automatic allocation of IP addresses, which makes it easier to deploy an enterprise LAN.
• Redirecting connections to the specified port and / or IP address to organize access to local network resources from the Internet.
• Tracking information transmitted from the local network of the enterprise via the Internet (e-mail, Mail.Ru Agent, social networks, ICQ). All POST requests, correspondence history, sent files, emails, including attachments, are saved.
• Blocking access to sites on the Internet at URLs.
• Traffic counting.
• Speed limit for a group of computers or users with an even distribution of channel bandwidth between group members.
• Monitoring connections in real time.
• System of collecting statistics based on the built-in web server and reporting.
Summary: A good and inexpensive system for small and medium-sized businesses. However, it lacks some of the features needed by large companies with complex IT infrastructures, for example, full support for VPN and SIP, FSTEC certificate of conformity, client agent, and a number of others, and the built-in NAT is still slower than Microsoft's standard NAT.
Usergate
UserGate is a comprehensive solution for connecting users to the Internet, which provides full accounting of traffic, access control and provides built-in network protection. UserGate allows you to charge users access to the Internet, both in terms of traffic and network hours. The administrator can add various tariff plans, dynamically switch tariffs and regulate access to Internet resources. The built-in firewall and antivirus module allow you to protect the UserGate server and check the traffic passing through it for malicious code.
UserGate consists of several parts: the server, the administration console (UserGate Administrator) and several additional modules.
The UserGate server provides access to the Internet, counts traffic, maintains statistics on users on the network, and performs many other tasks.
UserGate Administration Console is a program designed to manage a UserGate server. The UserGate administration console communicates with the server part via a special protocol over TCP / IP, which allows remote administration of the server.
In addition, UserGate includes four additional modules: UserGate Statistics, Web Statistics, UserGate Authorization Client, and Application Control module.
Summary:A good solution with a flexible modular architecture, but to provide the same functionality as the Traffic Inspector, you need to purchase at least four additional modules, which in the end will cost much more than one license for the Traffic Inspector. However, for small and medium-sized companies that do not require advanced functionality, this solution is one of the best on the market.
Microsoft Forefront Threat Management Gateway (TMG)
Microsoft Forefront Threat Management Gateway (TMG) allows employees to use the Internet safely and efficiently to work, protecting them from malware and other threats. It provides access to several levels of constantly updated security features, including URL filtering, malware scanning, intrusion prevention, application and network-level firewalls, and HTTP / HTTPS checking, which are integrated into a single and easy-to-manage gateway. The product has the following features:
• Support for 64-bit architecture.
• IPv6 support: Web Access Policy: this is the so-called “configuration node”, which contains all the settings of the web proxy service, user access to Internet resources via HTTP, HTTPS, FTP-over-HTTP (tunneled FTP), and Also, the configuration parameters of the module for checking user traffic for malicious code (Malware Inspection).
Malware Content Inspection module to check web traffic for malicious code. Allows you to inspect HTTP traffic, tunneled FTP traffic of web proxy clients, as well as traffic of outgoing HTTPS connections.
Network Inspection System for intrusion detection at the network level.
• Support for SIP, as well as VoIP (Voice over IP) NAT Traversal, which allows this type of traffic to pass through gateways with the Network Address Translation (NAT) service.
• Support for Secure Socket Tunneling Protocol (SSTP), which allows tunneling of VPN session traffic within the normal HTTP protocol as part of an SSL session. This mechanism allows you to easily establish VPN connections regardless of the configuration of the firewall, web proxy server or network address translation service.
• HTTPS Inspection function: inspection of HTTP / HTTPS traffic for the presence of virus and spyware code, as well as analysis of web content for compliance with corporate policies (filtering resources based on classification). ISP Link Redundancy Feature: Supports multiple Internet channels. ISP Link Redundancy allows you to organize a fault-tolerant connection to the Internet through two ISP channels.
• Enhanced NAT function: the ability to translate addresses according to the 1-to-1 NAT scheme.
Email Protection Feature: Integrates with the Microsoft Exchange Server 2007 Edge Transport Server role of the Microsoft Exchange Server 2007 mail system to protect email from malware and spam at the network perimeter. The Forefront TMG Management Console has everything you need to configure this functionality.
Summary: A very powerful and fundamental system from a giant in the IT industry. However, there are a number of drawbacks (without them): you can install it only on Microsoft Windows Server 2008 x64, there is no support for advanced routing, billing, and content filtering, as well as a complex licensing, deployment, and updating scheme. But this is not so bad: in 2012, Microsoft officially stopped developing and selling this solution, and the main support will end in April 2015, so betting on this system is very risky.
What is Traffic Inspector good for?
The Traffic Inspector system is a comprehensive product with a wide range of functionality and eliminating many of the disadvantages inherent in similar solutions:
• Certified billing. The Traffic Inspector billing system has a certificate of conformity of communication, which guarantees exceptional accuracy of calculations (accurate to byte). The calculation of traffic in the program occurs for each user, and you yourself determine the unit of account, limits, credits, locks, filters and schedules. It is possible to consider service headers of communication packets, TCP service traffic, Ethernet packet headers.
• Extensibility. Integration of new features by connecting expansion modules
• Advanced routing capabilities. Advanced Routing allows you to direct traffic to different access channels, including the satellite. Up to 32 external network interfaces are supported.
• The presence of its own API, which allows you to access the Traffic Inspector functionality from external scripts and programs.
• The presence of a certificate from the Federal Service for Technical and Export Control (FSTEC), which is a mandatory requirement for product implementation in government agencies, so the Traffic Inspector is used in the Ministry of Emergencies of Russia for the Volgograd Region, the MVKhrunichev State Space Research and Production Center and several others government agencies.
• Microsoft's NAT implementation is used, with the highest performance in its class.
• Affordable price: the minimum license for 5 accounts costs only 4900 rubles.
Traffic Inspector also has not so obvious advantages over competitors, for example:
• Many similar products do not correctly calculate traffic when working through a proxy server. Proxy servers do not take into account packet headers and TCP service traffic, which leads to an underestimation of the result by 5-15%. Traffic Inspector correctly considers traffic in all cases, including when working through its proxy server , SOCKS and SMTP gateway.
• When caching HTTP content, it is often difficult to find the optimal cache settings. The desire to save traffic as much as possible leads to problems viewing quickly updated resources. Traffic Inspector implements a unique feature that allows users to independently switch the cache operating mode. Due to the unique algorithm of operation, the use of cache in the Traffic Inspector is on average 25–35% more efficient.
In general, we can safely say that in terms of price / quality ratio, the Traffic Inspector is one of the market leaders in corporate information infrastructure management and network security systems. Well, the final choice remains with the CIOs and ordinary users.