
Cyberoam CR 1500i UTM

With network security threats coming in various shapes, deploying and managing multiple devices to take care of those can be a real nightmare for a network admin. Let's look at how this UTM helps

Sandeep Koul

Saturday, May 01, 2010


To start with, let me share a few numbers (picked up from IISSM 2009) that describe the security situation today. Simply visit hackerwatch.org and you will see the millions of attacks occurring every moment. Now add a few more earth-shaking numbers: 60% of businesses don't know how much computer attacks cost them, while the 5% who do know about these attacks estimate the associated cost at about $5 million per hour. Just about 1% of businesses have included computer attacks in their business continuity plan, and about 3% address computer viruses. Approximately 1.9 million IP addresses have been linked with online child exploitation, which is now a $20 billion industry. We all know what happens to a computer connected to the Internet without any security software: it is compromised within minutes. It is also well known that no security software gives 100% safety against attacks from the Web, and the situation becomes more complex when your business is at stake. Plenty of solutions are available today, but which one to choose is one of the biggest dilemmas decision makers face. Whether to go for an open source solution or to get a box that fixes it all, the possibilities seem endless. In this article we focus on an enterprise-class UTM appliance from Cyberoam.

Price: Rs 15 lacs (inclusive of the appliance and 1 year total security subscription)
Meant for: Large Enterprises
Key Specs: Firewall, anti-spam, anti-virus, IPS, SSL VPN, bandwidth management, 10 configurable gigabit ports, 2 optical fiber ports
Contact: Elitecore Technologies, Mumbai
Tel:  9819331998
Email: sumith.satheesan@cyberoam.com
Website: www.cyberoam.com
SMS Buy 130512 to 56677

Features
Though talking about physical appearance in the context of a UTM may seem a little out of place, we would still like to raise a couple of points here. First, the display screen and buttons on the front of the CR 1500i are not yet functional, and the same is true of the USB ports on the front; both would be available in future models. On the other hand, the redundant power supply is a good feature, especially if you're using this appliance in 24x7 scenarios. Other good features include 10 configurable gigabit ports, two ports for connecting fiber optic cable, and a console port. The CR 1500i also comes with an internal HDD. It is categorized under the enterprise segment, with the capability of supporting 1500 users at gigabit throughput. Meant for large enterprises, this appliance is packed with every feature one would like to have: a stateful inspection firewall, gateway anti-virus and anti-spyware, gateway anti-spam, a built-in IPS (intrusion prevention system), content and application filtering, VPN, SSL VPN, bandwidth management, user identity and group based control, and, last but not least, a comprehensive logging and reporting mechanism. All these features are simple to configure and use.

How we tested
Setting up this appliance is fairly simple. If you have basic networking knowledge you can configure it in a few steps. There are two modes of setting up this appliance: bridge mode and gateway mode. In our test setup we used the gateway mode. The GUI is very simple, and a quick glance is enough to understand most of the configuration options, which are located on the left. If you want a quick setup, there is a wizard on the top right. Simply click on the wizard and it will configure your device with default settings. For our tests we created a network with WAN on Port A and LAN on Port B of the CR 1500i.

The next important part is to register your product, which synchronizes your device with the servers for effective protection against the latest signatures of viruses, spyware, spam, etc. To do this, click on 'System>Maintenance> Licensing', and from this page you can register and then synchronize your subscribed services. If you just want to try it, there is a one-month free subscription available. To check that every service is working properly, open the GUI of the CR 1500i on the dashboard, and under 'License Information' make sure that there is an expiry date given in front of the subscribed services. Alternatively, click on 'System> Maintenance> Services' and, from this page, check that every subscribed service is running.

Before we can check the anti-virus and anti-spam blocking and reporting capabilities of the CR 1500i, we need to add the required policies. Start by clicking on 'Firewall>Rules.' At the top select 'Select Column', check the scan option and click on 'OK.' This adds a new column. Expand the 'LAN-WAN' rule and you will find a few letters highlighted in amber (in the Scan column). The amber color signifies that all these services are properly configured and running.

To test the anti-virus capabilities of this device, we set up a Linux machine running the Apache web server and then dumped different types of viruses on it (macros, zipped files, etc). We tried to download these viruses from a machine behind the CR 1500i. For effective scanning and blocking, click on 'ANTI VIRUS>HTTP' (we used the HTTP protocol for downloading the viruses) and change the scan mode to batch mode. When we tried to download the viruses, we found that over 80% of them were blocked, and a custom message was displayed stating that the particular URL had been blocked as it was harmful.
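The block-rate measurement described above can be scripted. The following is an added example, not part of the original review or of Cyberoam's tooling: it treats a download as delivered only when its SHA-256 matches the file as stored on the web server. The simulated gateway, file names and block message are constructed so that it runs offline.

```python
import hashlib
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# No proxy handler: requests take the routed path through the gateway under test.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify(url: str, expected: str, timeout: float = 10) -> str:
    """'delivered' only if the body arrives byte-for-byte; anything else is 'blocked'."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            body = resp.read()
    except (OSError, http.client.HTTPException):  # error status, reset, timeout, cut-off body
        return "blocked"
    return "delivered" if sha256(body) == expected else "blocked"

def block_rate(samples: dict) -> tuple:
    """samples maps URL -> SHA-256 of the file as stored on the test web server."""
    results = {url: classify(url, digest) for url, digest in samples.items()}
    blocked = sum(1 for verdict in results.values() if verdict == "blocked")
    return results, (100.0 * blocked / len(results) if results else 0.0)

# Constructed offline stand-in for "web server + gateway", serving harmless byte strings.
FILES = {f"/sample{i}.bin": f"constructed test file {i}".encode() for i in range(5)}
LET_THROUGH = {"/sample3.bin"}  # the one file the simulated gateway misses
BLOCK_PAGE = b"<html>This URL has been blocked (constructed message)</html>"

class SimulatedGateway(BaseHTTPRequestHandler):
    def do_GET(self):
        body = FILES[self.path] if self.path in LET_THROUGH else BLOCK_PAGE
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the console quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), SimulatedGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return block_rate({base + path: sha256(data) for path, data in FILES.items()})
    finally:
        server.shutdown()
```

Against a real gateway, pass `block_rate` the URLs on the test web server with digests computed from the stored files. Fetch the same URLs from a host that bypasses the gateway first, so that an unreachable server is not counted as a block.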

To test anti-spam capabilities we created a POP3 server using Microsoft Windows Server 2003, and created a test domain with a test user, and dumped spam mails in the mailbox (on the WAN side). Then we downloaded these mails from a mail client on the LAN side. But before doing this, we created a few rules by clicking on 'ANTI SPAM>Spam Rules'. Once we downloaded these mails we found out more than 90% of them were scanned and tagged by CR 1500i. Another important point to note here is that by default if the mail size is more than 1 MB it is not scanned. To change it, go to 'ANTI SPAM> Configuration'.

Besides checking these capabilities, we also found that CR 1500i was quite capable of blocking harmful web sites like porn sites. But no matter how good an enterprise class UTM is, it should provide elaborate reports on harmful activities. To check such activities, click on 'LOGS & REPORTS> View Reports.' This would redirect you to 'Cyberoam iVIEW.' Here log in and you can find all the necessary reports in a graphical manner for future analysis and immediate action.

Bottomline: This UTM is simple to configure and provides comprehensive security and reports. So, even though its price is on the higher side, it should prove to be a worthy investment.
