Cyberoam CR 1500i UTM

PCQ Bureau

To start with, let me cite a few numbers (which we picked up from IISSM 2009)
that describe the security situation today. Visit hackerwatch.org and you will
see that millions of attacks are occurring every moment. Add to this a few more
earth-shaking numbers: 60% of businesses don't know how much computer attacks
cost them, and the 5% who know about these attacks estimate the associated cost
at about $5 million per hour. Just about 1% of businesses have included computer
attacks in their business continuity plan, and about 3% address computer
viruses. Approximately 1.9 million IP addresses have been linked with online
child exploitation, which is now a $20 billion industry. We all know what
happens to a computer connected to the Internet without any security software:
it is compromised within minutes. It is well known that no security software
gives 100% safety against attacks from the Web, and the situation becomes more
complex when your business is at stake. Plenty of solutions are available today,
but which one to choose is one of the biggest dilemmas that decision makers
face. Whether to go for an open source solution or a box that fixes it all, the
possibilities seem endless. In this article we focus on an enterprise-class UTM
appliance from Cyberoam.

Price: Rs 15 lacs (inclusive of the appliance and 1 year total security subscription)

Meant for: Large Enterprises

Key Specs: Firewall, anti-spam, anti-virus, IPS, SSL VPN, bandwidth
management, 10 configurable gigabit ports, 2 optical fiber ports

Contact: Elitecore Technologies, Mumbai

Tel:  9819331998

Email: sumith.satheesan@cyberoam.com

Website: www.cyberoam.com


Features

Though talking about physical appearance in the context of a UTM may seem a
little out of place, we would still like to raise a couple of points here.
First, the display screen and buttons on the front of the CR 1500i are not yet
functional, and the same goes for the USB ports on the front; both would be
available in future models. On the other hand, the redundant power supply is a
good feature, especially if you're using this appliance in 24x7 scenarios.
Other good features include 10 configurable gigabit ports, two ports for
connecting fiber optic cable, and a console port. The CR 1500i also comes with
an internal HDD. It is categorized under the enterprise segment, with the
capability of supporting 1500 users at gigabit throughput. Meant for large
enterprises, this appliance is packed with every feature one would like to
have: a stateful inspection firewall, gateway anti-virus and anti-spyware,
gateway anti-spam, an in-built intrusion prevention system (IPS), content and
application filtering, VPN, SSL VPN, bandwidth management, user identity and
group based control, and, last but not least, a comprehensive logging and
reporting mechanism. All these features are simple to configure and use.

How we tested

Setting up this appliance is fairly simple. If you have basic networking
knowledge you can configure it in a few steps. The appliance can be set up in
one of two modes: bridge or gateway. In our test setup we used the gateway
mode. The GUI is very simple, and a quick glance is enough to understand most
of the configuration options, which are on the left. If you want a quick setup,
there is a wizard on the top right. Simply click on the wizard and it will
configure your device with default settings. For our tests we created a network
with WAN on Port A and LAN on Port B of the CR 1500i. The next important step
is to register your product, which synchronizes your device with servers for
effective protection against the latest signatures of viruses, spyware, spam,
etc. To do this, click on 'System > Maintenance > Licensing'; from this page
you can register and then synchronize your subscribed services. If you just
want to try it out, a one month free subscription is available. To check that
every service is working properly, open the dashboard in the CR 1500i GUI and,
under 'License Information', make sure that an expiry date is shown against
each subscribed service. Alternatively, click on 'System > Maintenance >
Services' and check that every subscribed service is running. Before we can
check the anti-virus and anti-spam blocking and reporting capabilities of the
CR 1500i, we need to add the required policies. Start by clicking on
'Firewall > Rules'. At the top, select 'Select Column', check the scan option
and click on 'OK'. This adds a new column. Expand the 'LAN-WAN' rule and you
will find a few letters highlighted in amber (in the Scan column). The amber
color signifies that all these services are properly configured and running.

To test the anti-virus capabilities of this device, we set up a Linux machine
running the Apache web server and dumped different types of viruses (macros,
zipped files, etc) on it. We then tried to download these viruses from a
machine behind the CR 1500i. For effective scanning and blocking, click on
'ANTI VIRUS > HTTP' (we used the HTTP protocol for downloading viruses) and
change the scan mode to batch mode. When we tried to download the viruses, we
found that over 80% of them were blocked, and a custom message was displayed
stating that a particular URL had been blocked as it was harmful.
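A way to tally the blocked percentage in a download test like the one above, shown as an added example that is not part of the original review or of Cyberoam's tooling. It assumes the gateway's block message may arrive as an HTML page with a normal 200 status, so each received body is compared by SHA-256 with the file placed on the web server; the file names, block page and results are constructed placeholders.

```python
import hashlib
from collections import Counter


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def classify(expected_sha256, status, body):
    """Classify one download attempt made from behind the gateway."""
    if status is None:
        return "blocked"    # connection reset or timed out, nothing received
    if sha256_hex(body) == expected_sha256:
        return "delivered"  # file arrived byte-for-byte intact
    if status >= 400 or b"<html" in body[:512].lower():
        return "blocked"    # error status, or a block page swapped in
    return "altered"        # truncated or rewritten: review by hand


def block_rate(attempts):
    """Return (per-outcome counts, percentage of attempts blocked)."""
    counts = Counter(classify(*attempt) for attempt in attempts)
    total = sum(counts.values())
    return counts, (100.0 * counts["blocked"] / total if total else 0.0)


# Constructed, harmless placeholder bytes standing in for the test files.
NAMES = ("macro.doc", "archive.zip", "script.vbs", "tool.exe", "packed.rar")
FILES = {name: ("placeholder " + name).encode() for name in NAMES}
BLOCK_PAGE = b"<html><body>This URL has been blocked</body></html>"  # assumed

# (expected hash, HTTP status or None, body received): constructed results
ATTEMPTS = [
    (sha256_hex(FILES["macro.doc"]), 200, BLOCK_PAGE),   # block page with 200
    (sha256_hex(FILES["archive.zip"]), 403, b"denied"),  # explicit refusal
    (sha256_hex(FILES["script.vbs"]), None, b""),        # connection dropped
    (sha256_hex(FILES["tool.exe"]), 200, FILES["tool.exe"]),         # got through
    (sha256_hex(FILES["packed.rar"]), 200, FILES["packed.rar"][:5]),  # truncated
]

if __name__ == "__main__":
    counts, rate = block_rate(ATTEMPTS)
    print(dict(counts), f"{rate:.1f}% blocked")
```

Counting only HTTP status codes would score the first attempt as a successful download, which is why the hash comparison comes first.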

To test the anti-spam capabilities, we created a POP3 server using Microsoft
Windows Server 2003, created a test domain with a test user, and dumped spam
mails in the mailbox (on the WAN side). Then we downloaded these mails from a
mail client on the LAN side. Before doing this, we created a few rules by
clicking on 'ANTI SPAM > Spam Rules'. Once we had downloaded the mails, we
found that more than 90% of them had been scanned and tagged by the CR 1500i.
Another important point to note is that, by default, a mail larger than 1 MB is
not scanned. To change this, go to 'ANTI SPAM > Configuration'.

Besides checking these capabilities, we also found that the CR 1500i was quite
capable of blocking harmful web sites like porn sites. But no matter how good
an enterprise class UTM is, it should provide elaborate reports on harmful
activities. To check such activities, click on 'LOGS & REPORTS > View
Reports'. This redirects you to 'Cyberoam iVIEW'. Log in here and you can find
all the necessary reports in graphical form for future analysis and immediate
action.

Bottomline: This UTM is simple to configure and provides comprehensive security
and reports. So, even though its price is on the higher side, it shall prove to
be a worthy investment.
