
Cyberoam CR 1500i UTM

PCQ Bureau

To start with, let me talk about a few numbers (which we picked up from IISSM 2009) that describe the security situation today. Simply visit hackerwatch.org and you will see the millions of attacks that are occurring every moment. Now add to this a few more earth-shaking numbers: 60% of businesses don't know how much computer attacks cost them, and the 5% who know about these attacks estimate the associated cost at about $5 million per hour. Just about 1% of businesses have included computer attacks in their business continuity plan, and about 3% address computer viruses. Approximately 1.9 million IP addresses have been linked with online child exploitation, which is now a $20 billion industry.

We all know what happens to a computer when we connect it to the Internet without any security software: it is compromised within minutes. It is a well-known fact that no security software gives 100% safety against attacks from the Web, and the situation becomes more complex still if your business is at stake. There are plenty of solutions available today, but which one to choose is one of the biggest dilemmas that decision makers face. Whether to go for an open source solution or to get a box that fixes it all, the possibilities seem endless. In this article we focus on an enterprise-class UTM appliance from Cyberoam.


Price: Rs 15 lacs (inclusive of the appliance and 1 year total security subscription)



Meant for: Large Enterprises


Key Specs: Firewall, anti-spam, anti-virus, IPS, SSL VPN, bandwidth
management, 10 configurable gigabit ports, 2 optical fiber ports



Contact: Elitecore Technologies, Mumbai


Tel:  9819331998


Email: sumith.satheesan@cyberoam.com


Website: www.cyberoam.com


SMS Buy 130512 to 56677





Features



Though talking about physical appearance in the context of a UTM may be a little out of place, we would still like to raise a couple of points here. First, the display screen and buttons on the front of the CR 1500i are not yet functional, and the same is true of the front USB ports; both would be available in future models. On the other hand, the presence of a redundant power supply is a good feature, especially if you're using this appliance in 24x7 scenarios. Other good features include 10 configurable gigabit ports, two ports for connecting fiber optic cable, and a console port. The CR 1500i also comes with an internal HDD. It is categorized under the enterprise segment, with the capability of supporting 1500 users at gigabit throughput. Meant for large enterprises, this appliance is packed with every feature one would like to have: a stateful inspection firewall, gateway anti-virus and anti-spyware, gateway anti-spam, a built-in intrusion prevention system (IPS), content and application filtering, VPN, SSL VPN, bandwidth management, user identity and group based control, and, last but not least, a comprehensive logging and reporting mechanism. All these features are simple to configure and use.

How we tested



Setting up this appliance is fairly simple. If you have basic networking knowledge you can easily configure it in a few steps. There are two modes of setting up this appliance: bridge mode and gateway mode. In our test setup we used the gateway mode. The GUI is very simple, and a quick glance is enough to understand most of the configuration options, which are situated on the left. If you want a quick setup, there is a wizard on the top right. Simply click on the wizard and it will configure your device with default settings. For our tests we created a network with WAN on Port A and LAN on Port B of the CR 1500i.

The next important part is to register your product, which synchronizes your device with servers for effective protection against the latest signatures of viruses, spyware, spam, etc. To do this, click on 'System > Maintenance > Licensing'; from this page you can register and then synchronize your subscribed services. If you just want to try it out, there is a one-month free subscription available. To check that every service is working properly, open the dashboard in the CR 1500i GUI and, under 'License Information', make sure that an expiry date is shown against each subscribed service. The other way is to click on 'System > Maintenance > Services' and check on that page that every subscribed service is running.

Now, before we can check the anti-virus and anti-spam blocking and reporting capabilities of the CR 1500i, we need to add the required policies. Start by clicking on 'Firewall > Rules'. At the top, select 'Select Column', check the scan option and click on 'OK'. This adds a new column. Expand the 'LAN-WAN' rule and you will find a few letters highlighted in amber (in the Scan column). The amber color signifies that all these services are properly configured and running.


To test the anti-virus capabilities of this device, we set up a Linux machine running the Apache web server and placed different types of viruses on it (macros, zipped files, etc). We then tried to download these viruses from a machine behind the CR 1500i. For effective scanning and blocking, click on 'ANTI VIRUS > HTTP' (we used the HTTP protocol for downloading the viruses) and change the scan mode to batch mode. When we tried to download the viruses, we found that over 80% of them were blocked, and a custom message was displayed stating that the particular URL had been blocked as it was harmful.

To test the anti-spam capabilities, we set up a POP3 server using Microsoft Windows Server 2003, created a test domain with a test user, and dumped spam mails in the mailbox (on the WAN side). Then we downloaded these mails from a mail client on the LAN side. Before doing this, we created a few rules by clicking on 'ANTI SPAM > Spam Rules'. Once we downloaded these mails, we found that more than 90% of them were scanned and tagged by the CR 1500i. Another important point to note here is that, by default, a mail larger than 1 MB is not scanned. To change this, go to 'ANTI SPAM > Configuration'.


Besides checking these capabilities, we also found that the CR 1500i was quite capable of blocking harmful web sites like porn sites. But no matter how good an enterprise-class UTM is, it should provide elaborate reports on harmful activities. To check such activities, click on 'LOGS & REPORTS > View Reports'. This redirects you to 'Cyberoam iVIEW'. Log in here and you can find all the necessary reports in graphical form for future analysis and immediate action.

Bottomline: This UTM is simple to configure and provides comprehensive security and reports. So, even though its price is on the higher side, it should prove to be a worthy investment.
