Cyberoam CR50ia UTM appliance
UTM (Unified Threat Management) security solves the device sprawl for SMBs but throws a problem to the vendors: how do buyers, including prospective resellers, distinguish one UTM from another? They all feature more or less the same set of security modules, covering anti-virus, anti-spam, URL, email and web filtering, firewalling and sometimes some form of intrusion prevention system.
It turns out that in the five years since they first emerged as a class of device, UTMs have been maturing beyond the basic premise that a range of security layers can be combined in single boxes under one management console.
There are a number of approaches, with Cyberoam’s called ‘identity-based’ security, a fancy way of saying its products can relate the activity of individuals or departments to actual security events logged by the appliance. Easy to say, but it is actually quite a subtle idea and complex to implement. Assuming all UTMs can log the same events (by no means certain, but let’s assume so), how do admins make sense of all this data? How do they use it to build a more sophisticated picture of security events without spending their whole working lives tweaking abstract settings?
The complex bit is coming up with the policies to do useful security work without generating false positives or turning the admins into little Big Brothers. In that sense, UTMs involve the same hard work that a separate firewall would generate. What is the policy? How does anyone know that the policy, if it does exist, is being followed? A lot of challenges, then, even allowing that few admins start from scratch.
Cyberoam (a subsidiary of Indian-founded EliteCore Technologies) won’t be a company well known to UK-based companies, nor perhaps even to many US enterprises, but it seems to have quietly built up a sizable customer base since being founded in April 2006. We’d rate it as one of those extremely ambitious newcomers that pop up in networking technology from time to time, helped by its Indian-based product development centres.
Cyberoam’s CR 50ia is classed as a 1U SOHO or branch office product, but despite its apparently lowly billing it is really a remote office or SMB security gateway of some complexity and sophistication. Given the spec, we’d position it firmly in the remote or medium enterprise office space, supporting centrally-defined security policies for around 50-150 users. Otherwise, as with all UTM ranges, there’s a box for all seasons, ranging from the basic 15i at one end (3 x 10/100 ports) up to the 1500i (a 6,000Mbit/s firewall with 10GbE ports). It uses the same multi-core architecture as the rest of the range.
The box itself is outwardly unremarkable despite coming with no fewer than six Gigabit Ethernet ports (plus a console port), probably overkill unless it is designed to sit at the core as a distribution node. The lower-specified 50i has only four 10/100 ports. Ideally, it would have been nice to have had at least one Gigabit uplink on that model as a halfway-house option, but perhaps this will appear in future versions. Each port can be allocated to the WAN, the DMZ or, in the case of subnets, the LAN. Internal subnets will obviously need to be the latter, but this is easily achieved using the web interface.
The twin-fan cooling was severely noisy, which won’t be an issue when the unit is sitting in a rack, of course. On this model, there is no PSU or cooling redundancy beyond there being two fans rather than one.
The ICSA-certified firewall on the 50ia is rated at a meaty 750Mbit/s throughput, or 125Mbit/s in UTM mode; that’s 120Mbit/s anti-virus throughput by Cyberoam’s reckoning. In terms of what is on offer security-wise as optional subscriptions, it ticks the usual boxes of anti-malware (Kaspersky), gateway anti-spam (CommTouch), intrusion prevention and content/URL filtering, with bandwidth management and IPSec and SSL VPN topping it off.
An IPS subscription is also on offer as an extra purchase, a security element that is harder to assess. Using a quoted database of 3,500 signatures of Cyberoam’s own devising, this covers HTTP, FTP, SMTP, POP3, IMAP, P2P and IM, and comes with a proxy shield, but in our experience the intrusion prevention part of any UTM is always the part to ask the detailed questions about if this is an important requirement.
Configuration and features
The interface offers a lot to get to grips with at one time, and hinges on the core functions of user-focussed control and reporting. Unlike a conventional firewall, which might set up traffic security on the basis of protocols, the opening of application ports and traffic types, Cyberoam’s UTM assumes that what is allowed will be defined down to user level. This is an interesting design outlook and will appeal to admins, even though it requires asking some questions about what a particular user or department should actually be able to do, and not do.
The heart of this in the 50ia is content filtering, which has a wide range of options, right down to setting up blanket blocks on the basis of certain sites (e.g. Facebook or IM sessions), or doing so at certain times. Internet access policies can also be set up to positively allow certain clusters of sites to be visited by named users from the Active Directory list.
The power of the identity-based design is that such policies can be created for specific users in every security category, including, say, web filtering. Such flexibility avoids having to dedicate the UTM’s processing power, and accept the resulting performance hit, to scanning large numbers of users who probably never do anything untoward.
Fascinatingly, as well as defining what traffic heads into the enterprise, the system also offers some intelligent features as to what goes out, for instance in its data leakage prevention. The latter can manage HTTP upload to block attachments being posted to webmail systems, as well as stopping similar file transfers via P2P or IM. Similar rules can be applied to email. This addresses a major area of weakness of first-generation UTMs, namely that they naively assume security to be mainly an external threat.
None of this would be worth much without clear reporting, and it appears that some thought has gone into this area of the Cyberoam, which is not always a strong point of rival products without buying add-on modules. Drill-down reports provide full data on every type of attack and vector, from individual users through to graphical presentations of general trends. In addition, the system funnels key data into one of a series of compliance reporting formats.
The company also produces a full-blown reporting and security compliance suite, iView.