The Sophos CR10iNG is a small-business security appliance built for everyday business security demands and the growing range of network threats. In addition to wired and wireless network functionality, it bundles a firewall with anti-spam, content filtering, anti-virus, intrusion detection and prevention, anti-spyware and SSL VPN services.
Sophos describes the CR10iNG in terms of the seven OSI layers (Application, Presentation, Session, Transport, Network, Data-Link and Physical) and treats "User Identity" as an 8th layer of the protocol stack: policies can be tied to who is on the network rather than only to an IP address.
The appliance has a space-saving design and an easy-to-set-up web console. The hardware is a 1.8 GHz Atom CPU, 1 GB of system memory, a 4 GB compact flash card holding the OS, and three Gigabit Ethernet ports. For security services you choose between the Security Value Subscription (SVS) and the Total Value Subscription (TVS). SVS includes Gateway Anti-Virus & Anti-Spyware, Intrusion Prevention System, Web & Application Filtering (Web Filtering plus Application Visibility & Control) and 8 x 5 email, phone and chat technical support. TVS includes everything in SVS and adds Gateway Anti-Spam; that is the only difference between the two tiers.
The CR10iNG can operate in one of two modes, Gateway or Bridge. In Gateway mode it acts as the router for the networks it sits between; in Bridge mode it can run as a transparent layer 2 bridge or as a layer 3 bridge. Either mode is configured through the web-based interface, depending on what the network requires.
Using the web console's quick start wizard we set up the device in our existing network. The console lets you assign the network ports and offers a choice between a passive monitoring mode and applying one of several predefined security policies.
The device ships with Sophos's identity-based security, the "Layer 8" mentioned above. With it, the admin creates a permanent profile for each user, and all subsequent authentication and policy decisions are keyed to identity parameters such as username, IP address, MAC address and session ID. Once logged in, the user's Internet access is governed by the usage parameters in that profile, including access time windows, Internet quota, security policies and web filtering. The profile follows the user no matter which machine in the organisation he or she logs in from.
Securing the network
Setting up the appliance is fairly simple. For our test setup we used Gateway mode and built a network using just two ports (LAN and WAN). We then registered the product with its licence key so that it could synchronise with the Sophos servers and pull firmware updates as well as the latest virus, spyware and spam signatures.
Besides acting as a firewall, the appliance can protect websites and web-based applications from application layer (Layer 7) attacks such as SQL injection, cross-site scripting (XSS) and URL parameter tampering, and it handles IPv6-based URLs. Its IPS provides protection against DoS attacks, backdoor activity, blended threats and similar.
To test the anti-virus capability, we set up a Windows machine running the Apache web server on the WAN side, placed different types of virus samples on it (macro-infected documents, zipped files and so on), and tried to download them from a machine behind the CR10iNG. For effective scanning and blocking, go to 'ANTI VIRUS > HTTP' (we used HTTP for the downloads) and change the scan mode to batch mode, which holds the whole file until scanning has finished rather than streaming it to the client. With that setting, more than 85% of the samples we tried to download were blocked.
To test the DoS protection, we used a Windows 7 machine and a Kali 1.1.0 machine as attackers and set up a server behind the appliance. First we pointed LOIC, a DoS attack tool, at the server and flooded it; the appliance absorbed the flood and the tool was unable to affect the server. We then repeated the attempt using Kali's flooding tools, and again the server stayed protected.
To test the anti-spam capability, we built a POP3 server on Microsoft Windows Server 2003 with a test domain and a test user, and filled the mailbox with spam on the WAN side. Before downloading anything, we created a few rules under 'ANTI SPAM > Spam Rules'. We then downloaded the mail from a client on the LAN side and found that more than 95% of the messages had been scanned and tagged as spam by the CR10iNG.
Beyond these tests, we found the CR10iNG quite capable of blocking harmful website categories such as pornography. But however good an enterprise-class UTM is at blocking, it also needs to report on what it saw. To review that activity, go to 'LOGS & REPORTS > View Reports', which redirects you to 'Sophos iVIEW'. After logging in you get all the necessary reports in graphical form, suitable for later analysis as well as immediate action.
The web UI provides detailed logs of all activity. The appliance's light footprint had no adverse effect on the machines behind it, and it performed well in all of our security tests. Its iView console provides detailed graphs covering web filtering, anti-virus, anti-spam and more. A particularly useful feature is the per-user view: you can see every web category, domain and site an individual has attempted to access.