Cyberoam UTM vs. CISCO ASA 5500 Series. CISCO ASA: Provides Choices and not a Total Solution.
Cyberoam Certifications

Westcoast Labs Checkmark Certification: UTM Level 5. Categories: Enterprise Firewall, VPN, Anti-Virus and Anti-Spyware Gateway, Premium Level Anti-Spam, IPS, URL Filtering.

ICSA Certification. Category: Corporate Firewall with Active-Active High Availability.

Cyberoam UTM is certified by the Virtual Private Network Consortium (VPNC): Basic Interop, AES Interop, SSL Portal, SSL Firefox, SSL JavaScript, SSL Basic Network Extension, SSL Advanced Network Extension.

Awards

Winner of 2008/2009 ZDNet Award. Category: IT Leader, Asia's Most Promising Asian TechnoVisionaries.

Winner of 2007 Global Product Excellence Awards, Customer Trust Category: For Integrated Security Appliance, For Security Solution for Education, For Unified Security.

Product Review

• SC Magazine: Cyberoam UTM, Overall Rating: 5 Stars
• PC PRO Recommended: Cyberoam CR15i UTM, Overall Rating: 6 Stars

Cyberoam in Numbers

• Worldwide Presence: Deployed in 90+ countries
• Number of Anti-Virus Signatures: 1.5 Million
• Virus Detection Rate: 98.46%
• Spam Detection Rate: 98%
• False Positive Rate: 1 in One Million
• Number of URL categories: 82+

Choose between:
• Content Security, or
• IPS
There is only one available slot per chassis in the ASA 5500 series, so the user can deploy either IPS or the content and virus filter, not both.

Cyberoam UTM's identity-based access management paradigm offers the eighth layer of security, even in DHCP and Wireless environments. www.cyberoam.com

AIP (IPS) or CSC (Content and Virus Filter) - Choose Only One

The Adaptive Security Appliance (ASA) series comprises a new hardware line which funnels VPN acceleration, antivirus, anti-spyware, intrusion prevention and DoS (denial of service) protection into one device.
The products were developed with technologies plucked from the firm's stable of security gear, including the IPS 4200 intrusion prevention appliance, the VPN 3000 concentrator and the firm's PIX Firewall. It has Trend Micro's anti-X antivirus and network quarantine technology based on Cisco's Network Admission Control (NAC) multi-vendor effort.

The ASA series is plagued by one major limitation. There is only one available slot per chassis, so it is not possible to deploy both the Advanced Inspection and Prevention (AIP) Module and the Content Security and Control (CSC) Security Services Module. The AIP Module is responsible for IPS, whereas the CSC Module is responsible for content security. In other words, one Adaptive Security Appliance (ASA) is not able to run both IPS and Content Security simultaneously. This is a serious drawback of hardware-based security modules: with just one additional security module running, the throughput is bound to be good, but at the cost of security.

Cyberoam: User Centric Security Approach

• Who do you give access to: An IP Address or a User?
• Whom do you wish to assign security policies to: User Name or IP Addresses?
• In case of an attempted insider breach, whom do you wish to see: User Name or IP Address?
• How do you create network address based policies in a DHCP and a Wi-Fi network?
• How do you create network address based policies for shared desktops?

Cyberoam UTM approaches the security paradigm from the identity perspective. Blended threats circumvent the perimeter defense and launch an attack from within: the network's own resources are used to subvert it. The main target is thus the end user, who knowingly or unknowingly breaches the perimeter defense.
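As an added illustration (not code from the original document or from either vendor), the following Python sketch contrasts the two decision matrices the questions above ask about: a rule keyed on an IP address and a rule keyed on user identity plus schedule, both evaluated against a constructed DHCP scenario in which one lease passes from one user to another during the day. All user names, addresses, services and rules are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    service: str
    user: Optional[str]   # identity learned from the authentication layer; None if unknown
    when: datetime

@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    service: Optional[str] = None                # None matches any service
    user: Optional[str] = None                   # identity criterion; None matches any user
    schedule: Optional[Tuple[int, int]] = None   # (start_hour, end_hour), Monday to Friday only

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src_ip) not in ip_network(self.src_net):
            return False
        if ip_address(p.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.service is not None and self.service != p.service:
            return False
        if self.user is not None and self.user != p.user:
            return False
        if self.schedule is not None:
            start, end = self.schedule
            if p.when.weekday() > 4 or not start <= p.when.hour < end:
                return False
        return True

def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched falls through to deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# IP-only matrix: the assumed finance server is opened to whichever host holds lease 10.0.0.25.
IP_ONLY_RULES = [Rule("allow", src_net="10.0.0.25/32", dst_net="10.0.1.10/32", service="smb")]
# Identity-based matrix: the same access is tied to the user and to office hours instead.
IDENTITY_RULES = [Rule("allow", dst_net="10.0.1.10/32", service="smb", user="alice", schedule=(8, 18))]
# Constructed scenario: the DHCP lease for 10.0.0.25 passes from alice to bob during the day.
alice_morning = Packet("10.0.0.25", "10.0.1.10", "smb", "alice", datetime(2009, 6, 22, 9, 30))
bob_afternoon = Packet("10.0.0.25", "10.0.1.10", "smb", "bob", datetime(2009, 6, 22, 14, 0))
alice_night = Packet("10.0.0.40", "10.0.1.10", "smb", "alice", datetime(2009, 6, 22, 23, 0))
```

The IP-only matrix admits bob once he inherits the lease, while the identity matrix admits alice from any address during office hours and denies everything else.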
While providing a robust perimeter defense, Cyberoam's Identity-based access control technology ensures that every user is encapsulated in a tight, yet granular, security policy that spans Cyberoam's Firewall/VPN, Gateway Anti-Virus, Anti-Spam, Web Filtering, Intrusion Prevention Solution (IPS) and Bandwidth Management solutions.

Major Drawbacks of ASA 5500 Series

• Insufficient use of Identity as a Control Parameter
Like many other firewalls, ASA 5500 only provides authentication with internal/external databases, but it does not use identity as a matching criterion in firewall rules. This seriously limits the flexibility of the security solution.

• Self Limiting Approach – Mutually Exclusive Hardware Security Solutions
This is a major drawback in the ASA series. The AIP and CSC security modules are hardware based. AIP deals with IPS, while the CSC module is responsible for content filtering, anti-spam and anti-virus. There is just one expandable slot per chassis. This means that at any given point of time an ASA is equipped with either AIP or CSC; the user cannot deploy both modules simultaneously. This leaves a gaping hole in the security.

• No Bandwidth Management
ASA 5500's Traffic Policy management and QoS degrade the throughput of the appliance. Hence, by default, they are disabled. Moreover, these services are limited to the VPN module only.

• No Multiple Gateways, Link Fail-Over and Load Balancing Support
The ASA 5500 series only supports Multiple Gateways, Link Fail-Over and Load Balancing for the VPN module. Other modules are not supported by these features.

Let us look at these and some other ASA 5500 features in comparison with Cyberoam UTM.

Head to Head Comparison

Enhanced Firewall Decision Matrix
Points to Ponder: The firewall is a primary security component in network security. A normal decision matrix in a firewall stops at the IP address of a machine. In the blended threat scenario, social engineering is used to target the weakest link – the end user. So a user's identity becomes an important decision and control parameter in the firewall matrix.
Cisco ASA 5500: The firewall component is picked from Cisco PIX. It is a good firewall that stops short of recognizing a user. Identity is an external component used for authentication only.
Cyberoam UTM: Cyberoam, in a paradigm shift, extends the firewall's rule matching criteria to include schedule and the user's identity. Similarly, the firewall actions are extended to include complete policy based control over all the security solutions, like content filtering, IPS, Internet access management, bandwidth management and anti-virus and anti-spam scans.

State-of-Art Identity-based Access Management
Points to Ponder: IAM is a combination of Identity, time scheduling and access management. This is a powerful control mechanism which reaches down to all the security solutions in a UTM. Identity and time schedule are the two dimensions used to define a user's real time identity in a security solution.
Cisco ASA 5500: ASA 5500 does not have this feature.
Cyberoam UTM: Cyberoam's identity-based access management feature provides unparalleled flexibility, security and control to the network administrator over the end user.

Adaptable AV/AS Scans
Points to Ponder: For most users, missing a legitimate email is an order of magnitude worse than receiving spam or a virus. To avoid such an unpleasant situation you need to control the parameters used to classify a mail as virus infected or spam and the action taken thereafter. User-based customized scans can ensure that not a single mailed business opportunity is lost to security.
Cisco ASA 5500: ASA 5500 does not have such granular control over its virus and spam scans. It has anti-X from Trend Micro.
Cyberoam UTM: Cyberoam UTM has an OEM license from Kaspersky's Gateway AV. Using Cyberoam UTM you can define custom spam filtering rules based on sender or recipient, IP address, MIME header and message size. Cyberoam UTM also utilizes configurable RBLs for complete anti-spam coverage. You have the flexibility to configure a scan as per your needs, rather than adjusting yourself to the way a security solution operates.

Security Over Mail Protocol Spectrum
Points to Ponder: Email is one of the most potent vectors that affect security and business. While mail with a malicious payload is the single largest threat to security, mail is the single largest medium to conduct business. Hence the mail protocol spectrum – SMTP, POP3 and IMAP – should be continuously monitored for blended threats.
Cisco ASA 5500: ASA 5500 scans SMTP and POP3, but does not support the IMAP protocol.
Cyberoam UTM: Cyberoam UTM covers the full protocol spectrum, which includes SMTP, POP3 and IMAP. It also provides you the ability to scan and block the widest range of attachments. This ensures seamless business continuity and complete protection in case of a Zero Day Vulnerability.

Self-service AV Quarantine Area
Points to Ponder: A quarantine area is a safe holding area for all suspicious/infected files. This allows organizations to remove infected files from general circulation without deleting them. A gateway quarantine area should be self-service, as there are a large number of users involved. So users ought to be notified that a mail has been quarantined, and they should be able to access and deal with it without depending on the administrator.
Cisco ASA 5500: ASA 5500 does not have a quarantine area.
Cyberoam UTM: The self-service quarantine area from Cyberoam UTM enables individual mail recipients to view and manage their infected messages. The self-service feature removes the user's dependency on the administrator to manage quarantined mails.

Identity-based IPS Policies and Reporting Ensures Transparency
Points to Ponder: To deploy security policies the administrator has to know his target. IP addresses are not target enough. The most harmful intrusion attempts are made from inside a network. In IP address based IPS policies and reporting the identity gets lost. To ensure complete transparency in a network, the IPS policies and reporting should also take the user's identity into their ambit.
Cisco ASA 5500: ASA 5500 does not support this feature.
Cyberoam UTM: Cyberoam UTM provides IP address and User-based reports. Providing complete visibility, it thwarts anonymity in DHCP, Wireless and computer sharing environments. In case of threat detection, it reduces the administrator's reaction time: the administrator can personally contact the erring user. Identity based policies also lend unprecedented granularity to the IPS policies.

Identity-based Tunable IPS Policy
Points to Ponder: Blanket policies, over time, force the administrator to open security loopholes. Customized policies provide you the comfort to deploy IPS policies as per your needs. Custom IPS signatures reach deeper than a firewall and antivirus to protect the network from blended threats.
Cisco ASA 5500: ASA 5500 does not support this feature.
Cyberoam UTM: Cyberoam UTM provides the administrator with the ability to attach an individual IPS policy to a combination of source, destination, application, identity and schedule. This ensures a customized IPS policy as per your needs. Cyberoam UTM also provides you the facility to use custom IPS signatures. These features ensure that your network security is geared up to meet any exceptions as well as general threat conditions.

User and Policy based Bandwidth Management
Points to Ponder: A bandwidth management solution should provide the flexibility and power for policy based bandwidth management in the complete network.
Cisco ASA 5500: ASA 5500 provides IP address based bandwidth management support for its VPN solution only.
Cyberoam UTM: Cyberoam UTM provides user and policy based bandwidth management. It also provides individual upstream and downstream bandwidth control. Using Cyberoam UTM you can provide QoS to a combination of source, destination and service/service group by committing bandwidth to users, applications and servers based on time schedules. Cyberoam UTM has user-wise bandwidth distribution and control over bandwidth usage individually, both upstream and downstream.

User and Schedule Based Web Filtering Solution
Points to Ponder: Web filtering is not merely allowing and blocking of internet access. Most successful Web filtering solutions have: Schedule and Identity based Web Filtering; HTTP Based File Upload Control; Logging of Web Searches.
Cisco ASA 5500: ASA 5500 is not equipped with user and schedule based granular control over its content filtering solution. It is not equipped with an on-appliance content filtering database.
Cyberoam UTM: Cyberoam UTM has the ability to combine Internet access management and Web content filtering to achieve policy and schedule-based intelligent Web filtering. Cyberoam UTM's on-appliance proprietary URL database, called WEBCat, is 60+ categories strong with millions of URLs categorized within it. Using Cyberoam UTM you can control all uploads over HTTP and log all searches performed on the Web.

Phishing and Pharming Protection
Points to Ponder: Phishing and Pharming are the next generation threats instigating the end users to breach the network security from within. Phishing is passive baiting through mail, and Pharming is an active process of host file corruption which leads the user unknowingly to a malicious site.
Cisco ASA 5500: ASA 5500 has Phishing protection, but lacks any protection against Pharming.
Cyberoam UTM: Cyberoam UTM protects against both Phishing and Pharming. Its WEBCat database has a comprehensive category dealing with Phishing sites. In case of a host file corruption due to a Pharming attack, the DNS configured in Cyberoam UTM makes sure that the user is not directed to a malicious site.

Control of File Transfer Over IM Prevents Loss of Confidential Information
Points to Ponder: Unmonitored content leaving an organization through an IM application introduces security, legal and competitive risk. It is difficult for the IT department to discover potential breaches of policy or to hold individuals accountable.
Cisco ASA 5500: ASA 5500 provides blanket file control blockage policies.
Cyberoam UTM: Cyberoam UTM's application filtering solution is powerful enough to control file transfer over any IM application. Identity can be used as a control parameter in these control policies.

User Identity Based Comprehensive Reporting
Points to Ponder: Reports are an integral part of any security solution, as they are the tools that provide visibility. Clear and precise reports are the most valuable tool for making sure that an organization's resources are productively focused.
Cisco ASA 5500: ASA 5500 does not have this feature.
Cyberoam UTM: Cyberoam UTM has an on-appliance integrated reporting module which provides IP address and user identity based in-depth reports. All reports are HTTP/HTTPS based, and so are platform, location and client independent.

Data Transfer Accounting and Control
Points to Ponder: Data transfer accounting and control helps you see the actual bandwidth consumption by an individual or an application. This feature also helps find the exact Internet usage cost in case of fixed data transfer quotas.
Cisco ASA 5500: ASA 5500 does not have this feature.
Cyberoam UTM: Cyberoam UTM provides comprehensive, application and user based data transfer accounting and control. This feature comes in handy in educational institutions, where Internet consumption per individual is important.

Gateway Failover and Load Balancing
Points to Ponder: In case of multiple ISP links, a failover solution is indispensable. However, the criteria for classifying an ISP link as "non-working" are critical. There are times when a mission critical application is unreachable through a specific ISP link while the same is reachable through the other one. In this case the failover solution should take over. In case of multiple gateway support, load balancing is indispensable.
Cisco ASA 5500: ASA 5500 has a limited feature for VPN only.
Cyberoam UTM: Cyberoam UTM supports multiple links and load balancing over them too. Cyberoam UTM's gateway failover supports complex rules to check the network status of a particular application. Cyberoam UTM can detect and manage a link failure for the true use of the Internet.

Automated Single Sign-On Support
Points to Ponder: Automated Single Sign-On is the tool to identify a user in a security system. It not only automatically authenticates a user, but also creates a single security bubble which can be audited and secured.
Cisco ASA 5500: ASA 5500 does not have this feature.
Cyberoam UTM: Cyberoam UTM supports external ADS, PDC, LDAP and RADIUS authentication, as well as internal Cyberoam UTM based authentication (a database of users created in the UTM).

Disclaimer: Confidential, intended for internal circulation only. The comparison is based on our interpretation of the publicly available information of the compared product. Either of the product features is likely to change without prior notice.

Document Version: 4.0 – 96016 - 26062009