Cisco IronPort S160
Strengths: Quality range of security features. Much-needed anti-spam service performs well; excellent reporting and monitoring tools
Weaknesses: Muddled documentation and tricky installation
Verdict: An easily customised UTM appliance, offering a wealth of security measures, along with very good anti-spam performance
Cisco's IronPort appliances have traditionally offered a powerful security solution to enterprises, but it now wants to make this technology available to budget-conscious SMBs. Along with messaging security, the IronPort family includes three web security appliances and the latest S160 delivers the same high level of features as its bigger siblings - but at a more affordable cost.
Prices for the S160 start at £1,900 for the appliance and to this you can add subscriptions for up to four security services. Anti-spyware and anti-malware are handled by Webroot, while McAfee looks after anti-virus scanning. URL filtering comes courtesy of Cisco's own IronPort service and to top it off you have the IronPort SensorBase web reputation service.
Other key features are the ability to scan HTTP, FTP and HTTPS traffic, allowing acceptable use policies (AUPs) to be enforced for standard and encrypted web traffic. You get Layer 4 traffic monitoring, which scans all ports in real time and detects and blocks spyware activity. It can also spot and stop malware that tries to circumvent port 80.
Supporting up to 1,000 users, the S160 is a low-profile 1U rack appliance based on a good quality and commendably quiet Dell PowerEdge server. There are a lot of network ports and their usage is determined by your deployment method. At its foundation, the appliance acts as a web proxy and Layer 4 traffic analyser and needs to be inserted into the network where it can see all traffic.
Proxy and traffic analysis duties are handled by a separate quad-port Gigabit card and one of the two embedded network ports provides dedicated management access. The proxy offers two operational modes where the explicit forward option requires all client applications to be configured to use it.
Transparent mode does away with the need to reconfigure your client apps, but it requires an L4 switch or WCCP v2 router to work. The L4 traffic monitor can use either a switch span port or a network tap. For both proxy and traffic analysis you can use one port of each pair in simplex mode, or use both pairs on the quad-port card in duplex mode.
For testing, we went for the explicit forward mode and set our clients to use the S160 as their proxy. For the L4 traffic analysis, we set our ProCurve Gigabit switch to mirror all traffic to one monitor port that allowed the appliance to see everything on the lab network.
No need to muck about with a serial port connection for initial installation, as you go straight to the appliance's intuitive web interface and follow the wizard. This takes you through configuring hostnames, selecting the management, proxy and traffic ports, providing IP addresses, choosing the proxy mode and securing administrative access.
The appliance starts up in monitor mode, so you can see what's occurring on the network. Default policy has both McAfee and Webroot services activated and the S160 only blocks uploads from websites that SensorBase doesn't like the look of.
The S160 employs a range of policies to enforce AUPs and can use identities to define users based on criteria such as host IP addresses, subnets, protocols and proxy port. Identities can also include the type of URL category being accessed, while user agents allow you to define specific applications such as web browser versions or IM and P2P apps.
Policies determine whether specific HTTPS traffic is decrypted, dropped or passed on and decide how to route users' requests. IronPort data security policies use customisable reputation scores to decide whether access to a website is allowed and the appliance can also work with external DLP (data loss prevention) servers.
For URL filtering you have 53 categories to choose from and for each one you can select monitor, warning or block modes. The warning mode presents the user with a web consent form that they must agree to before they are allowed to access the site that set the alarm bells ringing. Access policies also allow you to block files over a certain size from being downloaded and specific file types, such as archives, documents and executables.
We found the IronPort filtering service extremely effective during testing. With the games and gambling categories blocked, we were stopped from accessing the first 50 online poker sites and for online bingo we only got through to two of the 50 sites visited. Another handy feature is the ability to apply a schedule to any of the categories, so they are only blocked at certain times of the day or week.
From the Monitor tab we could see clearly what was occurring on our network and could view activity by client, URL category or blocked content. The L4 traffic monitor reveals malware sites and ports detected and regular reports can be scheduled, exported to CSV or PDF and emailed to multiple recipients.
We did find one area where reports were lacking: you can't see precisely which websites a client visited. All that the reports and monitors will show you are the URL categories they visited and not the actual site. Data was short on malware too, as you can't find out what was actually detected.
The IronPort S160 is more costly than many competing web security solutions in this market sector, but it's worth the extra outlay as its filtering performance is second to none. Furthermore, HTTPS is supported as standard and its policies allow quite complex and varied AUPs to be easily created and enforced.