Cyberoam UTM vs. CISCO ASA 5500 Series
CISCO ASA: Provides Choices and not a Total Solution.

Cyberoam Certifications
Westcoast Labs Checkmark Certification: UTM Level 5
Categories:
• Enterprise Firewall
• VPN
• Anti-Virus and Anti-Spyware Gateway
• Premium Level Anti-Spam
• IPS
• URL Filtering

ICSA Certification
Category: Corporate Firewall with Active-Active High Availability
Choose between:
• Content Security
or
• IPS
There is only one available slot per chassis in the ASA 5500 series, so the user can deploy either IPS or the content and virus filter, not both.

Cyberoam UTM's identity-based access management paradigm offers the eighth layer of security, even in DHCP and wireless environments.

www.cyberoam.com

Awards
Winner of 2008/2009 ZDNet Award
Category:
• IT Leader
• Asia's Most Promising Asian TechnoVisionaries
Winner of 2007 Global Product Excellence Awards, Customer Trust Category:
• For Integrated Security Appliance
• For Security Solution for Education
• For Unified Security
Product Review
• SC Magazine: Cyberoam UTM, Overall Rating: 5 Stars
• PC PRO Recommended: Cyberoam CR15i UTM, Overall Rating: 6 Stars
Cyberoam UTM is Certified by the Virtual Private Network Consortium (VPNC):
• Basic Interop
• AES Interop
• SSL Portal
• SSL Firefox
• SSL JavaScript
• SSL Basic Network Extension
• SSL Advanced Network Extension
Cyberoam in Numbers
Worldwide Presence: Deployed in 90+ countries
Number of Anti-Virus Signatures: 1.5 Million
Virus Detection Rate: 98.46%
Spam Detection Rate: 98%
False Positive Rate: 1 in One Million
Number of URL Categories: 82+
AIP (IPS) or CSC (Content and Virus Filter) - Choose Only One
The Adaptive Security Appliance (ASA) series is a new hardware line that funnels VPN acceleration, antivirus, anti-spyware, intrusion prevention and DoS (denial of service) protection into one device. The products were developed with technologies drawn from the firm's stable of security gear, including the IPS 4200 intrusion prevention appliance, the VPN 3000 concentrator and the firm's PIX Firewall. It carries Trend Micro's anti-X antivirus and network quarantine technology based on Cisco's Network Admission Control (NAC) multi-vendor effort.

The ASA series is plagued by one major limitation. There is only one available slot per chassis, so it is not possible to deploy both the Advanced Inspection and Prevention (AIP) module and the Content Security and Control (CSC) Security Services Module. The AIP module is responsible for IPS, whereas the CSC module is responsible for content security.

In other words, one Adaptive Security Appliance (ASA) cannot run both IPS and content security simultaneously. This is a serious drawback of hardware-based security modules. With just one additional security module running, the throughput is bound to be good, but at the cost of security.
Cyberoam: User Centric Security Approach
• Who do you give access to: an IP address or a user?
• To whom do you wish to assign security policies: a user name or an IP address?
• In case of an attempted insider breach, whom do you wish to see: a user name or an IP address?
• How do you create network address based policies in a DHCP or Wi-Fi network?
• How do you create network address based policies for shared desktops?
Cyberoam UTM approaches the Security paradigm from the identity perspective. The blended threats circumvent
the perimeter defense and launch an attack from within. The network’s own resources are used to subvert it. The
main target is thus the end user who knowingly or unknowingly breaches the perimeter defense.
While providing a robust perimeter defense, Cyberoam’s Identity-based access control technology ensures that
every user is encapsulated in a tight, yet granular security policy that spans across Cyberoam’s Firewall/VPN,
Gateway Anti Virus, Anti-Spam, Web Filtering, Intrusion Prevention Solution (IPS) and Bandwidth Management
solutions.
Major Drawbacks of ASA 5500 Series

• Insufficient Use of Identity as a Control Parameter
Like many other firewalls, ASA 5500 only provides authentication against internal/external databases; it does not use identity as a matching criterion in firewall rules. This seriously limits the flexibility of the security solution.

• Self-Limiting Approach – Mutually Exclusive Hardware Security Solutions
This is a major drawback in the ASA series. The AIP and CSC security modules are hardware based. AIP deals with IPS, while the CSC module is responsible for content filtering, anti-spam and anti-virus. There is just one expansion slot per chassis, which means that at any given point in time an ASA is equipped with either AIP or CSC. The user cannot deploy both modules simultaneously. This leaves a gaping hole in the security.

• No Bandwidth Management
ASA 5500's traffic policy management and QoS degrade the throughput of the appliance; hence, by default, they are disabled. Moreover, these services are limited to the VPN module only.

• No Multiple Gateways, Link Fail-Over and Load Balancing Support
The ASA 5500 series only supports multiple gateways, link fail-over and load balancing for the VPN module. Other modules are not covered by these features.
Let us look at these and some other ASA 5500 features in comparison with Cyberoam UTM.
Head to Head Comparison
(Each entry below gives the Points to Ponder, followed by the Cisco ASA 5500 column and the Cyberoam UTM column of the original table.)
Enhanced Firewall Decision Matrix
Points to Ponder: The firewall is a primary component in network security. A normal decision matrix in a firewall stops at the IP address of a machine. In the blended threat scenario, social engineering is used to target the weakest link, the end user. So a user's identity becomes an important decision and control parameter in the firewall matrix.
Cisco ASA 5500: The firewall component is taken from Cisco PIX. It is a good firewall that stops short of recognizing a user. Identity is an external component used for authentication only.
Cyberoam UTM: Cyberoam, in a paradigm shift, extends the firewall's rule matching criteria to include schedule and the user's identity. Similarly, the firewall actions are extended to include complete policy based control over all the security solutions, such as content filtering, IPS, Internet access management, bandwidth management and anti-virus and anti-spam scans.
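To make the "decision matrix" point concrete, here is an added Python example (not Cyberoam or Cisco code) contrasting a rule keyed on source IP with a rule keyed on authenticated user and schedule; the addresses, user names and working hours are constructed. It shows how a DHCP lease change defeats the IP-keyed rule while the identity rule follows the user.

```python
"""Identity- and schedule-aware firewall decision matrix (illustrative, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    src_net: Optional[str] = None          # classic criterion: source address/network
    user: Optional[str] = None             # identity criterion: authenticated user name
    hours: Optional[tuple] = None          # schedule criterion: (start, end) local time
    weekdays: frozenset = frozenset(range(5))   # Mon..Fri unless overridden

    def matches(self, src_ip, user, when):
        """Every criterion that is set must match; unset criteria are wildcards."""
        if self.src_net and ip_address(src_ip) not in ip_network(self.src_net):
            return False
        if self.user and user != self.user:
            return False
        if self.hours:
            start, end = self.hours
            if not (start <= when.time() < end) or when.weekday() not in self.weekdays:
                return False
        return True

def decide(rules, src_ip, user, when):
    """First matching rule wins; traffic that matches nothing is denied."""
    for rule in rules:
        if rule.matches(src_ip, user, when):
            return rule.action, rule.name
    return "deny", "default"

# Constructed sample policies: an IP-keyed rule versus an identity+schedule rule.
IP_ONLY = [Rule("finance-host", "allow", src_net="10.0.1.5/32")]
IDENTITY = [Rule("finance-alice", "allow", user="alice", hours=(time(9), time(18)))]
BUSINESS_HOURS = datetime(2009, 6, 26, 10, 30)   # a Friday morning
NIGHT = datetime(2009, 6, 26, 23, 0)

def compare(src_ip, user, when):
    return {"ip_only": decide(IP_ONLY, src_ip, user, when)[0],
            "identity": decide(IDENTITY, src_ip, user, when)[0]}

if __name__ == "__main__":
    print(compare("10.0.1.5", "alice", BUSINESS_HOURS))   # both allow
    print(compare("10.0.1.5", "bob", BUSINESS_HOURS))     # DHCP gave bob alice's old IP: ip_only allow, identity deny
    print(compare("10.0.1.77", "alice", BUSINESS_HOURS))  # alice on a new lease: ip_only deny, identity allow
    print(compare("10.0.1.77", "alice", NIGHT))           # outside schedule: identity deny
```

The second case is the one the text warns about: with address-only matching, whoever inherits the lease inherits the privilege, and the log entry names an IP rather than a person.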
State-of-the-Art Identity-based Access Management
Points to Ponder: IAM is a combination of identity, time scheduling and access management. This is a powerful control mechanism that reaches down to every security solution in a UTM. Identity and time schedule are the two dimensions used to define a user's real-time identity in a security solution.
Cisco ASA 5500: ASA 5500 does not have this feature.
Cyberoam UTM: Cyberoam's identity-based access management feature provides the network administrator with unparalleled flexibility, security and control over the end user.
Adaptable AV/AS Scans
Points to Ponder: For most users, missing a legitimate email is an order of magnitude worse than receiving spam or a virus. To avoid such an unpleasant situation you need to control the parameters used to classify a mail as virus infected or spam, and the action taken thereafter. User-based customized scans can ensure that not a single mailed business opportunity is lost to security.
Cisco ASA 5500: ASA 5500 does not have such granular control over its virus and spam scans. It has anti-X from Trend Micro.
Cyberoam UTM: Cyberoam UTM has an OEM license for Kaspersky's Gateway AV. Using Cyberoam UTM you can define custom spam filtering rules based on sender or recipient, IP address, MIME header and message size. Cyberoam UTM also uses configurable RBLs for complete anti-spam coverage. You have the flexibility to configure a scan as per your needs, rather than adjusting yourself to the way a security solution operates.
Security Over the Mail Protocol Spectrum
Points to Ponder: Email is one of the most potent vectors affecting security and business. While mail with a malicious payload is the single largest threat to security, mail is also the single largest medium for conducting business. Hence the mail protocol spectrum, SMTP, POP3 and IMAP, should be continuously monitored for blended threats.
Cisco ASA 5500: ASA 5500 scans SMTP and POP3, but does not support the IMAP protocol.
Cyberoam UTM: Cyberoam UTM covers the full protocol spectrum, which includes SMTP, POP3 and IMAP. It also provides you the ability to scan and block the widest range of attachments. This ensures seamless business continuity and complete protection in case of a zero-day vulnerability.
Self-service AV Quarantine Area
Points to Ponder: A quarantine area is a safe holding area for all suspicious/infected files. It allows organizations to remove infected files from general circulation without deleting them. A gateway quarantine area should be self-service, as a large number of users are involved. Users ought to be notified that a mail has been quarantined and be able to access and deal with it without depending on the administrator.
Cisco ASA 5500: ASA 5500 does not have a quarantine area.
Cyberoam UTM: The self-service quarantine area of Cyberoam UTM enables individual mail recipients to view and manage their infected messages. The self-service feature removes the user's dependency on the administrator for managing quarantined mail.
Identity-based IPS Policies and Reporting Ensure Transparency
Points to Ponder: To deploy security policies the administrator has to know his target, and IP addresses are not target enough. The most harmful intrusion attempts are made from inside a network. In IP address based IPS policies and reporting, the identity gets lost. To ensure complete transparency in a network, the IPS policies and reporting should also take the user's identity into their ambit.
Cisco ASA 5500: ASA 5500 does not support this feature.
Cyberoam UTM: Cyberoam UTM provides IP address and user-based reports. By providing complete visibility, it thwarts anonymity in DHCP, wireless and shared-computer environments. In case of threat detection, it reduces the administrator's reaction time: the administrator can personally contact the erring user. Identity-based policies also lend unprecedented granularity to the IPS policies.
Identity-based Tunable IPS Policy
Points to Ponder: Blanket policies, over time, force the administrator to open security loopholes. Customized policies give you the comfort of deploying IPS policies tailored to your needs. Custom IPS signatures reach deeper than a firewall and antivirus to protect the network from blended threats.
Cisco ASA 5500: ASA 5500 does not support this feature.
Cyberoam UTM: Cyberoam UTM provides the administrator with the ability to attach an individual IPS policy to a combination of source, destination, application, identity and schedule. This ensures an IPS policy customized to your needs. Cyberoam UTM also provides the facility to use custom IPS signatures. These features ensure that your network security is geared up to meet exceptions as well as general threat conditions.
User and Policy based Bandwidth Management
Points to Ponder: A bandwidth management solution should provide the flexibility and power for policy based bandwidth management across the complete network.
Cisco ASA 5500: ASA 5500 provides IP address based bandwidth management support for its VPN solution only.
Cyberoam UTM: Cyberoam UTM provides user and policy based bandwidth management, with individual upstream and downstream bandwidth control. Using Cyberoam UTM you can provide QoS to a combination of source, destination and service/service group by committing bandwidth to users, applications and servers based on time schedules. Cyberoam UTM has user-wise bandwidth distribution and control over bandwidth usage, individually for both upstream and downstream.
User and Schedule Based Web Filtering Solution
Points to Ponder: Web filtering is not merely allowing and blocking Internet access. Most successful Web filtering solutions have:
• Schedule and identity based Web filtering
• HTTP based file upload control
• Logging of Web searches
Cisco ASA 5500: ASA 5500 is not equipped with user and schedule based granular control over its content filtering solution. It is not equipped with an on-appliance content filtering database.
Cyberoam UTM: Cyberoam UTM has the ability to combine Internet access management and Web filtering to achieve policy and schedule-based intelligent Web filtering. Cyberoam UTM's on-appliance proprietary URL database, called WEBCat, is 60+ categories strong with millions of URLs categorized within it. Using Cyberoam UTM you can control all uploads over HTTP and log all searches performed on the Web.
Phishing and Pharming Protection
Points to Ponder: Phishing and pharming are the next generation threats, instigating end users to breach the network security from within. Phishing is passive baiting through mail, while pharming is an active process of host file corruption which leads the user unknowingly to a malicious site.
Cisco ASA 5500: ASA 5500 has phishing protection, but lacks any protection against pharming.
Cyberoam UTM: Cyberoam UTM protects against both phishing and pharming. Its WEBCat database has a comprehensive category dealing with phishing sites. In case of host file corruption due to a pharming attack, the DNS configured in Cyberoam UTM makes sure that the user is not directed to a malicious site.
Control of File Transfer Over IM Prevents Loss of Confidential Information
Points to Ponder: Unmonitored content leaving an organization through an IM application introduces security, legal and competitive risk. It is difficult for the IT department to discover potential breaches of policy or to hold individuals accountable.
Cisco ASA 5500: ASA 5500 provides blanket file control blockage policies.
Cyberoam UTM: Cyberoam UTM's application filtering solution is powerful enough to control file transfer over any IM application. Identity can be used as a control parameter in these control policies.
User Identity Based Comprehensive Reporting
Points to Ponder: Reports are an integral part of any security solution, as they are the tools that provide visibility. Clear and precise reports are the most valuable tool for making sure that the organization's resources are productively focused.
Cisco ASA 5500: ASA 5500 does not have this feature.
Cyberoam UTM: Cyberoam UTM has an on-appliance integrated reporting module which provides IP address and user identity based in-depth reports. All reports are HTTP/HTTPS based, and so are platform, location and client independent.
Data Transfer Accounting and Control
Points to Ponder: Data transfer accounting and control helps you see the actual bandwidth consumption of an individual or an application. This feature also helps find the exact Internet usage cost in case of fixed data transfer quotas.
Cisco ASA 5500: ASA 5500 does not have this feature.
Cyberoam UTM: Cyberoam UTM provides comprehensive, application and user based data transfer accounting and control. This feature comes in handy in educational institutions, where Internet consumption per individual is important.
Gateway Failover and Load Balancing
Points to Ponder: In case of multiple ISP links, a failover solution is indispensable. However, the criteria for classifying an ISP link as "non-working" are critical. There are times when a mission critical application is unreachable through a specific ISP link while it is reachable through the other one; in this case the failover solution should take over. With multiple gateway support, load balancing is indispensable as well.
Cisco ASA 5500: ASA 5500 has a limited feature for VPN only.
Cyberoam UTM: Cyberoam UTM supports multiple links and load balancing over them too. Cyberoam UTM's gateway failover supports complex rules to check the network status of a particular application. Cyberoam UTM can thus detect and manage a link failure in terms of actual reachability of Internet services.
Automated Single Sign-On Support
Points to Ponder: Automated single sign-on is the tool to identify a user in a security system. It not only automatically authenticates a user, but also creates a single security bubble which can be audited and secured.
Cisco ASA 5500: ASA 5500 does not have this feature.
Cyberoam UTM: Cyberoam UTM supports authentication against external ADS, PDC, LDAP and RADIUS servers, as well as its internal user database (users created in the UTM).
Disclaimer:
Confidential, intended for internal circulation only.
The comparison is based on our interpretation of the publicly available information about the compared product.
Features of either product are likely to change without prior notice.
Document Version: 4.0 – 96016 - 26062009