VigorPro 5510 UTM Firewall with Anti-Virus & Anti-Spam | Enterprise
The VigorPro Security Firewall featuring UTM (Unified Threat Management) protects from network threats at the point of entry. Combined with your own prudent personnel policy, the VigorPro enables you to provide far stronger protection and detection than with simpler firewalls. VPN facilities also make the VigorPro ideal for your worldwide connectivity for remote offices and teleworkers.
The VigorPro also provides two WAN ports to allow you to have load balancing/bandwidth aggregation across two separate WAN feeds, or use the secondary WAN port as a backup on another feed in case your first Internet feed (e.g. broadband connection) fails. In summary, the VigorPro provides your network with far greater security, productivity and resilience.
The VigorPro Security Firewall features UTM (Unified Threat Management), protecting from many types of network threat at the point of entry. In this document we explain some of the threats your network faces, and how the VigorPro helps defeat those threats.
The online world is more extensive, useful and busy than ever, but with such ease of propagation, those with malicious intent have a far bigger ballpark with a greater variety and number of targets. A threat may not cause any damage, but is something you always want to avoid. There are various reasons why threats exist - some are deliberate, others not. All threats to your network or systems fall into one or more of the following six threat categories - these are the reasons for the threat existing (excluding circumstances where you deliberately stop or compromise your own network):
The Five Network Threats:
1. Malicious
2. Mischievous
3. Fraudulent
4. Consequential
5. Failure
Understanding each of the categories can be important in your network planning. Network border protection is just one aspect, and the one the VigorPro can help with (other protection includes physical security, such as door locks or alarms). The six categories can be described as follows:
| Category | Description |
|---|---|
| Malicious | Intended to cause loss, embarrassment or inconvenience for spite or commercial advantage. |
| Mischievous | Intended to cause damage or inconvenience for notoriety, publicity, entertainment or to test/expose vulnerabilities. |
| Fraudulent | Intended to obtain either financial/commercial advantage or access to privileged information. |
| Consequential | Unintentional loss, effect, exposure or damage as a consequence of omission or other activity. |
| Failure | The failure or loss of a system or connection. |
The VigorPro provides many different types of threat detection and protection, each protection method covering one or more of the attack types mentioned above. Later on, we'll give examples of how each VigorPro defence method protects against each category. Of course, border control is not the complete solution - any installation should be coupled with prudent staff/household policies to protect data and hardware physically too but the Vigor's extensive range of protection methods goes a great way in helping to protect your network, data and resources.
In a plain routed connection, data passes freely from source to destination, across as many 'hops' as is required. As most Internet protocols are reciprocal (or connection-oriented), reply packets are sent, either as acknowledgement that the data was received, or as a response requested in the originating packet. With a typical LAN, your PCs will not want to be left open to the outside world; an unsolicited and potentially harmful packet arriving at the WAN interface of your router should be blocked (discarded).
Note: If you are running a public service on a computer on your network, then you must allow unsolicited public access, but only on appropriate ports/services. For SPI here, we're referring only to PCs which are not intending to host public services.
In order to allow LAN users to access the Internet and get replies to page requests (for example), the firewall needs to distinguish between solicited (requested) replies from the outside world, which it forwards back through to the LAN client, and incoming data which was not requested.
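The solicited/unsolicited distinction described above can be shown with a small flow table. This is an added example, not DrayTek's implementation; the class names, the 60-second idle timeout and the sample addresses are assumptions, and NAT is left out to keep the lookup visible.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet arrives on the WAN interface


@dataclass
class StatefulFilter:
    idle_timeout: float = 60.0                    # seconds a quiet flow stays valid (assumed)
    published: set = field(default_factory=set)   # (proto, port) deliberately hosted
    flows: dict = field(default_factory=dict)     # flow tuple -> time last seen

    def check(self, pkt, now):
        if not pkt.inbound:
            # LAN-originated: record the flow so its replies can be recognised.
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "forward"
        # Inbound: a solicited reply is the mirror image of a recorded flow.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.flows.get(key)
        if seen is not None:
            if now - seen <= self.idle_timeout:
                self.flows[key] = now
                return "forward"
            del self.flows[key]                   # state expired: treat as unsolicited
        if (pkt.proto, pkt.dport) in self.published:
            return "forward"                      # public service on an allowed port
        return "drop"


def run_demo():
    """Constructed traffic; addresses are documentation ranges, NAT is ignored."""
    fw = StatefulFilter(published={("tcp", 25)})
    pc, web, stranger = "192.168.1.10", "198.51.100.7", "203.0.113.9"
    events = [
        (0.0,   Packet("tcp", pc, 40000, web, 80, False)),       # page request
        (0.2,   Packet("tcp", web, 80, pc, 40000, True)),        # solicited reply
        (1.0,   Packet("tcp", stranger, 80, pc, 40000, True)),   # wrong source
        (2.0,   Packet("tcp", stranger, 5555, pc, 3389, True)),  # unsolicited probe
        (3.0,   Packet("tcp", stranger, 5555, "192.168.1.2", 25, True)),  # hosted mail
        (120.0, Packet("tcp", web, 80, pc, 40000, True)),        # reply after timeout
    ]
    return [fw.check(pkt, now) for now, pkt in events]


if __name__ == "__main__":
    print(run_demo())
```

The fifth packet is forwarded only because TCP port 25 was explicitly published, which is the case the note above describes for hosts running a public service.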
Worms and viruses are typically contained within emails as attachments but attachments are normally encoded in several different protocol layers for transport; each layer serves a specific purpose. Examining the data stream is not sufficient to detect hostile content as it would not be recognisable; each encoding method changes the appearance of the data. The VigorPro's deep packet inspection technology breaks down the protocol layers beyond ISO Layer 4, up to Layer 7 (application). A standard firewall doesn't examine beyond layer 3/4. Decoding each encapsulation or encoding layer reveals the next until eventually you have the raw data.
In a data stream there is firstly the transport layer itself; the TCP/IP packets which consist of a header and, typically, a payload. At this layer (layer 3 & 4, according to convention), the VigorPro's DoS (Denial of Service) Protection examines and verifies the headers for any suspicious signatures or patterns, and stateful packet inspection and IP filtering will stop unauthorised packets but in order to detect malicious content, the Payload must be examined.
Only once the data stream has been decoded all the way down is the raw binary data visible, and any trojan or malicious code recognisable. In the case of email for example, a virus/trojan might firstly be contained in a ZIP (compressed) format, then UUEncoded for 7-bit transport, then MIME encoded for email attachment, then transferred using the POP3 protocol. The example of an email containing a malicious attachment in a ZIP file is illustrated in the diagram below:

The VigorPro will decode each of these sequential methods in real time using DrayTek's patent-pending MSSI™ - Multi-Stack Stateful Inspection. With MSSI™, separate protocol stacks take care of each layer which allows for varied protocols and cross-packet inspection (where content is fragmented in transit). Most importantly, MSSI scans data inline in real time - there is no proxy and no file size limitation and thanks to the dedicated CICP (Content Inspection Co-Processor), active scanning adds no processing overhead to the VigorPro's main CPU.
In the above example, the trojan (or other malicious code) was contained in an email, but the VigorPro will also scan other common methods of transfer including HTTP, FTP, SMTP and IMAP and if you are using the VigorPro to create VPN connections too, the scanning engine will scan within the VPN tunnels as well as regular Internet traffic. The diagram on the right shows how cross packet inspection allows the VigorPro to detect content even when it is broken up or interrupted by packet borders. The VigorPro's Deep Packet Inspection can defend against Network Threat Categories 1 to 5.
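Cross-packet inspection as described above, shown as an added example (not DrayTek's code): a matcher that carries the tail of each flow's previous payload forward so a signature split across packet borders is still found. The marker string, flow labels and packets are constructed, and segments are assumed to arrive in order.

```python
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"  # harmless marker, stands in for a real signature


class StreamScanner:
    """Match a byte signature across packet borders, one carry-over buffer per flow."""

    def __init__(self, signature):
        self.signature = signature
        self.tails = {}  # flow id -> last len(signature)-1 bytes seen on that flow

    def feed(self, flow, payload):
        # Prepend what was kept from this flow's earlier packets, then search.
        window = self.tails.get(flow, b"") + payload
        found = self.signature in window
        keep = len(self.signature) - 1
        # Keeping len-1 bytes is enough: a longer tail could not start a new match.
        self.tails[flow] = window[-keep:] if keep else b""
        return found

    def close(self, flow):
        self.tails.pop(flow, None)  # free state when the connection ends


def naive_scan(packets, signature=SIGNATURE):
    """Per-packet matching: misses anything that straddles a packet border."""
    return [signature in payload for _, payload in packets]


def scan_flows(packets, signature=SIGNATURE):
    scanner = StreamScanner(signature)
    return [scanner.feed(flow, payload) for flow, payload in packets]


# Constructed capture: flow "A" carries the marker in three pieces,
# interleaved with unrelated traffic on flow "B".
SAMPLE = [
    ("A", b"xxCONSTRUCTED-"),
    ("B", b"hello "),
    ("A", b"TEST-SIG"),
    ("B", b"world"),
    ("A", b"NATUREyy"),
]

if __name__ == "__main__":
    print("per-packet:", naive_scan(SAMPLE))
    print("per-flow:  ", scan_flows(SAMPLE))
```

Keeping the carry-over per flow is what stops two unrelated connections from being stitched together into a false match.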
Using the above methods, the VigorPro scans connections for any virus or trojan signatures. On detecting a virus, the VigorPro will destroy it; if the virus is in an email (IMAP/POP3/SMTP) that email is destroyed. If the virus is in a downloaded file (FTP/HTTP) then that file is destroyed. The VigorPro's response can be recorded via syslog. Instead of destroying the virus, the current connection can be reset, or even no action taken (other than logging), depending on your own preference. Where an email file attachment has been removed or destroyed, it is replaced with a harmless dummy file so that it's clear that something has been removed.
The VigorPro stores the current library of known threats. This is updated automatically by the VigorPro whenever a new signature library is available in order that your VigorPro is kept up to date. When you purchase the VigorPro, it includes 12 months of Anti-virus/Anti-Intrusion updates from DrayTek Labs (D-SWAT Team). As an option, you can select the Kaspersky Labs virus signature file as an alternative at additional cost.
Spam (unsolicited bulk email) is one of the most serious threats to email productivity and also Internet bandwidth usage. It is estimated that a staggering 90 billion spam emails are sent every day and that over 80% of all email sent across the Internet is Spam. You can't stop it being sent so intercepting or identifying it before it reaches your PC at least reduces your wasted time, processing and annoyance.
The VigorPro uses a method called RPD (Recurrent Pattern Detection) for identifying Spam. RPD uses a signatureless method based on the spam's unique distribution patterns. This provides the ability to identify spam from zero-day distribution - i.e. before it has been widely distributed and recognised by specific content. This method also improves performance as it is not necessary for the whole message to be examined by a remote server. A VigorPro 5510 operating RPD anti-spam can process up to 180 emails simultaneously and process a single email in 200 milliseconds. By detecting spam at your network borders, the impact on local network bandwidth is reduced as well as the processing overhead on local resources (mail servers and clients etc.).
When the VigorPro determines that a message is likely to be spam or bulk email, the message headers (subject field) will be modified with a message string of your choice so that your email software or server can re-route or destroy the message as required.
Denial of Service (DoS) attacks generally and most commonly occur at Layer 3/4 - the TCP/IP protocol layer. Such attacks are intended to block, disrupt or slow a network's Internet access by either confusing or overwhelming the router with data patterns known to confuse some network devices. These attacks most often use deliberately corrupted packet headers.
A Distributed DoS attack (DDoS) is a DoS which is launched from several (even thousands of) different locations at the same target simultaneously. Normally the owner of the DDoS launch site will be an unwitting party, having had their network infected with the DDoS code through a trojan, for example.
The VigorPro protects against DoS attacks firstly by having a robust TCP/IP stack - code which is designed not to be confused or act illogically by anomalous packet headers, secondly by recognising common DoS attack types by their telltale pattern signatures and thirdly, by helping to stop your own network being used as a DDoS launchpad by preventing infection from a DDoS trojan. DoS attacks generally fall into Network Threat Categories 1, 2 & 3.
Whereas a trojan virus is malicious code which is transferred in latent form within an otherwise innocent email or file awaiting execution (triggering) once delivered, other exploit types are carried on their own self-instigated transport stream. These non-trojan types of exploit typically rely on flaws within operating systems, web protocols or Internet-facing servers (for example the 'CodeRed' Exploit). They can also be code accidentally downloaded when visiting an infectious web site where the user allows the download of malicious code without realising. The VigorPro, using MSSI™, will decode HTTP streams in real time to detect the signatures of any known exploits. The VigorPro's intrusion library has several categories of Exploit/Intrusion including:
Such exploits can fall into any of Network Threat Categories 1 to 5, however these are just common examples. There are many other network intrusions which can occur and the VigorPro's library is constantly being updated.
IDS (Intrusion Detection System) is a method of detecting intrusions and alerting the system administrator; typically the detection is carried out by a 'sniffing' device or proxy method. DrayTek's IPS uses inline-IDS which means that as well as alerting the system administrator, the suspicious content is blocked by the VigorPro (by resetting the connection or dropping the packets).
Internet Abuse - the unacceptable/unauthorised use of the Internet for non-work related matters during work hours - is an insidious problem which eats away at your company's effectiveness, harming your competitive edge and costing you money. Internet abuse is all too often overlooked by companies, and dismissed by the staff involved as insignificant. A little leeway and occasional use might be acceptable or tolerated, but there are some staff who will spend hours per week using the Internet instead of working. As well as the company time they waste, their usage can also impact on other people's legitimate usage, by creating unnecessary traffic on your Internet feeds. There is also the risk of exposing your company to embarrassment or litigation if a staff member uses access for any unlawful or immoral purpose (pornography, file sharing etc.). The problem of corporate espionage can also be exacerbated by weak AUPs or lack of enforcement (Network Threat 5).
Sometimes the problem exists because companies have not laid down AUPs (Acceptable Use Policies) for staff Internet Usage, but even where such policies exist, a minority of staff will still seek to abuse their employer's trust. Stealing company time can be as serious as stealing company property. Staff, or even household members who abuse Internet access are not only betraying their employer, but their colleagues too. This isn't the occasional checking of personal email, but sometimes hours upon hours of personal web surfing.
Whilst this might paint a picture that 'all' employees are betraying their employer's trust, thankfully it is only a small minority, but a small minority making serious abuses of company Internet access - perhaps hundreds of hours per year spent on personal Internet usage during work time - will affect the effectiveness of the whole team - cheating employers and hard-working colleagues alike. Of course, abuse of company resources isn't new - telephones and postage, for example, have been abused for years, but the Internet eats almost invisibly into your company's most valuable resource - people's time. Internet abuse can damage a company normally for one or more of the following reasons:
Some of the blocking methods can also be switched on and off according to time schedules, for example allowing access to employees' private email web sites during lunch times. The example screenshots to the right give an example of how easy it is to block content which is unacceptable to your company, for example instant messaging, file-swapping software or web sites. This can be specific web sites, for example, or categories of web sites (managed by the Surfcontrol™ database). IP filtering is also available to set up manual filters at the IP layer, for the more advanced sysadmin.
The VigorPro has several functions relating to Internet facility blocking. You can combine these to make a system which corresponds with your own staff access policies or AUP and help protect your company resources (Typically Threat Categories 3 & 5):
Any Internet connection has finite bandwidth available and in an Enterprise/Corporate environment, different data will have different priorities. Company email, for example, might be most important, whereas general web browsing might be less important. The VigorPro's QoS management facilities allow you to select priority for different traffic types. The rules can be based on protocol, destination, source and various other factors. With QoS enabled, mission critical data will always be given the specified percentage or fixed amount of your available bandwidth. When the high priority application(s) doesn't need it, the bandwidth is made available for all other users. QoS helps against network threat No.4 - consequential problems of Internet use, in this case, delayed data due to sharing bandwidth with non-essential or low priority traffic.
The VigorPro 5510 has two WAN ports. These Ethernet ports are your connection to the outside world, via any Ethernet based Internet feed, for example a cable modem, ADSL modem or any other Ethernet based connection. In the simplest environment, you will have just one Internet connection in to the first WAN port.
If you have multiple Internet feeds, you can connect both of them to the VigorPro to provide greater total bandwidth by using both at once; this uses load balancing to distribute the traffic evenly across both feeds, or you can set an uneven ratio. With failover backup, the secondary connection is normally inactive but is used automatically in the event of the primary connection failing. Bandwidth-on-Demand (BoD) is where the second WAN interface is used whenever the first WAN interface exceeds preset throughput thresholds. This flexible dual-WAN facility provides redundancy and fault tolerance to your mission-critical network (Threat category 5).
As well as the two Ethernet WAN ports, the VigorPro 5510 can connect to a 3G USB modem or suitable cellphone to provide additional wireless backup using the new 3G data networks (Vodafone, T-Mobile, Orange, 3 etc.).
VPNs (Virtual Private Networks) enable you to link two remote computers or networks securely using the public Internet. An encrypted tunnel is created to carry your private data between the two sites. Tunnels making use of PPTP, L2TP, AES and IPSec protocols have been available on Vigor routers for many years and provide a simple to set up solution for your site-to-site or teleworker VPNs. SSL VPNs provide a new method for teleworker to central site VPN, providing great convenience, low TCO and simplicity where other methods may not be possible.
One potential drawback of using the above methods for a Teleworker-to-central site VPN is that they need compatible protocol stacks at each end (e.g. an IPSec client or hardware) and most importantly those protocols need to be freely passed by your local host network. This isn't normally a problem where you own the computers and the network in use and you can install any client, software or hardware you choose, as well as allowing any traffic types you like. Where it can become a problem is where you are using someone else's computer or network where either you cannot use the O/S VPN client, or the host network blocks VPN protocols or makes them unreliable. This is most commonly a problem when using WiFi hotspots or other public Internet access methods (hotels, conference centres etc.).
You may already have heard of SSL previously, and you have almost certainly used it. SSL (Secure Sockets Layer) is the protocol used by all web browsers for accessing 'secure' web sites. You will have used secure web sites whenever you have used your credit card online or accessed your banking web sites, for example. SSL is supported by all web browsers, and as it is so commonly used, all hotspots and other public Internet will always allow SSL to pass properly. By using the SSL protocol for your telework VPN tunnel you therefore have some important benefits:
| Traditional VPN (e.g. AES/IPSec) | SSL VPN |
|---|---|
| Requires VPN Client or Hardware | Uses Standard Web Browser SSL |
| Support for popular O/S's only | Compatible with all computers/browsers |
| Licence fees for some vendor client software (Not DrayTek though!) | No client licence fees |
| Requires user to operate VPN Client | No special operator procedures. Just use your web browser. |
| At OSI 'network' layer | At OSI 'session' layer |
| AES/DES/3DES Encryption | SSL Encryption |
| Full network access (unless filtered) | Ability to easily restrict users to specific web applications |
| Network Level Access as standard. | Network level access via DrayTek Active-X SSL Tunnel Plug-in |
| Teleworker or Site-to-Site (LAN-to-LAN) | Teleworker-to-Host site only |
Another advantage of web based SSL VPN is that your host Vigor router presents the user with his/her login page to the network within their browser and then can provide access only to the web based applications or local servers which you allow as opposed to a regular VPN which connects the user to the network directly for access to any resource which is accessible locally. No TCP/UDP ports have to be opened on your host router; if the user cannot login to the VPN, they won't get access.
As mentioned previously, an SSL VPN uses your standard web browser; this means that for your web based applications running at your office (webmail, Intranet, Thin Clients etc.) SSL VPNs work really well for this access method, which is called 'SSL Web Proxy' mode. A very common application for SSL VPN is remote desktop. By using the Windows 'Remote Desktop Web Connection', your office desktop will be accessible from your web browser wherever you are and whoever's computer you're using. In addition, by using Vigor web proxy, you can browse external web sites via the tunnel, thus bypassing any local web site blocking policy (content filtering or local policies). If you are familiar with 'port redirection' or 'open ports setup' on Vigor routers, SSL Proxy to your internal web services is very similar in concept to this except that the data passes through a secured tunnel, hence increasing security and privacy.
SSL VPNs beyond the Browser
Using the web browser for your remote access is great for accessing web-based applications (intranet, webmail, remote web desktop etc.) but it does not provide access to the actual network directly, for example for shared directory access, network resources or other applications which are not browser based. Only data or applications which are available in your web browser locally are available remotely via the SSL Proxy (see above). For full network access, DrayTek provide an Active-X Tunnel plug-in (a VPN client, effectively) which can transfer at the network layer, making a full VPN tunnel. This is called SSL Tunnel mode. This plug-in is downloaded automatically by your browser from the host Vigor router when you log into the SSL VPN and select Tunnel mode. You are then fully connected to the remote network for direct network resource access. In this way, you are no longer limited to running web-based applications and can access shares and other network resources.
The VigorPro 5510's USB port can host a compatible 3G modem or cellphone for access to the cellular network for full Internet Access. Most UK networks now provide high speed HSDPA data connections at up to 3.6Mb/s download speed. The 3G connection can be used as your primary/only Internet access, or as backup to your main ADSL line connection. This is not only ideal for homes or offices which don't want to pay fixed line + broadband rental, but also for temporary locations, or those to where fixed lines aren't available.
Supported 3G Modems / Phones
A USB connection cable is required for your phone (not supplied).
The VigorPro and 3G cellular modem setup is ideal for:

Note: DrayTek have no control over local network/provider operations, changes in network facilities/tariffs nor make any claim over specific network compatibility. Please assure yourself that the router will be compatible with your chosen cellular network and provider and that you have adequate signal coverage before committing to any contract term. Please also ensure that your chosen provider and the tariff allows access to all of your required applications (e.g. VPN, VoIP, Messaging etc.) as many packages exist, some blocking certain data types.
Every day, new viruses, spams, trojans, web sites are being developed and distributed, so it's important that your VigorPro is kept up to date with the latest threat information. The VigorPro updates itself automatically to ensure that it has the latest threat information. There are various options and the VigorPro includes some subscriptions as standard.
| Feature | Service | Included | Renewal (1 Year) |
|---|---|---|---|
| Anti-Virus/Anti-Intrusion | DrayTek (D-SWAT) | 3-Years | TBA |
| Anti-Virus/Anti-Intrusion | Kaspersky Labs | 1-Year | TBA |
| Web Content Filtering | SurfControl | 30 Days | US$50-US$240 est. |
| Anti-Spam | CommTouch | - | £90 |
The above comparison chart is provided for approximate guidance; please refer to the full specification of each model for the exact product capabilities. E&OE. ©2008