Cyberoam - Unified Threat Management

Cyberoam Upgrade Training v9.6 build 16

New Features:

1. Free On-Appliance SSL VPN

2. Complete Layer 2 to Layer 8 security

3. Category Based Bandwidth Management

4. Free RBL Support

5. IP Reputation Filtering Support in Anti-Spam

Enhancements:

1. Provide Bandwidth to Branch offices over VPN

2. Total Threat Free Tunneling.

3. Clientless Automated SSO

4. Spam Quarantine Enhancements

New features

All free On-Appliance SSL VPN

On-Appliance SSL VPN

• Now the VPN feature is extended to include SSL VPN functionality within Cyberoam to provide secure access for the remote users.

• Easier to use and control to allow access to the Corporate network from anywhere, anytime.

• Any device that has a browser can access SSL VPN

License Free SSL-VPN:

• Client and Location independent access

• Authentication - AD, LDAP, RADIUS, Cyberoam

• Multi-layered Client Authentication - Certificate, Username/Password

• User & Group policy enforcement

• Network access - Split and Full tunneling

• End user Web Portal - Clientless access

• SSL VPN Tunneling Client - Granular access control to all the Enterprise Network resources

• Administrative controls: Session timeout, Dead Peer Detection, Portal customization

• The SSL VPN feature would not be a chargeable module and would be enabled by default in all appliances 25i, 50i, 100i, 200i, 300i, 250i, 500i, 1000i and 1500i.

Key Advantages

1. It's FREE!!! (Promotional Offer)

2. Easy to use. No complicated configurations.

3. Device independent. Can be used with smartphones, iPhones, netbooks etc.

4. Works in restricted network environments where VPN traffic is blocked.

5. Data transfer is encrypted by SSL. Safe to use on an unsecured network.

6. VPNC certified

On appliance SSL VPN in detail

Who should access what?

• Cyberoam’s on appliance SSL-VPN gives full flexibility to the administrators to decide what type of access should be given by creating policies.

• The SSL VPN policy determines the access mode available to remote users and also controls access to the private network (corporate network) in the form of bookmarks.

Two modes: Full Access and Web Access mode

– Web Access mode (Web based or clientless)
  • Does not require any client to be installed
  • Can be accessed using browser
  • Limited to use on web resources only

– Full Access mode (Client mode)
  • Requires client to be installed
  • Works in two modes
    – Split Tunnel
      » Allows access to only defined network resources in the policy
    – Full Tunnel
      » Routes all traffic to Cyberoam, internet through HO
      » Allows access to only defined internal network resources
      » Full access to WAN

Creating SSL VPN Policy

• Select the access mode by clicking the appropriate option

• Accessible Resources allows restricting access to certain hosts of the private network

• Select tunnel type

• Bookmarks are the resources that will be available through the Web portal

• It provides the ability to create point-to-point encrypted tunnels between remote employees and your company’s internal network

• It requires a combination of SSL certificates and a username/password for authentication to enable access to the internal resources.

• To restrict the access to the Corporate network, it operates in two modes: Full Access and Web Access mode.

• User’s access to private network is controlled through his SSL VPN policy while Internet access is controlled through his Internet Access policy.

End user experience

• User authenticates himself

• Access web-based resources available to him

• Install SSL VPN Client

Enhanced security with L2 Firewall support

Identity-IP address-MAC address

• Enhanced security with Cyberoam. Cyberoam now extends down to the OSI Layer 2, to achieve a major security enhancement.

• Now MAC address (Machine Address) is also a decision parameter, along with identity and IP address, for the firewall policies

• All normal firewall policies like IAP, AV, IPS, Bandwidth policy etc. can be applied on a MAC firewall rule

• Now for any server running on a dynamic IP address, we can create a firewall rule to allow that server through the firewall using its MAC

Create firewall rule based on MAC address

Create MAC based host for Dynamic web server

Now create MAC based firewall rule

Web Category Bandwidth

Web Category Bandwidth features

• Bandwidth Restriction can be applied on Web categories

• Configuration provided in Web Category and Firewall

• Bandwidth will be shared among all the users/firewall rules for particular Web category

• Web category bandwidth will take priority with respect to all other bandwidth configuration

• If a user is given 32 kbps of bandwidth and the Web category he is accessing is given 16 kbps of bandwidth, the user can draw a maximum of 32+16 kbps of bandwidth

Create web category based bandwidth policy

Allot bandwidth while creating web category

View which Bandwidth policy is applied to which web category

Apply through the firewall rule

Create a BW policy for online games sites

Create a category for online games

Apply the web based BW categorization to all the LAN users

Free RBL support for Anti Spam

• Now get free Anti Spam protection with the RBL

• No need to purchase a separate license if you need RBL Anti Spam protection

IP Reputation Filtering Support in Anti-Spam

• Block 85% of incoming messages at entry-point even before these messages enter the network.

• Save load / processing power of mail server for unwanted spam messages.

• Save internet bandwidth.

How IP Reputation Filtering works?

The sending SMTP host (Sender Mail Server) attempts to connect over port 25 to your mail transfer agent (MTA), the mail server hosted behind Cyberoam.

The Cyberoam Anti-Spam engine delays the connection and queries the inbuilt reputation database about the reputation of the source and how to handle it.

The Cyberoam Anti-Spam engine is responsible for collecting real-time and dynamically updated reputation data about the source by communicating to the Commtouch Datacenter over HTTP protocol.

How IP Reputation data is collected?

The source data is gathered by monitoring its global email sending behavior and is composed of the volume of sent emails in several time frames, the spam ratio of its sent emails, a calculated risk level, computed IP class and other relevant information.

Additionally, Cyberoam Anti-Spam maintains local data in several time-based windows about all the previous times that it was already queried about this source. All of this information is used to generate a recommended action to apply on the source.

How to enable IP Reputation Filtering:

Anti Spam -> Configuration -> General Configuration

How to check reputation of any given IP:

Commtouch provides a facility to check the reputation of any given IP. You can check the same using the URL below:

http://www.commtouch.com/check-ip-reputation

Enhancements

Branch office Internet Traffic Tunneling over VPN

• Cyberoam now facilitates central Internet access and control for an organization with multiple branch offices

• All the branch offices can now use the Internet facility at the head office to browse

• Supported only in Net-Net connections

All the branches can access internet through HO

Advantages

• Even if the branch offices don’t have internet access they can access internet through Head office.

• Centralized implementation of user policies from HO

• Central reporting in HO.

• Easy to manage the branch offices.

Threat free tunneling

• Cyberoam VPN zone traffic is now totally secure.

• It extends its firewall rule gamut to L2TP and PPTP VPN traffic, which is scanned for Malware, Spam and inappropriate Web content.

• This ensures that nothing dangerous can sneak through.

• All normal firewall policies like IAP, AV, IPS, Bandwidth policy etc can be applied on L2TP and PPTP traffic

Create L2TP configuration

Create PPTP Configuration

Create hosts for L2TP and PPTP configurations

Firewall rules for L2TP and PPTP tunnel users

Spoof prevention

• You can configure MAC and/or IP address pair entry in IP-MAC trusted list to improve the security of your network

• Using MAC address filtering makes it more difficult for a hacker to guess and use a random MAC address

• It is also possible to filter packets based on IP-MAC pair

Spoof Prevention

– MAC filtering
  • Does not allow any IP Address to connect other than trusted MAC

– IP-MAC Pair filtering
  • Drops traffic where IP-MAC pair does not match
  • Allows all traffic for which MAC entry does not exist

– Spoof prevention
  • Drops any traffic that does not match with the subnet of the incoming NIC

Spoof Prevention Settings

• Packets will be dropped if the MAC address is not configured in the “Trusted MAC address” list.

• Packets will be dropped if IP and MAC do not match with any entry in the IP-MAC trusted list

• Packet will be dropped if matching route entry is not available
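The three checks from the Spoof Prevention slides, modelled as an added Python example (not Cyberoam code or configuration syntax). It follows the bullet rule that IP-MAC pair filtering allows traffic whose MAC has no entry; the class, field and function names, the check order, the port name and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SpoofSettings:
    """Simplified model of the three settings; all names here are assumed."""
    mac_filter: bool = False          # drop MACs missing from the trusted list
    ip_mac_pair_filter: bool = False  # drop when a listed MAC uses another IP
    ip_spoof_check: bool = False      # drop sources outside the NIC's subnet
    trusted: dict = field(default_factory=dict)      # MAC -> bound IP or None
    nic_subnets: dict = field(default_factory=dict)  # port -> subnet (CIDR)


def norm_mac(mac):
    """Normalise AA-BB-.. and AA:BB:.. notations to lower-case colon form."""
    return mac.replace("-", ":").lower()


def check_packet(cfg, port, src_ip, src_mac):
    """Return (verdict, reason) for one inbound packet.

    The order of the checks is an assumption; the slides do not state it.
    """
    ip = ipaddress.ip_address(src_ip)
    mac = norm_mac(src_mac)
    trusted = {norm_mac(m): bound for m, bound in cfg.trusted.items()}

    if cfg.ip_spoof_check:
        subnet = cfg.nic_subnets.get(port)
        if subnet is None or ip not in ipaddress.ip_network(subnet):
            return ("drop", "source not in subnet of incoming NIC")

    if cfg.mac_filter and mac not in trusted:
        return ("drop", "MAC not in trusted list")

    if cfg.ip_mac_pair_filter:
        bound = trusted.get(mac)
        # Per the slide: no entry for this MAC means the pair check passes.
        if bound is not None and ipaddress.ip_address(bound) != ip:
            return ("drop", "IP-MAC pair mismatch")

    return ("allow", "passed all enabled checks")


# Constructed sample data (not from the page).
TRUSTED = {"00:16:3E:AA:BB:01": "192.168.1.10", "00:16:3e:aa:bb:02": None}
NICS = {"PortA": "192.168.1.0/24"}
PAIR_ONLY = SpoofSettings(ip_mac_pair_filter=True, trusted=TRUSTED)
STRICT = SpoofSettings(True, True, True, TRUSTED, NICS)

if __name__ == "__main__":
    packets = [
        ("PortA", "192.168.1.10", "00:16:3e:aa:bb:01"),  # listed pair
        ("PortA", "192.168.1.99", "00:16:3e:aa:bb:01"),  # listed MAC, other IP
        ("PortA", "192.168.1.10", "00:16:3e:ff:ff:ff"),  # unlisted MAC
        ("PortA", "10.0.0.5", "00:16:3e:aa:bb:01"),      # outside NIC subnet
    ]
    for pkt in packets:
        print(pkt, check_packet(PAIR_ONLY, *pkt), check_packet(STRICT, *pkt))
```

With pair filtering alone, the unlisted MAC is allowed; it is dropped only once MAC filtering is enabled as well, which is why the two settings are usually turned on together.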

ARP Management

Cyberoam ARP Management Features

– Facility to manage ARP entries

– Static entries can be added from GUI

– Shows list of ARP entries, both Static and Dynamic

– Do not add static ARP entry for any configured gateway, it will mark the gateway dead

– Cyberoam maintains two types of table for ARP entries: ARP Cache and Static ARP

How does Static ARP work in Cyberoam?

• Add Static ARP.

• These entries will be stored in static ARP as well as ARP Cache table.

• When the Cyberoam appliance receives the ARP request on a particular port, Cyberoam performs the ARP lookup in the static ARP table.

• If there is any mismatch in IP address or port Cyberoam considers it as an ARP poisoning attempt and does not update its ARP Cache.

• If the entry is not available in the table, Cyberoam will look it up in the ARP Cache and add the MAC address to the ARP Cache if required.
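The static ARP lookup described above, as an added Python model (not Cyberoam code). It assumes a static entry binds an IP, a MAC and a port together and that an ARP packet matching only part of a binding counts as the mismatch the slide describes; class names, return labels and addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    port: str


class ArpTables:
    """Two tables as on the slide: Static ARP and ARP Cache (names assumed)."""

    def __init__(self):
        self.static = {}  # ip -> ArpEntry, administrator-defined bindings
        self.cache = {}   # ip -> ArpEntry, learned plus static entries

    def add_static(self, ip, mac, port):
        entry = ArpEntry(ip, mac.lower(), port)
        # Static entries are stored in both tables.
        self.static[ip] = entry
        self.cache[ip] = entry

    def on_arp(self, ip, mac, port):
        """Process one ARP packet seen on `port`; return what was done."""
        seen = ArpEntry(ip, mac.lower(), port)
        for bound in self.static.values():
            # Same IP or same MAC as a static binding, but not the same
            # (IP, MAC, port) triple: treated as poisoning, cache untouched.
            if (bound.ip == seen.ip or bound.mac == seen.mac) and bound != seen:
                return "poisoning-attempt"
        if ip in self.static:
            return "static-match"
        if self.cache.get(ip) == seen:
            return "cache-hit"
        self.cache[ip] = seen  # no static binding: learn or refresh
        return "cache-updated"


def build_demo_tables():
    """Constructed sample binding for a server on PortA (not from the page)."""
    tables = ArpTables()
    tables.add_static("192.168.1.20", "00:16:3E:AA:BB:20", "PortA")
    return tables


if __name__ == "__main__":
    t = build_demo_tables()
    for pkt in [
        ("192.168.1.20", "00:16:3e:aa:bb:20", "PortA"),  # matches binding
        ("192.168.1.20", "00:16:3e:ff:ff:ff", "PortA"),  # bound IP, other MAC
        ("192.168.1.20", "00:16:3e:aa:bb:20", "PortB"),  # bound pair, other port
        ("192.168.1.30", "00:16:3e:aa:bb:30", "PortA"),  # host with no binding
    ]:
        print(pkt, "->", t.on_arp(*pkt))
```

Only addresses with a static binding are protected in this model; an unbound host's cache entry is simply overwritten by the next ARP packet that claims its IP.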

Add Static ARP

Manage ARP

Select from the drop down list to view ARP entries

It lists IP address, MAC address, port and type of the entry

Clientless - Automated Single Sign-On

Clientless - Automated Single Sign-On

Advantages

• No need to convince the administrators to modify the Logon scripts or make client side installations.

• With the new Clientless - Automated Single Sign On there is a single lightweight installer that can be installed on any Windows computer on the network

• Cyberoam will detect all logons and logoffs.

• Also works with Macintosh Clients authenticating with Microsoft Domain Controller.

Features

• The new clientless SSO is an agent-based solution: there is no need to configure any logon script or to push SSO client software to any of the client machines.

• It is platform independent: if the client OS is integrated with Active Directory, Cyberoam will automatically log users into Cyberoam once they log into Active Directory, for example: Mac-OS, Linux, Windows (All Versions).

• In this new SSO, we just need to install one agent software on the AD controller, which will automatically send login information to Cyberoam for authentication.

• In case of multiple AD controllers of the same domain, we just need to install the agent on all the AD controllers.

Spam Digest

Spam digest features

• Daily Spam Digest: Cyberoam will now mail the summary of Spam mails that have been quarantined by Cyberoam.

• Release the false positives to your mailbox: Now Cyberoam allows you to release the mail from the quarantine area and get it right in your mailbox.

• Promotes end user’s self-sufficiency

• Reduces network administrator’s dependency

Spam digest configuration:

Anti Spam -> Spam Quarantine -> Spam Digest Settings

User’s Antispam Quarantine Area

• User logs on to his account

• Go to the spam quarantine area

• Access as well as release the spam quarantine mails

Separate sub menu to manage digital certificates

Bundle Subscription

Details

• Applicable from version – 9.5.8.52

• Cyberoam’s “Bundle Subscription” service provides subscribers a purchase option to choose between a single subscription module and a bundle of modules.

• Cyberoam will also continue to offer single subscription modules.

• Bundle can be a combination of, or all of, the following modules:
  – Gateway Anti Virus
  – Gateway Anti-spam
  – Intrusion Prevention System
  – Web and Application Filter
  – 8 X 5 Support

Benefits

• Subscription bundle will reduce Administrator’s task of subscribing each module individually as all the modules in the bundle will be subscribed in a single step using just one key.

• Along with customers, the feature is also beneficial to the suppliers as one can achieve the desired cost reduction for the bundled pack.

How to subscribe

• Subscriber will be provided a single key for all the modules included in the bundle.

• For renewal, subscriber can choose to renew the pack or the single module.

One time subscription

DHCP Enhancements

• More user friendly interface

• Configuration for Dynamic as well as static lease

• IP Address conflict detection

• Facility to lease primary and secondary DNS

• Option to lease Cyberoam’s DNS configuration

• DHCP can now lease WINS server

• DHCP Relay configuration

Configure for Dynamic Lease

Configure for Static Lease

Manage DHCP Servers

Thank you