
Spyware Firewall First Impressions


5 replies to this topic

#1 pbennett

pbennett
  • Members
  • 5 posts

Posted 08 July 2005 - 11:58 PM

I got my 210 earlier this week and was able to get it up and running fairly quickly after a call to tech support. There is a known issue on the post installation procedure, and the work-around can be found here.

Since then, I have had the opportunity to play with most of the features available on the 210 (save clustering) and gauge the unit in a production environment. I would normally test it in an off-line setting, but my customer had a compelling need, so we dove in with both feet.

What follows are my impressions and requests for change. I am very interested in what everyone else has to say as well.

I was pretty excited to get the firewall in. The chassis is in a rackmount configuration, and the color scheme and general design are very sleek. I mounted the 210 into a standard telco rack along with my switches and patch panels and it makes a handsome addition to the equipment already installed. For giggles, I also checked it against my HP rack, and it would have mounted there just fine if I had room.

The installation process is seamless with the exception noted above. Basically, anyone with even a limited knowledge of networking should be able to install and configure the Barracuda Spyware Firewall. Since it is a layer 2 device, it acts as a transparent bridge and assigning an IP address is only needed for management purposes. There is no need to change any of your IP addressing scheme (gateway, DNS) with the Barracuda. Using TCP port 8000 at the assigned IP address, you can perform all management functions via a web browser (I was pleased to see no problems using Firefox). I was surprised to find that secure http (https) was not an option for management, and this is something that Barracuda should probably consider in future releases.

In essence, the 'Cuda is a proxy server with a nice web interface for configuration and basic reporting purposes. While, with a huge amount of work, you could attain a similar result using a basic LAMP setup running Squid, the Barracuda Spyware Firewall comes with "Energizer Updates" that save you the hassle of trying to stay on top of the multitude of spyware websites and virus signatures floating around. Additionally, basic content blocking is built in although the implementation is somewhat crude at this point. Actually, most of the functionality is crude at this point, but I can certainly see that this is a diamond in the rough. Being an early adopter is normally a pain, but in this case the early adoption goes to the software, not the hardware. In other words, this isn't like buying a Beta when VHS is in the works.

The network I installed the unit on has over 100 nodes, to include VPN Terminal Server Sessions:

Spyware:

The Barracuda does an excellent job of identifying client PCs with spyware installed. I was able to identify 3 computers that were infected with various spyware software (we have an extremely tight image, so 3 was actually somewhat of a surprise). We use AdAware for spyware removal, and while the Barracuda identified Alexa as Ads.Mediaplex, the end result was the same. We were able to locate and fix the infected machines, although I feel we had to take an extra step. The Barracuda gives the IP of the infected machine, but I had to do a ping -a to get the host name, at which point I could nail things down to a specific machine. It would be nice if the unit would use a host name instead of an IP for management purposes.

The firewall also seems to do a good job of blocking inbound spyware requests. All in all, AdAware seems to back up our clients' state of operations in comparison to the Barracuda - limited to no spyware, and I have yet to find anything on a client that the Barracuda missed.

Viruses:

Based on the online help file, the Barracuda only scans for viruses within emails. I am a little hazy on this point, although I would assume that outbound virus traffic would be detected and blocked if it attempted to use port 80. Documentation on the Spyware Firewall is sorely lacking, and is something the company needs to address. This will be a handy feature, however, if you have a client using webmail. At least, I think it would. Again, documentation would be helpful.

Content Filtering:

Very crude. I hate to be blunt, but this is the case. To give some real life examples: Eonline (Entertainment Online) is classified as porn. Dating sites are similarly classified. While this might not seem to be much of an issue, consider things from the end user side. They attempt to surf to a site they have always used (policies vary per organization, but these are not overly racy sites) and get a notification in their browser that the website they are trying to access is "porn". You end up with some very concerned users, and rightfully so. I would have thought that an administrator would be able to access the content database to add or remove items, but this isn't the case. While you can "whitelist" a site to avoid the browser notifications, you can only do so after a notification has been received from a frazzled network user or after reviewing the log file. The lack of access to the database is understandable to an extent (since this is the truly saleable aspect of the product) but it makes administration like swinging a stick at a pinata. You are always blindfolded, and you are just hoping to get the candy.

The ability to modify the browser notifications will be a nice change when (if) implemented. I don't want to scare my end users silly. Also, as stated, being able to browse the sites listed in each category would be a plus. If these features aren't implemented (and they should be) make sure you communicate with your end users extensively so they don't feel singled out. Also, well written web usage policies will help to ease the pain.

Reporting:

Statistics are the butter on the IT department's bread. The stats currently available on the Barracuda Spyware Firewall meet the minimum standards, but lack any major degree of sophistication. I do feel I can justify the (upcoming) purchase of the unit based on the stats, but some of the reports are just flaky. Barracuda needs to work on filtering results and tailoring reports to at least some degree.

Additionally, parsing the log files could use some enhancements also. I like a little more granularity when I am searching for certain things in large files. While being able to search the access log by using the category "Blocked Requests" is nice, I would like to further refine the search to category "Blocked Requests" and reason "Advertising". Being able to search "Blocked Requests" by "Category" by "Source IP Address" (or hostname, which is better) would kick butt.

While we are at it, let's go ahead and measure bandwidth in terms of http requests, and allow for the blocking of users based on IP address or host name. The potential is there for this to be the killer app for SMB markets, and guarding bandwidth is still a part of the mix (especially in state or local government agencies with limited budgets). While this is addressed with the caching functionality in the larger units, the ability to block web requests in areas like advertising, content, and IMs makes the Barracuda a compelling product for many businesses.

First Impressions:

I am EXTREMELY impressed with the potential of this unit, and plan to recommend that my customer purchase it. Again, while some of the functionality is still crude at this point, all of the basics are in place and the upside for improvement is tremendous.

Tech Support is a little overwhelmed (my opinion) as a result of their advertising blitz, but once you get in touch with them they are very knowledgeable. Also, this option is not off-shored (apparently) and the employees seem to be very excited about the direction the company is headed in. That is something I haven't seen a lot of since the dot.com bust.

I am buying into the Barracuda Spyware Firewall for at least a year. If they address some of the concerns I have listed here, I will be a lifelong customer.

Given the ability to upgrade the unit remotely (daily/hourly for spyware and virus definition updates) coupled with the apparent desire of the company to make a world class enterprise box (not to mention the cost, which is so far below the competition that it is insane), hanging in there for the long run is the smart move.

#2 RasmusRask

RasmusRask
  • Members
  • 176 posts

Posted 11 July 2005 - 03:21 AM

Thank you very much for a very good and thorough review. It will certainly be included in our considerations on buying Barracuda antispyware.

While it sounds very neat, my problem is that we have multiple sites (about 9 as far as I remember :)), which will make this a very expensive solution compared to managed client-side antispyware. :(

#3 DesertStormVet

DesertStormVet
  • Members
  • 21 posts

Posted 25 July 2005 - 08:17 AM

pbennett,

Excellent review. I have purchased the 310 after an online demo on the very hopes that you are stating. As you posted, it appears to be a diamond in the rough, but the potential is phenomenal.

I spoke with a Barracuda rep for about 25 minutes after my demo. I mentioned many of the improvements you suggested. Here were some of my suggestions:

1. Improved reporting was my number one suggestion. I currently use Websense for URL filtering. Websense used to be the top dog, and rightly so. Now they have lost a good amount of market share, and their product is not the quality it used to be. Their competitors are good, but this box promises to grab a large amount of market share if it can clean up the process and create some great reporting. Also, compared to Websense (who basically makes you buy the product again every year), the pricing is wonderful.

2. One of the features Barracuda is using to sell their higher models is the ethernet hardware bypass. They have changed the wording since the initial announcement of the product. I believe it used to say something like fail open, or something similar. Basically, with the 210 and 310, if your device fails, it fails closed. Since this device is inline, this is a major problem. I complained vociferously about this, and I was told that this had been mentioned by several other potential customers.

There was more, but these were the top two by far.

One of the reasons I purchased this box is for its anti-virus capabilities. As an inline device, I need this box to block viruses in the data stream, mainly from webmail users (as pbennett mentioned). For political reasons, I cannot simply block my users' access to AOL, Roadrunner, etc. via the web. This box promises to solve (or at least mitigate to an acceptable level) this backdoor risk. The lack of documentation on this is a cause for concern. If the AV capability is there, I would also like to see a way of testing this. Maybe the Barracuda folks can put up a test site that we can use to download a bogus virus to test the engine?

#4 RasmusRask

RasmusRask
  • Members
  • 176 posts

Posted 26 July 2005 - 03:00 PM

Quoting DesertStormVet: "If the AV capability is there, I would also like to see a way of testing this. Maybe the Barracuda folks can put up a test site that we can use to download a bogus virus to test the engine?"

You can download a copy of the "Eicar" anti-virus test file from http://www.eicar.org/anti_virus_test_file.htm in various packaging (the bare exe file, zipped or with another extension) - it should get caught by the Spyware Firewall! :)
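Following up on the EICAR suggestion in the post above, here is an added example that is not code from the thread, from Barracuda or from eicar.org: it builds the test file in the packagings mentioned (bare file, zipped, renamed to a harmless-looking extension) plus a zip-inside-a-zip, which goes one step beyond the post to probe how deep the engine unpacks archives, and then fetches each variant back through the inline filter to see which ones arrive unchanged. The 68-byte EICAR string and its published SHA-256 are the real values; the file names, the URL/proxy command-line arguments and the "passed only if the same bytes came back" rule are assumptions made for this example.

```python
"""EICAR test-file generator and download check for an inline web filter.

Added example (not code from the forum thread, Barracuda or eicar.org).
Assumptions: the file names below, the optional URL/proxy arguments, and
the rule that a download 'passed' only if the exact test bytes came back.
"""
import hashlib
import io
import sys
import urllib.error
import urllib.request
import zipfile

# Standard EICAR string, split in two so an on-access scanner does not flag
# this source file itself. The lone backslash is escaped for Python.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         "ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_BYTES = EICAR.encode("ascii")
# Published SHA-256 of the bare 68-byte file (no trailing newline).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _zip_bytes(name: str, payload: bytes) -> bytes:
    """Return a single-entry deflated zip archive held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_variants() -> dict:
    """The packagings the post mentions, plus a nested zip (assumed names).

    bare file      -> plain signature match
    .txt extension -> engine must inspect content, not the extension
    eicar.zip      -> one level of archive unpacking
    eicar2.zip     -> zip inside a zip: how deep does the engine recurse?
    """
    single = _zip_bytes("eicar.com", EICAR_BYTES)
    return {
        "eicar.com": EICAR_BYTES,
        "eicar.txt": EICAR_BYTES,
        "eicar.zip": single,
        "eicar2.zip": _zip_bytes("eicar.zip", single),
    }


def innermost(data: bytes) -> bytes:
    """Unpack nested single-file zips until a non-zip payload is reached."""
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return data


def classify(body: bytes, expected: bytes) -> str:
    """'passed' = the filter delivered the test file byte-for-byte.
    Anything else (block page, empty or truncated body) is 'blocked'."""
    return "passed" if body == expected else "blocked"


def check_download(url: str, expected: bytes, proxy=None, timeout=10.0) -> str:
    """Fetch url, optionally via an explicit HTTP proxy. With a transparent
    bridge like the one in the thread, run this from a client behind the
    box and pass no proxy at all."""
    handlers = [urllib.request.ProxyHandler({"http": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.read(), expected)
    except urllib.error.HTTPError as exc:   # e.g. a 403 block page
        return f"blocked (HTTP {exc.code})"
    except urllib.error.URLError as exc:    # reset, refused, timeout...
        return f"error ({exc.reason})"


if __name__ == "__main__":
    # 1) write the variants locally so any web server can host them
    variants = build_variants()
    for name, data in variants.items():
        with open(name, "wb") as fh:
            fh.write(data)
        print(f"wrote {name:11} {len(data):4d} bytes  sha256={sha256_hex(data)}")
    # 2) optionally fetch them back through the filter:
    #    python eicar_check.py http://host/path/ [http://proxy:3128]
    if len(sys.argv) >= 2:
        base = sys.argv[1].rstrip("/") + "/"
        proxy = sys.argv[2] if len(sys.argv) > 2 else None
        for name, data in variants.items():
            print(f"{name:11} -> {check_download(base + name, data, proxy)}")
```

Host the four generated files on a web server outside the filtered segment, then run the script from a client behind the box. A result of "passed" for eicar.txt but "blocked" for eicar.com means the engine keys on the extension; "passed" for eicar2.zip but "blocked" for eicar.zip shows the archive recursion limit. Note that a transparent bridge can also drop the connection instead of serving a block page, which surfaces here as "error (...)" rather than "blocked".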

#5 terryrayc

terryrayc
  • Members
  • 2 posts

Posted 10 August 2005 - 01:43 PM

Well, we have a 410 here that we are testing; Barracuda was nice enough to give it to us to test. We have 2 600s and a 300 that we use for email, so the Barracuda name is well known to us.

1st, the device works well when it works. We've had 4 major outages with the box that seem to all be related to logging issues. It seems at random times the logging system will die or the filesystem will get messed up and the system will start working. A quick call to tech support and they get in and fix the problem. However, we've had to call them 3 times on the log files. The 4th outage was caused by some unknown problem and rebooting seemed to fix the problem.

2nd, I've gotten the impression this was a rush to market release. I understand the need for this product and getting it into the hands of the public was a must, but right now I feel as if we are all working as Barracuda's early beta test team. Might have been a good idea to wait a few more months.

#6 erics

erics
  • Members
  • 43 posts

Posted 16 August 2005 - 04:44 PM

A great summary, but yes, the content filtering aspect is seriously lacking. Not only are the following advertisements blocked and labeled as Porn, there is no way to granularly classify what is in each category or modify categories.

We are also a user of SurfControl Web Filter. Granted, with a software based filter you can get more in-depth with the specifics of each filter as is being requested, but I purchased the 'Cuda to eventually replace SurfControl and their grossly expensive per user rates.

I cannot be blocking sites that are labeled porn but indeed are not. Advertisements are a bad example, but it is what I see at the moment. Perhaps the Advertisement filter will block porn better?

Below are three examples of advertisement servers that are being categorized as Porn:

http://speed.pointroll.com/PointRoll/Media/panels <several ads for GM/Chevy and General Mills Cereal>
http://adserver.trb.com/ads <trb.com domain>
http://img.xmradio.com/images/wmp_service/sm_menu_logo.png <XM radio site separator graphic>