Cyberoam CR1500i UTM Appliance | Unified Threat Management

Cyberoam CR-SGX800 SSL VPN Appliance Overview:

Cyberoam SSL VPN is an easy-to-use, simple application access and security solution for enabling high-trust, secure remote access to corporate applications and resources. Enterprises use Cyberoam SSL VPN to collaborate securely with employees, customers and partners.

Secure Application Gateway

Today, organizations of all sizes face the pressure of delivering applications and data to ever increasing numbers of mobile workers. Whether this is home users, roaming users, customers or partners, the need for a Secure Remote Access solution that is easy to use and yet secure is the key requirement; this is where Cyberoam SSL VPN can help.

When implementing the SSL VPN technology it is important for organizations to consider the technology. Current VPNs - either IPSec or SSL VPNs - rely on layer 2 VPNs to provide seamless access to applications. This creates a security hole in perimeter security deployed at corporate network and opens up the network to unknown vulnerabilities generated from unmanaged desktop machines. It should be noted that the requirement is to deliver the application and network services to end-users rather than necessarily bridging unknown endpoints placed at untrusted locations to the corporate network.

Cyberoam SSL VPN is an application gateway that provides secure access to the applications using standard-based SSL encryption. Cyberoam SSL VPN enables access only to specified applications rather than bridging the end-user's machine with the corporate network while maintaining full application compatibility. Cyberoam SSL VPN comes with unique network obfuscation feature which hides the internal network details from intentional or unintentional exploitation by a user or hacker.

Endpoint Security (Device Profiling)

The primary driving factor for wide adoption of SSL VPN is ubiquitous secure access from any device without any pre-requisites. However, this opens up a new challenge for organizations as unknown and unmanaged devices which could be potentially harmful devices can connect to corporate network. Moreover, compliance becomes a challenge as it becomes impossible to enforce corporate policies to end users.

Next generation SSL VPNs like Cyberoam SSL VPN bring strong device profiling features that measure and calibrate each endpoint connecting to the VPN against the corporate policies. Cyberoam SSL VPN provides a flexible policy framework for administrators to keep the corporate network safe from unclean devices either by keeping such devices out of the network, restricting them to a part of the network or remediating them to be able to access network services.

As part of device profiling, Cyberoam SSL VPN can check for status of endpoint security software like anti-virus, firewall and anti-spyware, OS and software updates and compliance to endpoint configurations. An intelligent cache wiper can clean the files and cache stored on the local hard disk by browsers or by users, including temporary folders or any of the drives. To protect from zero-day attacks, the Meta data about the latest virus signatures is pushed to the Cyberoam SSL VPN gateway every hour.

Granular Policy Control

An organization can have different types of users based on their location and their role. They can be trusted employees working from trusted or untrusted networks or they can be known partners, consultants who need access to applications from their location or workplace or they can be users completely unknown to the organization, requesting application access from just about any network. These users may use trusted or untrusted devices and may be working from trusted or untrusted networks. For each such use case, enterprises must protect the applications and network against unauthorized access and intentional or unintentional information leakage.

The remote access solution employed by the organization must provide a flexible and dynamic policy framework which can adjust on run time to accommodate users coming from different locations or devices but at the same time protect the applications in case the point of access becomes non-compliant to corporate security needs.

Cyberoam SSL VPN has a dynamic multi-layered policy engine that evaluates the user session at multiple levels before access to an application is granted. Each session is evaluated against policies set for the location of the user, method of authentication chosen by the user, trust level of the endpoint device and finally the role of the user. The evaluation is done on the fly and any application is restricted as per any of the failed criteria are hidden from the user.

Features & Benefits:

Key Features:

Application Support allows access to virtually any application, including all TCP, 802.11x and UDP applications, Microsoft Outlook, FTP, Cyberoam TSE, and Microsoft Terminal Servers. Even custom or proprietary applications and protocols are supported by the Cyberoam SSL VPN.
Secure Firewall Traversal of TCP/UDP allows local desktops to access UDP-based remote data services, without segregating the network, exposing UDP port ranges to hackers, using routable IP addresses, or publishing internal routes externally. Cyberoam VPN works alongside existing firewalls, andNAT devices.
Authentication and Authorization Architecture supports different group access policies via leading protocols (LDAP, Active Directory, RADIUS, and more).
Centralized Access Control control by source, destination, domain name, user group, port, host, or network, thereby increasing security and dramatically simplifying firewall configuration.
Single Mode Connectivity enables remote access to any application, including web-enabled and legacy applications, through a simple interface with the look and feel of the user's native desktop.
Load Balancing and High Availability automatically distributes application network traffic among multiple VPN Servers with integrated failover to available servers.
SSL VPN users may access applications from a standard portal interface or directly from their desktop, for an IPSec-like “in office” experience.
Clientless Browser-based Access provides secure remote access to applications through common web browsers. No clients to install or maintain.
Endpoint Security enforces access restrictions based on customizable policies such as Anti-virus, Antispyware and Firewall status.

Benefits:

Reduced Costs - Centralize management; consolidate data centers, lower administration costs.
Investment Protection - Utilize existing networks, firewalls, servers, clients and software.
Trusted Remote Access - Extend access to regional offices, partners, customers, telecommuters, wireless users.
Easy to Use - Fast installation and little ongoing management, reduced training, less down-time.
Continuous Access - provide reliable, available and scalable access.

Application Access:

Email Access - Use your local Outlook or Lotus Notes client to access corporate email system.
File Shares and FTP - Directly access the files and shares residing on the corporate network.
Web Applications - Access any HTTP/S based applications.
Cyberoam TSE and Terminal Services - Secure connection to RDP-based applications.
Other Applications - Provide access to any TCP/UDP based applications.

Specifications:

Technical Specifications:	CR-SGX800	CR-SGX1200	CR-SGX2400
Market	Entry-Level	Small-Medium Enterprise	Enterprise
Concurrent Users	Up to 100	Up to 250	Up to 2000
Throughput	100 Mbps	250 Mbps	500 Mbps
Gigabit Interfaces	2	2	4
High Availability	Yes	Yes	Yes
Dual Power Supply	-	-
Dual Hard Drives	-	-

Full Feature Set:

Deployment Scalability:

Scalable to 200,000 users
Active-Active N+1 cluster
Resource-based VPN Load balancing with multiple load balancer
Session Persistence: Users do not need to re-authenticate

Application Support:

All web-based, TCP and UDP based clientserver applications
Windows File Shares and Drive Mapping
Dynamic port-based applications
Special support for RDP virtual channels
Application load balancing
Session Caching for load balanced applications
Per application-based compression switch

Access Security:

SSL 3.0 and TLS 1.0
Encryption: Strongest available: DES, 3DES, AES(256), RC4
Authentication: MD-5, SHA-1, RSA 1024, RSA 2048
Internet network masking and IP address/hostname mangling
Works with Network Address Translation (NAT) and Firewall
VPN Chaining
Application level gateway
Hardened Gateway Operating System

Authentication:

Authentication based on user identity, endpoint identity, endpoint trust level
Multiple User authentication options: static passwords, client certificates, External two factor authentication solutions
Local database with full customization per user, password policies, password reset support
Fully integrated client-certificate based two factor authentication server with automatic CA and certificate provisioning
Enterprise PKI built-in with X509 standards
Email based user provisioning
Authentication method based application access control
Integrates with AD/LDAP/RADIUS/RSA SecurID , X.509 digital certificates
Automatic fetching of group information from AD/LDAP/RADIUS
Key Exchange
RSA & Diffie Hellman
Biometric authentication support

Authorization:

Publish applications rather than subnet or network
Simple access control mechanism
Access control based on
- Device identity and profile
- User Authentication method
- User Role
Dynamic policy evaluation based on run time information about device, authentication method and user role
Display of allowed applications and availability of the application server to users
Time-based restriction policies
Auto-detection of applications running in corporate network

Auditing & Logging:

Complete reporting of user logons and activity
Information logged includes
- Time of access
- Username
- MAC Address of endpoint
- IP address of endpoint
- Application accessed
- Device Profile
Logging of endpoint security scans
Detailed logging per device scans including
- Policies evaluated for user sessions
- Current profile of endpoint
- List of failed policies
- List of policies for which remediation information is sent to user
Session, connection, failed connection logging
Administrative auditing
Extract logs in CSV format for feeding to third party report generation
Monitor and disconnect live users

Device Profiling (Endpoint Security):

Support for checking for Anti-virus, Firewall and Anti-spyware products
Real time status check for
- Virus signature DAT file version
- Last update time
- Last scan time
- Real time protection check
Support for more than 200 products
Support for checking for MAC ID and IP address
Application control based on device profile
Mandatory profile for non-avoidable policy checks on all endpoints
Quarantine profile for devices that fails all other profiles
Option to block endpoints that fails to comply to required policies or option to allow them to login by putting them in quarantine profile
Real time updates about latest virus signature DAT file releases by AV/FW vendors are pushed to VPN gateway every hour to protect corporate network against any zero-day attacks
Integrated with OPSWAT™ endpoint security SDK

Access Modes:

Web Portal for easy access by end users
Clientless VPN with a browser agent for seamless access to applications
No configuration required on end user machines
Client platforms supported
- Windows 98 /XP /Vista /Windows7
- Windows server 2003 /2008
- Linux
- MAC OS X PPC/Intel 10.4 and above Site to Site access

Management:

Web-based management console Menu driven console interface for system configuration
Wizard driven installation procedure
Self-signed certificate generation CLI
Real-time status and monitoring
Delegated role-based administration
Certificate based login for administrators

Documentation:

Download the Cyberoam SSL VPN Appliance Datasheet (PDF).