Cyberoam - Unified Threat Management: Cyberoam Upgrade Training v9.5.9.xx (Beta)

Author: Brooke Martin

1 Cyberoam Upgrade Training v9.5.9.xx (Beta)

2 New Features:
1. Free On-Appliance SSL VPN
2. Complete Layer 2 to Layer 8 security
3. Category Based Bandwidth Management (Upcoming)
4. Free RBL Support (Upcoming)

3 Enhancements:
1. Provide Bandwidth to Branch offices over VPN
2. Total Threat Free Tunneling
3. Clientless Automated SSO (Upcoming)
4. Spam Quarantine Enhancements

4 New features

5 All free On-Appliance SSL VPN

6 On-Appliance SSL VPN
The VPN feature is now extended to include SSL VPN functionality within Cyberoam, providing secure access for remote users. It is easier to use and control, and allows access to the corporate network from anywhere, at any time. Any device that has a browser can access the SSL VPN.

7 License Free SSL-VPN:
- Client and location independent access
- Authentication: AD, LDAP, RADIUS, Cyberoam
- Multi-layered client authentication: Certificate, Username/Password
- User & Group policy enforcement
- Network access: Split and Full tunneling
- End user Web Portal: Clientless access
- SSL VPN Tunneling Client: Granular access control to all the Enterprise Network resources
- Administrative controls: Session timeout, Dead Peer Detection, Portal customization
The SSL VPN feature would not be a chargeable module and would be enabled by default in all appliances: 25i, 50i, 100i, 200i, 300i, 250i, 500i, 1000i and 1500i.

8 Key Advantages
1. It's FREE!!! (Promotional Offer)
2. Easy to use. No complicated configurations.
3. Device independent. Can be used with smartphones, iPhones, netbooks etc.
4. Works in restricted network environments where VPN traffic is blocked.
5. Data transfer is encrypted by SSL. Safe to use on an unsecured network.
6. VPNC certified


10 On appliance SSL VPN in detail

11 Who should access what?
Cyberoam's on-appliance SSL-VPN gives administrators full flexibility to decide what type of access should be given, by creating policies. The SSL VPN policy determines the access mode available to remote users and also controls access to the private network (corporate network) in the form of bookmarks.

12 Two modes: Full Access and Web Access mode
- Web Access mode (web based or clientless)
  - Does not require any client to be installed
  - Can be accessed using a browser
  - Limited to use on web resources only
- Full Access mode (client mode)
  - Requires a client to be installed
  - Works in two modes:
    - Split Tunnel
      - Allows access to only the network resources defined in the policy
    - Full Tunnel
      - Routes all traffic to Cyberoam; Internet through HO
      - Allows access to only defined internal network resources
      - Full access to WAN

13 Creating SSL VPN Policy
- Select the access mode by clicking the appropriate option
- Select tunnel type
- Accessible Resources allows restricting access to certain hosts of the private network
- Bookmarks are the resources that will be available through the Web portal

14
- It provides the ability to create point-to-point encrypted tunnels between remote employees and your company's internal network.
- It requires a combination of SSL certificates and a username/password for authentication to enable access to the internal resources.
- To restrict access to the corporate network, it operates in two modes: Full Access and Web Access mode.
- A user's access to the private network is controlled through his SSL VPN policy, while Internet access is controlled through his Internet Access policy.

15 End user experience
- User authenticates himself
- Access web-based resources available to him
- Install SSL VPN Client

16 Open Issues / Limitations till v95933 beta:
1. Sites using redirection will not work properly
2. MS-Exchange not working (OWA)
3. Flash will not work
4. CARL will not work
5. URLs like http:// /test/ will not work with web-based SSL VPN
6. Idle timeout is not working
7. Host Groups will not be listed in SSL VPN policy
8. Reporting is not provided
9. Passwords with extended characters like @ will not work
10. Using the same IP as both start and end of the IP Lease Range (10.10.0.1 - 10.10.0.1) will stop the SSL-VPN service. A correct range must be specified.
11. Firewall implementation is not there and is planned in Phase-II (not this final release).

17 Open Issues / Limitations in 2nd EA (beta) v960xx:
1. MS-Exchange not working (OWA). Works – with limitations.
   - With IE browsers: OWA 2003, 2007 (and maybe 2000) works only with Basic mode (not Premium/Advanced modes).
   - With non-IE browsers: OWA 2003, 2007 (and maybe 2000) works.
2. Flash will not work
3. Idle timeout is not working
4. As of now, reporting is not provided.
5. Using the same IP as both start and end of the IP Lease Range (10.10.0.1 - 10.10.0.1) will stop the SSL-VPN service. A correct range must be specified.
6. Firewall implementation is not there and is planned in Phase-II (not in the coming final release).

18 Enhanced security with L2 Firewall support

19 Enhanced security with Cyberoam: Identity - IP address - MAC address
- Cyberoam now extends down to OSI Layer 2 to achieve a major security enhancement.
- MAC address (Machine Address) is now also a decision parameter, along with identity and IP address, for firewall policies.
- All normal firewall policies like IAP, AV, IPS, Bandwidth policy etc. can be applied on a MAC firewall rule.
- For any server running on a dynamic IP address, we can now create a firewall rule that allows that server through the firewall using its MAC.

20 Create firewall rule based on MAC address

21
- Create MAC based host for dynamic web server
- Now create MAC based firewall rule

22 Web Category Bandwidth (Upcoming)

23 Web Category Bandwidth features
- Bandwidth restriction can be applied on Web categories
- Configuration is provided in Web Category and Firewall
- Bandwidth will be shared among all the users/firewall rules for a particular Web category
- Web category bandwidth will take priority with respect to all other bandwidth configuration
- If a user is given 32 kbps of bandwidth and the Web category he is accessing is given 16 kbps of bandwidth, the user can draw a maximum of 32+16 kbps of bandwidth

24 Create web category based bandwidth policy

25 Allot bandwidth while creating web category

26 View which bandwidth policy is applied to which web category

27 Apply through the firewall rule

28
- Create a BW policy for online games sites
- Create a category for online games
- Apply the web based BW categorization to all the LAN users

29 Free RBL support for Anti Spam (Upcoming)
- Now get free Anti Spam protection with the RBL
- No need to purchase a separate license if you need RBL Anti Spam protection

30 Enhancements

31 Branch office Internet Traffic Tunneling over VPN

32 Branch office Internet Traffic Tunneling over VPN
- Cyberoam now facilitates central Internet access and control for an organization with multiple branch offices
- All the branch offices can now use the Internet facility at the head office to browse
- Supported only in Net-Net connections

33 All the branches can access the Internet through HO

34 Advantages
- Even if the branch offices don't have Internet access, they can access the Internet through the head office.
- Centralized implementation of user policies from HO.
- Central reporting in HO.
- Easy to manage the branch offices.

35 Threat free tunneling

36
- Cyberoam VPN zone traffic is now totally secure. It extends its firewall rule gamut to L2TP and PPTP VPN traffic, which is scanned for malware, spam and inappropriate Web content. This ensures that nothing dangerous can sneak through.
- All normal firewall policies like IAP, AV, IPS, Bandwidth policy etc. can be applied on L2TP and PPTP traffic.

37 Create L2TP configuration

38 Create PPTP configuration

39 Create hosts for L2TP and PPTP configurations

40 Firewall rules for L2TP and PPTP tunnel users

41 Spoof prevention

42
- You can configure MAC and/or IP address pair entries in the IP-MAC trusted list to improve the security of your network
- Using MAC address filtering makes it more difficult for a hacker to guess and use a random MAC address
- It is also possible to filter packets based on IP-MAC pair

43 Spoof Prevention
- MAC filtering
  - Does not allow any IP address to connect other than from a trusted MAC
- IP-MAC pair filtering
  - Drops traffic where the IP-MAC pair does not match
  - Allows all traffic for which a MAC entry does not exist
- Spoof prevention
  - Drops any traffic that does not match the subnet of the incoming NIC


45 Spoof Prevention Settings
- Packets will be dropped if the MAC address is not configured in the "Trusted MAC address" list.
- Packets will be dropped if IP and MAC do not match any entry in the IP-MAC trusted list.
- Packets will be dropped if a matching route entry is not available.
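
The three spoof prevention checks from slides 43 and 45, modelled as an added example (not Cyberoam code or configuration). The class and function names, the independent on/off switches, the order of the checks and all addresses are assumptions made for illustration. It shows why IP-MAC pair filtering is normally combined with MAC filtering: on its own it accepts traffic from a MAC that has no entry.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SpoofPolicy:
    # Assumption: each of the three checks is an independent on/off setting.
    mac_filter: bool = False        # "MAC filtering"
    ip_mac_filter: bool = False     # "IP-MAC pair filtering"
    subnet_check: bool = False      # "Spoof prevention" (subnet of incoming NIC)
    trusted_macs: set = field(default_factory=set)
    ip_mac_pairs: dict = field(default_factory=dict)  # MAC -> IP bound to it
    nic_subnets: dict = field(default_factory=dict)   # port name -> subnet

def evaluate(policy, port, src_ip, src_mac):
    """Return 'accept' or a 'drop: ...' reason for one inbound packet."""
    mac = src_mac.lower()
    ip = ipaddress.ip_address(src_ip)
    if policy.mac_filter and mac not in policy.trusted_macs:
        return "drop: MAC not in trusted MAC list"
    if policy.ip_mac_filter:
        bound = policy.ip_mac_pairs.get(mac)
        # Slide 43: traffic from a MAC with no entry is allowed by this check.
        if bound is not None and ipaddress.ip_address(bound) != ip:
            return "drop: IP-MAC pair mismatch"
    if policy.subnet_check:
        net = policy.nic_subnets.get(port)
        if net is None or ip not in ipaddress.ip_network(net):
            return "drop: source outside subnet of incoming NIC"
    return "accept"

# Constructed sample data (not taken from any real network).
KNOWN_MAC = "00:11:22:33:44:55"
UNKNOWN_MAC = "66:77:88:99:aa:bb"
PAIRS = {KNOWN_MAC: "192.168.1.10"}
SUBNETS = {"PortA": "192.168.1.0/24"}

def pairs_only():
    return SpoofPolicy(ip_mac_filter=True, ip_mac_pairs=PAIRS)

def all_checks():
    return SpoofPolicy(mac_filter=True, ip_mac_filter=True, subnet_check=True,
                       trusted_macs={KNOWN_MAC}, ip_mac_pairs=PAIRS,
                       nic_subnets=SUBNETS)

if __name__ == "__main__":
    packets = [("PortA", "192.168.1.10", KNOWN_MAC),
               ("PortA", "192.168.1.99", KNOWN_MAC),
               ("PortA", "192.168.1.10", UNKNOWN_MAC),
               ("PortA", "10.0.0.7", KNOWN_MAC)]
    for pkt in packets:
        print(pkt, "| pairs only:", evaluate(pairs_only(), *pkt),
              "| all checks:", evaluate(all_checks(), *pkt))
```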

46 ARP Management

47 Cyberoam ARP Management Features
- Facility to manage ARP entries
- Static entries can be added from the GUI
- Shows a list of ARP entries, both static and dynamic
- Do not add a static ARP entry for any configured gateway; it will mark the gateway dead
- Cyberoam maintains two types of table for ARP entries: ARP Cache and Static ARP

48 How does Static ARP work in Cyberoam?
- Add a static ARP entry. These entries will be stored in the static ARP table as well as the ARP Cache table.
- When the Cyberoam appliance receives an ARP request on a particular port, Cyberoam performs the ARP lookup in the static ARP table.
- If there is any mismatch in IP address or port, Cyberoam considers it an ARP poisoning attempt and does not update its ARP Cache.
- If the entry is not available in the table, Cyberoam will look it up in the ARP Cache and add the MAC address to the ARP Cache if required.
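
The static ARP lookup described on slide 48, as an added model (not the appliance's implementation). The table layout, the names, and treating any static entry that shares the IP or the MAC with an incoming ARP claim as the one to compare against are assumptions; the addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    port: str

class ArpTables:
    def __init__(self):
        self.static = []   # administrator-defined ArpEntry records
        self.cache = {}    # ip -> (mac, port, "static" | "dynamic")

    def add_static(self, ip, mac, port):
        # Slide 48: static entries are stored in both tables.
        entry = ArpEntry(ip, mac.lower(), port)
        self.static.append(entry)
        self.cache[ip] = (entry.mac, port, "static")

    def on_arp(self, ip, mac, port):
        """Process one ARP claim (ip is-at mac) seen on a port."""
        claim = ArpEntry(ip, mac.lower(), port)
        # Assumption: a static entry is relevant if it shares IP or MAC.
        related = [e for e in self.static
                   if e.ip == claim.ip or e.mac == claim.mac]
        if related:
            if claim in related:
                return "ok: matches static entry"
            # Mismatch against a static entry: leave the cache untouched.
            return "rejected: possible ARP poisoning, cache unchanged"
        cached = self.cache.get(ip)
        if cached is None or cached[0] != claim.mac:
            self.cache[ip] = (claim.mac, port, "dynamic")
            return "learned: dynamic entry added"
        return "ok: already cached"

def demo():
    """Run constructed ARP claims against one static entry."""
    t = ArpTables()
    t.add_static("10.10.0.5", "00:11:22:33:44:55", "PortA")
    results = [
        t.on_arp("10.10.0.5", "00:11:22:33:44:55", "PortA"),  # exact match
        t.on_arp("10.10.0.5", "00:11:22:33:44:55", "PortB"),  # wrong port
        t.on_arp("10.10.0.9", "00:11:22:33:44:55", "PortA"),  # wrong IP
        t.on_arp("10.10.0.20", "aa:bb:cc:00:00:01", "PortA"), # no static entry
    ]
    return t, results

if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```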

49 Add Static ARP

50 Manage ARP
- Select from the drop-down list to view ARP entries
- It lists the IP address, MAC address, port and type of each entry

51 Clientless - Automated Single Sign-On

52 Clientless - Automated Single Sign-On: Advantages
- No need to convince the administrators to modify the logon scripts or make client side installations.
- With the new Clientless - Automated Single Sign-On, there is a single lightweight installer that can be installed on any Windows computer on the network.
- Cyberoam will detect all logons and logoffs.
- Also works with Macintosh clients authenticating with a Microsoft Domain Controller.

53 Features
- The new clientless SSO is an agent-based solution: there is no need to configure any logon script or to push SSO client software to any client machine.
- It is platform independent: if the client OS is integrated with Active Directory, Cyberoam will automatically log users into Cyberoam once they log into Active Directory. Examples: Mac OS, Linux, Windows (all versions).
- In this new SSO, we just need to install one agent on the AD controller, which will automatically send login information to Cyberoam for authentication.
- In the case of multiple AD controllers for the same domain, we just need to install the agent on all the AD controllers.

54 Spam Digest

55 Spam digest features
- Daily Spam Digest: Cyberoam will now mail a summary of the spam mails that have been quarantined by Cyberoam.
- Release the false positives to your mailbox: Cyberoam now allows you to release a mail from the quarantine area and get it right in your mailbox.
- Promotes end user's self-sufficiency
- Reduces dependency on the network administrator

56 User's Antispam Quarantine Area
- User logs into his account
- Go to the spam quarantine area
- Access as well as release the quarantined spam mails

57 Separate sub menu to manage digital certificates

58 Bundle Subscription

59 Details
Applicable from version 9.5.8.52.
Cyberoam's "Bundle Subscription" service gives subscribers a purchase option to choose between a single subscription module and a bundle of modules. Cyberoam will also continue to offer single subscription modules.
A bundle can be a combination of any or all of the following modules:
- Gateway Anti Virus
- Gateway Anti-spam
- Intrusion Prevention System
- Web and Application Filter
- 8 x 5 Support

60 Benefits
- A subscription bundle reduces the administrator's task of subscribing to each module individually, as all the modules in the bundle are subscribed in a single step using just one key.
- Along with customers, the feature is also beneficial to suppliers, as one can achieve the desired cost reduction for the bundled pack.

61 How to subscribe
- The subscriber will be provided a single key for all the modules included in the bundle.
- For renewal, the subscriber can choose to renew the pack or a single module.

62 One time subscription

63 DHCP Enhancements (Upcoming)

64 DHCP Enhancements
- More user friendly interface
- Configuration for dynamic as well as static lease
- IP address conflict detection
- Facility to lease primary and secondary DNS
- Option to lease Cyberoam's DNS configuration
- DHCP can now lease WINS server
- DHCP Relay configuration


66 Configure for Dynamic Lease

67 Configure for Static Lease

68 Manage DHCP Servers


70 Thank you