
Cyberoam Upgrade Training v9.6 build 16


Presentation Transcript


  1. Cyberoam Upgrade Training v9.6 build 16

  2. New Features: • Free On-Appliance SSL VPN • Complete Layer 2 to Layer 8 security • Category Based Bandwidth Management • Free RBL Support • IP Reputation Filtering Support in Anti-Spam

  3. Enhancements: • Provide Bandwidth to Branch offices over VPN • Total Threat Free Tunneling • Clientless Automated SSO • Spam Quarantine Enhancements

  4. New features

  5. All free On-Appliance SSL VPN

  6. On-Appliance SSL VPN • The VPN feature is now extended to include SSL VPN functionality within Cyberoam to provide secure access for remote users. • Easier to use and control, allowing access to the Corporate network from anywhere, anytime. • Any device that has a browser can access SSL VPN

  7. License Free SSL-VPN: • Client and Location independent access • Authentication - AD, LDAP, RADIUS, Cyberoam • Multi-layered Client Authentication - Certificate, Username/Password • User & Group policy enforcement • Network access - Split and Full tunneling • End user Web Portal - Clientless access • SSL VPN Tunneling Client - Granular access control to all the Enterprise Network resources • Administrative controls: Session timeout, Dead Peer Detection, Portal customization • The SSL VPN feature would not be a chargeable module and would be enabled by default in all appliances 25i, 50i, 100i, 200i, 300i, 250i, 500i, 1000i and 1500i.

  8. Key Advantages: • It's FREE!!! (Promotional Offer) • Easy to use. No complicated configurations. • Device independent. Can be used with smartphones, iPhones, netbooks etc. • Works in restricted network environments where VPN traffic is blocked. • Data transfer is encrypted by SSL. Safe to use on an unsecured network. • VPNC certified

  9. On appliance SSL VPN in detail

  10. Who should access what? Cyberoam’s on-appliance SSL VPN gives administrators full flexibility to decide what type of access should be given by creating policies. The SSL VPN policy determines the access mode available to remote users and also controls access to the private network (corporate network) in the form of bookmarks.

  11. Two modes: Full Access and Web Access mode • Web Access mode (web based or clientless): does not require any client to be installed; can be accessed using a browser; limited to use on web resources only • Full Access mode (client mode): requires a client to be installed; works in two modes: Split Tunnel (allows access to only defined network resources in the policy) and Full Tunnel (routes all traffic to Cyberoam, internet through HO; allows access to only defined internal network resources; full access to WAN)

  12. Creating SSL VPN Policy: • Select the access mode by clicking the appropriate option • Select tunnel type • Accessible Resources allows restricting access to certain hosts of the private network • Bookmarks are the resources that will be available through the Web portal

  13. It provides the ability to create point-to-point encrypted tunnels between remote employees and your company’s internal network • It requires a combination of SSL certificates and a username/password for authentication to enable access to the internal resources. • To restrict the access to the Corporate network, it operates in two modes: Full Access and Web Access mode. • User’s access to private network is controlled through his SSL VPN policy while Internet access is controlled through his Internet Access policy.

  14. End user experience: • Install SSL VPN Client • Access web-based resources available to him • User authenticates himself

  15. Enhanced security with L2 Firewall support

  16. Identity - IP address - MAC address: enhanced security with Cyberoam. • Cyberoam now extends down to OSI Layer 2 to achieve a major security enhancement. • MAC address (Machine Address) is now also a decision parameter, along with identity and IP address, for the firewall policies. • All normal firewall policies like IAP, AV, IPS, Bandwidth policy etc. can be applied on a MAC firewall rule. • For any server running on a dynamic IP address, we can now create a firewall rule to allow that server through the firewall using MAC.

  17. Create firewall rule based on MAC address

  18. • Now create MAC based firewall rule • Create MAC based host for Dynamic web server

  19. Web Category Bandwidth

  20. Web Category Bandwidth features: • Bandwidth restriction can be applied on Web categories • Configuration provided in Web Category and Firewall • Bandwidth will be shared among all the users/firewall rules for a particular Web category • Web category bandwidth will take priority with respect to all other bandwidth configuration • If a user is given 32kbps of bandwidth and the Web category he is accessing is given 16kbps of bandwidth, the user can draw a maximum of 32+16 kbps of bandwidth

  21. Create web category based bandwidth policy

  22. Allot bandwidth while creating web category

  23. View which Bandwidth policy is applied to which web category

  24. Apply through the firewall rule

  25. • Apply the web based BW categorization to all the LAN users • Create a category for online games • Create a BW policy for online games sites

  26. Free RBL support for Anti Spam: • Now get free Anti Spam protection with the RBL • No need to purchase a separate license if you need RBL Anti Spam protection

  27. IP Reputation Filtering Support in Anti-Spam: • Block 85% of incoming messages at entry-point even before these messages enter the network. • Save load / processing power of mail server for unwanted spam messages. • Save internet bandwidth.

  28. How IP Reputation Filtering works? • The sending SMTP host (Sender Mail Server) attempts to connect over port 25 to your mail transfer agent (MTA), the mail server hosted behind Cyberoam. • The Cyberoam Anti-Spam engine delays the connection and queries the inbuilt reputation database about the reputation of the source and how to handle it. • The Cyberoam Anti-Spam engine is responsible for collecting real-time and dynamically updated reputation data about the source by communicating with the Commtouch Datacenter over the HTTP protocol.

  29. How IP Reputation data is collected? The source data is gathered by monitoring its global email sending behavior and is composed of the volume of sent emails in several time frames, the spam ratio of its sent emails, a calculated risk level, computed IP class and other relevant information. Additionally, Cyberoam Anti-Spam maintains local data in several time-based windows about all the previous times that it was already queried about this source. All of this information is used to generate a recommended action to apply on the source.

  30. How to enable IP Reputation Filtering: Anti Spam -> Configuration -> General Configuration

  31. How to check reputation of any given IP: Commtouch provides facility to check reputation of any given IP. You can check the same using below URL: http://www.commtouch.com/check-ip-reputation

  32. Enhancements

  33. Branch office Internet Traffic Tunneling over VPN

  34. Branch office Internet Traffic Tunneling over VPN: • Cyberoam now facilitates central Internet access and control for an organization with multiple branch offices • All the branch offices can now use the Internet facility at the head office to browse • Supported only in Net-Net connections

  35. All the branches can access internet through HO

  36. Advantages: • Even if the branch offices don’t have internet access they can access internet through Head office. • Centralized implementation of user policies from HO • Central reporting in HO. • Easy to manage the branch offices.

  37. Threat free tunneling

  38. Cyberoam VPN zone traffic is now totally secure. It extends its firewall rule gamut to L2TP and PPTP VPN traffic, which is scanned for Malware, Spam and inappropriate Web content. This ensures that nothing dangerous can sneak through. All normal firewall policies like IAP, AV, IPS, Bandwidth policy etc can be applied on L2TP and PPTP traffic

  39. Create L2TP configuration

  40. Create PPTP Configuration

  41. Create hosts for L2TP and PPTP configurations

  42. Firewall rules for L2TP and PPTP tunnel users

  43. Spoof prevention

  44. • You can configure a MAC and/or IP address pair entry in the IP-MAC trusted list to improve the security of your network • Using MAC address filtering makes it more difficult for a hacker to guess and use a random MAC address • It is also possible to filter packets based on IP-MAC pair

  45. Spoof Prevention • MAC filtering: does not allow any IP address to connect other than trusted MAC • IP-MAC pair filtering: drops traffic where the IP-MAC pair does not match; allows all traffic for which a MAC entry does not exist • Spoof prevention: drops any traffic that does not match the subnet of the incoming NIC

  46. Spoof Prevention Settings • Packets will be dropped if the MAC addresses are not configured in the “Trusted MAC address” list. • Packets will be dropped if IP and MAC do not match with any entry in the IP-MAC trusted list • Packets will be dropped if a matching route entry is not available

  47. ARP Management

  48. Cyberoam ARP Management Features • Facility to manage ARP entries • Static entries can be added from GUI • Shows list of ARP entries, both Static and Dynamic • Do not add a static ARP entry for any configured gateway; it will mark the gateway dead • Cyberoam maintains two types of table for ARP entries: ARP Cache and Static ARP
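
The three spoof-prevention checks from slides 45 and 46, modelled as an added example (not Cyberoam code or configuration) to show how the outcome changes with the settings enabled. The class, field and result names are assumptions, the addresses are constructed, and the route-entry check is simplified to a test against the subnet of the incoming NIC.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SpoofPolicy:
    """Simplified model of the three checks; all names here are assumed."""
    trusted: dict = field(default_factory=dict)  # MAC -> bound IP, or None
    mac_filter: bool = False     # drop MACs missing from the trusted list
    ip_mac_filter: bool = False  # drop a trusted MAC seen with another IP
    ip_spoof: bool = False       # drop sources outside the ingress subnet

    def __post_init__(self):
        # Normalise MAC case once so lookups are case-insensitive.
        self.trusted = {m.lower(): ip for m, ip in self.trusted.items()}

    def check(self, src_ip, src_mac, nic_subnet):
        mac = src_mac.lower()
        if self.mac_filter and mac not in self.trusted:
            return "drop:untrusted-mac"
        if self.ip_mac_filter:
            bound = self.trusted.get(mac)
            # No entry (or a MAC-only entry) means there is no pair to violate.
            if bound is not None and bound != src_ip:
                return "drop:ip-mac-mismatch"
        if self.ip_spoof:
            net = ipaddress.ip_network(nic_subnet)
            if ipaddress.ip_address(src_ip) not in net:
                return "drop:wrong-subnet"
        return "accept"

# Constructed sample data: one LAN subnet, two trusted entries, four packets.
LAN = "192.168.1.0/24"
TRUSTED = {"00:11:22:33:44:55": "192.168.1.10", "00:11:22:33:44:66": None}
PACKETS = [
    ("192.168.1.10", "00:11:22:33:44:55"),  # trusted pair
    ("192.168.1.20", "00:11:22:33:44:55"),  # trusted MAC, wrong IP
    ("192.168.1.30", "AA:BB:CC:DD:EE:FF"),  # MAC not in the list
    ("10.9.9.9", "00:11:22:33:44:66"),      # trusted MAC, off-subnet source
]

def evaluate(policy, packets=PACKETS, subnet=LAN):
    return [policy.check(ip, mac, subnet) for ip, mac in packets]

if __name__ == "__main__":
    strict = SpoofPolicy(TRUSTED, mac_filter=True, ip_mac_filter=True, ip_spoof=True)
    pair_only = SpoofPolicy(TRUSTED, ip_mac_filter=True)
    for name, pol in (("all checks", strict), ("pair filter only", pair_only)):
        print(name, evaluate(pol))
```

With only IP-MAC pair filtering enabled, the packet from the unlisted MAC is accepted, which is the "allows all traffic for which a MAC entry does not exist" behaviour from slide 45; MAC filtering is what closes that gap.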
