CSG-2500 stands firm against malware

Network defender can carry a heavy load, though reporting and protocol support are lacking

Not too long ago, all a network admin had to do to ensure that the network was “clean” was to schedule a weekly virus scan and confirm the virus signatures were up to date. This kind of protection was sufficient when the attack vector was based on sharing floppy disks or opening an infected e-mail attachment.

But this isn’t the case anymore. Virus and malware threats are cropping up more in Web traffic than simple infected files. Malware code is hidden in Web pages, packaged as part of “legitimate” software installs and stuffed inside malicious e-mail messages. Preventing it from entering the network requires detection in the data stream at the network edge.

The CSG-2500 from CP Secure is a 2U appliance that scans HTTP, HTTPS, FTP, POP3, SMTP, and IMAP traffic in real time without adding excessive latency. It installs as a transparent bridge negating any network changes. Although it falls short in some areas — such as so-so reporting and the absence of IM and CIFS support — it’s still a solid contender for defending the networks of midsize to large organizations.

Click for larger view.

Setting up the CSG-2500 is fast and easy; I had my test unit online in about 15 minutes. The appliance comes with redundant power supplies, two hard drives in a RAID array, two Gigabit fiber and four Gigabit copper ports with an additional 10/100 administration port. VLAN and fail-over support is built into the appliance, as is optional load balancing.

One feature the company repeatedly stressed during my evaluation was the appliance’s overall performance under load. I tested the CSG-2500 by simulating between 1,000 and 2,000 concurrent users accessing HTTP traffic between a pair of HP ProLiant DL360 G3 servers. Latency ranged from 593ms at 1,000 connections to 1,075ms at 2,000. Throughput for the CSG-2500 under load was from 389Mbps (at 1,000) to 362Mbps (at 2,000).

By way of comparison, I ran the same test mix through a Cymphonix Network Composer DC30X and found latency numbers between 1,178ms and 1,240ms. The Cymphonix unit’s throughput was less than the CP Secure device because of its 10/100Mbps interfaces (a test with no appliance in the mix provided latency values from 50ms to 137ms, and throughput averaging around 888Mbps).

Hold the line
Blocking malware and viruses at the network edge is the first line of defense against network infections. With dual scanning engines from CP Secure and Kaspersky, the CSG-2500 looks inside inbound and outbound traffic. A combination of heuristics and signature-based scanning checks for malware embedded in the TCP traffic stream. When malware is detected, admins can choose from a number of actions, such as blocking, quarantining, or simply auditing the activity.

During my tests, I attempted to download various types of malware and viruses from live Web sites and known infected servers on my test LAN. In all cases the CSG-2500 detected the attempts and processed them according to my policy.

Admins also can decide which protocols to scan, and they can specify standard and nonstandard port assignments. For instance, I was able to scan HTTP traffic on port 80 as well as port 81 and 8080 (unique ports on my test Web servers). Unlike the Cymphonix offering, this release doesn’t include any scanning support for instant message or CIFS traffic. The company has said it would consider adding additional scanning if customer demand dictated it.

Content filtering is part of the HTTP and FTP scanning engines. Policies for blocking objects such as ActiveX and Java, or any file matching a specific extension, are available. IT can also manually create a list of blocked URLs or let the CSG-2500 forward traffic to an existing Websense server.

Administrators have the choice of defining a different policy for outbound e-mail. The unique outbound policy allows for notification to the sender that malware was detected in the message and the ability to filter messages based on keyword, password-protected attachments, file type, and name. Many enterprises will already have an e-mail content filtering solution in place, such as Sigaba Secure E-mail, but for some, this will be a welcome tool.

Cracking the code
One unique feature is CP Secure’s ability to crack open HTTPS traffic and scan the stream for potential problems. Without any changes to the end-user’s browser, the CSG-2500 acts like a “man in the middle” and decrypts the traffic, inspects it for viruses and malware, then re-encrypts it and sends it on its way. This process does add a little more latency overall, but not enough to be noticeable.

The policy engine with the HTTPS service provides a good range of options for dealing with various secure Web sites. A default list of trusted certificate authorities, such as Entrust.net, Thawte, and Verisign, is included, and admins can edit the list to meet their needs. They can even maintain a list of sites that have untrusted certificates that users can access to allow for internal-deployed self-signed certificates. Because the CSG-2500 is intercepting the SSL traffic, users will get a certificate-authenticity warning when connecting through the appliance. To eliminate this, IT can distribute a digital certificate for the appliance for import into each user’s browser. I did this and the warnings disappeared.

CSG-2500’s reporting and logging capabilities are a weak spot. IT can search the log based on specific criteria and either view the text output or send it to a CSV file. The most useful reporting feature is the report profiles. Each profile defines the protocols and date range (up to 30 days) to include in the malware and traffic summary, and send to a user via e-mail. While not nearly as sexy as the reporting engine in the Cymphonix offering, it is enough to help IT understand what is being detected on the network.

For medium and large businesses that need to protect a lot of users from Web-based threats, the CSG-2500 definitely scales well and doesn’t add excessive amounts of latency. I like the HTTPS scanning capabilities, and I couldn’t slip any malware through during its time on my bench. Reporting could use some improvement, the lack of IM and CIFS support is disappointing, and smaller installations may balk at the price tag. However, for those who need high performance near real-time Web traffic scanning, the CSG-2500 will handle the load.

InfoWorld Scorecard
Content filtering (25.0%)
Management (15.0%)
Value (10.0%)
Setup (10.0%)
Protocol support (25.0%)
Reporting (15.0%)
Overall Score (100%)
CP Secure CSG-2500 8.0 8.0 8.0 9.0 7.0 7.0 7.7