Security is an essential component of a UTM device. The Cisco ISA550W provides six key types of network protection: spam filtering, anti-virus protection, application control, Intrusion Prevention (IPS), web filtering and network blocking based on IP reputation. To use these six features, an annual license must be purchased from Cisco. I'll cover the costs of that license at the end of this review.
The ISA550W leverages information from Cisco's Security Intelligence Operations (SIO) to provide these security features. Cisco claims they have over 1.6 million security devices around the world communicating information about threats to the SIO daily. The information from these 1.6m devices produces up to 75 TB of new data daily to be filtered and added to a massive security database. Updates from this data are streamed back to the same devices, allowing Cisco security devices to learn from each other and block network threats that may have been experienced elsewhere across the globe.
Some of the security features update a database on the ISA550W from the SIO, others query the SIO in real time to filter traffic. As you can see in the screenshot, spam filtering and web filtering perform real time checks while anti-virus, network reputation, application control, and IPS update local databases from the SIO.
Security Service Status Summary
Spam filtering options on the ISA550W include tagging or blocking known or suspected spam email based on reputation. Reputation is based on the email sender's IP address "score." Cisco's SIO scores email IP addresses on a scale of -10 (bad) to +10 (good). You can set the ISA550W to filter email with a Low (-4), Medium (-3) or High (-2) reputation/score, or customize it to filter spam at a higher or lower value as you choose. Known good email senders can be entered into an Allowed Senders list, bypassing the spam filter if needed.
Spam Reputation Threshold
I did not test the ISA550W's spam filter, but Cisco filled me in on how it works. The ISA550W filters for spam sent or received via SMTP (port 25). Thus, if you're running your own email server which uses SMTP to send and receive email, the ISA550W will filter spam before it gets to your server, thus preventing it from getting to your clients. If you're not running your own email server and your client email software uses POP3 (port 110) to receive email, the ISA550W may not filter incoming spam.
A UTM device isn't a replacement for host-based anti-virus software, but it can be a nice complement to your overall security plan. The ISA550W filters for viruses by comparing traffic to its virus database. The ISA550W gets its virus database from the SIO, which leverages Kaspersky’s database for virus scanning and Cisco’s SIO database to identify web sites containing viruses and malware. The ISA550W will scan HTTP, FTP, SMTP, POP3, IMAP, and NETBIOS traffic for virus signatures and either notify or block the traffic as desired.
An email notification can also be sent in the event a virus is detected. Below is the content of an email sent when I tried to download the EICAR test file, a harmless file that is useful for triggering anti-virus detection.
Alert – AntiVirus - Virus was detected in the file "eicar_com.zip" over a HTTP session.
Application control on the ISA550W is very configurable. Application signatures are downloaded from the SIO and are classified in 22 different categories. Each category has numerous listed applications.
Application policies can be created to permit or deny traffic based on category and application. Policies can then be applied based on network zone. The default policy is to permit all applications, so you have to either edit the default policy or create a policy and apply it to a zone to filter specific applications. I modified the default policy to block traffic to Facebook and received a “This page can't be displayed” message when I tried to access the site. A screenshot of the application control policy edit page is below.
Application Control Policies
Intrusion Prevention Systems (IPS) inspect network traffic for threats like worms, spyware, and other undesirable traffic by comparing packets to a database of network threat characteristics, called signatures. The ISA550W will automatically update its intrusion prevention signature database from Cisco's SIO on a regular basis. You can enable/disable IPS on the ISA550W, define which zones IPS will inspect, as well as enable or disable IPS blocking on any of the IPS signatures stored in the database. At the time of this writing, the ISA550W IPS feature recognized 1912 IPS signatures.
Web filtering is performed by reputation and by URL. As stated in the ISA550W manual, "Web Reputation Filtering prevents client devices from accessing dangerous websites containing viruses, spyware, malware, or phishing links." URL filtering is based on web site categories. Both filtering types are performed by checking the SIO database in real time for each web site accessed.
Web site reputation filtering functions similarly to spam filtering, with web sites being assessed a score from -10 (bad) to +10 (good). Web sites can be blocked based on settings of Low (-8), Medium (-6) or High (-4), or a custom level. Up to 16 websites can be exempted from web reputation filtering.
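The spam and web reputation filters described above share one mechanism: the SIO hands back a score from -10 to +10, the administrator picks a preset or custom threshold, and an allow list (Allowed Senders for email, up to 16 exempted sites for web reputation) bypasses the check. The following is an added illustration of that threshold logic, not Cisco's code: the preset values are the ones quoted in this review, while the class and function names, the assumption that a score equal to the threshold is filtered, and the sample IP addresses and scores are constructed for the example.

```python
"""Score-threshold reputation filtering in the style the review describes.
Added example; not ISA550W code. Preset numbers are from the review, the
inclusive boundary and all names/sample data are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

# Presets quoted in the review. A higher (less negative) threshold filters more.
SPAM_PRESETS: Dict[str, int] = {"Low": -4, "Medium": -3, "High": -2}
WEB_PRESETS: Dict[str, int] = {"Low": -8, "Medium": -6, "High": -4}


class Action(Enum):
    ALLOW = "allow"
    TAG = "tag"      # spam-filter option: deliver the message but mark it
    BLOCK = "block"


@dataclass
class ReputationFilter:
    presets: Dict[str, int]
    level: str = "Medium"
    custom_threshold: Optional[int] = None          # overrides the preset when set
    on_match: Action = Action.BLOCK
    allowed: Set[str] = field(default_factory=set)  # Allowed Senders / reputation exemptions
    max_allowed: Optional[int] = None               # e.g. 16 for web reputation per the review

    @property
    def threshold(self) -> int:
        if self.custom_threshold is not None:
            return self.custom_threshold
        return self.presets[self.level]

    def add_allowed(self, entity: str) -> None:
        """Add an entry to the bypass list, enforcing the list's size limit."""
        if (self.max_allowed is not None and entity not in self.allowed
                and len(self.allowed) >= self.max_allowed):
            raise ValueError(f"allow list full ({self.max_allowed} entries)")
        self.allowed.add(entity)

    def evaluate(self, entity: str, score: int) -> Action:
        """Decide what to do with a sender IP or web site given its SIO score."""
        if not -10 <= score <= 10:
            raise ValueError("reputation scores run from -10 to +10")
        if entity in self.allowed:
            return Action.ALLOW          # allow list bypasses the reputation check
        if score <= self.threshold:      # assumption: the boundary is inclusive
            return self.on_match
        return Action.ALLOW


# Constructed sample: (sender IP, SIO score) pairs as a mail log might list them.
SAMPLE_SENDERS: List[Tuple[str, int]] = [
    ("192.0.2.10", -1), ("192.0.2.11", -2), ("192.0.2.12", -9), ("192.0.2.13", 6),
]


def spam_verdicts(level: str = "High", tag_only: bool = True) -> Dict[str, str]:
    """Run the sample senders through a spam filter at the given preset."""
    f = ReputationFilter(SPAM_PRESETS, level=level,
                         on_match=Action.TAG if tag_only else Action.BLOCK)
    f.add_allowed("192.0.2.12")   # a known-good sender with a bad score stays deliverable
    return {ip: f.evaluate(ip, score).value for ip, score in SAMPLE_SENDERS}


if __name__ == "__main__":
    for ip, verdict in spam_verdicts().items():
        print(f"{ip:12} {verdict}")
```

Note the direction of the presets: under the "High" spam setting (-2) a sender scored -2 is tagged while one scored -1 passes, and under the "Low" web setting (-8) only sites at -8 or worse are blocked. Whether the device treats the boundary value as filtered is not stated in the review or manual quoted here; the example assumes it is.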
Website URL filtering is similar to Application Control, relying on policies and zones. There are 65 different web site categories that can be blocked or permitted. Up to 32 exceptions can be added to each policy to permit or block specific websites regardless of category.
I modified the default policy to block traffic to URLs in the Computer and Internet category, which blocked access to the SmallNetBuilder website with the message shown below.
URL Blocked message
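Application control and URL filtering follow the same policy model in this review: a default policy that permits everything, per-category permit/block settings, per-policy site exceptions (up to 32 for URL filtering), and policies bound to network zones. The following is an added example of how such a policy engine resolves a request, written for this review and not taken from the ISA550W; the category table, host names, zone names and class names are constructed, and the SIO's real-time category lookup is replaced by a local dictionary.

```python
"""Zone-based category policy engine in the style the review describes.
Added example, not Cisco's code; hosts, zones and the category table are
constructed stand-ins for the SIO's real-time lookup."""
from dataclasses import dataclass, field
from typing import Dict

MAX_EXCEPTIONS_PER_POLICY = 32     # per the review, for URL filtering policies
PERMIT, BLOCK = "permit", "block"

# Constructed category table; the real device queries the SIO for this.
CATEGORY_OF: Dict[str, str] = {
    "tech.example": "Computer and Internet",
    "social.example": "Social Networking",
    "news.example": "News",
}


def categorize(host: str) -> str:
    return CATEGORY_OF.get(host, "Uncategorized")


@dataclass
class Policy:
    name: str
    default_action: str = PERMIT                                     # as shipped: permit all
    category_actions: Dict[str, str] = field(default_factory=dict)  # category -> action
    exceptions: Dict[str, str] = field(default_factory=dict)        # host -> action

    def set_category(self, category: str, action: str) -> None:
        self.category_actions[category] = action

    def add_exception(self, host: str, action: str) -> None:
        """Per-site override; the review gives 32 as the per-policy limit."""
        if host not in self.exceptions and len(self.exceptions) >= MAX_EXCEPTIONS_PER_POLICY:
            raise ValueError(f"policy {self.name!r} already has {MAX_EXCEPTIONS_PER_POLICY} exceptions")
        self.exceptions[host] = action

    def decide(self, host: str, category: str) -> str:
        # A site exception wins over the category verdict, which wins over the default.
        if host in self.exceptions:
            return self.exceptions[host]
        return self.category_actions.get(category, self.default_action)


class UrlFilter:
    """Maps zones to policies; zones without their own policy use the default."""

    def __init__(self, default_policy: Policy) -> None:
        self.default_policy = default_policy
        self.zone_policies: Dict[str, Policy] = {}

    def apply_to_zone(self, zone: str, policy: Policy) -> None:
        self.zone_policies[zone] = policy

    def check(self, zone: str, host: str) -> Dict[str, str]:
        policy = self.zone_policies.get(zone, self.default_policy)
        category = categorize(host)
        return {"zone": zone, "host": host, "category": category,
                "policy": policy.name, "action": policy.decide(host, category)}


def build_demo_filter() -> UrlFilter:
    """Reproduce the review's experiment: edit the default policy to block one category."""
    default = Policy("Default")
    default.set_category("Computer and Internet", BLOCK)
    uf = UrlFilter(default)

    # A stricter policy for a guest zone, with one site exempted from the block.
    guest = Policy("Guest")
    guest.set_category("Computer and Internet", BLOCK)
    guest.set_category("Social Networking", BLOCK)
    guest.add_exception("tech.example", PERMIT)
    uf.apply_to_zone("GUEST", guest)
    return uf


if __name__ == "__main__":
    uf = build_demo_filter()
    for zone, host in [("LAN", "tech.example"), ("LAN", "news.example"),
                       ("GUEST", "social.example"), ("GUEST", "tech.example")]:
        r = uf.check(zone, host)
        print(f"{r['zone']:6} {r['host']:15} {r['category']:22} {r['policy']:8} {r['action']}")
```

The order of evaluation matters for troubleshooting a "URL Blocked" page like the one above: first find which policy the client's zone is bound to, then whether the host has an exception in that policy, and only then the category verdict. An uncategorized host falls through to the policy's default action, which is why leaving the default at "permit" means new or unknown sites are allowed until the SIO classifies them.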
Per the ISA550W's manual, the "Network Reputation filter blocks incoming traffic from IP addresses that are known to initiate attacks throughout the Internet." This feature isn't adjustable; it can only be enabled or disabled.
The ISA550W provides a Security Services Report, showing activity levels and actions for each of the six types of network protection. Specific incidents can be examined more closely to see what action has been taken. Below is a screenshot showing the activity where traffic to Facebook was blocked by the application control feature.