Security - Web
For web traffic to be filtered, the data flow has to be identified as web traffic. Out of the box, the UTM10 monitors HTTP, HTTPS and FTP traffic on the default ports of 80, 443, and 21. Additional ports can be easily added for monitoring.
The UTM10 automatically filters web traffic for malware as it does for email, and has additional configuration options. Basic configurations include whitelist, blacklist and keyword filtering. More detailed configurations include category based filtering, embedded object filtering on sites using ActiveX, Java and Flash, as well as file type filtering.
Whitelists and blacklists can be useful to allow specific sites that are blocked via a category based filter or block specific sites that are allowed via a category based filter. For example, selecting the filtering category to sports will block espn.com. End users will see a web page with a banner as shown in Figure 7 below. If you wish to allow espn.com but block all other sports websites, setting the filtering category = sports and entering espn.com in the whitelist does the trick. The “*” wildcard is available, so a whitelist entry of *espn* would allow all websites with “espn” in the URL.
Figure 7: Blocked message
As a side note, sports websites may seem innocuous, but during several times of the year, such as March Madness, web traffic to sports websites can consume excessive resources on a company's network. Multiple end users streaming video highlights of their favorite college basketball team can consume a lot of bandwidth!
Keyword blocking is also manually configurable. For example, I entered all seven of George Carlin's famous “Words You Can Never Say on Television” in the keyword blocking section. This was a rather entertaining test, but effective. Once enabled, websites containing any of the listed words in text were blocked by the UTM10.
Category filtering on the UTM10 is hierarchical, with 12 main categories. The main filtering categories are Commerce, Drugs and Violence, Education, Gaming, Inactive Sites, Internet Communication and Search, Leisure and News, Malicious, Politics and Religion, Sexual Content, Technology, and Uncategorized. Each main category has 2 to 14 subcategories, for a total of 64 different category filtering options.
Category filtering blocks websites that have been categorized in the NETGEAR Classification database, depicted back in Figure 6. As with the SonicWall TZ100W and other UTM products I've reviewed, category based filters can be easily defeated. With the category pornography selected for content filtering, the UTM10 blocks browsing to adult sites. However, simply typing porn xxx in a search on Google.com and clicking the images option displays adult images which should be blocked.
There is an interesting list of websites known to be infected with malware, located at safeweb.norton.com/dirtysites. So to perform a rudimentary test, I tried to browse several of the websites on the list. Many of them triggered either the content filter or the George Carlin keyword list. But the first one, 17ebook.com, triggered the UTM10's malware filters which gave me the message in Figure 8.
Figure 8: Malware message
Additional web security options include filtering embedded ActiveX, Java, or Flash objects within web sites. This option is applied even on whitelisted URLs. I enabled the embedded object filtering option and then tried browsing web sites that utilize Flash.
Stattracker, a handy web page for Yahoo! Fantasy Football is a good test, since it uses Flash technology. With Flash filtering enabled, Stattracker failed to load; only a blank page would come up. Note that, according to NETGEAR, pages that aren't entirely Flash (or Java or ActiveX) based, will display and just the objects will be blocked.
HTTP file downloads can also be filtered based on extensions, such as .exe for executables and media files like .mpg and .mp3. Additional file extensions are easily added in the content filtering menu.
NETGEAR also provides useful tools for content filter management, including traffic logging, filter scheduling, a lookup tool to determine a URL's category, and a reporting tool to suggest reclassification of a URL.
To determine a URL's classification, and thus determine if it would be filtered by the UTM10, simply enter the URL in the web category lookup tool. As shown in Figure 9, smallnetbuilder.com is classified under Computers&Technology, and access to this website would be blocked if this category was selected for filtering.
Figure 9: Web Category Lookup
Note the link in Figure 9 labeled “Click here to Report a URL Misclassification.” This link allows for reporting a URL that may be misclassified. I tried this link, reporting a domain which was registering as “Computers & Technology” and recommended it be classified as “Information Security.” I received a message stating “The Web page that you entered is currently under review. It will be analyzed in the next 24 hours and if the classification is found to be incorrect it will be fixed.” I checked back after the recommended 24 hours, but the domain was still listed as “Computers & Technology.”
In addition to Email and Web traffic filtering, the UTM10 can filter FTP traffic for malware, size and extension type. Further, the UTM10 can be configured to pass or block traffic generated by Instant Messenger (IM) and Peer-to-Peer (P2P) traffic services. IM services that are monitored include Google, Yahoo, mIRC, and MSN. Note, however, that Skype traffic can't be blocked. PSP services that are monitored include BitTorrent, eDonkey, and Gnutella.
Security - Network
In addition to the protection offered by the UTM10's Email and Web filters, the UTM10 has a full-featured firewall. The functionality of the firewall is very similar to that on the FVS318G and FVS336G, but the Intrusion Protection (IPS) is new. NETGEAR takes a more economical approach for IPS, incorporating technology from the open source solution, Snort.
The UTM10's IPS functionality is more basic than other UTM devices I've reviewed. For example, SonicWall's TZ100W detects 48 different categories of possible network intrusions, whereas the UTM lists a total of 6. Once detected, intrusions can be either dropped or an alert can be sent.
Although basic, I verified the UTM10 is monitoring activity on the WAN port. I set up my UTM10 to send an alert email on possible Intrusion activity, then deliberately ran a port scan on the WAN interface of the router to generate an Intrusion condition. Almost immediately, I received the following email alert:
At time : 2009-11-22 09:00:03
Intrusion Prevention System of UTM detected : TCP Portscan .
Target host IP : 18.104.22.168
Number of ports which scanned in target host: 1663
The port range scanned in target host : 3:65389
The number of active attack connection : 1700
The attacker IP : 22.214.171.124