|At a glance||
|Product|CUJO Smart Internet Security Firewall [Website]|
|Summary|Subscription-based "smart" firewall for protecting home networks.|
|Pros|• Protects all devices on the network, including PCs, tablets, handhelds • Pushes threat alerts to iOS & Android apps • Can disable misbehaving IoT devices|
|Cons|• Does not support user profiles • Access / parental control features are a work in progress.|
|Typical Price|$249|
Network security is a major issue for everyone. Most home networks are particularly vulnerable to network security threats and depend on a Wi-Fi router's firewall for protection. In this review, I'm going to look at a device called CUJO, a firewall for home users "designed to bring business-level security to the home network".
CUJO got its start as an Indiegogo project that met 763% of its funding goal. CEO Einaras Gravrock's background is mostly in fashion e-tailing. But Technology VP Robert Beatty has a security background, most recently with senior software and systems engineer roles at Prolexic Technologies and then Akamai (which acquired Prolexic).
CUJO's website says "CUJO is a smart firewall that keeps your connected home and business safe from cyber threats so that you can stay secure and private online". CUJO's website warns that hackers may be able to access your personal finances by exploiting security flaws in connected devices, tamper with a Wi-Fi router, hack a smartphone or plant malware in a network-enabled device.
CUJO is a local firewall that leverages cloud-based intelligence. This CUJO FAQ best describes how CUJO works:
Once the CUJO is logically or physically in the middle [between your internet connection and LAN], we sample metadata from your network's connections (using NetFlow). The metadata is strictly src/dest IPs and ports, bandwidth, packet count and connection states. We do NOT perform Deep Packet Inspection as it is too intrusive and has a pretty big performance penalty for us. These samples are hashed and sent to the CUJO cloud over an encrypted channel. In the cloud is where we do the heavy lifting.
CUJO engineering explained that its cloud runs a "behavioral analysis engine" to detect security threats. Similar to an Intrusion Prevention System (IPS) firewall (but without using deep packet inspection), CUJO's cloud detects threats by analyzing traffic statistics. CUJO detects and protects against malware and can determine whether a device on your network has been compromised and is possibly participating in a "botnet."
When a threat or suspicious activity is detected by CUJO's cloud service on a specific network, the cloud service instructs the CUJO firewall to create a rule to block that traffic. The cloud then sends a notification of the blocked traffic to the customer's mobile app. If the customer wants to permit the blocked traffic, this can be done via the CUJO app.
Note that because CUJO looks only at packet metadata, it can't block phishing email unless it comes from a known bad domain or IP address. Nor can it tell whether an email attachment or downloaded file contains ransomware, unless, again, it comes from somewhere known as a source of bad stuff. You'll still need automatically updated virus and malware protection on all devices that can run it.
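The pipeline described above (NetFlow-style metadata, hashed samples, cloud-side behavioral analysis, a block rule plus an app notification) can be sketched in a few lines. This is an added illustration, not CUJO's code, and its two heuristics (a known-bad destination list and a half-open-connection scan threshold) are assumptions chosen to show what metadata-only analysis can and cannot see; the flow records and the bad IP are constructed sample values.

```python
import hashlib
from collections import defaultdict

# Constructed NetFlow-style samples, not captured from any real network:
# (src_ip, dst_ip, dst_port, bytes, packets, state)
FLOWS = [
    # Large HTTPS download from a reputable host: a malicious attachment fetched
    # this way looks identical in metadata and is NOT flagged (the page's caveat).
    ("192.168.0.10", "93.184.216.34", 443, 120000, 140, "established"),
    ("192.168.0.15", "198.51.100.77", 80, 800, 6, "established"),
] + [
    # One IoT device sending single-packet SYNs to many hosts on port 23.
    ("192.168.0.23", f"203.0.113.{n}", 23, 60, 1, "syn") for n in range(1, 9)
]

# Assumed threat-intel list of known-bad IPs (constructed placeholder value).
KNOWN_BAD = {"198.51.100.77"}
SCAN_THRESHOLD = 5  # distinct half-open destinations on one port; assumed value


def hash_sample(flow):
    """Digest of one metadata sample, the form the FAQ says is shipped to the cloud."""
    return hashlib.sha256("|".join(map(str, flow)).encode()).hexdigest()


def analyze(flows, known_bad=KNOWN_BAD, threshold=SCAN_THRESHOLD):
    """Metadata-only analysis: returns block rules as (src, dst, port, reason)."""
    rules = []
    # 1. Reputation match: only possible when the destination itself is known bad.
    for src, dst, port, _, _, _ in flows:
        if dst in known_bad:
            rules.append((src, dst, port, "known-bad destination"))
    # 2. Behavioral: many half-open connections to distinct hosts on one port,
    #    the kind of pattern a compromised device joining a botnet produces.
    half_open = defaultdict(set)
    for src, dst, port, _, _, state in flows:
        if state == "syn":
            half_open[(src, port)].add(dst)
    for (src, port), dsts in half_open.items():
        if len(dsts) >= threshold:
            rules.append((src, "*", port, f"scan-like: {len(dsts)} hosts, possible botnet"))
    return rules


def notification(rule):
    """Text the cloud would push to the mobile app for a blocked flow."""
    src, dst, port, reason = rule
    return f"Blocked {src} -> {dst}:{port} ({reason})"


if __name__ == "__main__":
    for rule in analyze(FLOWS):
        print(notification(rule))
```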
The CUJO firewall has an interesting shape for a network device. As shown in the product photo above, it's an egg-shaped device with a flat top. There are two 10/100/1000 Ethernet ports and an AC power port on its backside. CUJO's FAQ page lists the device as having a 1.2 GHz 64-bit MIPS Cavium Octeon Dual Core Processor with 1 GB RAM and two Gigabit Ethernet ports.
The only lights on the device are a pair of "eyes" on the front that indicate status. The eyes are two half circles. In normal operation, just the upper half of the eyes should be lit. If both the upper half and lower half circles are lit, a threat has been detected. If just the lower half of the eyes are lit, it means the CUJO is offline or disconnected.
CUJO Eye Status
In larger networks, a firewall is typically installed in front of your network so it can see all traffic going in and out of your network. In home networks with only a single network device, usually a Wi-Fi router connected to the Internet, this can be challenging. The CUJO firewall does not connect directly to the Internet; it needs a router in front of it.
CUJO's three installation modes (described here) are Direct/Automatic, Direct/DHCP, and Bridge mode. Each has its pros and cons.
Direct/Automatic mode is designed to automatically configure your router, so that all you have to do is connect the CUJO device to your router. This mode works with only some routers, however. For example, it didn't work with my Linksys LRT224 router. The CUJO folks told me they are phasing out Direct/Automatic mode.
The Direct/DHCP mode requires a few manual steps on the end user's part, described here. In this mode, CUJO is connected with a single Ethernet cable (the bottom Ethernet port on the CUJO) to a LAN port on your router, as shown below.
Connecting CUJO in DHCP Mode
The manual steps are to disable the DHCP server on your router and configure your router's LAN IP address as 10.0.0.1/24. You then enable Direct/DHCP mode on CUJO, via the app, which I'll discuss shortly, and reboot both your router and CUJO.
Once these steps are complete, CUJO becomes the DHCP server for your network as depicted in the below network diagram.
CUJO DHCP Network Diagram
Interestingly, CUJO forwards and receives traffic to/from your router via the 10.0.0.0/24 network and communicates with all your end devices via the 192.168.0.0/24 network through the same physical interface. Your end devices see the CUJO as their default gateway at 192.168.0.1. To communicate on two different networks with the same physical interface, the CUJO firewall uses two different MAC addresses and two different IP addresses on one physical interface.
This solution has its pros and cons. The pros are that installation is simplified: you connect a single Ethernet cable and make a few small changes. Further, all DHCP-enabled devices will automatically communicate through the CUJO and be protected by it. It also requires the least network equipment.
One of the cons to Direct/DHCP mode is that CUJO is also performing Network Address Translation (NAT). This means your network is now double-NATed, since your router already is performing NAT. Technically, this isn't a big deal for most traffic, but it can cause problems with VoIP, gaming, and other connection-sensitive traffic.
Another con to Direct/DHCP mode is all traffic on your network is going first to your router's built-in switch, then to the CUJO, and then from CUJO back to your router, which may reduce overall network throughput.
Two more cons to Direct/DHCP mode are that devices with static IPs on your network will stop working, and that if you're using the VPN option on your router to remotely access your network, the VPN will no longer work. Statically addressed devices can be re-enabled by configuring them for DHCP or giving them a static IP on the 192.168.0.0/24 subnet.
Bridge mode is the third installation method. In this mode, CUJO sits between your router and another network device such as a second router or Ethernet switch. In this scenario, the bottom Ethernet port on the CUJO is connected to your first router, and the top Ethernet port on the CUJO is connected to a LAN port on the second router or to a port on your Ethernet switch, as shown below.
Connecting CUJO in Bridge Mode
No configuration is required on the CUJO; it automatically goes into bridge mode after a reboot when the upper Ethernet port is active. This mode is the best performance option, as it eliminates double-NAT and the issue of traffic going to and from your router twice.
The cons for bridge mode are that you need additional network equipment, and you have to hook it up and configure it correctly. Typically, you'll use two routers with CUJO's bridge mode. The first router is your connection to the Internet. Any devices connected to the first router will bypass CUJO. Wi-Fi needs to be disabled on the first router. The second router provides Wi-Fi and Ethernet ports to devices downstream of the CUJO. Wi-Fi should be enabled and DHCP disabled on the second router. CUJO bridge mode is depicted in the below network diagram.
CUJO Bridge Network Diagram
It's interesting to note, as you can see in the two network diagrams, that the CUJO sits behind an existing router/firewall. Thus, installing CUJO on your network adds a second firewall in addition to the router/firewall you're already using.
Per CUJO engineering, a possible future Routed Mode is planned in which the CUJO will act very much like a standalone router. CUJO is also exploring embedding its firewall protection in other router models at some point in the future.
As mentioned, CUJO lists Bridge mode as the best performance option, so I ran a test to measure throughput. I used two PCs running 64-bit Windows with their software firewall disabled. I used TotuSoft's LAN Speed Test client and server application, with a file size of 100MB to measure throughput. I ran baseline and CUJO throughput tests multiple times to ensure my results were consistent.
To baseline my PCs, I ran a test with my two PCs connected to a switch without CUJO connected. As you can see in the below screenshot, I could write and read data directly between my two PCs at over 400 Mbps.
To test CUJO's firewall throughput while in bridge mode, I then connected one PC in front of the CUJO and the other behind the CUJO so the throughput test would be through the CUJO firewall. As you can see in the screenshot below, my upload throughput with the CUJO was reduced to 252 Mbps, while download throughput remained over 400 Mbps.
Clearly, CUJO is slowing upload throughput, enough to be worth mentioning. However, most home users are primarily concerned with download throughput. For those concerned with upload, unless your ISP connection is higher than 250 Mbps, you shouldn't have a throughput issue with CUJO in bridge mode.
As a final comment on CUJO installation, it is interesting to reference our review of a parental control device called Circle With Disney. The Circle device is focused primarily on providing parental controls on a network, a feature CUJO plans to roll out in the future. However, to provide parental control, the Circle device has to be in a position to filter all traffic going in and out of your network, just like CUJO.
As Craig discussed in the Circle review, the Circle device uses "ARP spoofing" so all devices on your network think the Circle device is the router and send their traffic to the Circle device. Circle doesn't require any reconfiguring of your network or router for it to work. CUJO's Direct/DHCP mode and Bridge mode both require a bit more effort from the end user.