Cisco IronPort S160 review

After being sufficiently impressed with Cisco's Spam & Virus Blocker appliance to put it on the A List, we were keen to see its latest S160 Web Security Appliance, which aims to put the power of IronPort in the hands of SMBs.

The starting price of £1,900 only gets you the appliance, so you'll need to factor in the cost of subscription services. There's a good choice as you have Webroot's anti-spyware and anti-malware, McAfee's antivirus measures and Cisco's very own IronPort URL filtering services plus SenderBase web reputation service.

The S160 is much smarter than many competing solutions, as out of the box it handles HTTPS as well as HTTP and FTP, allowing AUPs to be created for encrypted web traffic. Its L4 traffic monitoring scans all ports in real-time, allowing it to block spyware activity and catch malware trying to dodge port 80.

This 1U rack server sports a quad-port Gigabit card where up to two ports are used for web proxy services and the other two for monitoring traffic and blocking malware and spyware. It supports explicit forward and transparent proxy modes but for the latter you'll need an L4 switch or WCCP v2 router.

We used the explicit forward mode, which required our test clients to be configured to use the appliance as a proxy. We also connected one traffic monitoring port to our HP ProCurve switch and mirrored all traffic from the other ports to it, allowing the appliance to see everything on the network.

The tidy browser interface runs a wizard to speed up installation and you start off in a monitor mode where the McAfee and Webroot services passively scan traffic. Only the SenderBase service is set to blocking mode by default to stop users downloading from dodgy websites.

Identity policies make the S160 extremely versatile and range from host IP addresses, subnets, protocols and proxy ports to URL categories and the application being used. For HTTPS traffic, you can use policies to decide whether this is decrypted, dropped or passed. The IronPort URL filtering offers 53 categories and access policies allow you to apply filters to different identities.

Each category can be blocked or allowed, while the warning option presents the user with a customisable web consent form. Filtering performance is top-notch; with the games and gambling categories blocked, our attempts to access 50 online poker sites were thwarted.

The main interface provides an overview showing all web activity and blocked transactions. The traffic monitor offers a malware breakdown showing the top nuisance sites and the criteria used to block them. You can see which clients are most active on the internet, but reports only show which categories they have visited and not specific websites.

The IronPort S160 is more costly than many other solutions but offers some of the toughest web filtering available. SMBs that need to enforce a wide range of AUPs for standard and HTTPS encrypted web traffic should seriously consider this appliance.

Author: Dave Mitchell