Product Reviews

Mi5 Networks' Webgate Fills Security Holes

This Web security appliance can protect your network within an hour after unpacking the box.

Webgate 005
REDMOND RATING
Installation (20%): 9.0
Features (20%): 8.0
Ease of Use (20%): 8.0
Administration (20%): 10.0
Documentation (20%): 8.0
Overall Rating: 8.6

Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

The value of the Internet to the enterprise is tempered by the dangers that are inherent in it. Among those dangers are viruses, spyware and other malware, and the temptations of some of the more dubious attractions of the Web for those inside the enterprise. The dangers have traditionally been fought with software -- anti-virus software, anti-spyware and site blockers among them, running on both servers and individual clients.

That approach poses a number of problems, including outdated definitions, sporadic support for mobile users and the need to install software on every client in the enterprise.

An alternative approach is a hardware solution, in most cases an appliance that provides the same type of protection across the network that's available from software installed on individual clients. A hardware approach has the advantages of a single installation and software updates at a single point on the network.

Mi5 Networks' Webgate is one such hardware solution. It provides URL filtering, protection against Web malware (anti-spyware, anti-virus and anti-botnet), and protection against file leakage.

The Webgate -- I tested the 005 model -- set up and configured easily. Mi5 provides technical support in the form of a call or visit by a support engineer to steer you through the process, and it helped primarily in understanding the many features and how to configure them. As for the hardware setup, it's simply a matter of taking the appliance out of the box, plugging it in and turning it on.

The Webgate is a 1U rack-mountable box that runs a commercial implementation of Linux. It has four network connections, one each for a WAN connection, LAN connection, Management connection and Monitor connection. There is also a nine-pin serial interface that enables you to connect directly to a PC and establish a Telnet connection. The Telnet connection provides a command-line interface to the basic management functions of the Webgate, letting you do some basic configuration prior to connecting it to your network. Your need to drop down to the command line should be minimal beyond initial setup, however, as all of the features can be configured using the Web interface.

Setup and Configuration
With phone assistance from an Mi5 service engineer, I set up the Webgate on my network, sitting between my router and network switch in order to monitor all incoming and outgoing traffic. The first step was to download the most recent updates for the OS and feature apps. Because software development is ongoing, it's likely that updates exist beyond those that are installed on the shipping hardware. In my case, the updates totaled over 300MB and took about 40 minutes to download and install.

The Web user interface for the Webgate is functional and feature-rich. You can select computers or computer groups on the network to protect, and set policies for the entire network or for groups. Those policies can include blacklists and blocked URLs, viruses, specific file types and file sizes, and several other characteristics. One unique feature is called file-leak detection. This capability allows network administrators to view and control nearly 300 different file formats in over a dozen different categories, effectively restricting the ability of network users to upload or download audio and video files, databases with proprietary information, or work files that may contain intellectual property.

I started with the Monitor function, which observed but didn't block any traffic. Once I had the device configured appropriately for my network and a couple of policies set, I switched the mode to Blocking, swapped a cable and started testing the features. The first step in the process was to hit a specific Web page on the Mi5 Networks Web site that confirmed that the appliance was blocking correctly. Once I confirmed it was working appropriately, I used a CD with various types of malware on a PC that I set up outside of the network and hit from inside. I also looked at accessing and downloading files from sites that I put on the blacklist.

Integrated Software
The Webgate uses a virus protection module provided by Sophos Plc., a third-party anti-virus software provider. While I didn't exhaustively test it, it kept my network clean during several days of operation.

For spyware detection, the Webgate combines Sunbelt Software's anti-spyware technology with Mi5-developed signatures and heuristics. One of the optional features was the Mi5 Enterprise SpyWash, which is an ActiveX agent that can be automatically dispatched from Webgate appliances to infected PCs for automatic spyware removal. Mi5 employs its own botnet detection and blocking algorithms in the Webgate to identify and halt an initial botnet infection, and also track the spread of botnet infections in the network.

Mi5 claims that the Webgate is a zero-latency appliance. While the activities it performs do require some latency, I pinged a number of external computers and noted no significant difference in round-trip times for the pings.

Reporting is a clear strength of the Webgate. It provides a graphical Executive Summary, as well as individual reports on infected clients, potential attacks, infection sources and Web destinations, just to name a few. You can also use the data collected by the appliance to create your own custom reports. All reports can be saved, exported or scheduled for e-mail delivery. With this kind of reporting capability, an enterprise should be able to determine exactly what its security status is at any given time, and be able to issue warnings on emerging malware and inappropriate URLs.

As I previously mentioned, I tested the Webgate 005 model. The other models are the 001, 003, 007 and 009. They differ essentially in their throughput and number of clients supported, with the 009 supporting over 10,000 users with a throughput of 1Gbps.

I usually prefer working with software rather than hardware, but the Webgate was easy to set up and configure. If I were responsible for dozens or hundreds of PCs on a LAN, I'd greatly prefer working with one network device, instead of the headaches of dealing with multiple PCs and end users. The Webgate fits the bill for a single device that provides Web security with a single point of management.

About the Author

Peter Varhol is the executive editor, reviews, of Redmond magazine and has more than 20 years of experience as a software developer, software product manager and technology writer. He has graduate degrees in computer science and mathematics, and has taught both subjects at the university level.
