Equiinet - NetPilot, CachePilot, SecurePilot (pdf ... - West Coast Labs
ANTI-SPAM SOLUTIONS TECHNOLOGY REPORT
FEBRUARY 2006
Equiinet
NetPilot Plus
www.westcoastlabs.org

Contents
Equiinet NetPilot Plus
Test objectives and scenario
Test network
Test methodology
Product test reporting
Certification
The product
Test report
Test results
West Coast Labs conclusion
Security features buyers guide

West Coast Labs, William Knox House, Britannic Way, Llandarcy,
Swansea, SA10 6EL, UK. Tel : +44 1792 324000, Fax : +44 1792 324001.
www.westcoastlabs.org

Test objective and scenario

The war for control of corporate inboxes has been raging for some years
now as Anti-Spam solution providers seek to protect us from unsolicited,
inappropriate and often offensive intrusions into our time.

The originators of these emails are becoming ever more inventive and so
more and more companies are coming to rely on automatic solutions with
learning engines to protect their users and machines. The emails
themselves are getting more sophisticated. Spam is now no longer just
advertising material, but is evolving, and often acting as the precursor to
identity theft.

This Technology Report examines the functionality and performance of
participating Anti-Spam products which are aimed at the small, midsize
and corporate network environments. It has been open to both software
and appliance-based solutions plus hosted services.

The objective of our overall testing program, which is open to all
Anti-Spam Vendors, is, through a real-world test environment, to provide an
independent validation of Anti-Spam solution effectiveness with particular
reference to:
■ A detailed view of the features and functions of the solutions
■ Spam detection capability and rates of detection of each solution
■ Integration into a network infrastructure and level of administration
required to operate effectively.

Test network

Software solutions are installed on servers that exceed the minimum
specifications required by the vendor.

Appliance-based solutions are installed on the network according to the
vendor’s recommended placing.

For hosted services, WCL test through identified email accounts and will
change the MX records to divert the mail stream through the hosted
service. In order to allow the DNS change to propagate, service providers
allow a 2-day settling-in period.

Details of the tuning and vendor customer support will form part of the
additional feature testing and reporting.

Test methodology

WCL has a number of domains available which act as honeypots for
spam, receiving genuine, not canned, spam. These domains receive
varying levels of spam and are intended to mirror different email
environments.

Within each domain are designated user accounts with a variety of email
practices and needs - some are subscribed to a variety of newsgroups and
mailing lists. Some user accounts actively contribute to mailing lists. The
domain designated for testing purposes will be that which currently
receives spam at a level consistent with the test requirements.

For testing in this Technology Report and for the certification of each of the
participating solutions, we used live mail feeds coming in to various extra
domains wholly owned and controlled by West Coast Labs. Each domain
used contains a number of individual user accounts with established email
addresses, along with distribution lists.

To maintain the flow of genuine mail, test engineers used several internal
and external accounts to send emails that simulated real life email
transactions common in business: for example requesting meetings,
sending notifications to groups and non-business related social emails.
Emails were also sent from web-based accounts to simulate external
users sending non business-related emails and home workers. Individual
user accounts were subscribed to several mailing lists and daily
newsletters for grey mail purposes.

For each solution we configured the device or software to fit in with the test
network and placed it into a stream of live mail to see how it would cope
in an ‘out-of-the-box’ configuration with real-world traffic. However, we do
recognize that a large part of spam detection relies on an initially intensive
learning process. Hence, we will be placing these devices in the mail feed
in coming months for longer periods of time, interactively training them,
and updating the performance data included in the online White Papers.

Product test reporting

For each product that we test, we will issue a report which will address the
following aspects of the product:

1. Management/Administration
■ Ease of Setup/Installation
■ Ease of Use
■ Logging and reporting function
■ Rule creation
■ Customization
■ Content Categories
■ Technical Support Available
■ Program Help Menu

2. Functionality
■ Email Processing Steps
■ Allow/Blocking of Email
■ Quarantine Area
■ Additional functionality reporting
■ Block Email Addresses
■ Blacklist/Whitelist
■ Allow Email Addresses

3. Performance
■ Volume or % of spam detected
■ False positive rate
■ Spam incorrectly passed through
■ Legitimate mail blocked
■ Legitimate subscription mail blocked

Certification - Checkmark

Upon successful completion of the catch rate testing, participating
solutions will be accredited to Checkmark Certifications for Anti-Spam
subject to achieving the following catch rates:
■ Checkmark Anti-Spam Certification PREMIUM – 97% and over Catch Rate.
■ Checkmark Anti-Spam Certification STANDARD – 90% and over Catch Rate.
www.check-mark.com

The product

The protection provided by the NetPilot’s SmartUTM is the most
comprehensive available and includes anti-spam, anti-virus, anti-spyware,
intruder detection and prevention, advanced Firewall, URL Filtering, email
policy controls and secure VPN support. For just over 1p per day per user
(for the average NetPilot configuration) organisations can remove the
nuisance and time wasting of spam.
url : www.NetPilot.com

Equiinet says… about the NetPilot Plus Business Benefits
NetPilot's anti-spam capability now offers Spam Assessment, SpamCop,
plus Bayesian Filtering. When coupled with the NetPilot's Email Policy
controls this adds yet more power and flexibility to defeat spam.
All new NetPilot Plus and Enterprise units ship with Anti-Spam
functionality included within the price of the unit.
url : www.netpilot.com

Equiinet says… about the NetPilot Plus Technical Benefits
NetPilot offers a two layered approach with Anti-Spam controls, with both
having been integrated to provide common controls and reporting. Firstly
the NetPilot provides Spam Assessment and Spam Cop together with
Bayesian learning, giving a powerful combination of standard spam
countermeasures. In addition, Email Policy Controls can be applied to the
NetPilot and this can additionally provide quarantine, black and white
listing, and much greater flexibility for individual organisations to handle
spam in their specific environment.
url : www.netpilot.com

Test report

Introduction

The NetPilot Plus device is a compact Unified Threat Management (UTM)
unit with a sealed fascia that is ideal for sitting on a desktop or on a rack
shelf in a server room. Indeed, the only components on the front are power
and disk lights. The rear of the unit contains a PS/2 keyboard connector,
parallel port, serial connection and VGA connection, and a rocker-style
power switch. The collection of two onboard NICs plus a further one on an
expansion card allows for a variety of network set ups to be implemented.

The documentation arrived as three well written and cleanly styled A5
sized Getting Started Guides covering various aspects of the device and
a Resources CD. There were also two large manuals in folders that
provide a training course in administration of the device. During the course
of testing, Equiinet released a new version of the Operating System,
so the device was upgraded from version 3 to version 4.

Thankfully, the interface look and feel has not really changed and the
knock-on effect in terms of the way that Spam is handled is not huge.
There are, however, significant alterations in other parts of the Operating
System; for example, the firewall component has now been expanded in
response to user requests and allows a lot more control to be taken than
was previously possible.

Installation and Configuration

Initial configuration can be performed either via a PS/2 keyboard and VGA
monitor plugged into the unit itself or over the network: a private network
range is already set up on one of the NICs, and a client machine may undergo
an IP address alteration if necessary. All interactions are handled via a
secure web interface – the client may use a standard web browser, and the
device itself uses the text browser LYNX.

The opening wizard asks for some basic details to perform the set up.
Version 4 of the system is capable of performing lookups on both the
internal network and an external ADSL line. This means that if DHCP is
enabled the device can be plugged straight in to a network and it can take
a good guess at how it should be set up.

In practice this works fairly well, although if the administrator has a
specific IP address set aside for the device, the network settings may need
some alterations after the wizard has run. Thankfully, these changes are
simple to find and quick to perform, although for users familiar with
version 3 the methods of altering the network settings have slightly changed.

The Interface

Following the preliminary configuration of the device, the SSL encrypted
web interface is available to devices on the internal network. This has
retained the clean and attractive look and feel from the previous versions
but has added in extra options where appropriate.

Upon initial login to version 4, there are several shortcuts now in place on
the front screen enabling the administrator to quickly jump to various
sections in order to expedite any configuration. There is a quick link to
directly alter the network connections which then links the user through to
screens where they may alter the behaviour of each interface and its trust
group. This is accompanied by a link to the Firewall overview, with options
to proceed further and alter firewall rules if necessary, a link to change the
admin password, and usefully a link to the licensing options screen, which
was previously buried under the menu structure.

As the device is multi-purpose there are several sections in the main menu
available that deal with Firewall, Antivirus and VPN functionality. The
Spam functionality that is under review here is easy to find with the more
generic settings being found under the section heading of Email. Policy
actions can be found under the Email Filter Policy section, and there are
options here that allow for the creation or editing of policies in some detail.

Spam functionality is enabled as part of the wider UTM functionality on
version 4 or as a separate component on version 3 via a license key system,
with keys obtainable from Equiinet resellers. The provided keys need to be
entered into the interface along with the hardware serial number
(found on the rear of the device) in order to benefit from the maximum
protection that this device can offer. The device then authenticates these
keys online and activates the protection.

The Spam Filter section under the major heading of Email deals with the
more universal settings and as such has a link that allows for the quick
turning on of spam functionality with a single tickbox. There is also a link
here to set the spam thresholds and to decide what the device should do
with suspected spam. The ability to use the SpamCop blacklist can be
turned on or off, and there is the opportunity to reclassify individual mails
using a MID value from a specialist header called X-Spam-Reclassify that
the NetPilot Plus adds in. Finally for this section there is the option to
view some statistics about Spam and genuine mail that has already been
learnt. The interface also notes that the inbuilt Bayesian spam adjustment
starts when 200 of each have been through the system.

The NetPilot Plus has several options for dealing with suspected Spam – it is
possible to deliver it as normal with extra headers or to quarantine it on the
device itself. Alternately the administrator can choose to have the message
delivered to the administrative mailbox, either as a copy of the original or
as an attachment. Although the device adds in extra headers to emails, it does
not currently allow for the alteration of the message subject line to reflect
the nature of the email. The device leaves it up to the client email program
to interpret these and mark them up as appropriate; however, the manual makes
this clear from the outset, and in normal corporate usage the quarantine would
be used so that messages would be unlikely to be delivered to the end users.

The other section for dealing with Spam is under the Email Filter Policy
section – this allows the user to see how the mail policies are built up and
alter individual elements of them. There is also the possibility of looking in
the Quarantine for messages, and most importantly for this section to look
under the Review and Learn banner to reclassify received mails en
masse.

This is achieved via a series of tickboxes and a drop down box at the end of
the page. This process is as simple as the user choosing mails that they wish
to classify as Spam or genuine, unticking all the others and pressing the
submit button. In practice this is a quick way of getting a lot of data into
the learning system of the device and it works well.

Lastly under the Filter Policy menu is a series of Advanced options. These
allow the user a lot more flexibility in building policies, and here the
patterns and actions associated with a policy can be altered. It is also
possible to configure the alerts and to upload a file to test against the
policy that has just been built.

It is worth noting that dependent on how an organisation sets up the
NetPilot Plus to deal with mail, the Firewall options may need reconfiguring.
This has been made as easy as possible within the new interface and is a
quick process.

Results

Type of Mail | Delivered as Genuine (%) | Delivered as Spam (%)
GENUINE | 100 | 0
SPAM | 9 | 91

The NetPilot Plus performed well, delivering 100% of the genuine mail
correctly and correctly classifying 91% of the spam mail in a straight out of
the box configuration.

It is also worth noting that the NetPilot Plus solution delivers a good
proportion of grey and list mail as Spam. This gives an organisation the
flexibility and opportunity to define policies during a training period whilst
not delivering mail that could potentially be offensive or defamatory.

West Coast Labs Conclusion

The NetPilot Plus offers a good spam engine within an excellent UTM device.
Although it is fairly reliant on training in order to achieve top levels of
protection, this is a solution that can nonetheless be recommended as a
remarkable all in one package.

The Equiinet NetPilot Plus device performed consistently well in the tests,
and therefore West Coast Labs is pleased to award the Equiinet NetPilot Plus
the Standard level Anti-Spam Checkmark.

Security features buyers guide as stated by Equiinet

SPAM FEATURES
Does the product block spam out of box or does it require addition or
tuning of rules? YES
Is user feedback required over initial stage of deployment? Optional but
performance does improve with training.

FILTERING
Does the product utilise keyword lists? YES
Does the product utilise Bayesian filtering? YES
Can white-lists/black-lists be set? YES
Does product support RBL? YES
Does the product support the setting of different confidence levels? Can
actions be varied at different confidence levels? YES
Can subject line of messages be altered? YES
Can email headers be set/amended? YES

ADMINISTRATION
Can the product be automatically updated? YES
Can filters be automatically updated? YES
What are the update methods? Proprietary
Can suspected spam be quarantined? YES
If so, what type of quarantine (forward to Q mailbox / saved on device /
etc.)? Saved on Device

END USER INTERACTION
Can users see reports individual to them? No
Can users process messages themselves? YES
Can users review mail marked as spam? YES
Can users free messages from quarantine? YES
Can users set their own white lists/black lists? YES

ADDITIONAL SECURITY FEATURES
■ Anti-Virus for email
■ Anti-Virus for browsing
■ URL Filtering
■ Regex Filter with allow and block lists
■ Email Policy Controls
■ Advanced Firewall
■ CIPE and IPSec VPNs
■ Intrusion Detection
■ Intrusion Prevention
■ User and Group Access Controls
■ Time of Day Controls
url : http://www.equiinet.com/netpilot/unifiedthreatmanagement/default.asp