Easy to install, Nice price, Web cache included, Spyware filter seems to work well, No client installs
Minimal reporting, Content filter reporting non existent, Mime blocking currently broken.
Barracuda Web Filter 310 review.
By Jeremy Wood
We have been looking into some kind of anti-spyware solution for a year or so now and, after reading reviews of several leading products, felt that the product offerings were either too expensive for what they offered or not feature rich enough, most notably in that they lacked comprehensive centralized management. I became aware of the Barracuda Web Filter products and, being a very satisfied Barracuda customer with their excellent spam filter, decided to give the product a 30-day trial. I also liked the idea of a centralized appliance and the time savings of not installing a client on every one of my PCs. The Web Filter 310 allows for approximately 200 concurrent users with no licensing hard cap. For our network of about 200 machines the 310 sounded perfect.
The 30-day trial required that I send in a PO with net 30 terms and cancel the order before the 30 days were up. I could have used my existing vendor but I chose to go directly through Barracuda as it seemed the smoothest. In hindsight I would have gone through my usual vendor as the price and shipping would have been a bit cheaper. The unit arrived 3 days later.
The unit was packaged almost identically to the spam filter. The box contained the one-unit-high appliance with LAN / WAN ports, a PS/2 port for a keyboard and a VGA video connector. The quick start guide is a 1-page double-sided sheet and I had the unit running in my lab in 15 minutes. The device is an inline bridge between the Internet firewall and the internal network. You start by plugging in a monitor, a keyboard and an Ethernet cord from the LAN port into your LAN switch. The setup is simple and requires you to set an available IP address for the management console using the keyboard plugged into the unit. It took me a minute to understand that the unit passes through the IP address of the existing firewall on its WAN port to the LAN port that you plug into your LAN switches. In our case that is 192.168.20.1; this is nice as no IP settings need to be made on any other device. After setting the administration IP address, reboot the appliance, log into the management console via a browser and start configuring the unit.
Configuring the unit was simple and consisted of updating the firmware and the virus and spyware definitions, and configuring the same route statements you have in your firewall. When you've completed these steps you're ready to connect the WAN port to the firewall and make the device active. I unplugged the Ethernet patch cable from the LAN side of the firewall from the network switch and plugged it into the WAN side. As soon as I did this I lost network connectivity. After a minute I realized that I needed a crossover cable, which solved the problem.
The look of the interface is very close to that of the spam filter. It has tables and graphs and gives statistics for the last hour and week. The tabs for configuring the unit are laid out nicely and finding where you need to go is no problem. The device is designed to be an internet spyware / antivirus filter, a content filter and a web cache, and offers a spyware removal tool. The appliance also comes with a program that runs on your directory server and allows content filtering based on Active Directory users. Since this was a demo I didn't want to load this application on my domain server, so that piece of the product is not reviewed.
First the spyware filter.
The appliance looks at all the traffic that comes through the device. If a piece of spyware is requested to be downloaded, it is blocked. If spyware is present on existing computers, the traffic is blocked when it tries to communicate out. I was very curious to see what was on my organization's workstations as I did not have any anti-spyware software in place. Our security configuration is that we allow only user security access to each of our workstations. We never allow users administrative or power-user access to their computers, so they are unable to install programs. I was surprised when the first day of filtering saw nothing. The second day, however, found two machines with adware. After a week we still have seen only 3 machines with adware, and no spyware programs or viruses blocked. I wasn't sure what to think of this and couldn't figure out if it should be attributed to well-trained users or to the device not picking anything up.
The product comes packaged with a spyware removal tool that is run through the internet browser on the client. You can have clients run this tool, but it requires permissions that we do not allow, so the administrators run it. The removal application is an ActiveX application powered by PC Tools and runs in a browser window. On our infected machines it found mainly cookies, which it removed. Although the tool said it removed the spyware, the appliance still said the machine was infected. Subsequent scans, however, said the machine was clean. The application seemed well written but did take about 20 minutes on the aging 1 GHz Pentium 3 we ran it against. The reports showed Tracker.DivX and Adware.Coolsavings on three of our workstations.
The unit came with about 40 web filtering categories, with several turned on to block sites by default. I reset them all to allow except for Phishing & Fraud, Porn, Advertisements & Pop-Ups, Proxies, Peer to Peer and Spyware. Custom black and white lists can also be set on IP addresses and domain names. I tested the category filters by searching for freebies, smileys being a favorite avenue for spyware. The categories did a nice job of blocking sites and I was not able to infect my test machine. Exceptions can be set based on IP or address. However, you can't make groups of IP addresses to apply policies to. You can use subnets to specify groups of IPs, but then they always have to be contiguous.
The reporting on the categories is misleading, as every item or part of the webpage is counted on the reports page. So if a user goes to one bad page it can show up in the report as 50 items. The pop-ups also created a lot of browsing exceptions, skewing the reporting. The reporting on the content filters is almost worthless and looks like this:
#   Client            Items blocked
1   192.168.20.43     4234
2   192.168.20.54     1343
3   192.168.20.145    1124
I will not be using the content filter for anything more than the aforementioned categories. The filtering also affords a way to block content by MIME type. I thought this might be good for executable files. I set up a MIME block for application/octet-stream to disable executable downloads, but I am still able to download executables. I have a call into tech support; they acknowledge the problem and are working on it. This seems like basic functionality that is advertised to work but doesn't.
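A check a practitioner could run when validating a MIME block like the one described above: Content-Type is whatever the server declares, so the audit compares the declared type with the leading bytes of what was delivered. This is an added example, not code from the review or from Barracuda, and it does not diagnose the appliance defect; the sample responses and the function names are constructed for illustration.

```python
"""Audit a Content-Type block rule against delivered content (added example)."""

BLOCKED_TYPES = {"application/octet-stream"}  # the rule set up in the review

# Leading bytes of common executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
}

# Constructed samples: (URL, declared Content-Type, first bytes of the body).
SAMPLE_RESPONSES = [
    ("http://dl.example.com/tool.exe", "application/octet-stream", b"MZ\x90\x00"),
    ("http://dl.example.com/setup.exe", "application/x-msdownload", b"MZ\x90\x00"),
    ("http://dl.example.com/readme.txt", "text/plain; charset=utf-8", b"Read"),
    ("http://dl.example.com/blob.bin", "Application/Octet-Stream", b"\x00\x01\x02"),
]


def media_type(content_type):
    """Drop parameters and normalise case: 'Text/Plain; charset=x' -> 'text/plain'."""
    return content_type.split(";", 1)[0].strip().lower()


def sniff_executable(head):
    """Return the format name if the body starts with a known magic, else None."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def audit(responses, blocked=BLOCKED_TYPES):
    """Return (url, verdict) pairs: 'blocked-by-type' where the rule applies,
    'executable-missed' for executable content under an uncovered type, else 'pass'."""
    results = []
    for url, ctype, head in responses:
        if media_type(ctype) in blocked:
            verdict = "blocked-by-type"
        elif sniff_executable(head):
            verdict = "executable-missed"
        else:
            verdict = "pass"
        results.append((url, verdict))
    return results
```

Any `executable-missed` row is a download the type rule alone would not cover even when the rule works as advertised.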
One of the strengths of the product, however, is that it can pass through IP addresses to the firewall. That said, content filtering can be done on the edge firewall instead of this device.
The web cache appears to do its job. I downloaded files on separate machines and most of the time I could see they had been cached, as the downloaded files were speedy. The only settings for the web cache were caching on, caching off and clear cache. It would be nice to have at least some reports on what it was actually doing or how much of the cache was used (it comes with 10GB). One nice thing about the cache is that you do not have to set up a proxy server in each workstation's internet settings. I wish I had more to report on this but I don't. I guess a test would be to enable and disable it and get a report from the firewall on a week's traffic and see what it is actually doing.
The reporting is similar to the Barracuda SPAM filter in that it gives you the basics for spyware and antivirus infection and not much else. The reports included are Infection Activity, Top infected clients, Top spyware download prevented, Top virus downloads prevented and Top blocked clients (content filter). The infection activity tells you what spyware it is finding on each of the clients. The antivirus report lets you know of any viruses it finds. The other reports, as mentioned above, are all but worthless.
I was able to make the outbound reporting much better by getting the free Kiwi Syslog Daemon and running it on an XP box. The syslog collects all the logging information from the webfilter. You can then run reports on the logs using a program called Sawmill (http://www.sawmill.net). Sawmill is a reporting tool that can automatically recognize 722 log report types. It recognized the webfilter log type and did a good job of analyzing the logs for outbound traffic, although it didn't report on the content filters or on what was blocked by other policies. The cost of the professional product is $400. It seems at this cost this functionality might also be handled at the firewall.
I think the 310 is lacking some basic features for the $3400 it commands. In the two weeks it has been in production it seems like the content filter has done all the work in preventing the spyware infections. Many of the new Unified Threat Management firewalls offer this functionality at the same price point and include more features and proper reporting. The spyware removal tool doesn't seem to be worth the price of admission as there are countless other tools that provide better functionality. I like the idea of two different antivirus products, internet gateway and a software client, protecting each workstation and will be looking at providing this at the firewall level. Spyware and adware are tricky to get a handle on and I think the Barracuda doesn't do enough to help an administrator know what's going on and give them tools to clean infections up.
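One way to get the missing content-filter report out of the collected syslog data, as an added example (not part of the original review and not Barracuda or Sawmill code): it collapses the per-object block counts criticised above into distinct site visits per client and category. The log line format, field order and hostnames are constructed for illustration and are not the Web Filter's real syslog format.

```python
"""Collapse per-object block counts into per-site visits (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed lines: timestamp, client IP, action, category, URL.
SAMPLE_LOG = """\
2007-03-01T10:15:02 192.168.20.43 BLOCKED ads http://ads.example.com/banner1.gif
2007-03-01T10:15:02 192.168.20.43 BLOCKED ads http://ads.example.com/banner2.gif
2007-03-01T10:15:03 192.168.20.43 BLOCKED ads http://ads.example.com/track.js
2007-03-01T10:15:04 192.168.20.43 ALLOWED news http://news.example.org/
2007-03-01T11:40:10 192.168.20.43 BLOCKED ads http://ads.example.com/banner1.gif
2007-03-01T10:20:00 192.168.20.54 BLOCKED spyware http://smileys.example.net/setup.exe
this line is malformed and is skipped
"""

WINDOW = timedelta(minutes=5)  # hits on one site inside this gap count as one visit


def summarize(log_text, window=WINDOW):
    """Return {client: {(category, host): [raw_hits, visits]}} for blocked requests."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "BLOCKED":
            continue  # malformed or not a block event
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        host = urlsplit(parts[4]).hostname or "?"
        events.append((ts, parts[1], parts[3], host))

    report = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    last_seen = {}
    for ts, client, category, host in sorted(events):
        key = (client, category, host)
        entry = report[client][(category, host)]
        entry[0] += 1  # every blocked object, as the appliance counts it
        if key not in last_seen or ts - last_seen[key] > window:
            entry[1] += 1  # first hit after a quiet gap starts a new visit
        last_seen[key] = ts
    return report


if __name__ == "__main__":
    for client, sites in summarize(SAMPLE_LOG).items():
        for (cat, host), (hits, visits) in sites.items():
            print(f"{client} {cat:8} {host:22} hits={hits} visits={visits}")
```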
The web cache seems to work but I would like a more definitive analysis.
The content filter in my opinion is almost worthless due to the lack of reporting. After evaluating products like Surf Control you can see that the Barracuda has a long way to go in this market. It isn't surprising, however, as the product was re-branded as the Webfilter from its beginnings as the Spyware filter.
Support, or lack thereof, is also troubling. It seems that Barracuda has one person supporting the 310 unit. Although I have his direct number I have trouble reaching him. It makes me wonder about the popularity of this device or the size of the 310 when the support staff size is one.
After the demo I've decided to return the device. I think there are better quality products out there for the price. The lack of reporting, nonfunctioning MIME blocking and support are the downfall of the device.
Easy to install
Web cache included.
Spyware filter seems to work well.
No client installs
Content filter reporting non existent.
Mime blocking currently broken.
Limited technical support