At a glance
|Product|CUJO Smart Internet Security Firewall|
|Summary|Subscription-based "smart" firewall for protecting home networks.|
|Pros|• Protects all devices on network including PCs, tablets, handhelds • Pushes threat alerts to iOS & Android apps • Can disable misbehaving IoT devices|
|Cons|• Does not support user profiles • Access / parental control features are work in progress.|
|Typical Price|$249|
My original review of the CUJO Smart Internet Security Firewall found its installation was a little rough around the edges. But the device met its goal of being easy to use, albeit with limited features. The CUJO folks recently reached out to tell us they had delivered on many of the promised enhancements with their V6 firmware. So with internet privacy and security becoming more front-of-mind to many of us at least here in the U.S., we agreed to take another look. I'll specifically be testing CUJO's promised performance improvements and looking at their new access (parental) control feature.
CUJO's three installation methods have been streamlined down to the Direct and Bridge methods shown below. You can get details about the difference between these methods in the original review. I still prefer the Bridge method, even though it requires adding a switch, because it avoids the double-NAT complication of DHCP mode.
CUJO setup options
Many buyers must prefer DHCP mode, however, since CUJO has added many Setup FAQs that describe how to configure popular routers to operate with CUJO in DHCP mode. There is also a FAQ explaining the difference between the modes.
CUJO's hardware remains unchanged. It still uses a dual core 1.2 GHz 64-bit MIPS Cavium Octeon processor, 1 GB of RAM and 4 GB Flash storage. CUJO says the hardware "is fairly over-provisioned for most networks", meaning it should have more than enough computing power to protect most small networks without impeding performance.
CUJO tracks CPU utilization of its devices in the field and has found them running at only 5-8%. Further, per CUJO, "because we use algorithms that are not inspecting every single packet based on signatures, we have a lot less utilization of CPU than other IDS/IPS (Intrusion Detection System/Intrusion Prevention System) approaches".
CUJO said its latest firmware improves throughput to 750 Mbps with all security measures enabled, so of course I had to check.
To test CUJO's improved throughput, I used two PCs running 64-bit Windows with their software firewall disabled. I used TotuSoft's LAN Speed Test client and server application, with a file size of 100 MB to measure throughput. I ran baseline and CUJO throughput tests multiple times to ensure my results were consistent. To baseline my PCs, I ran a test with my two PCs connected to a switch without the CUJO firewall connected. In my baseline test, the max throughput I measured was over 927 Mbps, shown below.
Performance Baseline
To test the CUJO firewall throughput in Bridge mode, I connected one PC in front of the CUJO and the other behind the CUJO so the throughput test would be through the CUJO firewall. The below screenshot shows my best result, with a peak throughput of 667 Mbps. 667 Mbps isn't quite the 750 Mbps reported by CUJO, but much better than the peak of 425 Mbps I measured in my initial review.
How It Works Recap
Before we look at the new access control feature, let's first review how CUJO works. CUJO inspects packets as they come and go from your network. CUJO does not look at actual packet content as more expensive IDS/IPS appliances do. Instead, CUJO looks at packet metadata including Layer 3 (IP addresses) and Layer 4 (port numbers, such as port 80 for web traffic) information, connection protocol (TCP, UDP, ICMP) and any security certificates exchanged. Although CUJO now "inspects" HTTPS traffic, only the unencrypted portions of the packet header are inspected.
The heart of CUJO's protection mechanism is based on knowing two things: "bad" IP addresses and "normal" device behavior. CUJO's cloud keeps track of "bad" IP addresses, which can potentially harm your system.
CUJO checks "every site that is accessed over HTTP/HTTPS against a CUJO threat database (in realtime)". CUJO looks at the website you're trying to browse, talks to the CUJO cloud to see if this website is safe, then allows or blocks the traffic based on the information it receives from the CUJO database. As sites are accessed, they are cached locally, so CUJO cloud lookups can be minimized. The local cache also lets CUJO keep working if its connection to CUJO cloud is temporarily interrupted.
Phishing, malware, virus and other malicious sites are blocked by matching the destination IP address against CUJO's threat reputation database of known malicious sites. The CUJO threat reputation database is built on data compiled from commercial and open source databases, CUJO security partners, and data learned from their base of "tens of thousands" of CUJO devices in the world.
If you browse to an unsafe website, CUJO will present a block screen on your browser.
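The lookup-and-cache flow described above can be sketched as follows. This is an added example, not CUJO's code: the class and function names, the one-hour TTL and the handling of never-seen sites during an outage are assumptions, since the review does not describe them.

```python
import time

class CloudUnavailable(Exception):
    """Raised by the lookup callable when the reputation service is unreachable."""

class ReputationCache:
    """Local verdict cache in front of a cloud reputation lookup (hypothetical names)."""

    def __init__(self, cloud_lookup, ttl=3600.0, clock=time.monotonic):
        self.cloud_lookup = cloud_lookup   # callable(dest) -> "safe" or "malicious"
        self.ttl, self.clock = ttl, clock  # ttl is an assumed value, not CUJO's
        self.entries = {}                  # dest -> (verdict, fetched_at)

    def verdict(self, dest):
        """Return (verdict, source) for a destination domain or IP address."""
        now = self.clock()
        cached = self.entries.get(dest)
        if cached and now - cached[1] < self.ttl:
            return cached[0], "cache"            # fresh entry: no cloud round trip
        try:
            fresh = self.cloud_lookup(dest)
        except CloudUnavailable:
            if cached:
                return cached[0], "stale-cache"  # outage: keep enforcing last verdict
            return "unknown", "offline"          # never seen, no cloud: policy decision
        self.entries[dest] = (fresh, now)
        return fresh, "cloud"

    def allow(self, dest, allow_unknown):
        """allow_unknown selects fail-open or fail-closed for uncached sites."""
        v, _ = self.verdict(dest)
        return v == "safe" or (v == "unknown" and allow_unknown)

def demo():
    """Constructed scenario: one cloud lookup, one cache hit, then a cloud outage."""
    threat_db = {"malware.example": "malicious"}   # constructed sample data
    state = {"online": True, "calls": 0}
    now = [0.0]

    def cloud(dest):
        if not state["online"]:
            raise CloudUnavailable(dest)
        state["calls"] += 1
        return threat_db.get(dest, "safe")

    cache = ReputationCache(cloud, clock=lambda: now[0])
    seen = [cache.verdict("malware.example"), cache.verdict("malware.example")]
    now[0], state["online"] = 7200.0, False        # entry expired and cloud unreachable
    seen += [cache.verdict("malware.example"), cache.verdict("new.example")]
    return seen, state["calls"], cache.allow("new.example", allow_unknown=False)
```

The case the review leaves open is the last one: a site that was never cached while the cloud is unreachable, where the device must either fail open or fail closed.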
This basic CUJO function is mostly unchanged from my original review except it now handles HTTPS traffic and its speed has been improved. Because CUJO looks only at the packet header, its primary detection tools are IP addresses and web domains. But CUJO also looks at packet rate, which is helpful for determining whether a device has been hijacked to participate in a DDOS, and at behavior patterns.
CUJO says they learn "normal" behavior patterns for devices, so it can remove internet access if they break pattern. The video below describes an example of this process. When traffic is blocked, a message will be shown on the CUJO app, allowing you to leave that traffic blocked, or to manually permit it if it is known good traffic.
CUJO said they currently consider more than 250 SYNs a minute to be a sign of a device participating in a DDOS attack. (SYN is part of TCP's three-way handshake.) This traffic level doesn't have to be to / from a known bad site; it can be to any IP address or domain. But when I ran my own tests using nping as a packet generator, I wasn't able to trigger a block from CUJO. CUJO explained that DDOS protection has not been enabled in my CUJO because "we tend to not enable it globally for now, as we are shaping/fine tuning the thresholds with our beta users."
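A header-only check for the 250-SYNs-per-minute threshold quoted above could look like the sketch below. It is an added example, not CUJO's implementation: the sliding-window approach, the record layout and all names are assumptions, and the traffic is constructed.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10   # TCP header flag bits
SYN_LIMIT = 250         # threshold quoted in the review: more than 250 SYNs...
WINDOW_S = 60.0         # ...per minute

class SynRateMonitor:
    """Counts connection-opening SYNs per source over a sliding window."""

    def __init__(self, limit=SYN_LIMIT, window=WINDOW_S):
        self.limit, self.window = limit, window
        self.syn_times = defaultdict(deque)  # src_ip -> recent SYN timestamps
        self.flagged = {}                    # src_ip -> time limit was first exceeded

    def observe(self, ts, src_ip, dst_ip, proto, flags):
        """Feed one packet's header metadata; return True if src_ip is flagged."""
        # Count only handshake openers (SYN set, ACK clear). dst_ip is ignored on
        # purpose: per the review, the destination need not be a known bad site.
        if proto == "tcp" and flags & SYN and not flags & ACK:
            q = self.syn_times[src_ip]
            q.append(ts)
            while q[0] <= ts - self.window:  # expire SYNs older than the window
                q.popleft()
            if len(q) > self.limit:
                self.flagged.setdefault(src_ip, ts)
        return src_ip in self.flagged

def constructed_traffic():
    """Constructed sample: a camera opening 5 connections/s beside a normal laptop."""
    pkts = []
    for i in range(300):   # camera: 300 SYNs in 60 s to many destinations
        pkts.append((i / 5, "192.168.1.50", f"203.0.113.{i % 200 + 1}", "tcp", SYN))
    for i in range(40):    # laptop: 40 SYNs, each answered by a SYN-ACK
        pkts.append((i * 1.5, "192.168.1.20", "198.51.100.7", "tcp", SYN))
        pkts.append((i * 1.5 + 0.01, "198.51.100.7", "192.168.1.20", "tcp", SYN | ACK))
    return sorted(pkts)

def flag_devices(packets, **kw):
    """Run the monitor over (ts, src, dst, proto, flags) records; return flagged sources."""
    mon = SynRateMonitor(**kw)
    for pkt in packets:
        mon.observe(*pkt)
    return mon.flagged

if __name__ == "__main__":
    print(flag_devices(constructed_traffic()))
```

A source stays flagged once it crosses the limit, mirroring the review's description of a block that persists until the user permits the traffic in the app.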