We already had to implement the Smart-Soft Traffic Inspector system of Internet access control, user traffic monitoring and securing for a few times in various mid-sized businesses and branches of bigger companies. And each time we had to select the hardware platform, install the OS, install and customize all components and further support the implemented solution. Fortunately, now you can purchase a key-ready version of the billing system, AquaInspector, the capabilities of which are going to be examined in this review.
AquaInspector hardware and software system comes in a black metal case and has dimensions of 275x264x112 mm. The device can be installed both vertically and horizontally on the desktop and on each side of the machine there are four seats for rubber headers which are supplied in box. The rack mounting without specially designated shelves is not supposed. As we have found out, the Smart-Soft company is planning to launch production of rack-mounted AquaInspector devices, which, as we think, is a sensible decision.
Let's examine some of the case pieces when the device is placed vertically. There are two ventilating grills of different sizes on the upper side and fans installed behind them.
The side and bottom panels are not remarkable at all, although there are stickers with the OS key and the device name on them. We believe that these white stickers on the black case look out of the way and mar the visual appearance of the device. By all means we understand that this kind of device will not be placed on public display, and though we still think that it would look better without these tacky stickers.
There are ON/OFF and reset buttons and LEDs indicating the device and hard disc statuses located on the front side. Also, there are two USB 2.0 ports and two jacks for microphone and speakers located there.
One of the panels on the front side can be opened and is designed for the CD-ROM installation which is not installed by default.
The rear side of the device is similar to the one of usual PCs. There are two PS/2 sockets for keyboard and mouse, one power socket, four USB 2.0 ports, two Gigabit Ethernet network interfaces, three audio jacks, as well as an analogue monitor output, located on it. Next to the network interfaces there are stickers with descriptions for each interface. The biggest part of the rear side of the device is occupied by a ventilating grill. It stands to mention that the case cooling system seems quite strange to us since the air will be flowing into the case through the rear side and flowing out of it through the upper or lateral side, depending on the mounting mode, as opposed to the conventional cooling system when the intake of cool air is carried out through the front side of the device.
Now let's have a look at the insides of the case.
It stands to mention that the electronic elements of AquaInspector are not only secured by seals on the case but also by glue clots which prevent anyone from replacing the parts.
One of the network interfaces is built in the motherboard, meanwhile the second one is made as a standalone Intel Pro/1000GT network adapter.
The hard disc is SATA III Seagate ST250DM000 with the overall disc space of 250 Gbytes.
That's where we finish the examination of the device hardware and pass on to reviewing its software capabilities.
In order to access the web-interface of the device one has to connect to 192.168.0.1, port 8081, using any fully updated browser.
To access Administration menu item a user will have to enter login and password. By default they are admin and admin correspondingly. As a rule, in this kind of situations we always advise users to change all standard passwords at once.
The capabilities of the web-interface are alike to the functional capabilities provided in the console of the Traffic Inspector utility used for managing user and group access. For instance, by using Users and Groups menu item an administrator can browse through the billing parameters of a certain user, receive the full list of sessions on a selected subscriber, add a payment or send a message.
By using Reports sub item an administrator can receive information on traffic by users and current connections, check the network statistics and users' billing history, learn the web proxy server queries (TCP-8080 port) and the user activity, upon availability of the respective license.
Diagnostics sub item may come in quite handy when solving varied problems; event log information and built-in WHOIS service are located there.
The Traffic Inspector web-portal is intended not only for use by administrators, but also by users; they can take a look at the parameters of their service plan, look through their sessions and the amount of traffic used, receive information on current connections and user account history, as well as to change the web-portal operation parameters.
The Traffic Inspector billing system supports several user authentication modes. There are Web and Client agents among them, and they are to be accessed using Client agent and Web agent menu items.
That's where we bring the review of web-interface capabilities of AquaInspector to a close and pass on to reviewing the management console features.
Most of the billing system preferences can be viewed or changed using the Traffic Inspector administrator console which is to be initialized either on the server itself or on any other PC that the administrator uses. Upon connection the administrator must type in login and password of either the user registered in the server system or that one of the Traffic Inspector local administrators. It stands to mention that upon remote connection a range of problems related to DCOM components access rules may appear; their solution is presented at the vendor's web-site.
After successful authentication the user finds themselves on the main page of the management console where he or she can find brief information on the server, type of license used and active warnings. AquaInspector is supplied together with the pre-installed and configured version of the Traffic Inspector utility; however, the administrator can manually launch the configuration tool in order to rewrite the interface roles or make any other changes.
Let's examine certain capabilities provided in the management console. Toolbox group allows an administrator to specify the IP and URL lists, content categories, attributes, as well as the user scripts.
By using User Management group an administrator can create new users and groups, manage user access and billing plans, and receive information on users' account status.
Operation parameters of the built-in proxy server are located in Web Proxy group.
By using External Networks group an administrator can manage the external firewall and access, as well as monitor varied counters.
Management of the SMTP is performed in SMTP Services group. The use of SMTP may be mandatory due to the need to filter the incoming messages from external servers, as well as due to the billing of all incoming traffic.
Management of the built-in web server is performed in Web Server group.
In order to manage plugins an administrator must use Plugins group. They are used in order to test the incoming user traffic for viruses, spam and phishing links, as well as to perform DDNS registration and support incoming RAS/VPN connections.
Management of administrative accounts is carried out in Administration group.
By using Reports group an administrator can gather statistics on usage of monitored resources over a certain period of time.
Backup, clean-up and data synchronization management is performed in Management group.
Upon occurrence of certain problems an administrator must use Diagnostics group in order to receive more detailed information on the system configuration and review the event log.
Activation of the software can be carried out using the same named menu item.
That is where we bring the brief review of management console capabilities to an end and pass on to reviewing the server maintenance and additional features provided in the billing system.
Following the purchase of AquaInspector an administrator becomes loaded with the billing system maintenance. The necessary operations include installation of updates for the OS, drivers and motherboard BIOS, updating the Traffic Inspector utility, anti-virus software and so on. Updating the OS and Traffic Inspector application will be the most frequent activities to carry out. The above noted procedures are of a standard nature and can be performed by an administrator without any difficulty.
After successful update of Traffic Inspector one may need to activate the software license once more.
The box does not include anti-virus software which protects the server from malware and therefore we strongly recommend users to install the anti-virus package by themselves. We would like to empathize that we are only referring to the protection of the OS, meanwhile the user traffic is secured by the built-in anti-virus modules of Traffic Inspector. The vendor advises users to avoid using anti-virus software which involves firewall components unless these components are inactive and the drivers are unloaded. The requirements are so strict since certain conflicts with Traffic Inspector may occur. The anti-virus systems which scan the information in real time should also be used carefully since the system performance may be significantly lowered. Generally, the server access restrictions and system tests in standby on a regular basis will protect the machine against malware.
In case of urgency one may need to upgrade the BIOS version. If this is the case, one must be sure that there is no-break power when the BIOS is updated since it's a very important process and even a slight mistake may result in the complete inoperability of the whole system. And though the process of BIOS upgrade for the motherboard we used (Intel D510MO) can only be carried out using the utility for Windows and can be performed remotely, we strongly advise users to make sure that all equipment is available for direct use before starting.
We are completely positive that in addition to the above noted procedures it'd be of use to back up configuration files, dispose of any old data and synchronize the machine with an external SQL server once in a while. These procedures can be performed using Maintenance group in the Traffic Inspector management console.
If a serious problem appears on account of the OS, the runnable version of the software can be restored from a hidden partition of the hard drive where the factory version of the OS is located in. The stepback will lead to the loss of all user data and configuration and therefore we recommend users to back up the billing system database or any other configuration on a rotating basis. In case the failure is really severe, for instance hard disc crash, in order to restore the system one will need to turn for help to the vendor's product support services which will provide a user with an image of the respective disc partition and the detailed instruction on the system restore procedure.
Apart from performing an array of essential functions like processed Internet traffic accounting, the hardware and software system can spy upon users carry out a wide variety of security functions, answer for the operation of VoIP media, as well as support the operation of Wi-Fi (only in the access point mode) and 3G networks. Even if the measures taken to support the wireless network operation seem easy (by using a wireless USB adaptor), the additional security measures are more difficult to carry out and we would like to say a few words about it. The CCTV and user activity control systems fall within the range of such measures. In order to set up the CCTV system with AquaInspector a user can purchase a D-Link DCS-930 IP-camera and D-Link D-ViewCam software which supports the operation of up to 32 cameras and allows the user to record and play videos shot, record videos according in time or event register mode, as well as to manage the operation parameters of cameras. One can also enhance the capabilities of the above noted system by using "Videonablyudenie" service by MegaFon.
User activity control is performed by the Mipko Employee Monitor utility which centrally saves the data typed from the keyboard, information on the applications initialized and internet activity, screenshots and so on. As a matter of course, client agents must be installed in the user PCs.
That is where the server maintenance review draws to a close and we pass on to testing the AquaInspector hardware and software system.
As always, we begin our testing section with estimating the booting time of the device, which is a time interval starting with the moment when the power is on until the first echo reply is received via ICMP. Smart-Soft AquaInspector boots in 51 seconds, which, as we consider, is a decent result for this type of devices.
The second traditional test was a security scanning procedure which has been carried out using Positive Technologies XSpider 7.7 (Demo build 3100) utility. The scanning procedure was performed via the local net and Traffic Inspector v. 188.8.131.524 was installed on the system. On the whole, there were 20 open ports discovered, and they are TCP-53 (DNS), UDP-53 (DNS), TCP-135 (Microsoft RPC), UDP-137 (NetBIOS Name), TCP-139 (NetBIOS), TCP-445 (Microsoft DS), TCP-3389 (MsRDP), TCP-5432 (PostgreSql), TCP-8080 (HTTP), TCP-8081 (HTTP), TCP-47001 (unknown), TCP-49152 (RPC Windows), TCP-49153 (RPC services.exe), TCP-49154 (RPC services.exe), TCP-49155 (RPC LSASS.exe), TCP-49156 (RPC dns.exe), TCP-49159 (RPC tcpsvcs.exe), TCP-49160 (RPC services.exe), TCP-49161 (RPC Windows) and TCP-49174 (RPC Windows). The most interesting data are presented below.
We do not believe that the discovered vulnerabilities are critical.
Also, we just couldn't help but pay some attention to the device performance tests. The primary specifications of the test stand we used are presented below.
|Motherboard||ASUS Maximus IV Extreme-Z||ASUS M60J|
|CPU||Intel Core i7 3770 3.4 GHz||Intel Core i7 720QM 1.6 GHz|
|RAM||DDR3 PC3-10700 SEC 32 Gbytes||DDR3 PC3-10700 SEC 16 Gbytes|
|OS||Windows 7 x64 SP1 Rus||Windows 7 x64 SP1 Rus|
At first we tested the TCP traffic transmission speed using JPerf, version 2.0.2, for 1, 5 and 15 concurrent data flows. Results of the measurements are presented on the diagram below.
The next thing we did was to create virtual discs in the RAM on the test PC and notebook in order to eliminate the effect of the in-house disc subsystems. The Apache HTTP server was initiated on one of the nodes and we used it for transmission of bigger files. A download manager which can download files from HTTP servers using several concurrent data flows (1, 5, 10 and 50) from WAN to LAN was installed on the second node. Results of the measurements are presented below.
Since the Traffic Inspector utility pre-installed on AquaInspector allows performing functions of a web proxy server, we decided to discover what speed range will be available to users when using AquaInspector as a HTTP web proxy server.
We think that such a speed outbreak upon using ten concurrent connections is quite surprising; however, all further results were the same and we didn't have any other option than to recognize this value as the real one.
The most actual features of Traffic Inspector, in our opinion, are the anti-virus check of user traffic by several anti-virus modules in succession. Results of the web proxy server speed measurements when the anti-virus check using several anti-virus modules is on are presented on the diagrams below. And though we have transmitted rather big files, their size was chosen in accordance with the restrictions of the anti-virus software.
During the whole testing procedure we have been keeping watch over the workload of the CPU cores. It turns out that only two of the four data flows (two physical cores with two virtual threads each) are used in full; that may happen either due to the presence of any other bottleneck than the CPU itself or irregular traffic distribution by the OS. At all accounts, we believe that the resource of the hardware platform is enough for the majority of nowadays' mid-sized offices and small companies. However, it may be necessary to upgrade the equipment in the very nearest time. We hope that the Smart-Soft company will supply their clients with a more efficient billing platform in the foreseeable future.
That's where we draw the testing chapter to a close and move on to summing it all up.
We have been left a bit mingled by the Smart-Soft AquaInspector key-ready solution for managing, controlling and securing the Internet access. On one hand, it's a pliant and not expensive user access and accountability solution to be used both on the global network and on users' PCs. On the other hand, in the very foreseeable future the performance of this platform may be not enough to be used in full taking into account the internet connection speed supplied by the internet service providers.
The strong points of AquaInspector are presented below.
- Pliant setting system
- Small-sized case
- Remote access support
- Support of various user authentication modes
- Availability of add-ons
- Support of VoIP
- CCTV system
- Support of collective accounts
- Ability to work in web proxy server mode
Unfortunately, we cannot help to mention certain drawbacks we have discovered.
- Irregular case cooling system
- The web-interface is a bit laggy
- No IPv6 support (it is in the works)
- Low data transmission speed
- No high availability mechanisms
As of when this article was being written, the price of an AquaInspector software and hardware system in Moscow online shops ranged from 33500 roubles for GOLD licence meant for 10 users to 71900 roubles for no-limits FSTEC certificate version.