- No DMZ
- No port range forwarding
- No port filtering
Update 9/17/01: Clarified VPN capability (Summary section). WAN MAC change being added in an upcoming firmware release.
- One RJ45 10BaseT WAN port
- Four RJ45 10/100BaseT switched LAN ports
- Printed Getting Started guide
- One crossover UTP cable
- 100-240 VAC power supply
- Reset switch (always clears the unit to factory defaults)
- Uplink/Normal (crossover) switch for LAN port 4 and the WAN port
Startup Crossport Systems' Pivio is a Network Security System aimed at small businesses. It provides IPsec VPN, network and Web site monitoring, Intrusion detection / logging, and AntiVirus capabilities on a paid subscription basis. I found that it worked well, but lacked some important features...
Background & Basic Features
The Pivio comes in two models, a single port model (the 2000) for $399 and the Plus (2500) priced at $479, which contains a 4 port 10/100 switch and is what they sent me for review. Crossport is in the process of expanding their distribution, but you can buy products either from their Web site, or through TigerDirect.
When I first saw the Pivio, I thought it was a SNAPgear clone, since both companies use a hardware platform OEM'd from Lineo. But although there may be the same engine under the hood, the products are quite different!
Where SNAPgear touts its Linux underpinnings, Crossport has hidden all that away, with a very streamlined interface that's intended to allow virtually anyone to set up and use it, and in many cases set itself up.
Crossport is targeting businesses with 5 to 25 users who want their Internet connection secured, easily configured and managed IPsec-based Virtual Private Networking, and automatically updated anti-virus protection for network clients. They're using a subscription-based business model, with a flat $150 per year fee (the first year's fee is bundled into the cost of the Pivio) for everything except the anti-virus capability, which is priced at $36 per client per year (with volume discounts for more than 5 clients). Although this may seem steep, Crossport says their pricing is significantly lower than comparable capability from Sonicwall or Watchguard.
Setup was a non-event. My test network has a DHCP server and my test client is set to obtain its IP address automatically. When I opened my browser, it automatically went to a page telling me that Pivio was set up and connected to the internet! Clicking on my browser's Home icon confirmed this. Note that I didn't even need to know the IP address of Pivio's built-in Admin server, since you access it at config.pivio.com, which auto-redirects your browser as needed.
If I'd had to get my hands dirty with the LAN setup, Pivio provides pages that let me input PPPoE login info, static IP info, as well as set the system name for @Home. I didn't see the ability to change the WAN MAC address or enter Domain info for the LAN DHCP server to hand out, however. So ATT Broadband users may have setup problems and @Home users will have to enter the Domain info into their LAN clients manually.
Update 9/17/01 WAN MAC address change being added via firmware update.
Speaking of the LAN DHCP server, you can change its base address and IP range, reserve IPs (but not by MAC address), and control lease time. The server can also pass along WINS information, either obtained from your broadband service provider (BSP) or entered manually.
Features - Standalone
The Pivio has two classes of features: those that don't depend on communication with the Crossport security system "mother ship", and those that do. If you want to dig into the details, I suggest you download some of the documentation that Crossport has available online. I'll cover the standalone features first.
NAT Routing: Pivio will handle routing duties on its own. You can disable NAT routing, but there's no ability to enter static routes or support for dynamic IP protocols, so using Pivio as a LAN-to-LAN router isn't really an option.
Port Forwarding ("Services"): You can forward up to 16 single TCP or UDP ports, and there's no ability to edit or temporarily disable the definitions. There are no port ranges and no "DMZ" or "Exposed Server", i.e. the ability to place one computer on the WAN side of the NAT firewall.
VPN: You can define up to 5 IPsec (3DES) tunnels, using PSK (Pre-Shared Key) authentication only. There are no limits to the number of users per tunnel. Pivio will pass packets from PPTP clients through the NAT firewall, but there's no other support for PPTP VPN.
Intrusion ("Hacker") Protection: Pivio provides basic NAT firewall protection, plus protection against port scans, SYN floods, and fragmented packet attacks. Note that this protection is always in effect, regardless of whether you subscribe to the pay-for Pivio services.
Remote Administration: This is done via SNMP and a Windows application (Pivio Dashboard) that you can download. You can disable SNMP administration entirely, or allow read-only or read/write access to a specific IP or range of IP addresses.
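The Intrusion Protection entry above says Pivio watches for port scans and SYN floods but not how such events are recognized. The following is an added example, not Crossport's code, of the simplest form of that detection run over a packet log: a port scan is one source touching many distinct destination ports inside a short window, and a SYN flood is one source sending bare SYNs faster than a rate threshold. The thresholds, the log format and the three hosts in the sample log are all constructed for the demo; fragmented-packet checks are not covered.

```python
"""Added example (not Crossport's code): a toy detector for two of the
events the review says Pivio's intrusion protection watches for, port
scans and SYN floods.  Thresholds and the packet log are constructed."""
from collections import defaultdict, deque

SCAN_DISTINCT_PORTS = 10   # distinct destination ports from one source ...
SCAN_WINDOW_SEC = 5.0      # ... within this many seconds counts as a port scan
SYN_FLOOD_PER_SEC = 100    # bare SYNs from one source in one second counts as a flood


def build_sample_log():
    """Constructed packet log as (time_sec, src_ip, dst_port, tcp_flags)."""
    log = []
    # normal client: a couple of connections to a web server, well spaced
    log += [(0.0, "192.0.2.10", 80, "S"), (0.3, "192.0.2.10", 80, "A"),
            (2.0, "192.0.2.10", 443, "S")]
    # scanner: probes 15 different ports in 1.5 seconds
    log += [(1.0 + i * 0.1, "203.0.113.5", 20 + i, "S") for i in range(15)]
    # flooder: 150 bare SYNs to port 80 inside half a second
    log += [(3.0 + i * 0.003, "198.51.100.7", 80, "S") for i in range(150)]
    return sorted(log)


def detect(log, scan_ports=SCAN_DISTINCT_PORTS, scan_window=SCAN_WINDOW_SEC,
           syn_rate=SYN_FLOOD_PER_SEC):
    """Return a list of (kind, src_ip, time) alerts, at most one per kind per source."""
    alerts = []
    recent_ports = defaultdict(deque)   # src -> (time, port) seen within scan_window
    recent_syns = defaultdict(deque)    # src -> times of bare SYNs in the last second
    flagged = set()                     # (kind, src) pairs already reported
    for t, src, port, flags in log:
        win = recent_ports[src]
        win.append((t, port))
        while win[0][0] < t - scan_window:      # drop entries older than the window
            win.popleft()
        if ("port_scan", src) not in flagged and \
                len({p for _, p in win}) >= scan_ports:
            alerts.append(("port_scan", src, t))
            flagged.add(("port_scan", src))
        if flags == "S":                        # SYN without ACK: a new connection attempt
            syns = recent_syns[src]
            syns.append(t)
            while syns[0] < t - 1.0:            # keep only the last second of SYNs
                syns.popleft()
            if ("syn_flood", src) not in flagged and len(syns) >= syn_rate:
                alerts.append(("syn_flood", src, t))
                flagged.add(("syn_flood", src))
    return alerts


if __name__ == "__main__":
    for kind, src, t in detect(build_sample_log()):
        print(f"{t:7.3f}s  {kind:10s} from {src}")
```

Each source is reported once per event kind so that a long scan does not produce a burst of identical alerts; the first alert time tells you when the threshold was crossed, which is the figure worth tuning against a real network's baseline.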
Features - Subscription
Signing up for the Pivio Services package ($150/year for unlimited clients, first year of service included in the Pivio price) adds access to a number of other services:
Intrusion ("Hacker") Reporting and Control: Subscribing to the IDS (Intrusion Detection Services) gives you access to a number of reports, including emailed alerts about intrusion attempts on your network. You also get the ability to define detection rules and actions taken against specific TCP connection attempts, pings, and other types of intrusion exploits.
Connection Monitoring: Crossport servers monitor your Internet connection and can send an email alert if the connection goes down. You also have access to reports on Internet connection and VPN tunnel uptime/downtime.
Site Monitoring: This feature lets you enter an unlimited number of URLs to monitor on a settable periodic basis for availability or changes. Events can be logged or emailed as alerts.
Site Blocking: You can block up to 16 Web sites either by IP address or in the standard domain form, i.e. "www.site-to-be-blocked.com". Any LAN client that tries to access a blocked Web site will be redirected to a web page that tells them they've tried to access a blocked site. Curiously, there are no reports or alerts available for this feature!
Traffic: Charts of peak or average inbound and outbound Internet traffic (in bits per second) can be called up for daily, weekly, monthly, or annual periods. You can also test the bandwidth of your connection via a link to bandwidthspeedtest.com.
Anti-Virus: Crossport has partnered with F-Secure to offer anti-virus protection for $36 per client per year (with quantity discounts over 5 users). This is on top of the $150 yearly fee for the other services. The AV capability runs independently of Pivio once you use the Anti-Virus admin page to order your licenses. The AV clients have an auto-update app that constantly checks for and downloads application and virus definition updates, again without any interaction with Pivio.
Features - Missing
No product is perfect, and the Pivio has its share of missing features. Given the nature of the product and its target market, I found some of the omissions to be a little curious:
Access Control / Port Filtering: There's no ability to control services that users can access by filtering specific TCP or UDP ports. I'd think that this capability would be important for businesses to give them another tool to control Internet usage.
DMZ: You don't have the ability to place one computer completely outside the firewall, which may be required for using applications such as NetMeeting, gaming, or other applications that you can't get to work through the firewall.
Content Controls: You can't control the type of Web sites that users can visit.
Traffic Logging: Although you can get security-related logs and alerts, and you can see nice charts of bandwidth usage, there is no logging of Web sites that are visited, and strangely enough, no logging of attempts to access blocked sites.
Server "Loopback": You won't be able to access any of your mapped LAN-based servers by using the Pivio's external IP address (or assigned domain if you have one). You'll have to use the "private" LAN IP address instead.
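The Site Blocking entry in the subscription section and the Traffic Logging entry above together describe a block list that accepts either an IP address or a domain name, redirects the client to a notice page, and keeps no record of the attempts. The following is an added example, not Crossport's code, of what that feature looks like when the gap is closed: the matcher normalizes host names (case, trailing dot), distinguishes IP literals from names, and records every blocked request so that a per-client report can be produced. The 16-entry cap is the one stated in the review; the notice-page URL, the sample list and the sample requests are constructed, and blocking subdomains of a listed name is this example's design choice, not documented Pivio behaviour.

```python
"""Added example (not Crossport's code): a site-block list that accepts
entries as IP addresses or host names, redirects matching requests, and
records each blocked attempt.  The 16-entry cap follows the review; the
block page URL and sample requests are constructed."""
import ipaddress
from datetime import datetime, timezone

MAX_ENTRIES = 16                                  # limit stated in the review
BLOCK_PAGE = "http://blocked.example.invalid/"    # placeholder notice page URL


def _normalize(name):
    """Lower-case and strip whitespace and a trailing dot (FQDN form)."""
    return name.strip().lower().rstrip(".")


class SiteBlocker:
    def __init__(self, entries):
        if len(entries) > MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} block entries supported")
        self.ips = set()
        self.domains = set()
        for entry in entries:
            entry = _normalize(entry)
            try:
                self.ips.add(ipaddress.ip_address(entry))
            except ValueError:          # not an IP literal, so treat it as a host name
                self.domains.add(entry)
        self.attempts = []              # (timestamp, client_ip, host) of blocked requests

    def is_blocked(self, host):
        host = _normalize(host)
        try:
            return ipaddress.ip_address(host) in self.ips
        except ValueError:
            pass
        # design choice in this example: a listed name also blocks its subdomains
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def check(self, client_ip, host, now=None):
        """Return the redirect URL for a blocked request, or None to allow it."""
        if not self.is_blocked(host):
            return None
        self.attempts.append((now or datetime.now(timezone.utc), client_ip, host))
        return BLOCK_PAGE

    def report(self):
        """Per-client count of blocked attempts, the report the review finds missing."""
        counts = {}
        for _, client, _ in self.attempts:
            counts[client] = counts.get(client, 0) + 1
        return counts


if __name__ == "__main__":
    blocker = SiteBlocker(["www.example.com", "198.51.100.20"])   # constructed list
    for client, host in [("192.0.2.10", "WWW.Example.COM."),
                         ("192.0.2.10", "198.51.100.20"),
                         ("192.0.2.11", "example.org")]:
        print(client, host, "->", blocker.check(client, host) or "allowed")
    print(blocker.report())
```

Keeping the attempt record separate from the match decision is what makes the missing report cheap to add: the redirect behaviour is unchanged, and the log can be rolled up per client, per host or per time period as needed.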
I ran the Qcheck suite to test routing performance. I ran my normal WAN-LAN and LAN-WAN tests, with results shown in the tables below:
[Table: Qcheck Transfer Rate (Mbps), 1 Mbyte data size; figures not captured]
[Table: Qcheck Response Time (msec), 10 iterations, 100 byte data size; figures not captured]
Comment: No problems encountered. Plenty fast for most broadband connections.
Although the Pivio worked well, there was nothing that wowed me in its feature set. On the contrary, I think it's missing some key business-oriented features such as port/service filtering and Web site traffic logging. I also suspect that the IPsec setup parameters may be too limited to work with the wide array of IPsec authentication methods that are commonly used, and it's not clear that two Pivios can be used to set up an IPsec VPN between them.
Update 9/17/01 Crossport says that two Pivios can be used to set up a private IPsec VPN without using other products.
Crossport hopes to win business away from Watchguard and Sonicwall on the basis of being less expensive while providing comparable features. But if they're really going to have a shot at getting some traction in the current business climate, I think they're going to have to sweeten the pot a little more.