Finjan Vital Security Web Appliance NG-5000S

Finjan has been refining its focus on network security and now concentrates purely on web content security. It's also improved its pricing structure, making the NG-5000S on review look a far more viable solution for SMBs than it did when we last looked at it a few years ago (here).

Finjan offers three unique features, with its patented active real-time content inspection capable of identifying malicious code by examining it to see what it would do if allowed to run to completion. It's superior to signature-based solutions, as it can deal with carefully crafted attacks that use, for example, dynamic code obfuscation.

Next you have Finjan's Anti.dote, which provides a protective umbrella during the time between a vulnerability appearing and a patch being delivered. As soon as Finjan is aware of the threat, it issues a rule set for download to the appliance that will block it during this period.

Finjan's behavioural analysis is also used against spyware, and it combines this with known spyware URL lists. Optional virus scanning is also available, and you can pick and choose between Kaspersky, Sophos or McAfee. There are more options, as you can also implement web content filtering, which comes courtesy of either Websense or IBM's Proventia.

The appliance can be deployed in all-in-one mode or as one of a group that provide load-balanced scanning and reporting to a central policy enforcement server. The appliance can function as an explicit or transparent proxy, and the additional support for WCCP (web cache communication protocol) means Cisco's firewalls and selected switches can forward traffic to the appliance for inspection.

Finjan's security policies use rule sets combining conditions and actions, and the X-Ray feature allows policies and selected rules to be run passively to test them prior to going live. We found the newly designed web interface much easier to use, as policies and associated rules are now presented in a tree structure making them easier to configure.

The active real-time content inspection acts as a last line of defence, and to test this required a number of rules in our policy to be turned off. We visited a known website that attempts to drop a very nasty trojan on your system and found we had to switch off rules for Websense, anti-virus, anti-spyware, missing digital signatures and suspicious file downloads before we could even get to the code analysis stage.

After blocking the executable the log file showed that it was attempting to terminate other processes, manage memory and invoke DLLs. The website in question also used dynamic code obfuscation, and subsequent attempts to visit the site from other systems also met with the same tough response.

Websense also impressed during testing, as we blocked the Gambling category and Googled for online bingo sites. We gave up after visiting the first 50 hits, as we were consistently blocked from them all with each attempt receiving a web-warning page. A valuable new option is the ability to scan HTTPS traffic, where the appliance terminates the encrypted stream and inspects the content before passing it on.

The NG-5000S clearly has the ability to deal with today's increasingly sophisticated web attacks. Its active real-time content inspection makes it quite unique, and this can be augmented with tough antivirus measures and web content filtering.

Author: Dave Mitchell