This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."
Citrix's administrative capabilities are basic, but well-managed through a simple and intuitive management GUI. We were able to quickly add users for administrative purposes, but our options were limited to either an application administrator or an application guest, whose account could view, but not modify, configuration settings. We felt this was essentially useless.
Breach breaks out administrative tasks into two groups as well: system administrators with access to everything, and site administrators who only have rights to sites assigned to them. Additionally, Breach includes two view-only accounts: a Super Viewer who can see everything, and a Viewer with read-only access to the sites to which they are assigned.
Assigning sites was effortless, as all active sites were displayed in one window and could be assigned with a mouse click.
All of the products included some sort of learning function, either automatic learning of URLs or learning of application behavior and traffic patterns. Another significant policy feature was the firewall's ability to operate in a transparent (monitor-only) mode, which allowed us to fine-tune actions before enabling full enforcement measures such as blocking and redirecting.
Breach provided the most predefined policy set out of the box, covering known attacks against popular applications such as IIS, Apache and SQL. We are skeptical that its controls have the robustness to be effective against unknown attacks.
The console isn't as complex or icon-driven as the other products', but it is laid out in a way that let us drill down through our applications to review and set policies. Best of all, it provided one of the strongest visual interfaces for security event information.
We were particularly engaged by the use of Breach-Marks: regular expressions or custom strings used to identify sensitive information, such as credit card numbers.
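As an added illustration (not Breach's own code), the following Python sketch shows what a Breach-Mark-style check amounts to: a regular expression picks out candidate card numbers in an outbound response body, a Luhn checksum filters out look-alike digit strings such as order numbers, and surviving matches are masked before the body leaves the site. The candidate pattern, the constructed sample body and the masking format are assumptions.

```python
import re

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or hyphens. Deliberately loose; the Luhn check filters noise.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digits-only string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalised (digits-only) PANs in text that pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_response(text: str) -> tuple[str, int]:
    """Mask each Luhn-valid PAN, keeping the last four digits; return (body, count)."""
    count = 0

    def _mask(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # Luhn failed: leave the text untouched

    return PAN_CANDIDATE.sub(_mask, text), count


# Constructed sample response body (not captured traffic). The order number
# has 16 digits but fails Luhn; the two card numbers are standard test PANs.
SAMPLE_BODY = (
    "Order 1234567890123456 confirmed.\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Backup card: 5500-0000-0000-0004\n"
)

if __name__ == "__main__":
    body, n = mask_response(SAMPLE_BODY)
    print(f"masked {n} card number(s):\n{body}")
```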
This was first published in March 2008