This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."
The first order of business with Citrix was switching from bypass mode to operating mode--basically turning on the firewall. From the same page, we were able to choose whether to include failover protection in our security policy, assign session timeout thresholds and toggle between two levels of overall security--Enterprise, which included full filtering and blocking, or Express, with basic Web server policies.
Citrix's Adaptive Learning mode examines traffic to determine what is normal and then builds recommendations that users can apply, edit and then apply, skip or ignore. Unfortunately, once a recommendation is ignored, the firewall will no longer treat that particular action as a threat when it is encountered again. We would have preferred a threshold on the skip option, so that the policy can still change to meet new zero-day exploits and adaptive malware.
F5's policy management is quite flexible. Initially, the wizard walked us through each aspect of rule definition. F5 also supports an assortment of adaptive learning tools to assist with policy generation. We found the Learning Manager and its counterpart, the Traffic Learning Screen, to be the most helpful in determining policy. Each time we created a potential violation, such as forceful browsing or multiple failed login attempts, the Learning Manager made suggestions as to how to adapt our security policy.
F5 offers the ability to create security policy templates to facilitate large-scale deployments.
Between Barracuda's policy wizard and its dynamic application profiling, we were able to create security policies specific to the traffic generated during our testing. However, it's easy to see how, in a high-traffic environment, the constant tweaking would be bothersome and ultimately create a security risk from the sheer number of changes.
Barracuda's passive mode is very good at displaying what the results would have been if policies had been actively enforced. While the other products displayed what was taking place on the network, they didn't offer the same understanding of what the ramifications of the security policy would have been had it been active.
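To make the two review points above concrete, here is a small added example (constructed for this article, not any vendor's code) of an adaptive-learning WAF: it learns which parameters each path normally carries, recommends a block rule for anything unknown, and lets the operator apply, skip or ignore each recommendation. A skipped recommendation resurfaces after a configurable window, the threshold the Citrix review wished for, while an ignored one is suppressed permanently; a passive mode records what an applied rule would have blocked instead of blocking it, as in the Barracuda passive mode. All class and method names are hypothetical.

```python
from collections import defaultdict


class LearningWAF:
    """Toy adaptive-learning WAF (hypothetical design, not a vendor implementation)."""

    def __init__(self, skip_window=3, enforce=False):
        self.baseline = defaultdict(set)  # path -> parameter names seen while learning
        self.rules = set()                # applied recommendations: (path, param) to block
        self.ignored = set()              # ignored recommendations never resurface
        self.skipped = {}                 # (path, param) -> observations left before it resurfaces
        self.skip_window = skip_window    # threshold after which a skipped recommendation returns
        self.enforce = enforce            # False = passive mode: log what would have been blocked
        self.would_block = []             # passive-mode record of (path, param) rule hits

    def learn(self, path, params):
        """Learning phase: record the parameters this path normally carries."""
        self.baseline[path].update(params)

    def inspect(self, path, params):
        """Evaluate one request. Returns (verdict, recommendations), where verdict is
        'blocked' (enforced rule hit), 'logged' (passive-mode rule hit) or 'allowed'."""
        hits = [(path, p) for p in params if (path, p) in self.rules]
        if hits:
            if self.enforce:
                return "blocked", []
            self.would_block.extend(hits)  # passive mode: show the ramifications, don't block
            return "logged", []
        recs = []
        for p in sorted(set(params) - self.baseline[path]):   # deviations from the baseline
            key = (path, p)
            if key in self.ignored:          # ignored: permanently treated as normal
                continue
            if key in self.skipped:          # skipped: stay quiet for skip_window observations
                self.skipped[key] -= 1
                if self.skipped[key] > 0:
                    continue
                del self.skipped[key]        # window exhausted: recommendation resurfaces
            recs.append(key)
        return "allowed", recs

    def apply(self, key):
        self.rules.add(key)

    def ignore(self, key):
        self.ignored.add(key)

    def skip(self, key):
        self.skipped[key] = self.skip_window
```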
This was first published in March 2008