NetContinuum's NC-1000 Application Security Gateway v4.3
Price: Starts at $29,000
Web applications are increasingly the target of choice for attackers burrowing through perimeter firewalls, launching crippling DoS attacks and
Sitting between the perimeter firewall and Web apps, the NC-1000 is a proxy that combines inbound and outbound deep-packet inspection with the enforcement of customizable policy settings, down to the session level. Deep-packet inspection is supported for HTTP, HTTPS and FTP; traffic is terminated and proxied at the gateway, where it's decrypted and inspected. Because it's a proxy, the NC-1000 prevents attackers from conducting Web site reconnaissance and probing for vulnerabilities. It dynamically profiles applications by "learning" URLs, form fields, hidden fields, query strings and more to enforce legitimate behavior. In addition, the Web app firewall inspects outbound traffic for leaks of specific types of sensitive information, such as credit card numbers.
The NC-1000 blocked everything we threw at it; default security policies deflected DoS attacks, malformed packets, encoding attacks, worms and scans of vulnerable applications, such as unpatched Web, SQL and mail servers.
We then tightened security policies using Web ACLs and request-length limits, and stopped attempts to activate back doors, buffer overflows, SQL injections and authentication hijacking. Web ACLs can be configured using blacklist URLs (phishing and data theft) and stringent control for parameters and headers (such as with form fields to prevent SQL injection and cross-site scripting attacks). Request-length limits prevent malicious code from being written into headers.
To prevent the unwanted dissemination of sensitive data through accessing unlinked pages—also called forceful browsing—the NC-1000 completely blocks any unauthorized data sets from appearing in outbound Web traffic.
Initial setup and configuration of the NC-1000 is a mixed bag. Documentation is excellent, and the Web-based admin console is well-designed and easy to navigate. But the appliance can only be set up in a terminal session via serial cable, which is cumbersome compared to an Ethernet-based GUI; NetContinuum says its customers prefer to manage their data center consoles via serial port without network connectivity. Onboard routing, addressing and traffic management are seamless—no changing addresses or network topology.
The logging is comprehensive, recording event data from the firewall, applications, transactions and system. Each log is time-stamped, encrypted and digitally signed. The NetContinuum Security Manager provides a centralized console to manage multiple appliances.
The NC-1000 requires an admin well versed in security and network protocols to take full advantage of its horsepower. And this level of protection doesn't come cheap, especially if you step up to the $39,000 Web Services Edition. But its effective and versatile protection is worth the cost and effort.
This product review also appears in the July 2005 issue of Information Security magazine.