EXCLUSIVE: Finjan Vital Security NG-5100

Whereas many network security vendors have stretched themselves to cover every angle, Finjan has resisted the temptation and kept its focus firmly on web content security. This does mean you'll need to look elsewhere for your anti-spam and mail content filtering solutions but the Vital Security appliances offer some very unusual and quite unique abilities.

In this exclusive review we take a closer look at the NG-5100 which targets large businesses and enterprises and comes as standard with Finjan's Web Security Suite (WSS) which can be augmented with optional anti-virus measures and web content filtering. There's plenty of choice for the former as you can pick and choose from Sophos, Kaspersky or McAfee. For web content filtering the well respected SurfControl URL database delivers extensive features.

We found the NG-5100 easy enough to deploy as an explicit proxy which just required us to modify our client browser connection settings to point to the appliance. If you don't want to muck about with your client systems you can use the appliance as a transparent proxy but in this mode you can't use proxy-level user authentication and you'll need to redirect LAN to WAN traffic to the appliance for scanning. You get four Gigabit Ethernet ports but in most scenarios you'll only be using the first one. You can connect other subnets to the appliance but be aware that it will perform routing between them which will have security implications. SSL encrypted traffic can also be scanned but this service is currently provided by the separate NG-5400 appliance. This is placed in front of the NG-5100 where it decrypts the traffic, sends it on for scanning and then re-encrypts it if it has been cleared. We were advised by Finjan that it has plans to integrate this feature into the main appliance and offer it as an optional feature that can be activated with a license key.

First contact with the appliance will be via the dedicated management port where you point a browser at it and follow the quick start wizard. First you decide how the appliance will function and you have three modes to choose from. Smaller sites will go for the all-in-one mode but you can have multiple appliances acting as scanning servers and another functioning as a policy enforcement server. We opted for the all-in-one mode and just needed to set up the IP address of the main network port, add details of our gateway and sort out licensing.

Before we delve deeper into the management interface it is worth going over the features of Finjan's WSS first. At the top of the list is its behavioural blocking which is capable of identifying malicious content in web traffic. Unlike sandboxes, it doesn't actually run the code but holds it at the gateway and analyses it to determine what it would do if it was allowed to. If it doesn't like it then access is automatically blocked.

When a new exploit emerges all too often there is a delay before a patch or signature update appears and Finjan's Anti.dote aims to provide interim protection. This involves downloading a new set of rules to the appliance which allows it to detect and block the exploit and this is all done automatically. Spyware and phishing are also handled by WSS which, amongst other things, also uses behavioural rules to detect them.

User access to web content is controlled exclusively by the use of policies which comprise a collection of rules containing selected conditions and actions. Each rule is placed in the list in order of priority and an X-Ray feature allows specific rules to run passively where their actions are logged for further analysis.