EXCLUSIVE: Finjan Vital Security NG-5100
Whereas many network security vendors have stretched themselves to cover every angle, Finjan has resisted the temptation and kept its focus firmly on web content security. This does mean you'll need to look elsewhere for your anti-spam and mail content filtering solutions but the Vital Security appliances offer some very unusual and quite unique abilities.
In this exclusive review we take a closer look at the NG-5100 which targets large businesses and enterprises and comes as standard with Finjan's Web Security Suite (WSS) which can be augmented with optional anti-virus measures and web content filtering. There's plenty of choice for the former as you can pick and choose from Sophos, Kaspersky or McAfee. For web content filtering the well respected SurfControl URL database delivers extensive features.
We found the NG-5100 easy enough to deploy as an explicit proxy which just required us to modify our client browser connection settings to point to the appliance. If you don't want to muck about with your client systems you can use the appliance as a transparent proxy but in this mode you can't use proxy-level user authentication and you'll need to redirect LAN to WAN traffic to the appliance for scanning. You get four Gigabit Ethernet ports but in most scenarios you'll only be using the first one. You can connect other subnets to the appliance but be aware that it will perform routing between them which will have security implications. SSL encrypted traffic can also be scanned but this service is currently provided by the separate NG-5400 appliance. This is placed in front of the NG-5100 where it decrypts the traffic, sends it on for scanning and then re-encrypts it if it has been cleared. We were advised by Finjan that it has plans to integrate this feature into the main appliance and offer it as an optional feature that can be activated with a license key.
First contact with the appliance will be via the dedicated management port where you point a browser at it and follow the quick start wizard. First you decide how the appliance will function and you have three modes to choose from. Smaller sites will go for the all-in-one mode but you can have multiple appliances acting as scanning servers and another functioning as a policy enforcement server. We opted for the all-in-one mode and just needed to set up the IP address of the main network port, add details of our gateway and sort out licensing.
Before we delve deeper into the management interface it is worth going over the features of Finjan's WSS first. At the top of the list is its behavioural blocking which is capable of identifying malicious content in web traffic. Unlike sandboxes, it doesn't actually run the code but holds it at the gateway and analyses it to determine what it would do if it was allowed to. If it doesn't like it then access is automatically blocked.
When a new exploit emerges all too often there is a delay before a patch or signature update appears and Finjan's Anti.dote aims to provide interim protection. This involves downloading a new set of rules to the appliance which allows it to detect and block the exploit and this is all done automatically. Spyware and phishing are also handled by WSS which, amongst other things, also uses behavioural rules to detect them.
User access to web content is controlled exclusively by the use of policies which comprise a collection of rules containing selected conditions and actions. Each rule is placed in the list in order of priority and an X-Ray feature allows specific rules to run passively where their actions are logged for further analysis.
Usefully, a default policy for all users is set up during installation so the appliance can start filtering straight away. Policies make the NG-5100 very versatile as they can be applied to different users and groups and we had no problems downloading these from our AD server using LDAP. During testing we found the NG-5100 was very effective and each client that transgressed a policy was redirected to a customisable warning web page from the appliance which advised on the reason for the blocking action. If you're using SurfControl the various categories are accessed from a single rule which allows you to implement different browsing restrictions for selected groups of users. There are currently 42 different categories to choose from and we've always found SurfControl to be a top performer.
Testing the behavioural blocking features required a number of policy rules to be switched off in succession. We located a dodgy web site that immediately tried to load a Trojan and this was blocked first by Kaspersky. We switched off anti-virus scanning and access was still denied by SurfControl as the URL was listed. We switched SurfControl off and Finjan's anti-spyware features then refused to allow access. With this deactivated, the file extension blocker still wouldn't let it in and even with this switched off the two rules that block binaries with either no digital certificate or an invalid one then came into play. Finally, with these deactivated the behavioural blocking was able to analyse the file after which it advised us that the site was blocked because the file or page contained malicious code. You can see what it was trying to do by going to the log file, highlighting the relevant entry and selecting the Component option. The response tab shows the behaviour the file would have exhibited which in our case was file writes, deletes, process creations and DLL load requests.
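The priority-ordered rules with X-Ray mode, and the layer-by-layer test above, can be modelled as follows. This is an added example, not Finjan's code: the rule names, record fields and matching conditions are hypothetical stand-ins, and the sample download is constructed.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]  # condition evaluated against one download
    enabled: bool = True
    xray: bool = False               # passive: record the hit, take no action

# Behaviours the review saw reported; a static stand-in for real analysis.
RISKY = {"file_write", "file_delete", "process_create", "dll_load"}

def build_policy():
    # Hypothetical rule names and conditions, listed in priority order.
    return [
        Rule("anti-virus", lambda d: d["av_hit"]),
        Rule("url-category", lambda d: d["url_listed"]),
        Rule("anti-spyware", lambda d: d["spyware_hit"]),
        Rule("file-extension", lambda d: d["ext"] in {".exe", ".scr"}),
        Rule("no-certificate", lambda d: d["cert"] is None),
        Rule("invalid-certificate", lambda d: d["cert"] == "invalid"),
        Rule("behaviour", lambda d: bool(RISKY & set(d["behaviours"]))),
    ]

def evaluate(policy, download):
    """First enabled, non-X-Ray match blocks; X-Ray matches are only logged."""
    xray_log = []
    for rule in policy:
        if rule.enabled and rule.matches(download):
            if not rule.xray:
                return rule.name, xray_log
            xray_log.append(rule.name)
    return None, xray_log

def peel_layers(policy, download):
    """Switch off each blocking rule in turn, recording which rule blocks next."""
    order = []
    while (hit := evaluate(policy, download)[0]) is not None:
        order.append(hit)
        next(r for r in policy if r.name == hit).enabled = False
    return order

# Constructed sample: an unsigned executable served from a listed URL.
SAMPLE = {"av_hit": True, "url_listed": True, "spyware_hit": True, "ext": ".exe",
          "cert": None, "behaviours": ["file_write", "process_create", "dll_load"]}

if __name__ == "__main__":
    print(peel_layers(build_policy(), SAMPLE))
```

Setting a rule's xray flag instead of disabling it keeps a record of what that rule would have blocked while the remaining rules continue to enforce.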
By trying to become a jack-of-all-trades in the network security market many vendors run the risk of spreading themselves too thin. Finjan certainly can't be accused of this as our testing showed it delivers some very tough web content security measures. Naturally, by going for the specialist product you do pay a premium but the NG-5100 does look good overall value and is remarkably easy to deploy and manage.
The NG-5100 offers some of the toughest web content security measures on the market and backs them up with good anti-virus and URL filtering options. Policy based control makes it very versatile and we found the appliance particularly easy to deploy and use.
1U rack chassis; Pentium D 3.4GHz; 2GB 533MHz SDRAM; 1GB CompactFlash card; 4 x Gigabit Ethernet; 160GB Western Digital WD1600YS SATA hard disk; Monitor, 2 x USB mouse/keyboard and RJ-45 serial port; Linux kernel; Web browser management
Options: 501 users with 1yr Kaspersky AV and SurfControl included; £12,990 exc VAT.