Despite the exponential increase in the number of threats to corporate networks, the majority of security solutions currently on the market only offer a reactive approach. A new threat or vulnerability is discovered and you have to wait while the vendor comes up with a patch or an update to its attack database or virus signature files before you can feel safe again.
Finjan prides itself on its proactive stance to security threats and offers a range of appliance-based solutions. Using an IBM System x3650 2U rack server, the latest Vital Security NG-6100 appliance targets enterprises for which high availability is a priority.
All the Vital Security appliances run the same code and include Finjan's web security suite (WSS) as standard, to which you can add optional URL content filtering and one of three anti-virus packages.
The most prominent feature of WSS is the vendor's patented behavioural blocking technology, which aims to weed out malicious traffic without the need for constant updates. Working at the application level, it analyses web content to determine whether it contains malicious code. Finjan takes a far simpler approach than the more common sandbox method: rather than executing the code, it analyses each line to determine what the code would do if it were allowed to run, and if it doesn't like what it sees it simply blocks it.
Finjan's Anti.dote aims to close the window of opportunity that exists from the moment a threat is discovered to the time patches are released. As soon as a new threat is identified, the company pushes rule sets to the appliance that allow it to identify and block that threat. Spyware and phishing are also covered, with the device using a range of detection methods that include lists of known problem URLs and behavioural analysis.
We really like Finjan's slick deployment, and opted for the default mode of explicit proxy. This required us to update our test clients' browsers with the appliance's IP address and port number. You can opt for a transparent proxy instead, but you won't be able to use proxy authentication, and LAN-to-WAN traffic must be redirected to the appliance for scanning.
Next, you attach a client directly to the default management port and follow the simple browser-based setup wizard, which asks for network details, licence codes and a mode of operation. Finjan's larger appliances can function in all-in-one mode, or scanning can be spread across multiple appliances, all controlled by a dedicated policy enforcement server.
The main web management interface is well designed and provides easy access to all the appliance's features. Security is managed entirely through policies, each comprising a set of rules, and each rule containing conditions and actions. Usefully, you get a set of default policies that allow the appliance to start filtering traffic straight away. And you don't need to worry about letting your own policies loose on the live network, as you can select the X-Ray option for each rule, which makes it run passively and only log the action it would have taken.
Policies can be applied to different users and groups, and we found it a cinch to import these from our Active Directory server via LDAP. Anti-virus behaviour is configured using policy rules, and Finjan offers a choice of Kaspersky, Sophos or McAfee scanning engines. The SurfControl URL filtering service is also configured with rules and currently provides 42 web content categories. If a user attempts to access a blocked site they are redirected to a warning page advising them of the site's category, while the appliance records the event in its logs and reporting database.
During testing we were impressed with Finjan's response to infections and spyware, as it rebuffed all our attempts to access dubious sites or download malicious content. The rules in each policy are carried out according to their position in the list, and it is easy to change their priority. The WSS components generally reside low down in the list, as they provide the final hurdle should any dubious content make it through the barricades.
To test the behavioural blocking it would have been easy to move these components to the top of the list, but we wanted to see what would have to be deactivated before it came into play. We accessed a live URL that was known to attempt to download a malicious executable and, with our default policy in action, found it was necessary to turn off the rules for anti-virus, URL filtering, anti-spyware, file extension blocking, and binaries with no certificate or an invalid certificate before the code could be analysed. Sure enough, WSS picked up the fact that the code was attempting to modify our test system and promptly blocked it. We also found reporting to be particularly good: Finjan provides complete rundowns of code behaviour, along with the ability to produce reports on anything from blocked sites to spyware or viral activity and deliver them in PDF, Excel or HTML format.
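To make the ordering behaviour concrete, here is an added illustration (not Finjan's code or data model) of a policy as an ordered rule list, evaluated first-match-wins, with the X-Ray option logging passively, and the test described above reproduced by disabling every rule above the behavioural component. The request fields and rule names are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Request:
    """Constructed model of a proxied download; fields are assumptions."""
    url: str
    extension: str
    signed: bool          # binary carries a valid certificate
    av_hit: bool          # signature engine flagged it
    behaviour: str        # verdict of line-by-line analysis, e.g. "modifies system"

@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    enabled: bool = True
    xray: bool = False    # X-Ray: log what the rule would do, never block

def evaluate(policy: List[Rule], req: Request, log: List[str]) -> Optional[str]:
    """Walk the policy in list order; the first enabled, non-X-Ray rule whose
    condition matches blocks the request. Returns the blocking rule's name,
    or None if every rule let the request through."""
    for rule in policy:
        if not rule.enabled or not rule.condition(req):
            continue
        if rule.xray:
            log.append(f"X-RAY {rule.name}: would block {req.url}")
            continue
        log.append(f"BLOCK {rule.name}: {req.url}")
        return rule.name
    return None

BLOCKED_URLS = {"http://dubious.example/dropper.exe"}  # constructed category list

def default_policy() -> List[Rule]:
    """Ordered like the review's default policy: WSS sits last as the final hurdle."""
    return [
        Rule("anti-virus", lambda r: r.av_hit),
        Rule("url-filtering", lambda r: r.url in BLOCKED_URLS),
        Rule("file-extension", lambda r: r.extension in {"exe", "scr"}),
        Rule("unsigned-binary", lambda r: r.extension == "exe" and not r.signed),
        Rule("wss-behavioural", lambda r: r.behaviour == "modifies system"),
    ]

def with_upstream_disabled(policy: List[Rule]) -> List[Rule]:
    """Reproduce the test: switch off every rule except the behavioural one."""
    return [Rule(r.name, r.condition, enabled=(r.name == "wss-behavioural"), xray=r.xray)
            for r in policy]

def as_xray(policy: List[Rule]) -> List[Rule]:
    """Stage a whole policy passively, as the X-Ray option allows per rule."""
    return [Rule(r.name, r.condition, enabled=r.enabled, xray=True) for r in policy]
```

With the default order the anti-virus rule answers first and the behavioural engine is never consulted; only once the upstream rules are disabled does the WSS verdict become the blocking reason, which is exactly what the review had to do to exercise it.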
There's no denying that Finjan is offering a powerful web security solution and the NG-6100 delivers a classy hardware platform with an excellent specification. You will need to source firewall and anti-spam services elsewhere, but with Finjan's WSS on the case there will be no need to worry about getting caught napping by the latest round of web-based threats.