NetContinuum is jacking up the power of its application firewall with a new appliance that replaces its initial offering and adds new options for deployment that are less intrusive to the network.
Called the NC-1100, the device is a new hardware platform that will replace NetContinuum's NC-1000 platform in June and ups the performance of the old device tenfold, the company says.
The NC-1100 sits between Web servers and the Internet, terminating traffic, screening it and then passing it on. As a proxy device, it terminates TCP, HTTP and SSL sessions. Before passing along data it checks whether session cookies are good, whether forms within applications meet the policies that define them, whether hidden files remain hidden and the like.
The device is being used by Atlanta Public Schools to protect applications that are open to public use. The schools' annual audit showed that opening network firewall ports to allow this access was a security risk, so proxying with an application firewall became important, says Sam Pointer, the IT director for the schools. "Malicious traffic hits the NetContinuum [device] on a dummy address, and it stops it there," he says.
The device can also improve the response time of Web applications by caching, compressing, balancing loads and pooling TCP sessions.
The tenfold performance increase is a bold claim, and the actual improvements may vary depending on the mix of traffic that a NetContinuum device is handling, says Michael Gavin, an analyst with Forrester Research. "You need to put this in front of your own applications and see how you do," he says.
Software upgrades with the new device enable deployment without having to make changes to DNS table entries, something that is generally required of reverse proxies, and that some vendors say makes customers shy away from reverse-proxy application firewalls. For instance, competitor Imperva uses the fact that it is a network-layer device that requires no network address changes as a selling point.
The NC-1100 can be deployed either inline with traffic to block malicious packets and hide IP addresses, or off the monitoring port of a switch or router in bridge proxy mode to set a baseline for what normal traffic looks like. The device can also be set to a hybrid mode in which some applications are bridged and some proxied. This mode might be attractive to businesses that want high security for certain transactions but less for others, says Gavin.
The appliance can be set in passive mode, in which it logs traffic and notes policy violations without dropping the traffic. That mode can be used to determine whether policies as set actually permit all the traffic that is legitimate. For example, a policy may allow access to resources only from a certain subnet, but one particular authorized user may be located in a different subnet or may move around. In such a case an administrator could set an exception for that user.
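The checks described above (session cookie integrity, form fields matching a defined policy, hidden values left unchanged, and a subnet policy with a per-user exception, evaluated in passive or blocking mode) as an added Python sketch. This is not NetContinuum's code; the policy, signing secret and sample requests are constructed for illustration.

```python
import hmac, hashlib, ipaddress
from dataclasses import dataclass, field

SECRET = b"demo-only-secret"  # constructed; a real appliance uses its own per-device key

def sign(value: str) -> str:
    """Tag a session id so a forged or edited cookie can be detected."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()[:16]

@dataclass
class Policy:
    allowed_fields: dict            # form name -> set of field names the form may carry
    hidden_fields: dict             # form name -> {hidden field: value it must keep}
    allowed_subnets: list           # ip_network objects clients must come from
    exceptions: set = field(default_factory=set)  # users allowed from any subnet

def check_request(req: dict, policy: Policy, mode: str = "passive"):
    """Return (action, violations). Passive mode only records; blocking mode drops."""
    violations = []
    sid, _, tag = req.get("cookie", "").rpartition(".")
    if not sid or not hmac.compare_digest(tag, sign(sid)):
        violations.append("bad-session-cookie")
    form = req["form"]
    if set(req["fields"]) - policy.allowed_fields.get(form, set()):
        violations.append("unexpected-form-field")
    for name, expected in policy.hidden_fields.get(form, {}).items():
        if req["fields"].get(name) != expected:
            violations.append(f"hidden-field-tampered:{name}")
    src = ipaddress.ip_address(req["src"])
    in_subnet = any(src in net for net in policy.allowed_subnets)
    if not in_subnet and req.get("user") not in policy.exceptions:
        violations.append("source-outside-allowed-subnet")
    action = "allow" if mode == "passive" or not violations else "block"
    return action, violations

# Constructed policy and requests (hypothetical values, not from the article).
POLICY = Policy(
    allowed_fields={"login": {"user", "password", "next"}},
    hidden_fields={"login": {"next": "/home"}},
    allowed_subnets=[ipaddress.ip_network("10.1.0.0/16")],
    exceptions={"roaming-admin"},
)
GOOD = {"form": "login", "fields": {"user": "a", "password": "b", "next": "/home"},
        "src": "10.1.4.7", "user": "a", "cookie": "sess123." + sign("sess123")}
TAMPERED = {"form": "login", "fields": {"user": "a", "password": "b", "next": "/admin", "debug": "1"},
            "src": "192.0.2.9", "user": "a", "cookie": "sess123.deadbeef"}
ROAMING = dict(GOOD, src="192.0.2.9", user="roaming-admin")  # outside subnet, but excepted

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("tampered", TAMPERED), ("roaming", ROAMING)]:
        for mode in ("passive", "blocking"):
            print(name, mode, *check_request(req, POLICY, mode))
```

Running the tampered request in passive mode first shows every violation it would trigger, which is how an operator confirms a policy before switching to blocking.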
New software also gives customers an application dashboard that shows the status of each application - whether it is working, how much bandwidth it is using, how many transactions per second it is performing and the attacks it is subject to.
The NC-1100 can be deployed in pairs, with the standby constantly testing access to applications via the primary box, maintaining state with the primary box and jumping in if access to applications fails.
The new device also comes with software wizards for defining applications and for setting security options for each. By default the machine sets security parameters as suggested in the Web Application Firewall Evaluation Criteria set by a group of application firewall vendors.
The NC-1100 will ship next month in two models: the AF version, which includes just an application firewall, for US$30,000, and the AG version, which accelerates traffic as well, for US$35,000. The devices can also support XML for an additional US$10,000.