
  The Vital Security Web Appliance

Finjan's focus has always been on web content security, and its Vital Security appliances offer users a number of unique features, including its patented behavioural blocking technology. With hackers using ever more sophisticated attack patterns, security vendors in turn have to be equally devious.
Dynamic code obfuscation is a classic example, as it can easily circumvent traditional signature-based scanners, but Finjan's active real-time content inspection can identify these types of threats and block them. Many solutions use a sandbox, which allows the malicious code to execute in a fenced-off area, but Finjan actually examines the suspect code to determine precisely what would happen if it were allowed to run to completion, and if it doesn't like the result, the code is blocked.
On review is the NG-6000S enterprise solution, which is presented as a well-specified 2U IBM rack server. All of Finjan's appliances run the same code, which delivers three unique features. Along with behavioural blocking, you have Finjan's Anti.dote, which covers the window of opportunity between a threat being publicised and a patch being made available. Once Finjan is aware of a new vulnerability, it downloads a new rule set to the appliance, allowing it to detect and block during this phase. The third is Finjan's spyware protection, which employs behavioural analysis and known spyware URL lists.
The appliance can be augmented with operational anti-virus measures and web content filtering. For the former you can choose from Kaspersky, Sophos or McAfee, whilst the latter is handled by Websense or IBM's Proventia. The NG-6000S was easy enough to deploy in the lab and, to reduce the number of administrative GUIs, Finjan now offers a swift wizard-based CLI setup, which you can run from a local monitor and keyboard or over a remote SSH (Secure Shell) connection.
The appliance defaults to an explicit proxy so all you do is change your client browser proxy settings, which can be easily achieved by using group policies. The appliance can also function as a transparent proxy and Finjan has now implemented proxy authentication for this method as well. When operating in all-in-one mode, a single appliance handles all functions, but you can have multiple appliances providing load-balanced scanning services and all reporting to a single policy enforcement server.
Support is now provided for WCCP (Web Cache Communication Protocol) as used by Cisco's security appliances, allowing web content to be forwarded to Finjan's appliances for inspection.
The NG-6000S employs security policies built from sets of rules containing conditions and actions, and these can be easily customised to suit. Rules are carried out in strict order within the policy, and the X-Ray feature allows policies and even individual rules to be run passively to see what their effect would be before going live. The main web management interface has been redesigned to improve response times, and policies are now presented in a tidy tree structure, making them even easier to view and configure.
The Websense filtering service is also configured with policy rules and currently provides over fifty content categories. Whenever a user breaches their assigned policy, whether it is visiting a banned site or one containing dangerous content, they receive a warning web page from the appliance. Finjan now also offers an option to scan HTTPS traffic where the appliance terminates the encrypted stream, inspects the content, and sends a new stream to the client.
During testing we found the NG-6000S very easy to deploy and capable of delivering extremely tough web security measures. Finjan's active real-time content inspection delivers strength in depth, and it is clearly a superior alternative to traditional signature-based inspection techniques. NC

Product: Vital Security Web Appliance NG-6000S
Supplier: Finjan UK
Tel: 01252 511118
Web site: www.finjan.com
Price: 250 users start from £7,495 excluding VAT