Review: Guard The Pearly Gates

Those very issues are what make enterprises of all sizes turn to solution providers for assistance. Luckily, VARs pursuing the security market have a friend in NetContinuum, a Santa Clara, Calif.-based vendor of gateways and firewalls. The company's latest iteration of its application firewall brings security to network applications without upsetting the existing infrastructure. In other words, VARs will find the product easy to deploy without having to redesign the network.

NetContinuum's NC-1100 application firewall offers a plethora of features and options aimed at keeping applications safe from attack and data safe from compromise. The unit functions as an in-line application firewall with the device sitting between the external and internal network connections. All network traffic is routed through the unit and analyzed for security problems. Out of the box, the unit offers protection from SQL injections, buffer overflows, cross-site scripting and cookie and forms tampering. Furthermore, any identifiable pattern can be masked from outbound traffic. That prevents the theft of credit card data, social security numbers, medical-record numbers and other confidential information.

The unit excels at identifying "bad access" attempts or injection-style attacks. Those attacks (and others) are designed to compromise security and steal data and can be delivered manually by an individual over the Internet or via scripts delivered in worms, viruses and other forms of malware.

Simplicity is one of the key offerings of the unit. Administrators will appreciate how the device becomes the central control point for access to all applications. The unit offers the ability to roll up numerous application security proxies from a variety of products into a single security proxy. That reduces administrative effort and management overhead while boosting the unit's return on investment. The NC-1100 offers an optional XML firewall, which inspects and validates SOAP requests in a Web services architecture. That option prevents SOAP requests that contain buffer overflows and SQL injections. To guarantee well-formed XML requests, the unit eliminates excessive recursion or other syntactical flaws and evaluates the SOAP request as a whole to make sure it conforms to the published service specifications.

Solution providers will find other features that are aimed at uptime and access. The integrated network card offers the capability to pass data packets through to the network if the unit fails. What's more, the capability to pass data packets functions even if the unit has no power.

The NC-1100 offers wizard-driven setup, full logging capabilities and reporting features. For granular user access control, NetContinuum offers integration with user and group control products such as CA's Site Minder. That level of integration allows administrators to use predefined policies to control access to applications. The NC-1100 is able to access the Site Minder database and actively monitor and control user access. That capability eliminates the need to set up a Site Minder proxy system and helps to speed access into the network while centralizing control under the NetContinuum umbrella. The 2U device is rack-mountable and is made of steel. Quality is evident in its design.

VARs will find the NC-1100 an easy device to configure and deploy, mostly due to its in-line capabilities. Setup requires no change to IP addresses, subnet masks or other network traffic elements. That provides a twofold benefit to users: It eliminates the need for address changes, which means installers don't have to touch other devices on the network, and it allows users to access applications if the NC-1100 fails or is taken out of service, albeit without security.

Setup tasks are also eased by the ability to import existing LDAP or other user directories. What's more, integration with existing directories eliminates the need to perform "double updates" when a user or group access policy changes.

Wizard technology further simplifies deployment. Administrators can set up access to applications with a few mouse clicks and the setup wizards handle the rest. The unit employs several layers of intelligence to identify applications and other network access devices. It offers wildcard-based protection, where administrators can use wildcards to select a bunch of applications to be protected without having to individually identify each application. That furthers the unit's ability to be simply dropped into a network and protect everything behind it, providing instant gratification for security-minded VARs.

The management console offers a comprehensive view of traffic moving through the network, while a dashboard application offers administrators a 10,000-foot view of network activity.

When defining policies, administrators can install active or passive controls. With passive policies, users are informed that an access event violates policy, but are then allowed to complete the request. Active policies block the access.

NetContinuum garners about half of its North American sales from its dozen or so partners and is recruiting new partners to help expand its geographic coverage. Its channel program offers certification and training, access to sales and marketing resources, a demo equipment program and a new lead-generation effort through which it teams with partners to host local seminars. Partners make average margins of 20 percent to 30 percent, the company said.

NetContinuum hits the high note when it comes to protecting applications and corporate data. Its product proves easy to set up, use and support. That "ease of everything" approach guarantees the NC-1100 will be easy to sell to enterprises with the discretionary spending for the latest in security wares.