Firewalls and virus engines are increasingly useless as hackers, spyware developers, and crimeware syndicates figure out how to circumvent the best defenses of enterprise IT shops in an endless game of tug-of-war. What's required to win the war against spyware, system corruption, and data loss is a different approach, and forward-thinking vendors like Finjan are tackling the challenge head-on.

Finjan's SP-6100 midrange secure gateway appliance unleashes real-time behavioral analysis to thwart spyware developers, who have become savvy to the inner workings of traditional URL filters and spyware engines. The SP-6100 runs on IBM server hardware and ships with dual quad-core Xeon processors, 2 GB of RAM, dual 73-GB drives, and a four-port Gigabit Ethernet controller. It takes URL and signature-based protection to the next level by actually executing the code of the site you're visiting in a sandbox in real time. So, for example, a site may be deemed safe by a traditional URL filter, but a detailed behavioral check by Finjan might reveal an attempt to write to your registry. Perhaps the same site is attempting a file operation on your local system--or overtly trying to install a toolkit, push down an .msi file, or execute destructive code embedded in a PDF file that circumvented your e-mail gateway.

While signature-based defenses are certainly faster than real-time behavioral inspection, they rely on your virus defense or URL filter vendor to write and deploy the update, which takes time. That won't help if you're one of the first victims of a new and devastating virus.

We took the SP-6100 appliance for a spin and were impressed with its features and ease of use. Setup was generally a snap, and the only cumbersome part of testing was having to manually point clients to the Finjan appliance as their proxy server.

You can get around that issue by purchasing an optional bridge pass-through card for a few hundred bucks. The bridge pass-through card cross-connects to your external firewall interface and acts like a transparent proxy for your clients, so no browser configuration is necessary. If the Finjan box fails or loses power, the bridge card fails open and maintains Internet access for the clients behind your firewall.

Keep Out The Bad Guys
The most impressive feature set in the Finjan appliance's formidable roster is the ability to scan for and block sites that are attempting to exploit specific Windows or Internet Explorer vulnerabilities. Adding to the diversity and robustness of its security and scanning capabilities is the ability to subscribe to signature-based URL and virus filters from Kaspersky, McAfee, Sophos, and Websense.

Other notables are Finjan's Boolean logic builder and its Active Directory integration. The logic builder allows IT to develop custom dictionaries that can be put to work for compliance and data loss prevention, or DLP. The Active Directory integration allows you to apply security and authentication policy based on user and group membership. Although the SP-6100 is by no means an enterprise DLP product, it does a good job as a man in the middle for decrypting, scanning, and applying security policy to SSL-enabled sessions.

Our Take

Finjan SP-6100 Web Gateway Appliance

Finjan Secure Web Gateway takes malware protection to the next level by combining signature-based detection with behavioral scanning engine technology The SP-6100's content awareness capabilities help prevent data leakage at the gateway, even within HTTPS/ SSL streams Built-in caching capabilities make the Finjan appliance a fairly robust solution for security and content acceleration in a single box

Recent code releases have turned the SP-6100 into an HTTP caching appliance as well, but if you need enterprise-grade, multiprotocol content acceleration, look to Blue Coat Systems' Proxy SG line of appliances for more robust caching features.

If you're unhappy with the security capabilities of your current caching appliance, you don't have to settle. Blue Coat and Finjan, for example, can complement each other via the Internet Content Adaptation Protocol or Web Cache Coordination Protocol, which off-load real-time behavioral scanning tasks from the caching server to the Finjan security gateway. In large environments, it might make sense to take advantage of the strengths of each by using them in parallel.

The Finjan SP-6100 lists for $18,000 and includes the Finjan Web Security Suite and Silver support. Base pricing rises depending on user count, optional add-ons, and subscriptions to third-party virus engines and URL filters.

Randy George is an industry analyst covering security and infrastructure topics.