Web application firewall maker NetContinuum Inc. said Monday that a new version of its NC-1000 Web Security Gateway adds network firewall features to the product's existing security features.
NC-1000 version 4.0 lets customers use a single device to stop network attacks using common protocols such as FTP (file transfer protocol) and DNS (domain name system), in addition to those targeting Web applications communicating over server port 80, NetContinuum said.
The new version of the NC-1000 can be deployed at the network perimeter, between the Internet and a company's Web applications. Incoming network and application-specific traffic passes through the NC-1000, which will apply traditional stateful inspection and so-called "deep inspection" features to monitor network connections and dig into data packets, spotting hidden attacks or malicious code, NetContinuum said.
Previously, the NC-1000 only functioned as an application firewall and was typically deployed behind a second network firewall located at the network perimeter. By consolidating those two functions onto one device, the NC-1000 will reduce the cost and administrative overhead needed to secure Web applications, said Wes Wasson, vice president of marketing at NetContinuum.
However, the new device is not intended to replace an organization's enterprise firewall, which protects its LAN, he said.
Traffic to and from a company's Web applications will pass through the NC-1000, which compares that traffic to a dynamic profile of legitimate behavior for those applications, blocking improper requests. Administrators can create a "virtualized firewall" for each application the NC-1000 protects, with a unique set of policies for that application, specifying which ports and network protocols can be used, Wasson said.
In addition, administrators can set up Web access control lists, or WACLs, which are similar to the access control lists (ACLs) that traditional network firewalls use to permit traffic from an approved set of connection sources, NetContinuum said.
WACLs allow organizations to accept or reject traffic by comparing information obtained from a deep inspection of the packet, including data on URLs (uniform resource locators), message content or form field values, against a list of approved content for that application, the company said.
The addition of integrated network firewall features may appeal to organizations that have deployed Web applications but are wary of using firewalls because of fears that they will slow traffic to and from their network, according to Eric Ogren of the Yankee Group.
The NC-1000's application-specific integrated circuit (ASIC) may allow some of those organizations to add network and application security without compromising performance. That would appeal to organizations such as large media companies that want to use the Web to deliver streamed media, which is sensitive to slowdowns, Ogren said.
NetContinuum has also redesigned the management interface of the NC-1000 so that it more closely resembles interfaces for network firewalls. The idea is to appeal to sophisticated firewall managers and make application firewall management more like network firewall management, Wasson said.
Companies selling Web application firewalls, such as NetContinuum, KaVaDo Inc., Teros Inc. and Sanctum Inc., stand to benefit as more companies turn to the Web to sell their wares and offer services such as banking and retirement planning to their customers, Ogren said.
The NC-1000 Version 4.0 will be available as a free software upgrade to existing NC-1000 customers. For new customers, the NC-1000 will be available in January and sell for US$28,000, NetContinuum said.