AppShield's URL-restriction rules were the easiest to configure among the products we tested. The alert log can feed rules into the rule manager based on what caused the alert, making it easy to troubleshoot erroneous violations. However, the rule manager is a bit clunky in supporting complex Web applications. We had to enter six separate rules (for the six WebDAV methods OWA uses) because the rule manager wouldn't let us put multiple HTTP methods on a single rule.
Our biggest complaint with AppShield is its inability to change/override some global configuration values on a per-URL basis in the rules manager. Global configuration values apply to all URLs on all protected Web sites. Loosening security restrictions to support one application (in our case, Microsoft FrontPage) caused all our applications to get the same reduced protection.
AppShield does have a few clever configuration options. You can declare certain file extensions as "always safe" and exempt from URL restrictions, useful for graphics and other static content. You can also specify different length restrictions for different HTTP headers. AppShield can even log full incoming IP packets in addition to the normal logging of HTTP-level data.
The only shortcoming we found during our attacks against AppShield was that the default character filter didn't properly stop SQL tampering. We fixed the filter by restricting the single quote character, but the effects are loud and clear: If an administrator isn't Web-attack savvy, the recommended defaults could lead to a false sense of security. You need to know when the recommendations and defaults are wrong or lacking; otherwise, an attacker can pass by unhindered.
AppShield 4.0. Sanctum, (877) 888-3970, (408) 352-2000. www.sanctuminc.com