Proxies Add a Protective Shield
We invited Array Networks, CipherTrust, Kavado, MultiNet Security, NetContinuum, Sanctum, Spearhead, Teros (formerly Stratum8), Ubizen, WebScurity and Whale Communications. Array Networks and Whale Communications declined to let us test their offerings. CipherTrust said it felt its product was not a good fit for this review and NetContinuum said it didn't have any units to spare. Spearhead withdrew its NetGap appliance because of a pending architecture enhancement--no sense testing the old stuff. Ubizen never responded to our invitation.
Two other vendors, Gilian and NetScaler, are not included here because Gilian didn't start offering application security modules until our tests were finished, and we were not aware of NetScaler's offerings in time for this article. In addition, there are many host-based Web security products, including eEye SecureIIS and Microsoft UrlScan, that we didn't test because we focused only on proxy-based Web application firewalls.
We gathered Kavado's InterDo, MultiNet's iSecureWeb, Sanctum's AppShield, Teros' APS and WebScurity's webApp.Secure in our Chicago Neohapsis partner labs and tasked them with protecting two horribly insecure test Web sites (for details see "How We Tested Web Security Proxies").
Successful attack prevention was not our only comparison criteria; product configuration flexibility is crucial as well. In theory, these products are similar to regular network firewalls: Open too little and you impact traffic; open too much and you expose your network to security risks. In reality, however, Web security proxies are much more complex than network firewalls, and their configuration can be tricky. The proxy must understand the inner workings of your Web applications. If your security configuration is not symbiotic with your Web applications, you risk leaving vulnerabilities exposed. Therefore, the easier it is to adapt the product to your site, the stronger your security will be.
Plan Before You Deploy