With Defiance TMS (Threat Management System), Kavado has expanded its Web application firewall platform for larger enterprises to manage and maintain multiple firewalls and protect multiple Web applications from a single console. We found initial deployment of the Defiance TMS software components more complicated than deployment of SecureSphere, but Defiances fine integration of logging and policy creation helped us lock down our multi-application testbed and minimize false positives thereafter.Defiance TMS consists of four primary software components that provide active blocking, passive monitoring, policy control and centralized reporting. We tested Defiance TMS using one Defiance Gateway for in-line defenses; the Defiance Management Server, which is the central repository of security data, alerts and logs; and the Java-based Defiance Security Console application, which provides centralized administration, monitoring and policy control for multiple Defiance-based machines across the enterprise. We did not test the Defiance Monitor, which provides out-of-band detection via a switch monitor port. Pricing for Defiance TMS, which was released in March, starts at $46,317. The base package includes two Defiance Gateways, one Defiance Management Server and one Defiance Security Console. The Defiance Monitor passive IDS (intrusion detection system) is sold separately for $11,500, and additional Defiance Gateways are available for $17,500 each. We installed the Defiance Gateway on a Dell Inc. PowerEdge 750 server with 1GB of memory running Microsofts Windows Enterprise Server 2003. Administrators must make sure to harden the underlying operating system before deploying Defiance in production, or the device will be susceptible to attack. (Kavado officials expect to soon ship a soft appliance version of Defiance Gateway that runs on IBM hardware.) The Defiance Gateway relies on a reverse application proxy to protect Web applications. With the reverse proxy, Defiance terminates the connection with the client and inspects traffic for suspicious content before passing it to the Web servers. We had to configure multiple external IP addresses on the Defiance Gatewayone for each application we protected. From the Security Console, we then created listeners for Port 80 and Port 443 traffic for each external IP address and created the necessary rules to pass traffic to the correct host on the internal network. We had to make a few DNS and IP addressing changes with the Kavado system, but this process will ease the Web deployment of applications that were originally intended only for internal use because they never have to be fully exposed to the Internet. As with SecureSphere, we could configure Defiance to decrypt Secure HTTP traffic to scan and assess encrypted communications. However, we found Defiance superior in this respect. The Defiance Gateway terminates traffic, so we could install a new certificate on the Defiance Gateway and choose whether we wanted to re-encrypt traffic as it is proxied to the back-end Web servers. With SecureSphere, on the other hand, we had to import Web servers private keys to decrypt the traffic. Click here to read the review of SecureSphere. Like SecureSphere, Defiance uses a learning mode to determine legitimate URLs in each Web application and to estimate the proper buffer lengths for user responses. Unlike SecureSphere, Defiance will not continue learning once the device is switched to protect mode. For improved visibility into Web applications, Kavado offers a separate applications scanner, ScanDo, that can be used to import profile changes into Defiance. Kavado officials said that, out of the box, Defiance TMS will protect against as much as 80 percent of the threats that an organization is likely to face. In tests, we found these base-line defenses obtrusiveespecially to our Outlook Web Access application. Defiance did provide assistance in fine-tuning defenses to address this problem. We particularly liked the Refine Button, which allowed us to adjust policies directly from each log entry. The Defiance Security Console allowed us to assign different administrative controls or viewing privileges to multiple administrators. However, we did not appreciate the additional costs associated with multiple administrators: Each additional Security Console costs $1,995. Next page: Evaluation Shortlist: Related Products.
For more on eWEEK Labs testbed, click here.