ThreatSentry is a Web Application Firewall and Intrusion Prevention solution that helps system administrators improve web application security and comply with regulatory demands such as Section 6.6 of the Payment Card Industry Data Security Standard. ThreatSentry 4 supports Windows Server 2008 R2 and IIS 7 on 32- and 64-bit systems. ThreatSentry is an ISAPI Extension hosted in MMC, and its knowledgebase of pre-configured filters is designed to identify and block a broad range of web application threats including Structured Query Language (SQL) Injection, DoS, Cross-Site Request Forgery (CSRF/XSRF), Cross-Site Scripting (XSS) and other attack techniques. ThreatSentry's conventional defense capabilities are augmented by a behavior-based intrusion prevention engine that profiles typical request activity and detects unusual events and patterns indicative of zero-day and targeted attacks. Default configuration settings are designed to deliver optimal out-of-box performance and administrative ease.
What's new in this version:
Version 4.1.8 adds in-product Help tips for key parameter settings.
Excellent protection for my web servers. Privacyware technical support walked me through the entire app on webinar during 30-day trial. Here are the features that I like the best, but if you have IIS servers, ThreatSentry should be evaluated. I've been running since January. Previous reviewer hit the nail on the head.
- two layers of protection in one application (IIS application firewall and IIS-specific behavior-based IPS)
- very granular control over blocked IPs, alert management, IIS attack signatures, and page request strings, etc.
- complete notification layer
- no visible performance hit
- provides exceptional visibility to unwanted/malicious traffic
- comparatively low price
ThreatSentry performs beyond expectation and is well worth the price - no cons.
- Protects from cross-site scripting and SQL injection
- Extremely easy-to-use product that has a very sophisticated behavior engine technology.
- Works right out of the box for the majority of users.
- There is nothing to configure unless there is a specific need to cover special cases.
- For power users and depending on the web site technology being used there are numerous configuration options that cover a great number of different scenarios. I run this product on training and now mostly rely on behavior engine - it works great.
- There is an adequate notification layer which might be beneficial for "busy-no-private-life" administrators
- Has the capability to block events based on time pattern, which can be very effective against denial of service (DoS) attacks.
- Demands surprisingly less feedback from the administrator. This is when there is a need to re-classify an event.
- My favorite feature: support for MS Exchange Server on the web. As a result, almost no false positives when protecting MS Exchange on the web.
Vendor describes ThreatSentry as a host IPS, but it's really an application firewall/host IPS combo. Front line is all rules-based; i.e., signatures, black-listed IPs, malicious requests, etc. If a request gets through that, it has to face the IPS layer, which compares the request against the baseline TS establishes when you first install the app. If the request is exceptionally unusual, TS blocks it.
ThreatSentry is a very affordable product that would be a good value at 10x the price. I recommend it strongly for anyone interested in protecting their Windows web servers with a layered approach.
Pros include: 1) effective multi-layered defense, 2) ease of use, 3) lots of features, 4) dirt cheap.