NetGuard Guardian NCC - A stateful inspection filter for network security

To combat the increasing number of threats to network security, an advanced firewall is necessary. This article talks about the security, advantages, drawbacks and price of one such firewall called NetGuard Guardian NCC. Tips to use it are also provided in the article.

NetGuard Guardian NCC is one of the most popular stateful inspection filters among network administrators. Other than for the purpose of internal security, it is widely used by companies in developing online security solutions like password managers and security apps.
The firewall works on client/server management philosophy. The firewall can be managed remotely from any client application which authenticates with the firewall. The server is called Firewall Agent and the client application is referred to as NCC Manager.

How is Guardian NCC a highly secure firewall

The security provided by of Guardian's Strategy Wizard is almost impossible to breach. Some of its security features are discussed below.

Anti-spoofing control

Spoofing is controlled by two mechanisms. First, the IP addresses from internal adapters are rejected on the external adapters connected to internet. Second, source routed packets are dropped.

ARP support

To make the firewall invisible, it can be configured to ARP. The configuration makes public servers in user's DMZ visible to internet without creating any routing table and can be easily managed through GUI interface. Once it is done, go to the services control panel and start the agent service to clear ARP tables. Also, power cycle the router located between internet and firewall.

SYN flood protection

SYN floods consume resources on server. The MAC layer inspector provided detects and filters these floods.

Policy rules for packet-filtering

Packet filters are not directly configured. First a combination of IP addresses and network masks are filtered by creating objects. These objects represent the addresses and networks. Then, policy rules are created to allow a passage of protocols to these addresses. Thus, unless a rule in the policy permits the passage, all protocols remain blocked.

User authentication

User information is passed only when the client is authenticated by the firewall. The user authentication feature of Guardian does not create an encrypted tunnel. If encryption is needed, PPTP will have to be used separately. For management security, a 15-character password is created which is exceptionally strong.

Protection from traditional attacks

Guardian's media access control layer driver located between the adapter drive and the network transport protects the computer from traditional attacks against Windows NT's TCP/IP implementation.


The interface of Guardian NCC is very easy to use. Its paradigm is based on strategies which can be constructed using the Strategy Wizard. The strategies can even be modified later. These strategies decide the operations of the firewall while ensuring maximum safety.

The interface monitors multiple agents. This means that users can have multiple strategies as each agent is loaded with one strategy.
The tree browser on the left of the interface is used to browse network objects such as internal & external address pools in the system. These objects are created automatically by Wizard and are visible to all strategies.


Easy Network Address Translation (NAT)

The superior NAT provided by Guardian is easy to establish. Unlike most other translators, it can perform IP pool sharing and static port based service assignments for internal clients on single public IP address. Any small installation having a single dial up connection for internet can also perform NAT because demand-dialed RAS connections are also protected by Guardian.

Free Virtual Private network (VPN)

Unlike most other firewalls, Guardian provides a free VPN. However, this network functions between Guardian firewall agents only and individual client computers can't be accessed remotely.

Bandwidth control

The Guidepost Bandwidth Control feature allows the user to assign some percentage of interface's total bandwidth to service functions.

Easy to understand and configure

Guardian NCC is a policy based firewall for Windows NT and is configured on pass/block rule sets. The advantage of this is that unlike protocol numbers and IP addresses, pass/block rules can be easily read and understood by users. There are many strong firewalls in market but Guardian NCC is probably the easiest of them to establish and configure.


It does not need a router as it performs routing function by itself and since it runs on Windows NT workstation or server, the cost of underlying operating system (around $700) can be saved by the user.


High color depth requirement

Guardian's CD-ROM auto run utility runs only with a minimum color depth of 8 bits. Thus, you will first have to install a video adapter drive which has risked firewall stability in some cases.

An alternative of this is that you browse on the CD and find individual setup programs for Firewall Agent and NCC Manager but the process is time consuming.

Tips for usage

  • Users should note that most firewalls are connected to internet by a single adapter. Thus, Firewall Agent should be installed on any specific adapters. Though, there is an option by which you can install it on all Network Driver Interface Specification (NDIS) adapters, it is not very useful.

  • You can install Guardian NCC on Windows NT Service Pack 0 where no service packs are installed but if you want to use encrypted tunnel functionality of the firewall, you need to Guardian NCC on a Service Pack 3 or above. After installing the Agent & Manager, restart the firewall host.

  • Pricing

    You can visit the official website of NetGuard to download a 30-day free version. If you like the product, you can purchase it for around $1900. If you are based in U.S., you can also purchase the firewall from its U.S. distributor, LanOptics. All technical support will be provided by email only.

    Read BorderManager - firewall for Novell Netware servers


    No responses found. Be the first to comment...

  • Do not include your name, "with regards" etc in the comment. Write detailed comment, relevant to the topic.
  • No HTML formatting and links to other web sites are allowed.
  • This is a strictly moderated site. Absolutely no spam allowed.
  • Name: