Defending the Enterprise
May 17, 1999
The traditional approach to authentication has failed us. Passwords and user names frequently pass across the network in the clear or can be easily hacked at endpoints. The increasing number of services requiring passwords has left users baffled, resulting in passwords that are easy to guess and sloppily managed. Strategies using hardware tokens and smart cards are cumbersome for users, expensive to implement, and don't provide unquestionable nonrepudiation. For many, biometrics are the answer to the dilemma.
But when it comes to advanced biometric authentication, you can't afford to rely on toys. In our tests of fingerprint recognition devices ("Six Biometric Devices Point the Finger at Security," www.nwc.com/910/910r1.html), we discovered many of these systems can be compromised or have limited software support. The notable exception is Sony's Fingerprint Identification Unit (FIU), distributed by I/O Software in the United States. It's the most secure, compact and convenient scanner we reviewed, and is the only complete system we would recommend deploying today.
Unlike many competitive products, the Sony FIU quickly processes prints on an internal CPU, and then encrypts fingerprint data before it travels on the wire. It is supported in a wide range of applications, from PC boot protection to Windows NT, Windows 95/98, NetWare and Web authentication to desktop encryption. Third-party applications can access the FIU through the emerging industry standard Biometric API (BAPI) or a Microsoft CAPI interface. The FIU can also be used in conjunction with a smart card reader to provide highly secure data storage.
The VPN market is growing at a phenomenal pace, and new vendors and products are populating the landscape like weeds. Nortel EAS 4000 offers a well-rounded, robust VPN solution, and with new developments in version 2.0, Nortel still leads the pack. Supporting L2F, L2TP, PPTP and IPSec for VPN construction, RADIUS, NDS, NT Domains, LDAP, Entrust 4.0, and tokens for authentication, strong encryption, accounting, filtering and bandwidth management, the EAS 4000 is an all-in-one solution.
Even with all the configuration options, the EAS 4000 is a snap to manage. Early in the development stage, Nortel invested much thought in making a useful, easy-to-use management paradigm. User management, the bane of remote access services because of its complexity, is simplified through robust hierarchical group profiles. Group profiles are built from the root down, with subgroups inheriting all of the configuration of the groups above them. Thus, the EAS 4000 can implement a complex environment quickly. All configuration options are centrally managed, so administrators have complete control over remote users. Both remote user and LAN-to-LAN configurations are supported.
On the client side, users make connections with the Extranet Connection Manager client. The client can make an Internet connection with Windows Dial-up Networking if necessary and then build a VPN tunnel to the EAS 4000, downloading the current configuration information. One click for the user and the VPN is built. More important, version 2.0 supports split tunneling centrally managed by the administrator.
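The root-down group profile model described above is easy to reason about once it is written down as code. The following is an added example, not Nortel's configuration schema or any code from the EAS 4000: the group names, setting names and values are constructed. It resolves a user's effective profile by merging settings from the root to the most specific subgroup, and records which group supplied each setting so an administrator can audit why a remote user ended up with a particular policy.

```python
"""Hierarchical group profiles resolved root-down, in the style of the
management model described above. Added example; the group names, setting
names and values are constructed and are not Nortel's configuration schema."""


class GroupProfile:
    """A group carries only the settings it overrides; the rest is inherited."""

    def __init__(self, name, parent=None, **settings):
        self.name = name
        self.parent = parent
        self.settings = settings

    def lineage(self):
        """Groups from the root down to this one."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return list(reversed(chain))

    def effective(self):
        """Merge settings root-down so the most specific subgroup wins."""
        merged = {}
        for group in self.lineage():
            merged.update(group.settings)
        return merged

    def provenance(self):
        """Map each effective setting to the group that last set it (for audit)."""
        origin = {}
        for group in self.lineage():
            for key in group.settings:
                origin[key] = group.name
        return origin


def build_tree():
    """Constructed sample hierarchy: a restrictive root, two departments, one subgroup."""
    root = GroupProfile("root", encryption="3des", idle_timeout_min=30,
                        split_tunnel=False, filters=("deny-all",))
    engineering = GroupProfile("engineering", root,
                               filters=("allow-lab-net", "deny-all"))
    sales = GroupProfile("sales", root)  # inherits everything unchanged
    remote_admins = GroupProfile("remote-admins", engineering, idle_timeout_min=10)
    return {g.name: g for g in (root, engineering, sales, remote_admins)}


def resolve_user(username, user_to_group, tree):
    """Return the effective profile for a user plus where each setting came from."""
    group = tree[user_to_group[username]]
    return {"user": username,
            "group": "/".join(g.name for g in group.lineage()),
            "settings": group.effective(),
            "origin": group.provenance()}


USER_GROUPS = {"alice": "remote-admins", "bob": "sales"}  # constructed directory mapping

if __name__ == "__main__":
    tree = build_tree()
    for user in USER_GROUPS:
        print(resolve_user(user, USER_GROUPS, tree))
```

Because `split_tunnel` is set once at the root and no subgroup overrides it, every user resolves to the same value, which is the property a centrally managed split-tunneling policy depends on; the `origin` map makes it obvious when a subgroup has quietly loosened an inherited setting.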
Both the TimeStep Permit Enterprise and the VPNet VPNWare System offer versatile ICSA IPSec-compliant VPN solutions for LAN-to-LAN and remote-access applications.
A good firewall will allow precisely the traffic that you specify in and out of your network. A great firewall will do it really fast. Check Point Software Technologies' Check Point FireWall-1, version 4.0, is a great firewall. Not only does FireWall-1 control access to and from your network through the application layer, it is all held together by an unbeatable management interface that helps you implement and document your security policy in a pain-free environment. It also lets you give different firewall administrators varying levels of read- and write-access to the security policy.
Check Point's patented Inspect language examines and tracks connections from all the latest Internet protocols, including those that support H.323 applications. As a result, conventional addressing or NAT (Network Address Translation) can be used. In the unlikely event that FireWall-1 does not support a particular TCP- or UDP-based application, you can define your own in the GUI, or for more complex protocols write your own Inspect language code.
Check Point also allows implementation of an ICSA-certified, IPSec-based VPN solution using the same powerful GUI. A hardware accelerator card is now available to provide encryption at T3 line rates without affecting the CPU.
FireWall-1 can be implemented on Solaris, AIX, HP-UX and NT OSes, and on the powerful Nokia firewall appliance. In addition, Check Point's unprecedented OPSEC alliance brings together the resources of hundreds of partners to give FireWall-1 users a wide choice of products that further enhance FireWall-1's features.
In the war against the villains of enterprise security, intrusion detection system (IDS) technology is one tool that can help balance the scales of power. Internet Security Systems' (ISS) RealSecure 3.0 excels in ease of use, thoroughness, detailed information provision, and overall usefulness. RealSecure 3.0 remains a few notches above the competition.
Using an IDS, administrators can take a proactive stance on real-time security threats. IDS technology can help flag, document and, in some cases even shut down, an attack in progress. RealSecure demonstrates these features by offering administrators a polished implementation of the technology. Installation and configuration are easily accomplished with RealSecure's self-contained management console. The product is extremely scalable, and allows for multiple sensors and consoles to be distributed across the enterprise. The presentation of data is clear and concise, and can be customized depending on the administrator's needs. The attack signature database, thanks to ISS' internal research division, is one of the most comprehensive ones found in the industry. Finally, ISS has not compromised robustness in favor of ease of use; the only product we've seen that can hold such raw inspection power is Cisco Systems' NetRanger.
Although RealSecure is not as flexible as Network Flight Recorder's NFR Intrusion Detection Appliance, and it doesn't possess the customization tools provided by AXENT Technologies' ID-Trak, the sum of its polished features and self-contained design make it the most usable ID solution out of the box.
The RADIUS protocol is designed to streamline dial-in user authentication by linking network access servers with existing back-end authentication systems like Windows NT Domains, Novell NDS trees or Unix NIS maps. Funk Software's Steel-Belted Radius provides effective RADIUS services by integrating authentication with multiple authentication back ends, including major NOS directories (Novell NDS, Microsoft NT Domains), as well as other existing authentication services, including Kerberos, Unix /etc/passwd, and hard token authentication systems. But the goal of a RADIUS installation should go beyond simple user authentication to policy management. With its back-end SQL connectivity, Steel-Belted Radius offers flexible authentication and logging options for large corporations and service providers.
In addition, RADIUS servers should include extensive dictionaries of vendor-specific configuration attributes, and should apply policies (such as maximum connect times or IP addresses) to entire groups of users. Advanced RADIUS servers can manage IP addresses assigned to dial-up sessions either by user or through a pool of addresses at the RADIUS server (which off-loads address management from each particular access server to a central RADIUS server). Funk includes configuration profiles for nearly every access and VPN product on the market, as well as integrated IP management.
RADIUS server offerings can range from simple user authentication systems to advanced policy management engines with multiple authentication back ends. With its support for multiple back ends, including ODBC (for authentication and accounting), its extensive proxy RADIUS support, and its simple configurations for various remote access servers, firewalls and VPNs, Funk Software's Steel-Belted Radius gets the nod.
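The three paragraphs above describe RADIUS as the glue between a network access server and a back-end user store, carrying both the credential check and the policy attributes (assigned address, connect-time limit) back to the access server. The following added example, which is not code from the article, Funk Software or any RADIUS product, walks one RFC 2865 Access-Request/Access-Accept exchange end to end: the User-Password hiding scheme, the TLV attribute encoding, the Response Authenticator the access server must verify before applying the returned policy, and what happens when a reply is tampered with. The shared secret, user store and addresses are constructed placeholders.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept round trip.

Added example, not part of the original article or any vendor's code. The
user store, shared secret and addresses below are constructed placeholders.
"""
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, SESSION_TIMEOUT = 1, 2, 8, 27

# Constructed back-end store; a real server would consult NDS, an NT domain,
# /etc/passwd or SQL, as the article describes.
USERS = {b"alice": b"correct horse battery"}


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header, rejecting malformed lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Access server side: Code, Identifier, Length, random Request Authenticator, TLVs."""
    authenticator = authenticator or os.urandom(16)
    body = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def build_reply(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def verify_reply(reply, request_authenticator, secret):
    """Access server side: a reply whose authenticator does not match is discarded."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo_exchange(username=b"alice", password=b"correct horse battery"):
    """One access-server <-> RADIUS-server round trip; returns what each side concluded."""
    secret = b"constructed-shared-secret"
    request = build_access_request(7, username, password, secret)
    # Server: recover the password and check it against the back end.
    req_attrs = parse_attributes(request)
    recovered = reveal_password(req_attrs[USER_PASSWORD], secret, request[4:20])
    accepted = hmac.compare_digest(recovered, USERS.get(req_attrs[USER_NAME], b"\xff"))
    # Policy (assigned address, maximum connect time) rides on the Accept.
    policy = [attribute(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5])),
              attribute(SESSION_TIMEOUT, struct.pack("!I", 3600))] if accepted else []
    reply = build_reply(ACCESS_ACCEPT if accepted else ACCESS_REJECT, request, secret, policy)
    # Access server: verify the reply before applying any policy it carries.
    verified = verify_reply(reply, request[4:20], secret)
    granted = parse_attributes(reply) if verified and reply[0] == ACCESS_ACCEPT else {}
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])  # one bit flipped in transit
    return {"accepted": accepted, "verified": verified,
            "session_timeout": struct.unpack("!I", granted[SESSION_TIMEOUT])[0] if granted else None,
            "tampered_verified": verify_reply(tampered, request[4:20], secret)}


if __name__ == "__main__":
    print(demo_exchange())
    print(demo_exchange(password=b"wrong"))
```

Two points worth noticing when reading the output: the password never appears on the wire unhidden, but its protection rests entirely on the shared secret and the freshness of the Request Authenticator, which is why the secret must be strong and per-client; and the access server only applies Framed-IP-Address and Session-Timeout after the Response Authenticator checks out, so a forged or altered Accept is dropped rather than granting a session.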
Securing a single operating system is difficult enough, but ensuring that your company's security policy is being followed across multiple platforms is a truly tall order. It's not enough to simply distribute guidelines on paper; security managers must be able to verify that all administrators are following the policies. If the policy overseer can prevent a breach before it even occurs, that's even better--and that's why we liked Tivoli Systems' Tivoli Enterprise Security 3.6.
Tivoli's User Management and Security Administration components start with a clear adoption methodology, which allows organizations to quickly adapt that methodology to their existing systems and builds upon an organization's defined personnel roles. More than just a loose collection of related tools, these products fit into the Tivoli Framework and provide broad platform support and a high degree of flexibility.
The Tivoli security strategy is not to interfere with base operating system security, except when there is no other available option. The Tivoli Access Control Facility (TACF) replaces the access control mechanisms found in the native Unix platform, protecting the root account from abuse and partitioning its responsibilities for better delegation.
For organizations unwilling to adopt such a comprehensive framework, AXENT Technologies' Enterprise Security Manager provides a simple yet comprehensive method of auditing compliance across multiple platforms. ESM also provides detailed audit control and graphical reports, and offers more control over checks and corrections than competitive systems.
The security product industry has exploded in the past two years, and so has the task of keeping current. Administrators face an array of platforms, complicated products, and environments so integrated that even Microsoft gets confused. Trying to keep everything working is a challenge; trying to keep it secure is often an impossible mission.
Internet Security Systems' Internet Scanner comes to the rescue by allowing administrators to proactively search their networks for remotely exploitable holes. Internet Scanner uses a list of internal checks to probe hosts for known problems, and flag potential security holes before intruders discover them. Although NAI's CyberCop comes in a close second, Internet Scanner prevails because of its extensive list of security checks and its detailed reporting mechanisms. Combined with an intuitive interface and an efficient back-end scanning engine to support it, Internet Scanner is a polished security tool. While it still suffers from a lack of timely updates, it does provide an invaluable resource to anyone tasked with securing hosts from internal or external attack.