FEATURE
The State of Security 2000

October 4, 1999

By Philip Carden, Mike Fratto, Peter Morrissey, Robert Moskowitz and Greg Shipley

Security is to the next five years what IP networking was to the previous five: The infrastructure technology that enables a wave of new applications. Just as IP networking paved the way for client/server and the Web, security technologies are key to the arrival of ubiquitous e-commerce. It's too limiting to continue to think of security technologies simply as an operational necessity; they now have strategic importance.

Network Computing asked our expert analysts to assess what we believe to be the six most important security technologies--firewalls, virtual private networks (VPNs), public key infrastructure (PKI), antivirus software, vulnerability monitoring and intrusion detection--to answer some key questions: Where should you be spending your precious IT dollars when it comes to security? Which technologies are must-haves and which still teeter on the bleeding edge?

VPNs and PKI stand apart in that they don't share the purpose common to the other four technologies. The goal of firewalls, antivirus software, vulnerability monitoring and intrusion detection is to protect internal systems and data. It's true that VPNs and PKI can contribute to that end, but the main reason for VPNs is to enable secure communication of data across untrusted networks. PKI's primary significance is in establishing trust between parties to an electronic transaction. VPN and PKI are both critical enablers of wholesale changes to the nature of business itself.

VPN makes possible the secure exchange of information across the Internet. Most VPN products support IPSec (IP Security), an industry standard, and while interoperability is still in the early stages, it's maturing at a steady pace. Originally, VPN technology was envisioned as a way to interconnect sites across the Internet, but the technology was rapidly adopted as a "remote access" alternative. A telecommuter's PC or mobile worker's laptop runs software that establishes an encrypted path back to a corporate location. Today, that software is typically supplied by a VPN vendor, but with the release of Windows 2000, IPSec will be built into the OS. Mike Fratto's assessment of VPNs (page 60) reveals that the technology is maturing rapidly, is strategically important and is ready for prime time: It's a top implementation priority.

If only the same could be said for PKI, which enables the "proof of identity" responsibility to be passed to a third-party organization (a "trusted third party") so that secure e-commerce can be transacted. It's vital to accept that PKI is strategically important not only for suppliers of e-commerce services, but for corporate users of those services. You'll need internal PKI capabilities that can mesh with those of an external trusted third party. However, as Robert Moskowitz points out in his assessment of PKI (page 64), the technology is in a state of disarray. The infrastructure is not yet firmly in place and neither is manageability. For now, though PKI might well be the most strategically important technology, it's also the least mature. Ignore it at your peril and keep a close watch on developments.

Firewalls have become nearly ubiquitous. They are the doors to the corporate network--and just as in home security, doors are essential. The question is not "Do you need a firewall?" but rather "What else do you need besides a firewall?" And as Peter Morrissey writes in his analysis (page 70), firewall vendors are quickly moving to combine firewalls with all manner and types of other security technologies. But for now, you may be better off buying a vanilla firewall instead of a fancier flavor.

In theory, intrusion-detection systems will tell you when your network or specific systems are being "hacked" so that you can do something about it. But for now, the hype being generated in this area is difficult to separate from the reality. Greg Shipley concludes that IDS technology is best suited for high-profile networks (page 72). If your site is in the early stages of determining policy and procedures, he says, an intrusion-detection system is not the best way to spend your IT dollars.

As with intrusion detection, there are two major approaches to vulnerability-assessment, or scanner, software. One is to use a network-based device that scans for holes via the network; the other is to install agents on each monitored system and have those agents report holes back to a central management system. Whereas a firewall just protects internal systems from external threats, vulnerability monitoring can identify security holes in all monitored internal systems. Shipley finds that scanner software is relatively mature and can be invaluable (page 76). Put it near the top of your "must have" list if you're doing widespread system auditing. But don't make it your primary defense.

Over the past year, antivirus software has been in the news a lot--generally to combat viruses such as Melissa and ExploreZip. In general, this category of security software works very well, but new threats loom and there's a gap in the capabilities of these software packages, even on the server side, according to Philip Carden (page 78). As firewalls grow more common, hackers are increasingly turning to Trojan Horse viruses to steal passwords and even take control of PCs. Being able to control users' activation of harmful programs is still a pipe dream. Until that capability exists, the hackers are one step ahead.