RSA Security's RSA ACE/Server and RSA SecurID Authentication beat its competitors based on a strong feature set, maturity, and a breadth of vendors that offer support for SecurID. RSA ACE/Server is a highly configurable authentication system allowing tight integration into your network and security scheme. Users can be grouped into configurable profiles with different rule sets governing the access control for each. The client software, ACE/Agent, integrates nicely with Windows, allowing access control for the local desktop as well as network and Web resources. Offering a mix of key fob, credit card, software, Java applet, and software for the Palm Pilot, the ACE/Server and ACE/Agent runs just about anywhere.

-- Mike Fratto

Biometric Authentication System

Winner

BioNetrix Authentication Suite, BioNetrix Systems Corp., (800) 397-7561, (703) 734-9200 www.bionetrix.com

Finalists

BioLogon 2.0 Server for Windows, Identix, (888) 500-7018, (408) 731-2000 www.identix.com/itsecurity/ SAF2000 Multi-Biometric Enterprise Security Suite, Saflink Corp., (800) 762-9595, (813) 636-0099 www.saflink.com

Award: Biometric Authentication System

Although the biometrics industry has been around for ages, most often confined to government and other high-security settings, it hasn't caught on as a common means of authentication. Recently, however, we've seen the industry start to stretch its wings. New solutions for incorporating a variety of biometric authentication devices into your network are emerging.

BioNetrix Systems Corp.'s BioNetrix Authentication Suite is the most robust biometric authentication system in this fledgling market. With this product, it's possible to authenticate with fingerprints, face and voice recognition, and signature verification and iris scanning. The vendor is also looking beyond biometrics, working to embrace any and all authentication technologies. As such, the BioNetrix suite goes farther than any other product in easing user and policy management, while still offering a relatively high level of security for user authentication.

The BioNetrix suite's authentication policies enable systems administrators to develop the most appropriate authentication schemes for their company. For example, an administrator could let groups of machines in supervised areas have less stringent authentication requirements than those in unsupervised areas. And it's possible to create very high levels of security by combining the different authentication methods.

--Mike Fratto

Firewall System

Winner

VPN-1 Gateway, Check Point Software Technologies, (800) 429-4391, (650) 628-2000 www.checkpoint.com

Finalists

Raptor Firewall 6.5, Axent Technologies, (301) 258-5043 www.axent.com Cisco Secure PIX Firewall 520, Cisco Systems, (800) 553-NETS, (408) 526-4000 www.cisco.com

Award: Firewall System

It's no surprise that Check Point Software Technologies takes the Well-Connected Award again this year. Its VPN-1 Gateway, a bundling of FireWall-1 and VPN-1, provides a strong firewall with excellent management and reporting functionality. Combine that with the vendor's successful OPSEC (Open Platform for Security) program, and Check Point stands out among firewall vendors. In response to the level of attacks we're seeing today, Check Point's FireWall-1 offers proxy-like enhancements such as syntax checking for HTTP and other specific protocols. Add in tight integration with third-party products in the virus-scanning, IDS, authentication and content-filtering space, all managed through the GUI, and this product still sets the bar.

--Mike Fratto

Intrusion Detection System

Winner

Dragon Sensor, Network Security Wizards, (Acquired by Enterasys Networks), (603) 332-9400 www.enterasys.com/ids/

Finalists

NetProwler, Axent Technologies, (301) 258-5043 www.axent.com RealSecure 3.2, Internet Security Systems, (800) 776-2362, (678) 443-6000 www.iss.net

Award: Intrusion Detection System

With intrusion detection (ID) technology proving to be one of the hottest new areas in information security, many organizations are in the process of either deploying the technology or ramping up their investigative efforts. And in choosing an ID system, organizations need to decide whether they want to deploy a polished product that's easy to manage yet has some fundamental flaws, or a robust product that's technically superior but introduces some administrative headaches.

This year, our Well-Connected Award goes to Network Security Wizards' Dragon Sensor, not for its polish or its groundbreaking technology, but for the simple fact that it gets the job done. While the product is still raw--those not comfortable in the Unix world will struggle with it--it works, and is consistently the most difficult of the network-based ID systems to sneak past.

-- Mike Fratto

Vulnerability Assessment Tool

Winner

ISS Internet Scanner 6.0, Internet Security Systems, (800) 776-2362, (678) 443-6000 www.iss.net

Finalists

NetRecon, Axent Technologies, (301) 258-5043 www.axent.com CyberCop 5.2 (now shipping 5.5), PGP Securities, a division of Network Associates, (800) 338-8754 www.pgp.com

Award: Vulnerability Assessment Tool

For the second year in a row, Internet Security Systems earns our Well-Connected Award for providing the industry with the best remote vulnerability-assessment scanning tool. By leveraging strong reporting functionality with a thorough back-end scanning engine, ISS Internet Scanner 6.0 remains above the competition. The product offers organizations the ability to obtain host and network vulnerability "snapshots," allowing them to assess components of their security posture from an external perspective.

While ISS has been fairly consistent in releasing updates to its vulnerability database, users of ISS Internet Scanner should note that at the current pace of those updates, they'll still be months behind the hacking community. This problem is not unique to ISS, however, and while the lag time in updates needs to be reduced, it will persist.

--Mike Fratto

Network Antivirus System

Winner

InoculateIT, Computer Associates, (800) 225-5224, (631) 342-5224 www.ca.com

Finalists

Norton AntiVirus Enterprise Solution, Symantec Corp., (800) 441-7234, (541) 334-6054 www.symantec.com Trend Micro ServerProtect, Trend Micro, (800) 228-5651, (408) 257-1500 www.antivirus.com

Award: Network Anti-Virus System

Computer Associates' InoculateIT offers outstanding management, configuration and scanning facilities in both its Windows NT and NetWare virus scanners. It isn't the fastest scanner on the block--in our tests, it significantly raised CPU utilization--but the bottom line is whether speed is really more important to you than security. If InoculateIT does affect server performance, the scanning can be turned down temporarily until the performance issue is addressed.

Both the Windows NT and NetWare versions of InoculateIT are full-featured scanners with the ability to scan numerous compressed file formats. Both versions can even scan files that have been compressed twice, as well as Macintosh files. Automated events are kicked off when a virus is detected. These alerts include e-mail or pager notification, and automatic cleaning and infected file archiving in a quarantine area. This allows administrators to examine infected files in more detail, and to attempt a manual recovery in the event that virus cleaning corrupts files.

CA has lots of experience in mundane network tasks such as job scheduling, resource management and enterprise management, and it shows. InoculateIT's management system allows servers to be grouped into domains. These, in turn, can be configured and monitored as a unit, greatly simplifying large-scale management. Similarly, virus-signature updates can be downloaded to one server and distributed to remote servers automatically. InoculateIT is also tightly integrated with CA's Unicenter TNG.

--Mike Fratto

Enterprise VPN Solution

Winner

Altiga Networks Concentrator (now Cisco 3060 VPN Concentrator), Cisco Systems, (800) 553-6387, (408) 526-4000 www.cisco.com

Finalists

RiverWorks EVPN, Indus River Networks, (888) 444-VPNS, (978) 266-8100 www.indusriver.com VSU-1100, VPNet Technologies, (888) VPNET-88, (408) 404-4100 www.vpn.com

Award: Enterprise VPN Solution

It was a big year for newcomer Altiga Networks in this competitive field. From the outset, with the launch of the Altiga Networks Concentrator (renamed the Cisco 3060 VPN Concentrator following Altiga's acquisition by Cisco Systems in March), Altiga wowed the industry--and the Networks Concentrator even managed to wow us. It boasts strong management, well-designed hardware, and integration with commonly used network services such as DHCP, LDAP and Radius. It also supports all the VPN protocols--L2TP, PPTP and IPSec--and is interoperable with Windows 2000.

Quick at passing VPN traffic, Altiga's concentrator kept up with the other products in our tests, passing IPSec traffic at a sprightly 79 Mbps. However, the unit is designed for remote-user VPNs, and individual client performance is critical; remote users don't care what the device capacity is if they get poor performance. The Altiga device was a standout on the client side as well. When we connected 1,000 PPTP clients and passed data at 33.6 Mbps, each client performed at 99 percent of capacity.

Anyone who has managed remote access will agree that any chance to leverage existing services is a good thing. Not only does Altiga's concentrator allow authentication against common databases via Radius, Windows NT Domains or LDAP, but it enables remote-user configuration via Radius using common configuration attributes along with Altiga-specific attributes. Support for Windows 2000, notably using L2TP within IPSec, makes this a natural fit for enterprises that ride the cutting edge.

Management is simply outstanding. Well-thought-out configuration wizards get the Altiga device up and running fast, while specific parameters can be tweaked so you can tailor the unit to your needs. Access control and configuration is managed via profiles in a hierarchy-based system. Tiered management is available as well.

--Mike Fratto