FEATURE

Integrated Security Suites
December 4, 2000
By Mike Fratto

With online electronic assets proliferating and the discovery of network-related software vulnerabilities escalating, the IT department workload is skyrocketing. Given the relative dearth of knowledgeable, seasoned administrators, anything that maximizes their ability to work on projects and minimizes their need to perform tedious tasks should result in increased productivity. Deploying an integrated security suite can help your company achieve both these goals.

What comprises an integrated security suite? We defined it as a set of applications that work in concert to provide a total security solution. A security suite encompasses products from some or all of the following categories: firewall, VPN, virus scanning, content filtering, URL monitoring/filtering and intrusion detection. Furthermore, it should leverage existing services for authentication, reporting and network management. That sounds like a big task--and it is.

Vendors are addressing the challenge through single-vendor suites and/or partnership programs. But just because these are integrated security suites does not mean they are managed through a single or even a common interface. Most vendors that want to build security suites follow the partnership or acquisition route to fill in missing components. Each of these approaches poses similar drawbacks for vendors, because disparate products have to be integrated, often after the products have been in the field, and can't easily be built into a cohesive whole. On the other hand, a single-vendor solution lets you rely on just one source for all your support needs, and you have to deal with finger pointing only within departments (perhaps just as bad).

Under the partnership plan, like Check Point Software Technologies' OPSEC (Open Platform for Security) program, third-party applications are certified and labeled as interoperable. Depending on the third-party vendor, you may have to purchase a special build of the certified application. For example, specific versions of applications are OPSEC-certified with certain builds of FireWall-1 on a particular OS and patch level. Integrated security suites can also include other products that enable enhanced user management, single sign-on and directory integration, and offer a host of other products and solutions designed to enforce security.

For our tests, we asked vendors to submit suites of products that protect the Internet perimeter. We wanted to limit the Web sites users could access. We also wanted to scan all executables for viruses, including mobile code passed via e-mail, HTTP or FTP. We wanted some form of intrusion detection, too. Finally, we wanted centralized logging and alert management so we could proactively monitor the security state of our network.

We invited Axent Technologies, Check Point, Cisco Systems, Computer Associates International and Network Associates to submit products to address our needs. Cisco declined, claiming resource issues; Axent declined because it didn't have the application integration to support our needs. In the matchup among solutions from Check Point, CA and Network Associates, Check Point's OPSEC receives our Editor's Choice award because of its policy management, reporting and logging, tight overall integration, and breadth of product lines. CA's solution comes in a close second with excellent integration, largely due to its Unicenter TNG. CA delivers a competitive breadth of product line, ranging from the desktop with InoculateIT to mainframe integration with TopSecret, as well as quality logging and reporting tools. Network Associates, which offers an interesting architecture, brings up the rear with pitiful logging and reporting features and few integrated products.

The difference with a program like OPSEC is that any vendor needing to integrate with FireWall-1 can download the APIs, build out the integration and get certified by OPSEC. Check Point controls the requirements and does the testing. As a result, you are more likely to acquire products from multiple vendors with the feature sets you need, rather than having to wait for a vendor to build the integration out. Of course, you do have to be careful about which versions of software you have installed or are installing, because OPSEC-certified products are certified by version level for both the application and the OS. That also means you may not be able to follow the upgrade path quickly, because new versions may not yet be certified.

Enforcing Policies

One of the goals of an integrated security suite is to centrally manage and enforce security policies. A policy is enforced at a point, such as a firewall, that makes decisions about the disposition of traffic. Other examples of enforcement points are a network virus scanner that disposes of infected files and an HTTP proxy server that limits access to a subset of all Web sites. The problem with having multiple enforcement points is that each one has to be configured individually, and implementing or modifying a security policy means having to configure multiple servers. Troubleshooting becomes more difficult, because multiple consoles are in use and correlating logging across enforcement points is complex. As the number of servers installed increases, so does your workload.

In fact, one of the major drawbacks of managing security is that as the number of products deployed increases, the overhead of trying to manage and monitor these devices also increases dramatically. How often do you look at the logs for your firewall, virus scanner, intrusion-detection system, and other security hardware and software? If you're like most overworked IT admins, the answer is "not often." Nearly all security packages can send alerts on events via e-mail, network broadcast or pager, but those alerts have to be configured in each product, and there is no way to create alerts based on complex sets of events.
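One way to close the gap just described (alerts configured per product, no correlation across enforcement points) is a small correlation layer that normalises each point's log into one event stream and applies a composite rule. This is an added example, not code from the article or from any vendor in it; the firewall, virus-scanner and proxy log lines are constructed, and the rule (an antivirus detection on a host plus a firewall drop or proxy denial for the same host within five minutes) is an assumption.

```python
"""Correlate events from several enforcement points into one composite alert."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs (no real product's format): each enforcement point
# logs differently, which is exactly the problem the article describes.
FIREWALL_LOG = [
    "2000-12-04 09:00:05 drop src=10.1.1.7 dst=203.0.113.9 service=tcp/6667",
    "2000-12-04 09:02:40 accept src=10.1.1.7 dst=198.51.100.4 service=tcp/80",
    "2000-12-04 09:03:00 drop src=10.1.1.7 dst=203.0.113.9 service=tcp/6667",
]
AV_LOG = ["2000-12-04T09:01:12 INFECTED host=10.1.1.7 file=setup.exe action=quarantine"]
PROXY_LOG = [
    "10.1.1.7 [04/Dec/2000:09:01:30] DENIED http://example.test/warez/",
    "10.1.1.9 [04/Dec/2000:09:01:45] ALLOWED http://example.test/news/",
]

# Each parser normalises one format into a (timestamp, host, source, event) tuple.
def parse_firewall(line):
    m = re.match(r"(\S+ \S+) (\w+) src=(\S+)", line)
    return datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[3], "firewall", m[2]

def parse_av(line):
    m = re.match(r"(\S+) (\w+) host=(\S+)", line)
    return datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%S"), m[3], "antivirus", m[2].lower()

def parse_proxy(line):
    m = re.match(r"(\S+) \[([^\]]+)\] (\w+)", line)
    return datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S"), m[1], "proxy", m[3].lower()

def normalise():
    """Merge all three logs into one time-ordered event stream."""
    events = [parse_firewall(l) for l in FIREWALL_LOG] + [parse_av(l) for l in AV_LOG]
    return sorted(events + [parse_proxy(l) for l in PROXY_LOG])

def correlate(events, window_minutes=5):
    """Composite rule: a host with an antivirus detection and, within the window,
    a firewall drop or proxy denial gets one alert naming every source that fired."""
    by_host = defaultdict(list)
    for ts, host, source, event in events:
        by_host[host].append((ts, source, event))
    alerts = []
    for host, evs in by_host.items():
        infections = [ts for ts, src, ev in evs if src == "antivirus" and ev == "infected"]
        blocks = [(ts, src) for ts, src, ev in evs if ev in ("drop", "denied")]
        for its in infections:
            hits = sorted({src for ts, src in blocks
                           if abs(ts - its) <= timedelta(minutes=window_minutes)})
            if hits:
                alerts.append((host, its, hits))
    return alerts
```

Running `correlate(normalise())` yields a single alert for 10.1.1.7 naming both the firewall and the proxy, while 10.1.1.9, which only produced an allowed proxy request, raises nothing.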