Award: Desktop Firewall
Winner: InfoExpress: CyberArmor Suite Enterprise Personal Firewall 1.1
Personal firewalls must provide both easy management and solid security. InfoExpress was the only personal firewall we tested that seemed truly ready for deployment on remote user machines. While other products relied on network settings, CyberArmor tracked individual users through a unique ID. This allowed a machine to send back status information whether it was on the Internet, LAN or VPN (virtual private network).
CyberArmor also was the only product that could adapt its policy file to the network environment. It can make distinctions between being on a VPN, an AOL dial-up account or a competitor's network. Administrators may want to have some ports open only when securely connected to the corporate network or to allow NetBIOS only on the LAN. CyberArmor protects the host machine in many ways. It supports inbound and outbound port filtering as well as application control. By using Perl-style regular expressions, programs can be blocked by name, file path or even by certain command-line arguments. It even supports blocking executables in e-mail programs, so .vbs files could be denied within Microsoft Outlook Express but allowed to run in Qualcomm Eudora.
Management capabilities include the ability to have redundant log and policy servers. Client nodes will choose one at random -- a primitive form of load balancing. Log file uploads and policy updates also can be configured to occur on "safe" connections such as VPN. And you can specify which violations will trigger alarms.
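As an added illustration (not CyberArmor's code or policy format), here is the policy model described above in Python: one rule set per network environment, with application control decided by regular expressions over program name, file path, command line and the launching program. The process names msimn.exe (Outlook Express) and eudora.exe, and the rule contents, are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class AppRule:
    # Patterns are Python regexes standing in for the Perl-style ones the text describes.
    name: str                 # matched (whole string) against the executable's file name
    path: str = r".*"         # searched in the full file path
    args: str = r".*"         # searched in the command line
    parent: str = r".*"       # matched (whole string) against the launching program
    action: str = "deny"      # "allow" or "deny"

@dataclass
class Policy:
    # rules[env] is consulted first, then rules["any"]; first match wins, default is deny.
    rules: dict = field(default_factory=dict)

    def decide(self, env, exe_name, exe_path, cmdline, parent):
        for r in self.rules.get(env, []) + self.rules.get("any", []):
            if (re.fullmatch(r.name, exe_name, re.I)
                    and re.search(r.path, exe_path, re.I)
                    and re.search(r.args, cmdline, re.I)
                    and re.fullmatch(r.parent, parent, re.I)):
                return r.action
        return "deny"   # nothing matched: least privilege

# Constructed policy: .vbs scripts are denied when Outlook Express (msimn.exe, assumed
# process name) launches them but allowed from Eudora; net.exe is allowed only on the
# LAN or over the VPN, never on a dial-up connection.
POLICY = Policy(rules={
    "any": [
        AppRule(name=r"[cw]script\.exe", args=r".*\.vbs\b.*", parent=r"msimn\.exe", action="deny"),
        AppRule(name=r"[cw]script\.exe", args=r".*\.vbs\b.*", parent=r"eudora\.exe", action="allow"),
        AppRule(name=r"(iexplore|eudora|msimn)\.exe", action="allow"),
    ],
    "lan": [AppRule(name=r"net\.exe", action="allow")],
    "vpn": [AppRule(name=r"net\.exe", action="allow")],
})

if __name__ == "__main__":
    wsh = r"C:\Windows\System32\wscript.exe"
    print(POLICY.decide("lan", "wscript.exe", wsh, r"wscript.exe C:\tmp\attach.vbs", "msimn.exe"))
    print(POLICY.decide("dialup", "net.exe", r"C:\Windows\System32\net.exe", "net use", "cmd.exe"))
```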
Winner:
Authority 5.1, Entrust Technologies, (888) 690-2424, (408) 222-7800
www.entrust.com
Finalists:
UniCERT 3.5, Baltimore Technologies, (877) 228-9754, (781) 455-3333
www.baltimore.com
Xcert Sentry CA 4.5, now known as RSA Keon Sentry, RSA Security, (877) RSA 4900, (781) 301-5000
www.rsasecurity.com
Award: PKI System
Winner: Entrust Technologies: Authority 5.1
Management features and modular services are the hallmark of a great PKI (public key infrastructure) system, and Entrust has them in spades. PKI scalability isn't just about certificate processing; it's about management scalability. All CAs (Certificate Authorities) today offer a modular architecture, so the certificate-processing load can be distributed for performance and security reasons. Managing thousands or hundreds of thousands of objects, however, is another matter. Entrust 5.1 employs the TCL scripting language, so administrators can import, add, delete, move and modify large numbers of certificates and users in bulk -- all without disrupting the CA's operation.
Entrust 5.1 also provides highly scalable management tools for architecting and managing the CA. By default, Entrust defines a number of roles aimed at common administration tasks. The real power, however, comes when you need to tailor new roles to your organization. Creating a new role is as simple as adding tasks to a template. Prior to instantiating the new role, however, Entrust performs a dependency check on the new role to ensure that all access privileges are properly assigned. Further customization is done through a text file that simultaneously defines the attributes held in a certificate. It's used to create the additional input forms in the user interface.
Building a CA without an application is like building a bridge to nowhere. Entrust keeps building relationships and certifying applications with such vendors as PeopleSoft, SAP and Check Point Software Technologies. These features earn Entrust our Well-Connected Award.
Award: Enterprise Firewall System
Winner: Nokia: Nokia IP 650
Combine award-winning Firewall-1 from Check Point Software Technologies with a solid network appliance and you get the Nokia IP 650. Easy to install and, more important, easy to restore after a failure, the IP 650 is Nokia's high-end firewall appliance. This device ships with Nokia's prepatched and preinstalled IPSO operating system. All you have to do is install the Firewall-1 license and cable it up to the network. The rest of the server management is handled through the Network Voyager GUI.
Since IPSO is a Unix-derived OS, the IP 650 has some outstanding integration features, such as support for high availability via VRRP (Virtual Router Redundancy Protocol) as well as more mundane routing protocols including RIP (Routing Information Protocol), OSPF, BGP and IGRP (Interior Gateway Routing Protocol). These protocols allow the IP 650 to integrate seamlessly into almost any architecture. The 2U IP 650 takes up little rack space and supports dual power supplies, hot-swappable hard drives and a range of interface cards from V.35 interconnects to token ring, ATM, and Ethernet/Fast Ethernet.
With Check Point's large deployment base, adding security to remote sites and integrating with existing Firewall-1 installations should be a breeze. The IP 650 simply becomes another enforcement point. Nokia doesn't simply ship the latest Firewall-1 code; the company's engineers first test and tune it, so you will always be somewhat behind the current release. That diligence, however, has shielded customers from issues that sometimes arise in newly released versions.
Award: Enterprise Security Framework
Winner: Check Point Software Technologies: OPSEC
Everyone wants manageable security. But with today's varying threats, putting up a firewall or a virus scanner is not enough. The volume of information and the complexity of applying a security policy efficiently is enough to swamp any administrator. Security frameworks aim to pull together pieces of the security puzzle into a cohesive, manageable whole. Check Point Software Technologies' OPSEC (Open Platform for Security) does just that.
With more than 200 certified partners, the OPSEC program integrates a wide variety of third-party applications into a cohesive system. OPSEC isn't perfect, but it goes a long way toward providing a complete security framework. Other vendors, such as Computer Associates International, Network Associates and IBM Corp., have security frameworks, but that often means a limited choice of applications.
Application integration is implemented through published APIs available on the OPSEC Web site. The APIs are built to specific integration points, such as content scanning, sending or receiving events, and management applications. While the APIs are free, becoming OPSEC-certified requires vendors to submit products to Check Point, which examines the product top to bottom -- including documentation. You can rest assured that the certified products will integrate with the Check Point product line.
Award: Vulnerability Assessment Tool
Winner: The Nessus Project: Nessus 1.0.5
After enduring accusations of bias toward open-source solutions, public challenges and vendor claims that testing was flawed in our January review of vulnerability assessment tools, we stand by our editors' choice. Nessus, the open-source vulnerability assessment scanner written by Renaud Deraison, wins this year's Well-Connected Award. Why? Because it works. It doesn't crash; it doesn't have an unusable interface; it doesn't hide vulnerability checks under the denial-of-service section; and it's being worked on actively by the security community at large.
Nessus is not without its faults though, and products from Symantec/Axent, ISS and NAI all have varying degrees of strength. The vulnerability assessment product space as a whole, however, still has much maturing to do. Based on our testing, Nessus consistently identified some of the most critical vulnerabilities in existence today. If Nessus' reporting, scope of vulnerability checks and efficiency are improved, it might be the end-all scanner. For now, it's better than most.
Award: SSL Accelerator
Winner: iVEA Technologies, A Rainbow Technologies Company: CryptoSwift 600 eCommerce Accelerator
It's not surprising that as e-commerce has grown, the need to accelerate SSL (Secure Sockets Layer) traffic -- the industry-standard protocol for securing e-commerce transactions -- also has grown by leaps and bounds. While plenty of new players joined the market, iVEA Technologies (a Rainbow Technologies company) continues to provide leadership for this still-maturing space through the evolution of its CryptoSwift 600 eCommerce Accelerator.
By performing more RSA key negotiations per second every year, the CryptoSwift continues to raise the bar on acceptable SSL performance. CryptoSwift is the choice of the financial and banking industry, and it has become the SSL acceleration services provider for vendors introducing appliance-based SSL accelerators because of its high performance and ease of integration with disparate operating environments. Look under the hood of most SSL acceleration devices, and you'll find at least one of iVEA Technologies' accelerator cards snuggled securely inside.
For its leadership in the continuing evolution of SSL accelerator products and impact on the industry as a whole, this year's Well-Connected Award goes to iVEA's CryptoSwift 600 eCommerce Accelerator.
Winner:
Cisco Enterprise VPN Solution: Cisco VPN 3060 Concentrator, Cisco 7140 Router, Cisco 1750 Router, Cisco Systems, (800) 553-6387
www.cisco.com
Finalists:
Lucent Technologies VPN Firewall Brick 201 and Firewall Brick 80, Lucent Technologies, (908) 582-8500
www.lucent.com
VPNet Technologies VSU-100; VSU-1200, now shipping as VSU-7500, VPNet Technologies, (888) VPNET-88, (408) 404-1400
www.vpn.com
Award: Enterprise VPN Solution
Winner: Cisco Systems: Cisco Enterprise VPN Solution, including Cisco VPN 3060 Concentrator, Cisco 7140 Router and Cisco 1750 Router
Enterprise VPNs (virtual private networks) should be commodity items. VPNs are the pipes that connect remote offices and remote users to the corporate network and to other remote offices -- in other words, the plumbing. And like plumbing, you need the right hardware for the right job; otherwise, you're throwing good money down the drain. The breadth of VPN offerings from Cisco Systems has the features that will fit into almost any network, from physical connectivity to network routing and high availability. With the inclusion of native VPN capabilities in IOS, you can secure nearly all your intranetwork traffic without much pain in the upgrade path.
For high-volume VPN traffic, you might start with a central-site, hub-and-spoke VPN. For such an arrangement, you'll want to stick with dedicated VPN hardware, which means the 7140. The 7140 is a standard router optimized for VPN via hardware acceleration. The smaller 1750 router serves the small office with WAN, ISDN, Ethernet/Fast Ethernet, voice and asynchronous cards, plus optional VPN acceleration cards. Both the 7140 and 1750 routers can be identically configured and integrated into CSPM (Cisco Secure Policy Manager) and CiscoWorks 2000. The Cisco 3060 supports remote users and comes with fully configured hardware. Cisco claims the 3060 can handle 5,000 concurrent users.