Finalists:
• RealSecure Desktop Protector 3.5, Internet Security Systems, (888) 901-7477, (404) 236-2600. www.iss.net

• Zone Labs Integrity 2.0, Zone Labs, (877) 876-4960, (415) 341-8200. www.zonelabs.com

SecureComputing's PremierAccess is a robust and simple-to-configure authentication system, offering broad support for back-end authentication, including Microsoft Windows NT/2000 directory support, NDS, RADIUS, its own SafeWord token and RSA SecureID. Client support covers all Windows platforms as well as Apple Mac OS X, Linux and Sun Microsystems Solaris in an easy-to-manage package. By assigning scores to authentication methods and setting the minimum score required to gain access to a protected resource, organizations can quickly integrate multiple authentication methods, such as passwords, tokens, biometrics and digital certificates, into robust policies. PremierAccess doesn't require that all authentication schemes be deployed at every authentication point, as long as there are sufficient methods for users to acquire an acceptable score, making policy deployment scalable.

Finalists:
• Entrust TruePass 6.0, Entrust, (888) 690-2424, (972) 713-5800. www.entrust.com

• Novell Modular Authentication Service 2.0 Enterprise Edition (NMAS), now shipping 2.1, Novell, (888) 321-4272, (801) 861-4272. www.novell.com

Combined, Okena StormWatch 3.0 and StormFront 2.0 provide some of the best protection and configuration features we've seen in this emerging market. Okena StormWatch, now Cisco Security Agent since Cisco Systems' acquisition of Okena last month, tracks an application's access to system resources, such as file, registry, network and COM components, and lets applications perform only authorized actions. And, unlike some rivals, Security Agent can protect any application.

Building policies to define all allowed activities can be a nightmare because applications can access hundreds or even thousands of system objects during run-time. But with Security Agent, the process is greatly simplified: Security Agent Profiler tracks an application's activity and creates a template showing the system access, relieving administrators of most data-gathering work. Once the policy is installed and running, Security Agent allows only authorized activities and logs all unauthorized access attempts. Factor in administrative audit trails and an easy-to-use interface, and Security Agent and Security Agent Profiler turn a very complex process into a walk in the park.

Finalists:
• eTrust Access Control 5.1, Computer Associates, (800) 225-5224, (631) 342-6000. www.ca.com

• STAT Neutralizer 1.2, now shipping 2.0, Harris Corp., (888-725) STAT, (321) 727-9100. www.STATonline.com

Although having a firewall is a no-brainer for most organizations, the most commonly deployed type of firewall may not provide the best protection. Stateful packet filters are good at blocking network-level attacks, but application proxies, like the Sidewinder G2, offer much more protection and, in 100-Mbps environments, doesn't degrade network performance significantly. Sporting robust application proxies for common protocols such as HTTP, SMTP and DNS--and some less common protocols, like H.323 and SQL*Net--Sidewinder blocks both network-level attacks and common application protocol-layer attacks.

Finalists:
• Check Point FireWall-1 Next Generation Feature Pack 3, Check Point Software Technologies, (800) 429-4391, (650) 628-2000. www.checkpoint.com

• Symantec Enterprise Firewall 7.0 with VPN, Symantec Corp., (800) 745-6054, (408) 517-8000. www.symantec.com

Sanctum AppShield 4.0 displays many of the characteristics that make Web application protection software worth its salt, including adaptability in Web environments and support for OWA (Outlook Web Access) and Microsoft FrontPage. Although not the most feature-rich Web application proxy we've seen, AppShield nevertheless blocks most common attacks out of the box--an important consideration given the complexity of configuration--and a few rules changes seal up the rest. AppShield can reduce your processing load by allowing some content to be marked as "always safe" based on file extension. Once configured, AppShield references rule violations to the rule manager, making troubleshooting a snap. In addition, the entire IP packet--not just HTTP headers--can be logged, providing an extremely useful tool for troubleshooting and analysis.

Finalists:
• InterDo 2.5, KaVaDo, (800) 239-3203, (212) 302-2400. www.kavado.com

• Teros-100 APS 1.7.1, now shipping 2.0, Teros, (408) 850-0800. www.teros.com

Once products or processes become commoditized, outsourcing can reduce both capital and management costs. VPN services are a prime example, and Fiberlink offers a flexible and cost-effective solution based on commercial off-the-shelf products, such as the Cisco VPN 3005 Concentrator. Fiberlink manages the configuration and policy changes required, while user authentication is back-ended to internal RADIUS or Microsoft Windows NT domains.

Fiberlink's top-tier service offering comes complete with Cisco SmartNet 24x7 service. Failed equipment is replaced within four hours, so downtime is limited. Although Fiberlink has only one NOC, it is fed by two points on an AT&T Sonet ring, and there is a third, to a Verizon Sonet connection. Moreover, in the event of a catastrophic network failure between the VPN gateways and the NOC, the Cisco VPN 3005 Concentrator will still operate normally.

Finalists:
• AT&T Managed VPN Tunneling Services, AT&T Corp., (800) ATT-3199. www.business.att.com

• Aventail.Net Managed Services, Aventail Corp., (877) AVENTAIL, (206) 215-1111. www.aventail.com

Everything is going GUI, so why should hardened Linux distributions be any different? Now security doesn't have to involve arcane CLI (command-line interface) incantations and xber-knowledge of shell commands, because Guardian Digital's EnGarde Secure Linux offers the best of both management worlds--a Web-based GUI for most common configurations and patching, and a command line for fine-tuning and special needs.

With support for such common services as FTP, HTTP, POP3 and SMB, EnGarde will fit right into most networks. In addition, patching is greatly simplified through the Guardian Digital Secure Network, which notifies administrators of new patches (typically issued very quickly after a new vulnerability affecting EnGarde is found), then downloads and installs them.

Finalists:
• Secure OS Software for Linux (discontinued in United States; available as HP Compartment Guard for Linux in Japan), Hewlett-Packard Co., (800) 633-3600. www.hp.com

• Immunix 7.0 OS, WireX, (866) GO-IMMUNIX, (503) 222-9660. www.wirex.com

IntruVert blasted onto the IDS scene in early 2002 with a purpose-built NIDS appliance that was a departure from traditional approaches. IntruVert learned from its predecessors' mistakes and developed second-generation IDS technology by using custom hardware, integrating signatures and anomaly models, and addressing many of the behind-the-scenes management headaches often faced by enterprises. The price tag is hefty and the jury is still out on whether the inline NIP space will hold water, but IntruShield, which does have inline NIP capabilities, beats the pants off of many traditional IDS solutions even in passive NIDS mode.

Finalist:
• Cisco IDS System 4250, Cisco Systems, (800) 553-6387. www.cisco.com

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at mfratto@nwc.com.

Post a comment or question on this story.