Ever-Present Security Concerns Spur Market Growth

IDC predicts security spending will grow from $66 billion in 2001 to $155 billion in 2006. If you're going to be putting out that kind of money, you'll want

April 28, 2003


Application firewalls can raise the network protection bar, too, though you'll pay a price in performance because of the extra processing required to delve deeper into the application protocol. We have found, however, that many application proxies can break the 100-Mbps barrier, making them suitable for internal firewalls in addition to their conventional placement at the perimeter, with minimal degradation.

• Endpoint protection: Much attention has been focused on pushing protection not just to the edge but inward, toward internal resources, and rightly so (see "Secure to the Core," at www.nwc.com/1401/ 1401f1.html). Guarding typical ingress and egress points is not enough. You need to deploy protection where the vulnerabilities reside--on the host. HIP (host intrusion prevention) is one way to ensure that applications access only those host resources that are required; they do this by capturing requests or modifying system calls for resources, such as files and network access. Because many attacks force an application to access unnecessary services, HIP products are well-situated to block attacks against the operating system--if the requesting application is denied access to resources at the kernel, attacks against the operating system are stopped in their tracks.

Finally, application-level attacks, such as those targeting Web applications, can be stymied by protocol-specific products, and desktop firewalls add a layer of protection by inspecting all the data that enters or leaves the machine and regulating network access for PCs and applications. Mobile users are particularly prime candidates for this type of protection; while desktop firewalls are not foolproof, they do block inbound network access and can regulate which applications have outbound access, further challenging potential attackers.

Desktop Firewall | Authentication Systems | Host Intrusion Prevention System | Application Firewalls | Web Site Application Security System | Managed VPN Service | Hardened Linux | Intrusion Detection System



Desktop Firewall

Winner: Sygate Secure Enterprise 3.0, Sygate Technologies, (866) 308-8899, (510) 742-2600. www.sygate.com/default.htm

Sygate Secure Enterprise suite offers the best blend of protection, management and integration with existing security systems. It can block traditional TCP/UDP ports and control and verify the integrity of applications and components, such as DLLs. The software lets you create multiple security profiles based on a user's location. Many enterprises will appreciate being able to create different settings for VPN connections from those for machines just sitting on the Internet. Add the ability to create multiple administrators plus support for user groupings and inherited hierarchical security policies, and this product stands out from the pack.

Finalists:
• RealSecure Desktop Protector 3.5, Internet Security Systems, (888) 901-7477, (404) 236-2600. www.iss.net

• Zone Labs Integrity 2.0, Zone Labs, (877) 876-4960, (415) 341-8200. www.zonelabs.com



Authentication Systems

Winner: SafeWord PremierAccess 3.1, Secure Computing Corp., (800) 692-5625, (408) 979-6100. www.securecomputing.com

Secure Computing's PremierAccess is a robust and simple-to-configure authentication system, offering broad support for back-end authentication, including Microsoft Windows NT/2000 directory support, NDS, RADIUS, its own SafeWord token and RSA SecurID. Client support covers all Windows platforms as well as Apple Mac OS X, Linux and Sun Microsystems Solaris in an easy-to-manage package. By assigning scores to authentication methods and setting the minimum score required to gain access to a protected resource, organizations can quickly integrate multiple authentication methods, such as passwords, tokens, biometrics and digital certificates, into robust policies. PremierAccess doesn't require that all authentication schemes be deployed at every authentication point, as long as there are sufficient methods for users to acquire an acceptable score, making policy deployment scalable.
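The score-based policy model described above, as an added example (not Secure Computing's code): each method earns points, each resource sets a minimum, and an access point is usable for a resource only if some combination of the methods deployed there reaches that minimum. The method scores, resource thresholds and deployments are constructed values.

```python
"""Score-based authentication policy evaluator (constructed example)."""
from itertools import combinations

# Constructed scores: stronger methods earn more points.
METHOD_SCORES = {
    "password": 10,
    "token": 30,
    "certificate": 40,
    "biometric": 50,
}

# Constructed per-resource minimum scores.
RESOURCE_MIN_SCORE = {
    "intranet": 10,
    "payroll": 40,
    "hr-admin": 60,
}


def score(methods):
    """Sum the scores of the distinct methods a user completed successfully.
    Repeating the same method earns nothing extra; unknown methods score 0."""
    return sum(METHOD_SCORES.get(m, 0) for m in set(methods))


def is_authorized(resource, methods):
    """True when the completed methods reach the resource's minimum score."""
    return score(methods) >= RESOURCE_MIN_SCORE[resource]


def satisfying_combinations(resource, deployed):
    """Every combination of the methods deployed at one access point that
    meets the resource's threshold, smallest combinations first. An empty
    result means this access point cannot protect the resource at all, so
    the deployment (not the user) is what needs fixing."""
    deployed = sorted(set(deployed))
    result = []
    for n in range(1, len(deployed) + 1):
        for combo in combinations(deployed, n):
            if is_authorized(resource, combo):
                result.append(combo)
    return result
```

Running satisfying_combinations for each resource against each access point's deployed methods is a quick pre-deployment check that no resource is left unreachable by policy.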

Finalists:
• Entrust TruePass 6.0, Entrust, (888) 690-2424, (972) 713-5800. www.entrust.com

• Novell Modular Authentication Service 2.0 Enterprise Edition (NMAS), now shipping 2.1, Novell, (888) 321-4272, (801) 861-4272. www.novell.com



Host Intrusion Prevention System

Winner: Cisco Security Agent, formerly Okena StormWatch 3.0; Cisco Security Agent Profiler, formerly Okena StormFront 2.0, Cisco Systems, (800) 553-6387, (781) 209-3200. www.cisco.com

Combined, Okena StormWatch 3.0 and StormFront 2.0 provide some of the best protection and configuration features we've seen in this emerging market. Okena StormWatch, now Cisco Security Agent since Cisco Systems' acquisition of Okena last month, tracks an application's access to system resources, such as file, registry, network and COM components, and lets applications perform only authorized actions. And, unlike some rivals, Security Agent can protect any application.

Building policies to define all allowed activities can be a nightmare because applications can access hundreds or even thousands of system objects during run-time. But with Security Agent, the process is greatly simplified: Security Agent Profiler tracks an application's activity and creates a template showing the system access, relieving administrators of most data-gathering work. Once the policy is installed and running, Security Agent allows only authorized activities and logs all unauthorized access attempts. Factor in administrative audit trails and an easy-to-use interface, and Security Agent and Security Agent Profiler turn a very complex process into a walk in the park.
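The profile-then-enforce workflow described here and in the endpoint-protection discussion above, as an added example (not Cisco's or Okena's code): a learning pass collapses observed activity into a per-application template, and an enforcement pass permits only what the template authorizes and records everything else. The event trace and its tuple format are constructed.

```python
"""Profile-then-enforce host intrusion prevention (constructed example)."""
from collections import defaultdict

# Constructed learning-mode trace: (application, resource class, resource, action).
PROFILE_TRACE = [
    ("httpd", "file", "/var/www/index.html", "read"),
    ("httpd", "file", "/var/log/httpd/access.log", "write"),
    ("httpd", "network", "tcp:80", "listen"),
    ("httpd", "file", "/var/www/index.html", "read"),  # repeats collapse
]


def build_profile(trace):
    """Learning mode: reduce observed activity to a template of allowed
    (resource class, resource, action) tuples per application."""
    profile = defaultdict(set)
    for app, rclass, resource, action in trace:
        profile[app].add((rclass, resource, action))
    return dict(profile)


def enforce(profile, events):
    """Enforcement mode: allow only template activity. Returns the denied
    events, each annotated with the reason, as the audit trail would."""
    denied = []
    for app, rclass, resource, action in events:
        allowed = profile.get(app)
        if allowed is None:
            denied.append((app, rclass, resource, action, "unprofiled application"))
        elif (rclass, resource, action) not in allowed:
            denied.append((app, rclass, resource, action, "not in template"))
    return denied


# Constructed runtime events: normal serving plus activity outside the
# profile (reading a credential file, launching a process, a new outbound
# connection) and an application that was never profiled at all.
RUNTIME_EVENTS = [
    ("httpd", "file", "/var/www/index.html", "read"),
    ("httpd", "file", "/etc/shadow", "read"),
    ("httpd", "process", "/bin/sh", "execute"),
    ("httpd", "network", "tcp:4444", "connect"),
    ("sshd", "network", "tcp:22", "listen"),
]
```

The template contains only what the profiler saw, so the learning run must exercise every legitimate path (log rotation, scheduled jobs, error handling) or enforcement will deny normal behaviour; review the denied list in a monitor-only period before switching to blocking.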

Finalists:

• eTrust Access Control 5.1, Computer Associates, (800) 225-5224, (631) 342-6000. www.ca.com

• STAT Neutralizer 1.2, now shipping 2.0, Harris Corp., (888) 725-STAT, (321) 727-9100. www.STATonline.com



Application Firewalls

Winner: SecureComputing Sidewinder G2, Secure Computing Corp., (800) 692-5625, (408) 979-6100. www.securecomputing.com

Although having a firewall is a no-brainer for most organizations, the most commonly deployed type of firewall may not provide the best protection. Stateful packet filters are good at blocking network-level attacks, but application proxies, like the Sidewinder G2, offer much more protection and, in 100-Mbps environments, don't degrade network performance significantly. Sporting robust application proxies for common protocols such as HTTP, SMTP and DNS--and some less common protocols, like H.323 and SQL*Net--Sidewinder blocks both network-level attacks and common application protocol-layer attacks.

Finalists:
• Check Point FireWall-1 Next Generation Feature Pack 3, Check Point Software Technologies, (800) 429-4391, (650) 628-2000. www.checkpoint.com

• Symantec Enterprise Firewall 7.0 with VPN, Symantec Corp., (800) 745-6054, (408) 517-8000. www.symantec.com



Web Site Application Security System

Winner: AppShield 4.0, Sanctum, (877) 888-3970, (408) 352-2000, www.sanctuminc.com

Sanctum AppShield 4.0 displays many of the characteristics that make Web application protection software worth its salt, including adaptability in Web environments and support for OWA (Outlook Web Access) and Microsoft FrontPage. Although not the most feature-rich Web application proxy we've seen, AppShield nevertheless blocks most common attacks out of the box--an important consideration given the complexity of configuration--and a few rules changes seal up the rest. AppShield can reduce your processing load by allowing some content to be marked as "always safe" based on file extension. Once configured, AppShield references rule violations to the rule manager, making troubleshooting a snap. In addition, the entire IP packet--not just HTTP headers--can be logged, providing an extremely useful tool for troubleshooting and analysis.

Finalists:
• InterDo 2.5, KaVaDo, (800) 239-3203, (212) 302-2400. www.kavado.com

• Teros-100 APS 1.7.1, now shipping 2.0, Teros, (408) 850-0800. www.teros.com



Managed VPN Service

Winner: Fiberlink Global Remote, Fiberlink Communications Corp., (800) LINK-NOW, (215) 793-6500. www.fiberlink.com

Once products or processes become commoditized, outsourcing can reduce both capital and management costs. VPN services are a prime example, and Fiberlink offers a flexible and cost-effective solution based on commercial off-the-shelf products, such as the Cisco VPN 3005 Concentrator. Fiberlink manages the configuration and policy changes required, while user authentication is back-ended to internal RADIUS or Microsoft Windows NT domains.

Fiberlink's top-tier service offering comes complete with Cisco SmartNet 24x7 service. Failed equipment is replaced within four hours, so downtime is limited. Although Fiberlink has only one NOC, it is fed by two points on an AT&T Sonet ring, and there is a third, to a Verizon Sonet connection. Moreover, in the event of a catastrophic network failure between the VPN gateways and the NOC, the Cisco VPN 3005 Concentrator will still operate normally.

Finalists:
• AT&T Managed VPN Tunneling Services, AT&T Corp., (800) ATT-3199. www.business.att.com

• Aventail.Net Managed Services, Aventail Corp., (877) AVENTAIL, (206) 215-1111.

www.aventail.com

Hardened Linux

Winner: EnGarde Secure Linux, Guardian Digital, (866) GD-LINUX, (201) 934-9230. www.guardiandigital.com

Everything is going GUI, so why should hardened Linux distributions be any different? Now security doesn't have to involve arcane CLI (command-line interface) incantations and über-knowledge of shell commands, because Guardian Digital's EnGarde Secure Linux offers the best of both management worlds--a Web-based GUI for most common configurations and patching, and a command line for fine-tuning and special needs.

With support for such common services as FTP, HTTP, POP3 and SMB, EnGarde will fit right into most networks. In addition, patching is greatly simplified through the Guardian Digital Secure Network, which notifies administrators of new patches (typically issued very quickly after a new vulnerability affecting EnGarde is found), then downloads and installs them.

Finalists:
• Secure OS Software for Linux (discontinued in United States; available as HP Compartment Guard for Linux in Japan), Hewlett-Packard Co., (800) 633-3600. www.hp.com

• Immunix 7.0 OS, WireX, (866) GO-IMMUNIX, (503) 222-9660. www.wirex.com



Intrusion Detection System

Winner: IntruShield 4000 and Security Management System, IntruVert Networks, (408) 434-8300. www.intruvert.com

IntruVert blasted onto the IDS scene in early 2002 with a purpose-built NIDS appliance that was a departure from traditional approaches. IntruVert learned from its predecessors' mistakes and developed second-generation IDS technology by using custom hardware, integrating signatures and anomaly models, and addressing many of the behind-the-scenes management headaches often faced by enterprises. The price tag is hefty and the jury is still out on whether the inline NIP space will hold water, but IntruShield, which does have inline NIP capabilities, beats the pants off of many traditional IDS solutions even in passive NIDS mode.

Finalist:
• Cisco IDS System 4250, Cisco Systems, (800) 553-6387. www.cisco.com

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at [email protected].


Product of the Year

Winner: SecureLogix Enterprise Telephony Management System 3.0, now shipping 4.0, SecureLogix Corp., (800) 817-4837. www.securelogix.com

Traditional thinking in network access focuses on data pipes, but as voice equipment becomes network attached, another, often neglected, point of access opens up. SecureLogix's ETM platform protects the PBX. This well-designed, well-targeted product can detect voice, modem, fax or STU-encrypted inbound and outbound calls dynamically and apply policies to each, giving you unprecedented control over how your telecommunication system is used. Limiting modem calls to a few authorized lines that support your dial-pool means you don't have to worry about users putting modems on desktop computers, thus removing wide-open back doors. The ETM platform installs transparently in front of the PBX, which allows your telecom administrators to control the PBX while security administrators enforce security policy, eliminating political tensions.