March 2002
Solutions
Products & services to secure your enterprise
DMZ/Shield v3.5
Recent experience has shown that firewalls and IDSes can't offer Web servers
enough protection against rapidly spreading worms, such as Code Red and Nimda.
While these defenses are still necessary for network-level protection, more
protection is needed on the application level.
Enter Ubizen, the Virginia-based MSSP, which recently released DMZ/Shield, an
application-level security solution that's designed to complement traditional
Web server defenses. "If you can't keep up with constant patching, you need an
application-level shield that will block attacks before they get into your
servers," says Ubizen product manager Gregg LaRoche.
DMZ/Shield is placed on a hardened OS that has been stripped of any
functionality that could be exploited for an attack. It sits in the DMZ and acts
like a reverse proxy to an organization's back-end Web server. Sensitive Web
server data is pulled out of the DMZ and put back in a network's trusted
zone.
DMZ/Shield intercepts all incoming HTTP requests, analyzes them and passes
only legitimate packets. To ensure that it doesn't block legitimate requests, it
performs a two-level check. The company calls the first level a sanity check,
which examines the specific look and feel of the request and compares it to how
an HTTP request should be formed. It blocks anything that doesn't look right.
Ubizen claims that the first-level check will block 70 percent of attacks.
The second level is a policy check, which compares HTTP requests against
predefined security policies. To create a policy file, an admin looks at an
application and determines everything that should be requested. If a request
deviates from the DMZ/Shield policy, it isn't allowed through. Obviously, the
more tightly a policy is defined, the stronger the security posture. LaRoche
notes that admins still need to stay on top of any changes made to their Web
sites, as they may impact policy.
Pricing varies, depending on the number of Web servers. The entry price for
one Web server is $5,000, with volume discounts available.
--Christine St. Pierre
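The two-level check described in the DMZ/Shield review above, sketched as an added example (not Ubizen's code and not part of the original article). The policy entries, the length limit and all function names are assumptions chosen for illustration; the point is that a request must first be well-formed and must then match an explicit allowlist, and everything else is blocked.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical policy file: every (method, path) the application serves, with
# a pattern for each query parameter it accepts. Anything not listed is denied.
POLICY = {
    ("GET", "/"): {},
    ("GET", "/catalog/item"): {"id": re.compile(r"\d{1,8}")},
    ("POST", "/login"): {},
}

REQUEST_LINE = re.compile(r"([A-Z]{3,10}) (/[\x21-\x7e]*) HTTP/1\.[01]")
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by 2 hex digits
MAX_TARGET = 2048                                # assumed limit on target length

def sanity_check(request_line):
    """Level 1: is this shaped the way an HTTP request should be formed?"""
    m = REQUEST_LINE.fullmatch(request_line)
    if not m:
        return None, "malformed request line"
    method, target = m.groups()
    if len(target) > MAX_TARGET:
        return None, "request target too long"
    if BAD_ESCAPE.search(target):
        return None, "invalid percent-escape"
    return (method, target), "ok"

def policy_check(method, target):
    """Level 2: is this a request the application is expected to receive?"""
    # The path is compared literally (no decoding), so encoded or dotted
    # variants of an allowed path fail closed.
    path, _, query = target.partition("?")
    allowed = POLICY.get((method, path))
    if allowed is None:
        return "not in policy"
    for name, value in parse_qsl(query, keep_blank_values=True):
        pattern = allowed.get(name)
        if pattern is None or not pattern.fullmatch(value):
            return f"parameter {name!r} not in policy"
    return "ok"

def filter_request(request_line):
    """Run both levels; pass the request only if both accept it."""
    parsed, reason = sanity_check(request_line)
    if parsed is None:
        return ("BLOCK", "sanity: " + reason)
    reason = policy_check(*parsed)
    return ("PASS", "ok") if reason == "ok" else ("BLOCK", "policy: " + reason)
```

A new page or parameter on the site is blocked until it is added to POLICY, which is why the policy has to track changes to the Web site.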
Norton AntiVirus 2002 Professional Edition
Symantec
www.symantecstore.com
Price: $69.95
Symantec is making it even easier to keep PCs and PDAs safe from malicious
code, and without interrupting users' productivity. Norton AntiVirus 2002
Professional Edition, compatible with the latest Palm and Windows OSes, detects
and removes viruses without user intervention, and automatically updates virus
definitions when the user connects to the Web. New features include script
blocking, which detects script-based threats (e.g., LoveLetter, Anna Kournikova
viruses) and, according to the company, blocks those types of threats even
before new virus definitions are available. It scans and cleans outgoing e-mail
messages to prevent sending infected files, and offers a "Scan and Deliver"
wizard that sends infected files to Symantec Security Response experts for
analysis.
Sygate Secure Enterprise v2.2
Sygate Technologies
www.sygate.com
Price: Contact vendor
Sygate Secure Enterprise (SSE) was designed to secure an organization's
internal and roving workforce with application-aware firewalling and intrusion
detection. Version 2.2 (with 3.0 due out soon) automates corporate security
policy enforcement by linking users, devices and applications to a trusted
network. Sygate Secure Enterprise automates the process of learning application,
user and network behavior, and then creates a policy based on that knowledge. It
enforces the policy when devices connect to the enterprise network through
access points, such as wireless devices, VPNs and RAS. Admins deploy, manage,
monitor and enforce security policies at the host level.
The architecture includes three main components: Sygate Management Server,
Sygate Enforcers (VPN, wireless, RAS) and Sygate Security Agents. The Management
Server manages user and computer group structures, defines and deploys policies,
monitors all security agents and exchanges information with other management
servers. Sygate Enforcers are network gateway devices that sit behind access
points to the enterprise network. And Sygate Security Agents are installed on
all network-enabled host devices to provide host-based security and communicate
information to Sygate Management Server and Enforcers. The Sygate Enforcers
block wireless access to the corporate network if the security agent engine is
inactive, missing, not updated or tampered with.
Privacy Suite
Privacy Council
www.privacycouncil.com
Price: Contact vendor
Privacy Council, a Texas-based company that assists companies with complex
privacy issues, recently unveiled a suite of products to help organizations meet
regulatory deadlines, such as those imposed by HIPAA and GLBA. Aimed at small-
to medium-sized companies, the suite is designed to help businesses become more
knowledgeable about privacy issues, comply with changing privacy laws and help
with policy documentation. The suite consists of four products: Privacy Survival
Kit offers reports and proprietary tools, and covers HIPAA, GLBA and Safe
Harbor; Privacy Scan examines a Web site to inventory cookies and compare cookie
behavior to the privacy policy; P3P Privacy Compliance Program scans for hidden
cookies and other problems, and reconciles to the company's policy; and the
Privacy Watch service, a group of privacy experts that guides companies through
a seven-step process of assessments, action items and ongoing monitoring.
DDI Frontline 2.0
Digital Defense
www.digitaldefense.net
Price: Starts at $500/month
Sometimes you need an outsider to tell you what's wrong with your systems.
And it's better to have a scheduled vulnerability assessment, rather than get a
call in the middle of the night telling you a hacker got in. As part of its
vulnerability assessment and penetration test offerings, Digital Defense offers
DDI Frontline, now in version 2.0--a network service that provides internal and
external views of a company's networks. Rather than just noting where a problem
exists, DDI Frontline lets admins know what the problem is, identifies security
weaknesses, determines the proper fix and then reevaluates the system's security
posture. DDI Frontline also provides customizable graphical reports--ideal for
nonsecurity executives--for a clear view of the organization's security.
Astaro Security Linux
Astaro
www.astaro.com
Price: Contact vendor
Astaro Security Linux was "targeted so that a relatively straightforward box
can be a well-performing security solution."
Astaro had a few requirements when it set out to develop a firewall and VPN
product: it had to be an all-in-one, software-only solution; it had to integrate
various key components of an organization's security solution (e.g., firewall,
VPN, virus detection); it had to be simple to install; and, most
importantly, it had to be easy to use. The result: Astaro Security Linux.
Astaro is marketing its product as a Swiss Army knife approach to security.
It not only offers firewall and VPN security, but stateful packet traffic
inspection filters, e-mail virus deletion, user authentication and content
filtering. According to Steven Schlesinger, the company's U.S.-based managing
director, Astaro Security Linux was "targeted so that a relatively
straightforward box can be a well-performing security solution. You don't need
to buy a $5,000 box to run Astaro." In fact, some users even use an old Intel
box with as low as a 300 to 400 MHz Pentium processor.
And even though it has the word Linux in its name, don't let that confuse
you. While the solution is running on a hardened version of Linux, Astaro (the
company) has taken the standard Linux OS and hardened it by pulling out
unnecessary pieces that could affect security--so it's not important that it's
running on Linux. Schlesinger notes that Astaro Security Linux protects any
network, no matter what the internal network is (e.g., Microsoft, NetWare,
etc.). And the security admins working with it don't need to have Linux
expertise.
Astaro Security Linux offers standard firewalling, including stateful packet
inspection and NAT. It can support up to 25 Ethernet interfaces. For large
organizations, the firewall can be segregated by department, and different rules
can be created for individual groups.
Mainly directed at medium- to large-sized enterprises with 100 to 1,500
users, the product's VPN offering is attractive with support for
branch-to-branch IPSec-secured VPN tunneling, as well as road warrior-to-branch
connections using Microsoft's PPTP client. For the VPN, Astaro Security Linux
utilizes Diffie-Hellman and TripleDES.
With version 3.0 released this month, Astaro kept the same basics, but added
a few key elements, including bandwidth management, high availability and load
balancing. With bandwidth management (or quality of service), Astaro Security
Linux can prioritize traffic, either by protocol or IP address. Admins can
decide if the company's HTTP traffic is more important than, say, SMTP traffic.
The HA feature creates a hot standby with a master-slave configuration--if the
master goes down, the slave unit takes over with minimal downtime (three to five
seconds, the company reports). And the load-balancing aspect is ideal for those
organizations with multiple Web servers. Admins are able to load balance in a
round-robin fashion, configuring which servers traffic gets routed to.
Astaro Security Linux offers additional features as well, such as banner ad
blocking, inbound and outbound e-mail virus protection, remote management and
monitoring and automatic virus updates--all too lengthy to describe in this
review. The software is offered free for a 30-day trial period; licensing prices
vary. A test drive of a solution that bundles many of your security components
into one may be worth your time.
--Christine St. Pierre
GetAccess v4.6
Updated authorization software.
Entrust
www.entrust.com
Price: $8/user for 25,000 users
Most of us have way too many passwords to remember--for work and for play.
While a single sign-on (SSO) solution sounds ideal for many organizations,
implementing one can be tricky. You want to make sure that employees have access
only to the applications and servers that they absolutely need.
Entrust, a developer of Internet security and PKI software, recently released
GetAccess v4.6, an access control solution that provides identification and Web
SSO. This latest version incorporates several improvements, including support
for wireless devices, enhanced customization capabilities, delegated
administration and performance improvement (more than 400 percent since the last
release, according to the company).
To use the product, a full GetAccess server infrastructure is deployed on an
organization's Web server using a runtime plug-in. When a user attempts to log
on to his PC, he's prompted to use a previously designated authentication
option. (Out of the box, GetAccess supports seven authentication mechanisms,
including passwords, smart cards, tokens and certificates.) The GetAccess
infrastructure will authenticate the user and issue him a set of secure
credentials, which he can use to transparently access various back-end
applications.
With GetAccess 4.6, Entrust has attempted to ease the administration of user
entitlements.
For instance, an admin can designate, say, the finance department manager to
act as a super-user, which allows that manager to alter authorization privileges
for users in the finance group. While some companies may not need to have
different super-users--since one admin can control access for the entire
company--larger organizations will find this feature useful, particularly
companies with lots of remote users. If offices are spread throughout the
country or overseas, GetAccess gives them an option to have one local manager
handling user rights. However, smaller organizations that don't require such
functionality should delegate super-users with care, ensuring that too much
administrative control isn't decentralized.
The newest version offers expanded platform support, including all major Web
servers and applications. Version 4.6 also offers proxy server support. This
architecture option allows GetAccess to be placed in front of an organization's
Web infrastructure, even if they're using lesser-known Web servers, making it
independent of the back-end systems. For customers that fall outside of the
covered platforms, the proxy server sits in front of Web servers and completes
the sign-on and entitlements.
Base pricing for 25,000 users runs $8 per user, and includes the GetAccess
Server.
--Christine St. Pierre
Recent Releases
ACCESS CONTROL
Key-Secur and Robo-Secur
Absolutech Engineering Corp.
www.absolutech.com
Price: Contact vendor
An access control system that uses biometrics, wireless and networking
capabilities to secure and monitor objects.
Wipro Websecure 3.0
Wipro Technologies
www.wipro.com
Price: Contact vendor
An application security product that manages users across multiple
applications without them having to continually log in.
ANTIVIRUS
Vexira Antivirus for Windows
Central Command
www.centralcommand.com
Price: Starts at $49.95
An antivirus application that scans and detects viruses on desktops
without noticeable system degradation.
Kaspersky Anti-Virus 4.0
Kaspersky Labs
www.kaspersky.com
Price: Free for registered users
Software offers a next-generation AV-kernel based on the
product structure and interaction with an OS, increasing defense
reliability.
Panda Antivirus for Exchange 2000
Panda Software
www.pandasoftware.com
Price: Contact vendor
Updated version is fully compatible with Microsoft's new
Virus Scanning API v2.0 for Exchange 2000.
APPLIANCES
BlackICE Agent for Workstations
Internet Security Systems
www.iss.net
Price: $2,075 for 25 desktop agents
Workstation agent offers a VPN solution and performs real-time
intrusion protection by analyzing network activity on servers, desktops and
network segments.
Sidewinder Appliance
Secure Computing
www.securecomputing.com
Price: $5,900-$23,900
Firewall and VPN appliance offers easy installation and
doesn't require security patches for every new type of attack.
ASSESSMENT
AppDetective for Oracle v2.0
Application Security
www.appsecinc.com
Price: Contact vendor
Application security scanner performs network-based penetration tests
and vulnerability assessments.
INTRUSION DETECTION/PREVENTION
SecoShield
Secos
www.secos.com
Price: Contact vendor
Network-based intrusion detection and response system that gathers and
analyzes real-time packet information.
StormWatch 2.1
OKENA
www.okena.com
Price: $3,500 for management console
Newest version of intrusion prevention software includes an enhanced
GUI that enables easy server lockdown and better IIS Web server protection.
PERIMETER/NETWORK SECURITY
Phantom Total Security
Gianus Technologies
www.gianus.com
Price: Starts at $190
Nonencryption software makes documents, files,
e-mails and Internet records invisible to hackers, unauthorized users and
viruses, by combining a normal OS with a second, invisible one.
Secure.Data for Sybase ASE
Protegrity
www.protegrity.com
Price: Contact vendor
Turnkey data privacy solution incorporates cryptographic and authorization
services to secure database applications.
SecureStack v2.0
SecureWave
www.securewave.com
Price: Contact vendor
Protects Windows NT 4.0/2000 servers from buffer-overflow attacks.
POLICY MANAGEMENT
Security Update Manager
Configuresoft
www.configuresoft.com
Price: Starts at $25/server; $5/workstation
New module for Enterprise Configuration
Manager automates management of security patches in Windows-based networks.
WIRELESS
EncryptAir
Ceragon Networks
www.ceragon.com
Price: Contact vendor
DES-based solution encrypts data at channel rates of 155 Mbps and
allows secure connectivity over IP and ATM network protocols.
OTHER
Caveo Anti-Theft
Caveo Technology
www.caveo.com
Price: $99
Laptop-theft deterrent, in the form of a PC card, detects motion and issues
audible warning signals if a laptop is moved.
eTrust Directory
Computer Associates
www.ca.com
Price: Contact vendor
Supports X.500 and LDAP standards, continuous real-time content creation and
online service delivery.