Entrust GetAccess is a web access control solution that provides web portal security and identity management. It supports a variety of authentication methods including passwords, certificates, tokens and biometrics. It allows flexible rules to be enforced for user passwords and maintains password histories.
SecureLogin provides SSO across all the applications that a corporation might be running – mainframe, web-based, Windows 32-bit and UNIX. It also works with terminal emulators and in Citrix environments, and integrates with two-factor authentication systems based on smartcards, tokens or biometrics.
Because it can circumvent many existing content-management solutions, instant messaging (IM) is causing security concerns among IT managers, which often leads them to ban its use altogether.
However, IM can have business benefits if used responsibly, because it offers instantaneous communication and immediately indicates whether colleagues are online. What is needed is a way of allowing the use of IM, while controlling it and enforcing rules on employees.
Qualys has provided an automated remote vulnerability testing service for some time. However, a remotely operated service like that is limited in what it can do when it is trying to access your computers through a properly configured firewall. That is not to say it doesn't do a good job of showing up external vulnerabilities, but it can't give a complete vulnerability picture, as it lacks the 'enemy within' perspective. Incidentally, internal risks are not limited to dishonest or malicious employees - they also include an innocent user accidentally running a trojan attached to an email, because he is running it inside the firewall perimeter.
What is needed to complete a security audit is a vulnerability assessment carried out from inside the organisation on the corporate intranet to see what vulnerabilities are exposed to internal users who may be a threat. And that's exactly what QualysGuard Enterprise does with its Intranet Scanner option.
Adhaero Doc is not a general-purpose encryption product, but it uses encryption technology to secure Microsoft Office files throughout their lifecycle. It also integrates with Microsoft Outlook to provide the same protection to emails. It is best described as a digital rights management product.
Dekart Security Suite comprises four separate applications that support all 32-bit versions of Windows and share the same two-factor authentication feature, which uses a PIN code and a USB token or smart card. You can use most third-party tokens and smart cards. Additionally, most types of Bio API and HA API compatible biometric verification devices are supported.
FileAssurity Open PGP is designed to be a low-cost alternative to PGP, while retaining full compatibility with PGP. With it, you can generate, import and export X.509 and PGP keys, and it also supports encryption/decryption and digital signing/verifying of standard PGP files. Files or folders may be encrypted for storage or transmission by email. Bulk data encryption is carried out using 256-bit AES, with public-key-based Diffie-Hellman being used for session key exchange. RSA and DSS are used for digital signatures. Another feature is secure deletion according to U.S. government DoD 5220.22-M. All 32-bit Windows platforms are supported.
RSA SureFile combines RSA's encryption technology with PKWARE's PKZIP to create an encryption product that also compresses files and folders to save space and bandwidth. Because encrypted files are generally fairly random looking, they are incompressible by hardware that may be part of a bandwidth-saving infrastructure. So, it is better to compress files before encryption, or optimize both processes within one product as RSA Security has done.
SecureDoc is a disk encryption product that encrypts the entire hard disk, including operating system files and boot sector. Therefore it provides authentication of the user before the computer even boots up. It can also be used to encrypt all types of removable drives and media, including Flash cards. Although it can be installed in a password-only single-user environment, it provides an upgrade path to full enterprise-wide PKI and two- and three-factor authentication, integrating with third-party tokens.
Cyber-Ark's Inter-Business Vault is designed to protect confidential files in an extranet environment, where secure file sharing with remote offices and business partners is demanded. This requires a combination of secure file storage, encryption for files in transit, authentication and access control. There are many products that tackle these problems individually. For example, a virtual private network (VPN) encrypts files in transit, and access controls are built into modern operating systems. However, OS access controls can often be bypassed simply because unhardened operating systems are themselves so easy to compromise. Inter-Business Vault aims to address all of these problems by integrating a VPN, authenticated access controls and encrypted file storage in a very secure solution.
GFI LANguard System Integrity Monitor (SIM) detects whether files have been changed on a Windows 2000/XP system. It identifies exactly which files have been changed, making it easy to restore the system to its original state, although it does not provide any utility for automatic recovery - you have to have secured original copies of these files elsewhere.
The G-Server is the only hardware in this Group Test - all the other products consist of software. It is designed to be installed inline between the DMZ port on your firewall and a public web server. It is completely transparent and requires no changes to any network settings on other network equipment. It has no IP address visible to the outside world, so is undetectable by hackers. Even the MAC addresses of its NICs reflect those of the real web server to make the G-Server even more transparent. Two G-Servers may be configured for high availability.
TOS stands for 'trusted operating system.' It can also be used to protect servers that are providing DNS, as well as file servers, database servers, proxy servers and mail servers. TOS can protect any static files, including whole directories, drives, Windows registries and, of course, web pages.
A complete Tripwire system consists of two components: Tripwire for Servers, which is an agent that must be installed on all servers that are to be protected; and Tripwire Manager, which provides central management for any number of Tripwire for Servers agents. Communications between the server agents and the management workstation are secured using the secure sockets layer (SSL) protocol.
Applock/Web works for web servers based on Microsoft IIS running on Windows NT/2000. It locks down both the operating system and the web server application. It auto-discovers which files are associated with web server functions (this may include web content and web scripts) and locks them down. It works within the operating system at the kernel level.