Last year, the principal security requirement for most organizations was to combat the plethora of attacks from worms and viruses. This year, spam and government legislation have been at the forefront of the IT professional's mind.
We have received press release after press release about Sarbanes-Oxley, HIPAA, and the like. IT security, once the sole realm of the technologist, has now become inextricably linked with corporate governance. Security can no longer be thought of in isolation, but as a partner in risk management, reporting and policy management and executive accountability.
Another area of concern for IT professionals has been the growing onslaught of spam. This has been a problem for a long time, but this year spammers have gone into top gear and a deluge of unsolicited email has almost brought the world's inboxes to a standstill. There is even anecdotal evidence that during the hurricane season that affected Florida so badly this year, the level of spam went down every time a hurricane hit the state.
The number of anti-spam products that came into our labs reflects the size of the problem. Almost every security player of note seems to have put out a product that deals with this menace. While there were some very good products and services out there, there were also some poor ones. We predict there will be a major shake-up next year and, hopefully, a few of the less than successful products will sharpen up their act or retire from the scene completely.
Another trend we spotted was the rise of the multi-function appliance. We have seen IPsec VPNs being combined with traditional firewalls over the past couple of years, and we expect 2005 will see a greater number of devices coming onto the market that claim to perform a wide array of tasks.
In this year's tests, we have looked at hundreds of products covering different areas of interest to security professionals. From SSL accelerators to multi-function appliances, our reviewers have been hard at work thoroughly testing all the products that have come into our labs.
For this pick of the best of 2004, we have chosen products that we either rated five stars overall or awarded a Best Buy or Recommended rating.
René Millman, reviews editor
Probably vying for hot topic of the year, patch management has come from almost nowhere and been thrust into the spotlight – mainly because of the Windows operating system.
But being a hot topic has meant there has been a host of products jumping on the bandwagon and challenging the dominance of established leaders in this area of IT security.
At SC Magazine, we looked at a raft of products aimed at helping security professionals get patches tested and pushed out to desktops, servers, laptops and PDAs.
Keeping up to date with security fixes is labor-intensive, and the need for testing the effect of the patches before rolling them out makes life even harder. This effort is multiplied when considering other operating system versions.
Below are the products that performed the best in both our group tests and standalone reviews.
The remote management toolkit used to contain a dial-up connection and a terminal emulator program, but there are few networks around today that could be managed with such simple facilities.
Networks have grown in both capability and complexity, and there are now solutions with a wide range of capabilities. Today's support technician or administrator will expect to have a remote GUI into a Windows system, and a terminal emulation into a network appliance.
Security aspects for management have changed, too. In the beginning, security issues could be addressed by using a simple dial-back modem and password protection, but now we must have encrypted sessions, user authentication and permission lists.
Remote management tools can simplify network administration and support, but they also provide greater opportunities for unauthorized mayhem.
There was a good selection of products for this year's test and we feel this area has really come along over the past year and shown itself to be very mature.
Ideal Administration (Remote Management group test) 4.71
WhatsUp SQL Server Monitor (Remote Management group test)
Avocent DSR4010 (Remote Management group test)
Raritan Dominion KSX (Remote Management group test)
PC-Duo Enterprise (Remote Management group test)
NetSupport Manager (Remote Management group test)
Web servers are extremely efficient at serving up web pages and dynamic content, but they are not so good at setting up secure connections or SSL transactions. This is where SSL accelerators come into play.
While setting up and maintaining an SSL session imposes little extra load on the client systems, it is the server that creates and maintains many concurrent sessions, putting the processor under strain, increasing response times and latency, and reducing overall performance.
One solution is to offload the extra work to another, specialized device that is designed to handle the burden imposed by the use of SSL ciphers and keys. This releases the processor for its normal workload, allowing it to return performance to more acceptable levels.
Our evaluations this year found that many were up to the job. Here are the best in test.
Two-factor authentication seeks to improve relative security by adding a second parameter to the credentials used to identify an individual in relation to a transaction.
The parameters involved could be a mixture of PIN, dynamic passwords, biometrics, certificates and tokens (such as smartcards, USB sticks and others). The technology building blocks are well established, and the consideration for many will be simplicity of implementation and operation, followed by considerations of cost, ongoing management and sustainability.
Here is a collection of representative products that provide a taste of current approaches to two-factor authentication. Even within this small sample of offerings, we can see some differences in application and scale, albeit based around similar concepts.
Novell Netware 6.5 (Two-factor authentication group test)
KeyCrypt (Two-factor authentication group test)
ActivCard Gold Desktop (Two-factor authentication group test)
DigitalPersona Pro for Active Directory (Two-factor authentication group test)
Passholder Pro (Two-factor authentication group test)
Entrust USB Token (Two-factor authentication group test)
SecuriKey Personal Edition (Two-factor authentication group test)
Anti-virus (AV) is child's play. Something matches a signature or not; you let it through or not. Assuming the technology works, it is a fairly basic binary process. But spam is a real pain. It is more varied, cunning and voluminous.
AV pundits will say spam may be more vague, but it is also lower risk. The odd junk email that sneaks through is mildly annoying, while a virus can cost you millions. This is true, but spam has implications: coordinated efforts between spammers and virus writers mean you can never be sure that the site luring users is not going to download malware, attempt identity theft or display offensive material that could land you in a lawsuit.
We are pretty good at detecting spam, but one person's spam is another's legitimate email. The task for a computer is not an easy one. And there are nearly as many ways of detecting it as there are products.
In this year's test, we had so many products submitted that we eventually had to split the test in two over successive months. While there seem to be a lot of "me-too" products, there are still some really good ones to be considered.
IronMail (Anti-spam group test) 4.0
Gordano Messaging Server (Anti-spam group test) 9
SurfControl Email Filter for SMTP (Anti-spam group test) 4.7
DynaComm i:mail (Anti-spam group test) 4.0
Symantec Brightmail Anti-Spam (Anti-spam group test) 5.5.2
BlackSpider MailControl (Anti-spam group test)
modusGate3 (Anti-spam group test)
Businesses know they cannot rely on security through obscurity – deploying a wireless network in its default state without protection and hoping it is not discovered.
The wide publicity generated by the media's exposure of WLANs' inherent security weaknesses and early administrator mistakes has served to educate WLAN users about the best ways to secure them.
All of the products tested this year can, if correctly and appropriately deployed, strengthen your company's security. Whether you are responsible for the data and access management of thousands of employees, or considering switching on wireless networking for only a few workstations in a small office, one or more of these products will suit your needs.
We analyzed a range of products, from probes and sensors through to high-end enterprise technology systems such as authentication and authorization servers.
Throughout this year, we have looked at a wide variety of different products which have all purported to secure an organization's email at the gateway.
It is here that unwanted and potentially dangerous content can be filtered out so as not to clog up the internal network.
In this test, we left out products focused on encryption. Instead, we decided to review general-purpose, wide-ranging, mail security products (some of which might incidentally include encryption).
Some of them are part of a complete content-management suite that can be integrated on one gateway machine to perform email, web (http, ftp) and instant messaging (IM) filtering.
Presented as a potential panacea for network protection, intrusion prevention systems (IPSs) have begun to create a market segment of their own.
We selected a range of products that cover the gamut, from expensive devices from well-known vendors to less expensive, less well-known products.
Perhaps surprisingly, some of the less expensive products performed as well as, and in some cases better than, the more expensive ones. We found that the major differences were in the ease of setup and configuration.
Here are the best from this year.
Instant messaging (IM) has been very popular for the home user and is increasingly used in the corporate environment. But the use of such technology brings some security headaches.
As well as a means of introducing viruses, worms and Trojans that could be missed by traditional firewalls, IM can also leave companies exposed to legal problems. Your employee could say something potentially libellous or pass over sensitive information about your company, whether maliciously or accidentally.
These are the products that made the grade in this year's tests.
Forensic tools have certainly come a long way in terms of their functionality and ease of use. Most of the products we have looked at this year have improved, and others have kept up their high standards.
These tools are becoming more commonly used in the enterprise and are no longer the preserve of the police and other law enforcement agencies. Organizations are becoming more active in uncovering wrongdoing, and this is in large part because of stricter regulation covering corporate governance.
The products in the group test will help in finding and collecting evidence, but you still need to follow accepted forensic guidelines; otherwise this evidence could be questioned or rejected, causing what looked like a bullet-proof case to collapse.
This year, we have found more products than ever before. Here are the best from this year.
Firewalls and IPsec VPNs
We looked at a range of appliances this year, from the high end of the enterprise market to those for companies in the small to medium enterprise market, and at a number of software solutions.
With each product, we looked for ease of use, both in administering the firewall and in creating security policies, as well as how fast and how secure they were.
For the IPsec VPN test in November, we noticed that all of the products on review either come with firewalls or are an optional extra of a firewall. We focused on enterprise-level products.
Next year, we will revisit firewalls and IPsec VPNs, but we will look at products aimed at different sizes of organizations.
This will take into account the changing nature of the market and the products themselves.
Microsoft Internet Security & Acceleration Server 2000 (Firewalls group test)
Nokia IP380 (Firewalls group test)
BarbedWire Technologies DP Inspector (Firewalls group test)
Stonesoft StoneGate SG-3000 VPN/Firewall (Firewalls group test)
Check Point Express (Firewalls group test)
Celestix RAS3000 (IPsec VPNs group test)
Nokia IP2250 (IPsec VPNs group test)
Sun iForce VPN/Firewall (Firewalls group test)
The term auditing software probably means different things to different people according to their particular requirements.
To some information security professionals, it will simply mean scanning a workstation, or series of workstations, in order to determine which software is installed. They might have various reasons to do this, such as maintaining version control, providing capabilities by role or location or, as is more likely the case these days, ensuring license compliance.
To other users, a more sophisticated interpretation will be more appropriate, whereby they will be thinking in broader asset management terms.
Assets in this context might not be restricted to software or workstation hardware, but will typically include peripherals such as printers and network infrastructure components, as well as non IT-specific items such as telephones, desks and chairs, filing cabinets, and so forth.
Auditing is becoming increasingly important as corporate governance regulations come into force. Organizations need to prove that they are in control of what they have and demonstrate how they run things. Here are the products that made the best of 2004.
Penetration and vulnerability testing
Penetration and vulnerability testing is a complex area. You might think of it in terms of layers – from straightforward, vendor-specific tools such as Microsoft's Baseline Security Analyzer (which checks for the obvious misconfiguration of applications and missing security patches), to sets of sophisticated tools which are designed to be used by experts in order to probe and check an organization's network infrastructure and the applications on it.
Another way to think about penetration testing is as the in-depth testing of a specific software product in order to uncover vulnerabilities before general release.
Penetration testing and vulnerability testing are often confused. Penetration testing usually refers to a specific attempt to penetrate a network from outside in order to gain access to files and information. It is often undertaken by a specialist and a trusted third-party agency on behalf of an organization.
These are the products that have made their mark in 2004.
nCircle IP360 (Penetration and Vulnerability Testing group test)
WebInspect (Penetration and Vulnerability Testing group test)
Core Impact (Penetration and Vulnerability Testing group test)
Typhon 3 (Penetration and Vulnerability Testing group test)
If 2003 was the year of Blaster, then this year it was Sasser's turn. One German teenager's antics have been responsible for nearly three-quarters of all the virus infections on the world's computers.
So it is still extremely important to keep viruses out of the network.
It is a given that most vendors know about the same viruses as each other. There is co-operation on this front, and it is welcome.
But what increasingly sets the vendors apart is the way in which they handle virus outbreaks and report how well they are doing in stopping the bad code getting through and doing damage.
In this year's tests, we were amazed at how well or how badly the products handled a large-scale outbreak. This is the kind of attack we are seeing nowadays, because viruses no longer come into the network by themselves, but bring thousands of their buddies along for company.
F-Secure Policy Manager 5.50
McAfee Active Virus Defense Suite (Anti-Virus management group test) 7.1
Hauri ViRobot Management Server (Anti-Virus management group test) 2.7
eTrust Antivirus (Anti-virus group test) 7.0
Kaspersky Anti-Virus (Anti-virus group test) 4.2
Few can doubt that IT security is taken more seriously today than ever before by the vast majority of businesses. But as these security threats become more numerous, the defenses and solutions that we have to deploy in a bid to keep pace with the dangers increase commensurately in complexity.
Thankfully, integrated security appliances are able to take some of the sting out of this complexity. Such devices can have a number of advantages over traditionally deployed, separate security solutions. They can contain most (if not all) of the IT security measures that a business – especially a smaller-sized firm – will require in one hardware appliance, hence vastly simplifying its configuration and management.
This test has focused on appliances aimed at the smaller enterprise and here are the products that merited a high rating.
Next year, we plan to extend testing of multi-function appliances to cover the enterprise in a separate group test from the one that covers small businesses.
While our group tests aim to cover as broad an area of IT security as possible, there are some products that defy categorization or which are difficult to directly compare against other products.
So we have attempted to cover all of them in depth in our standalone product reviews.
Three of the many products we have looked at over the past year really caught the eye of our team of reviewers – who are well respected throughout the industry.
So we have listed them below. All of them scored five stars in their overall rating and in our opinion are well worth considering.
Biometrics has stayed in the news this year as both the U.S. and U.K. consider biometric-enabled ID cards as a means of keeping tabs on their citizens.
The technology is not without its critics, both in terms of civil liberties and whether the technology works properly, but any organization thinking about using a biometric tool should take time to understand how it works and its limitations.
This year's test found products that do work and which could do a good job for organizations.
In 1941, the British Navy captured an Enigma coding machine. Mathematicians then used the device to crack the German Navy code, constructing one of the world's first digital computers in the process, effectively heralding the start of modern data encryption.
Today, we tend to equate encryption with computer-generated files and, indeed, use the processing power of modern computers as part of the encryption solution.
We have grouped together the best products tested this year.
The biggest security weakness in computer networks is poor password selection. In many organizations, employees are required to remember between five and ten passwords, and have to change them as frequently as every 30 days.
Remembering passwords is a problem, and companies find that up to 20 percent of support calls are password-related.
Synchronization of passwords is often not possible, because different applications might have different and conflicting password construction rules.
This means that users have to manage an overwhelming number of username and password combinations. This leads to poor security as users choose obvious passwords to make them memorable. It also leads to users forgetting passwords, which is a time-consuming problem for everyone.
We looked at a range of products this year; here are the best.
The war between SSL and IPsec VPNs is a phoney one. Both have their place in the enterprise and both should be looked upon as having specific uses. IPsec, we have found, often comes complete with a firewall, and is predominantly for site-to-site communication through the internet. This compares with SSL VPNs, which mostly provide access for remote users to corporate applications using nothing more than the humble browser.
But these distinctions tend to blur, and either solution can be used in most cases. The SSL devices reviewed here provide more than just simple email collection, enabling remote access to a variety of web and network resources.
This year, SSL VPNs continued to grow and develop, as did their market. We intend to revisit this interesting area next year.