At the small or home office end of the market we have the ZyWall 100 Internet Security Gateway. When we looked at the ZyWall 50 appliance in the VPN Group Test last year, we had a few concerns, such as build quality. This issue has clearly been addressed, since the ZyWall 100 is a robust yet compact device with a simple and attractive design.
CyberGuard has a long and impressive track record in the firewall market, providing solutions from the desktop to those suitable for the high end, such as data centers. The SL2000 is positioned at the high end and, while certainly not the cheapest firewall in this Group Test, is worth every penny.
Putting a firewall in the home office should be a natural thing to do. After all, you are not only protecting your user but also the data that they will be working on, and probably holding, on their machine. This security is just as important as the security in the main office, as liability on data and business-critical information could otherwise be breached with ease. This is where a small but powerful appliance from a developer with experience in both the enterprise and SOHO markets is going to come in very handy.
Either as a closed environment or as a service, Endeavors Technology's Magi Enterprise is a peer-to-peer security solution ideal for end users who have little or no experience with installing security solutions, but who are charged with telecommuting on a regular basis. From the administrator's viewpoint, removing any end-user problems can make the whole job of securing the data flow far easier.
This solution is again reliant on enterprise management, but for the teleworker who requires a standalone solution BlackICE PC Protection is still available. RealSecure Desktop Protector (formerly known as BlackICE Agent for Workstations) is the enterprise version.
This hardware solution is suitable for either the hardened teleworker or a small office environment. It brings with it not only a stateful inspection firewall, but also the protection of a VPN. For the user logging into an enterprise, MD5 authentication comes into play. This ensures encrypted communications and also foils any attempt to steal the SonicWALL password.
We have looked at solutions that are purely based within the teleworker's domain, but we are also taking the view that some organizations of the larger variety may wish to impose server-based network and system security solutions on their remote users.
Blade has made quite a name for itself over the last year or so with the development of its Blade IDS Informer application, which monitors the performance of your intrusion detection system and ensures that it is running to the best of its abilities. The company has now extended this with the release of Firewall Informer, which performs a similar function for your corporate firewall.
In the Gateway Security product, Symantec has come up with a range of gateway appliances, each of which combines firewall, anti-virus, virtual private network (VPN), content filtering and intrusion detection in one rack-mounted system that is 1U high.
Another USB token approach, this time from Feitian Technologies, a company based in Beijing, China. The ePass2000 product comes attractively packaged with the software, printed user's guide, a USB token (in this case the ePass2000 with 1024-bit key functionality), overview brochures and even a mouse mat. This may give an impression of an off-the-shelf consumer-oriented product, but the ePass offering is actually quite comprehensive.
The Aladdin eToken is a small, lightweight, attractive USB device, about the size of a physical key, which can generate and store user credentials such as private keys, passwords and digital certificates within its own protected chip environment.
RSA is usually associated with token solutions, providing dynamic one-time password facilities plugged into back end authentication servers like RSA's ACE/Server. But there are times when a token is not ideal: you have lease costs to consider, the server-side requirements are relatively high and inexperienced users can find one-time passwords tricky to handle.
The SafeWord PremierAccess product immediately impresses as a solution that has been well considered from the outset. Developed around the dynamic password concept, it may nevertheless support smartcards and other tokens, and even biometrics. These methodologies may be mixed and matched depending upon the needs of the enterprise.
This solution provides a network-based IDS, real-time session monitoring and internet/email content blocking. eTrust Intrusion Detection can be installed in standalone mode, or it can be distributed on separate machines. The intrusion detection program installs as a service under Windows NT/2000. As usual, the monitoring interface is a NIC in promiscuous mode, and therefore the presence of the IDS is concealed from the attacker.
This solution is supplied as software, desktop or rack-mounted. Each network sensor is a separate appliance, handling high-availability, high-security 10/100 or gigabit monitored segments. Running on a hardened OS, based on Red Hat Linux, in a small installation it can be managed using a web-based interface, software or optionally as an appliance.
The Schlumberger DeXa.Badge is not so much a single product, more of a secure identity philosophy. Potential use of the associated chip cards could range from simple intranet/internet secure login, to a full blown certificate-based enterprise deployment for local and remote access, physical access control and other related applications.