2004 reviews: Security

20.12.2004
By InfoWorld Test

The porous perimeter and the ominous "unknown threat" registered high on IT managers' worry meters again this year, and security vendors replied with every manner of product. It seems as though we tested them all: firewalls incorporating application-level protection, signature-based intrusion detection systems, anomaly-based intrusion prevention systems, app security solutions, SSL and IPSec VPNs, do-it-all appliances, and a slew of antispam gateways.

We saw progress in almost every corner. Check Point Software Technologies Ltd., ServGate Technologies Inc., and SonicWall Inc. delivered firewalls that blended high performance with easier configuration and management at surprisingly low prices. Arbor Networks Inc., Lancope Inc., McAfee, and Sana Security Inc. showed that anomaly-based intrusion detection has come of age; Imperva Inc., KaVaDo Inc., and Sentryware did the same for application security. Check Point Integrity and Sygate Secure Enterprise secured the end point with network quarantining.

We were also wowed by nCircle Network Security Inc.'s vulnerability management solution, Symantec Corp.'s advanced warning system, and e-Security Inc.'s method of tying it all together. As for canning spam, Brightmail Inc. proved best, although MailFrontier Inc. and Proofpoint Inc. also aced the test.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Antispam

Barracuda Spam Firewall

Barracuda Networks Inc.

Very Good, 8.5

Cost: Starts at $1,199, depending on model, plus a $399 annual update subscription

Bottom line: Spam Firewall is an accurate antispam appliance that's chock-full of features for a relatively low price. It's easy to install and to use, and with only a few weaknesses in documentation and reporting, this is a top antispam defense choice.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

BorderWare Mxtreme MX-200

BorderWare Technologies Inc.

Excellent, 8.6

Cost: As tested, $12,595

Bottom line: This capable antispam and anti-virus appliance adds secure e-mail server capabilities that ISPs and multidomain organizations will like. It's more complex to set up than the Proofpoint P800, but it offers an excellent false-positive rate out of the box and spam filtering that should improve with tuning.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

CipherTrust IronMail 4.0

CipherTrust Inc.

Excellent, 8.6

Cost: Initial cost, $27,000; annual costs, $4,860

Bottom line: The IronMail 4.0 appliance provides easy setup, delivers great performance, and offers very sophisticated security features such as intrusion detection, a reverse proxy for Exchange, content filtering, and anti-virus. Logging features are complete, and it's easy to add users.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Corvigo MailGate MG1200 2.0

Corvigo Inc.

Excellent, 8.7

Cost: Initial costs start at $4,950 for 50 users; annual costs start at $1,237.50 for 50 users

Bottom line: Easy to install and use, this appliance is a superb performer. End-user features are great: Users can release messages they want, whitelist senders from the notification e-mail, and instruct the program to treat bulk e-mail differently from spam.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Digitalinfo Networks MailPoint 3000

Digitalinfo Networks

Very Good, 8.5

Cost: $1,599

Bottom line: The MailPoint 3000 appliance performed very well in filtering spam and had almost no false positives. It's priced lower than many software-only packages and is simple to set up and configure. However, it lacks some of the enterprise-oriented features and granularity that companies might want.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

MailFrontier Enterprise Gateway 3.1

MailFrontier Inc.

Excellent, 9.0

Cost: Starts at $13.20 per user per year for anti-spam only; starts at an additional $8.50 per user per year for anti-virus

Bottom line: MailFrontier offers an easy install that's likely to be comfortable for administrators of any experience level. After installation, it requires little ongoing maintenance. It provides granular user and group management, e-mail policy enforcement, and excellent performance.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

MessageLabs Anti-Spam Service

MessageLabs Ltd.

Very Good, 8.4

Cost: 50 users, starts at $798 per year

Bottom line: MessageLabs' service offloads antispam and antivirus processing from your network, reducing the traffic going across your Net connection. It offers easy setup and provides a simple way for end-users to check quarantined e-mail and release messages they want to keep.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Mirapoint Message Director MD450

Mirapoint Inc.

Very Good, 8.4

Cost: One-time hardware cost, $22,100; annual antispam license ranges from $3.50 per user for 500 users to $1.50 per user for 10,000 users (antivirus protection costs extra); annual support fee, $3,315

Bottom line: Mirapoint's antispam appliance boasts excellent performance, easy setup, and on-site support -- all included in its price, which is quite low compared with other such products on the market. Its high capacity can accommodate tens of thousands of users.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Proofpoint P800 Message Protection Appliance

Proofpoint Inc.

Excellent, 9.0

Cost: As tested, $9,780

Bottom line: Simple to install, this appliance offers great ease of use, a low price, and an impressive 94 percent catch rate, making it an all-around good deal. The false positive rate should improve as users add to the whitelist. Even with the additional cost for anti-virus, it's worth the price.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Roaring Penguin CanIt-Pro 2.0b

Roaring Penguin Software Inc.

Excellent, 8.6

Cost: Starts at $6 per mailbox for the first year; subsequent support fees are 50 percent of the initial price; outright purchase price begins at $18 per mailbox.

Bottom line: CanIt-Pro offers an enterprise-oriented feature set that includes group-based filtering rules and user access to quarantined e-mail. With a minimum purchase of 125 mailboxes, it's not intended for small organizations, but larger organizations will find the comprehensive feature set a good fit.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Sophos PureMessage 4.6

Sophos PLC

Excellent, 8.6

Cost: Starts at $18.81 per year per user for anti-spam and anti-virus

Bottom line: Sophos provides an easy install for Linux shops, with excellent documentation. The offering provided the greatest control of settings, policies, groups, and users in our September test, but that all comes at some cost in complexity.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

SpamAssassin 2.63

SpamAssassin.org

Very Good, 7.1

Cost: Free

Bottom line: SpamAssassin is powerful, extensible, and free, but it's not for beginners. It requires a substantial time investment to understand its features and to properly configure and update its modules. Adding features and modules and adjusting rules requires knowledge of Perl programming.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Symantec Brightmail Anti-Spam 6.0

Symantec Corp.

Excellent, 9.1

Cost: Starts at $18.90 per year per user for a two-year subscription, including anti-spam and anti-virus

Bottom line: Brightmail offers superb performance, a simple setup, and very low maintenance. With great end-user support and controls for delegating administration, there's nothing here not to like.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Trend Micro InterScan Messaging Security Suite 2.8

Trend Micro Inc.

Very Good, 8.4

Cost: Starts at $15.18 per year per user for anti-spam only

Bottom line: Good policy management features and granular adjustment to anti-spam filters enable admins to tailor IMSS for specific users. It supported the most platforms of the four solutions in our September test and offers granular delegation of administrative rights.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Antispyware and antivirus

Computer Associates eTrust PestPatrol Corporate Edition 5.0

Computer Associates International Inc.

Very Good, 8.1

Cost: Priced by volume; 100 seats, $22.49 per seat

Bottom line: PestPatrol is a solid product that installs quickly and easily. Client deployment is simple, using either a "push" or command-line installer. The GUI is straightforward and easy to navigate, and detection rates are some of the best available. Reporting and logging are weak, however, and administrators cannot add custom signature definitions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Panda Software BusinesSecure 3.0

Panda Software SL

Very Good, 7.8

Cost: One-year license for 2,000 users, $24 per seat

Bottom line: BusinesSecure 3.0 uses Panda's first-rate scan engine, and its user interface is incredibly easy to navigate, but the admin and management features need maturing. Prompt tech support and product pricing incentives make up for some of the management snarls.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Tenebril SpyCatcher 3.0 Enterprise

Tenebril

Cost: Priced by volume; 100 seats, $14 per seat

Bottom line: SpyCatcher client installation uses Microsoft .MSI files, which are easily distributed via shared folders, log-in scripts, or software distribution systems. It does a decent job of detecting and eliminating spyware, but suffers from a slightly disjointed GUI and a lack of centralized update distribution. Its reporting engine could use improvement.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Trend Micro Client/Server Suite for SMB 6.0

Trend Micro

Excellent, 8.9

Cost: $21 to $28 per seat, depending on volume

Bottom line: Client/Server Suite for SMB provides the best client-side and file-server protection for a midsize Microsoft shop, with a comprehensive set of admin functionalities. It's a mature product that is easy to deploy and manage, thanks to customizable features.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Application security

DbEncrypt 2.5.0

Application Security

Very Good, 7.2

Cost: $15,000 per Oracle SID or SQL Server Instance

Bottom line: An enterprise-level database encryption utility that's easy to install and configure, and it works at the column level. Column decryption is handled through the UI, and it's easy to add and remove permissions. However, such software will be obsolete for Microsoft shops when SQL Server 2005 is released.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Forum XWall Web Services Firewall, Version 3.3

Forum Systems Inc.

Very Good, 8.2

Cost: Base software system for Windows platforms, starts at $2,500; all features enabled, $20,000

Bottom line: For businesses that must secure their Web services but don't need schema tightening or have other systems in place that protect against SQL injection attacks, Forum XWall is a great, low-cost security system. It helps prevent denial of service attacks and can greatly reduce exposure to hack attempts. XWall's policy engine is first-rate and allows for granular control of your IDP rules.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Imperva SecureSphere Version 2.0

Imperva Inc.

Excellent, 9.1

Cost: As tested, $25,000; base software includes one management server and protection for one Web and one database server

Bottom line: SecureSphere provides excellent heuristics and data analysis with its Correlated Attack Verification engine. It doesn't rely strictly on hard triggers or predefined rulesets and is capable of learning "normal" traffic patterns.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Imprivata OneSign 2.5

Imprivata Inc.

Excellent, 8.9

Cost: 200 users, starts at $15,995; fingerprint option, $10,000

Bottom line: A simple and effective way to enable single sign-on for an entire enterprise, OneSign supports virtually any application and directory. This appliance can heighten security dramatically by ensuring that all users need only one strong password, or, even better, token-based or biometric authentication.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

KaVaDo InterDo 3.0

KaVaDo

Excellent, 8.8

Cost: Software, starts at $15,000; appliance, starts at $19,000

Bottom line: InterDo has a strong UI, with a wizard-driven setup process that even non-experts can follow. A well-designed security dashboard makes monitoring and management easy. ScanDo, an add-on that checks for vulnerabilities, provides excellent feedback to tighten up Web apps.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

NetContinuum NC-1000 Web Security Gateway V3.5

NetContinuum Inc.

Very Good, 8.5

Cost: $29,000

Bottom line: From a network performance and capability standpoint, the NetContinuum Web Security Gateway is a very strong product. With a better serial console and stronger GUI presentation, it could be the strongest player in the Web app security market.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Permeo Application Security Gateway Version 5.0

Permeo Technologies Inc.

Good, 6.6

Cost: 50 users, starts at $12,784

Bottom line: This is an effective solution for companies that must control how users and their applications access internal and external networks -- after it's up and running. Unfortunately, it's poorly documented and very difficult to implement, frustrating users and administrators alike.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Sanctum AppShield 4.0

Sanctum Inc.

Very Good, 8.1

Cost: Software, $25,000; appliance, $35,000

Bottom line: The Sanctum solution is designed for those who want to incorporate security into their Web apps throughout the development and deployment cycles. The interface makes setting up the product seem much more complicated than it is -- the only real downside to a very capable security system.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Sentryware Hive Version 2.0

Sentryware

Excellent, 9.1

Cost: Five protected domains, starts at $13,995; yearly maintenance, 20 percent of list

Bottom line: Hive provides exceptional, proactive security at a price even small-to-midsize enterprises can afford. Installation takes a bit of planning, but after it's running, Hive requires little ongoing maintenance.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Teros Secure Application Gateway (Teros 100)

Teros Inc.

Very Good, 8.3

Cost: $25,000

Bottom line: The Teros 100 is a solid choice for those with an existing application that they have no intention of changing. Setup and configuration are easy, except for an awkward interface for creating JavaScript during the learning process. The system protects all common Web servers and app types.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Physical security

Axis Camera Station 1.0

Axis Communications Inc.

Very Good, 7.0

Cost: 10-camera installation, $999

Bottom line: Axis Camera Station is a solid, midlevel IP camera-management system, capable of supporting 25 cameras per station. ACS doesn't have the scalability or advanced features of the NetDVR-64, but its affordability and easy setup make it an attractive option for smaller deployments.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Mobotix M10

Mobotix AG

Very Good, 7.2

Cost: $1,025

Bottom line: This is a feature-rich IP camera and a viable all-in-one surveillance system if only a handful of cameras are needed. Capable of multiple resolutions, it also supports enhancements for different light levels. Trigger filters are backed by environmental sensors and can be integrated with ISDN telephony features.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

On-Net NetDVR-64 Version 3.1

On-Net Surveillance Systems Inc.

Very Good, 8.0

Cost: 100-camera installation, $30,000

Bottom line: Representing the high end of IP camera managers, NetDVR is capable of scaling to large camera volumes and managing those volumes based on geographic factors. An excellent drill-down interface is coupled with a vast array of event triggers, alarm integration capabilities, and notification methods.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Firewalls

Check Point NG Enterprise

Check Point Software Technologies

Very Good, 8.5

Cost: Unlimited nodes, $21,000

Bottom line: Check Point combines the Firewall-1/VPN-1 kernel with application proxies capable of blocking both known and unknown layer 7 attacks. The result is an effective, easy-to-manage solution with significant protection against application layer attacks. Critical Web apps, however, may warrant additional safeguards.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Check Point Safe@Office 225

Check Point Software Technologies

Very Good, 8.3

Cost: $495 with 10 VPN clients

Bottom line: The Safe@Office 225 is a standout SOHO firewall -- and not just for its great price. Running a simplified version of Check Point's powerful, complex operating platform, it was easy to configure. It also offers good anti-virus support, Web filtering, and Dynamic DNS by subscription, but it lacks anti-spam support.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Fortinet FortiGate 800

Fortinet Inc.

Very Good, 7.8

Cost: As tested, $16,793; appliance, $11,995; FortiGuard Web filtering service, $4,798

Bottom line: The FortiGate 800 is a solid, enterprise-class firewall device that gives you an all-in-one security solution with gigabit interfaces and excellent VPN throughput. But utilizing all the built-in security features will cost you a significant performance hit. The management interface is well designed with tasks broken down in an intuitive way.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Ingate Firewall 1400

Ingate Systems AG

Very Good, 7.4

Cost: As tested, $3,400; optional QoS module, $810; scaling SIP licenses, range from $150 for 10 licenses to $9,000 for unlimited; scaling traversal licenses, range from $300 for five to $9,000 for 250

Bottom line: The Ingate 1400 is an excellent choice for SMBs looking to exploit SIP-based VOIP. Although it can handle H.323 as well as any other traffic type, the 1400 contains its own SIP server, making it useable as the nerve center for SIP service on the network in addition to a robust perimeter security device.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Juniper NetScreen-5GT Enhanced

Juniper Networks Inc.

Very Good, 8.3

Cost: 10 VPN clients, $495

Bottom line: With an impressive array of features in a tiny box, NetScreen-5GT Enhanced has enough CPU horsepower and advanced features to protect a midsize business. It has excellent VPN and AV support and can handle 250 specific app-level attacks. Configuration is a little difficult.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

NetGear VPN Firewall FVS328

NetGear Inc.

Good, 6.0

Cost: $195

Bottom line: The Firewall FVS328 is fairly easy to configure and offers flexible support for certificates and Dynamic DNS. But it's missing basic all-in-one features such as anti-spam and AV support. In our tests, firmware troubles were made worse by NetGear's attempt to fix them. It needs a little more time to ripen.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ServGate EdgeForce Accel, Version 4.0

ServGate Technologies

Excellent, 9.1

Cost: Base price, $5,995; as tested, $16,990 including McAfee anti-virus and anti-spam modules

Bottom line: ServGate has implemented critically important improvements in both its management console and its product configuration, including smoother VPN setup, easier configuration of remote devices, and policy-based filtering. Raw firewall and VPN performance fell short of the FortiGate 800 in our test, but the EdgeForce Accel performed better under attack.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ServGate EdgeForce Plus

ServGate Technologies

Excellent, 8.6

Cost: $4,000

Bottom line: EdgeForce Plus uses Linux to its best advantage, providing as much or as little advanced firewall functionality as you need. It has excellent application-level firewall support, plus modular expansion that can include AV, anti-spam, content filtering, and even QOS.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

SonicWall Pro 3060

SonicWall

Excellent, 8.7

Cost: As tested, with SonicOS 2.5 Enhanced Upgrade and 225 VPN client licenses, $5,385

Bottom line: The 3060 combines outstanding performance, an easy-to-use management console, and an extensive menu of optional services, including content filtering, anti-virus, and intrusion prevention. Fully configured, it offers a well-rounded security solution -- provided you don't need Gigabit Ethernet interfaces.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

SonicWall Pro 2040

SonicWall

Very Good, 8.4

Cost: As tested, $1,995; IDS service, $995 per year; anti-virus, $387 for 10 users, $980 for 25 or more users

Bottom line: The 2040 takes a more general approach to VOIP traffic, optimizing its NAT traversal, scanning, and logging engines for voice traffic instead of centralizing on a single VOIP protocol. Its enhanced security features and incredibly friendly UI make it a superior firewall choice for SMBs with existing VOIP infrastructure.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Stonesoft StoneGate SG-500-100

StoneSoft Corp.

Very Good, 8.4

Cost: As tested (SG-500-100 and StoneGate Management Center for a single site), $8,950

Bottom line: The SG-500-100 is a solid, if pricey, enterprise-level firewall and VPN solution for remote or branch offices. The Management Center could be more polished but provides good centralized management of multiple appliances. It's a more affordable option for networks with lighter traffic levels.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

WatchGuard Firebox X1000

WatchGuard Technologies Inc.

Fair, 4.9

Cost: $3,000

Bottom line: The Firebox X1000 is a robust firewall that uses proxy technology for speedy deep-packet inspection. But an unintuitive, thick-client management interface and a difficult, time-consuming configuration process make it unsuitable for SMBs that lack dedicated network security staff.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Intrusion detection and prevention

Arbor Networks Peakflow X 3.0

Arbor Networks

Excellent, 8.6

Cost: Typical deployment with Controller and Collector, $100,000

Bottom line: Peakflow X focuses on detecting worm outbreaks. It excels at threat detection, sports a user-friendly interface, and is easy to manage as a distributed system. It's expensive to deploy, however, and requires a skilled administrator.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ISS Proventia G200

Internet Security Systems Inc.

Very Good, 7.8

Cost: Starts at $11,995

Bottom line: Proventia combines signature-based detection and prevention capabilities with a depth of packet analysis unmatched by its competitors, making it a good solution for monitoring and enforcing network policies. But a time-consuming configuration and a complex management interface mean it's less suitable as an everyday IDS.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Lancope StealthWatch 4.0

Lancope

Excellent, 8.9

Cost: M45 appliance, starts at $9,995

Bottom line: StealthWatch tunes into deviations in normal network traffic and host behavior, an approach that enabled it to warn of a Sasser worm outbreak on the test network ahead of our signature-based detection systems. However, network expertise is required to use StealthWatch effectively; novice admins will be challenged.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

McAfee Entercept 5.0

McAfee

Very Good, 8.2

Cost: Management Server, $5,125; standard agents start at $793 for 100; Web and database server agents start at $2,900 for 100

Bottom line: Using signatures and behavioral rules to identify attacks, Entercept 5.0 effectively protects servers and desktops against new and known attacks. It thwarted all of our exploits and yielded no false positives. Reporting isn't stellar, but management is straightforward and flexible.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Palisade Systems SmokeDetector 2.1

Palisade Systems Inc.

Good, 5.8

Cost: $5,000 to $19,000, depending on number of emulated operating systems

Bottom line: The SmokeDetector is an effective, low-interaction honeypot, providing a GUI-based management console and good standard reports. However, it isn't easy to install or use, it offers limited flexibility in configuring emulations, and it lacks emulations of the latest OSes.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Sana Primary Response 2.2

Sana Security

Very Good, 7.9

Cost: Management server, $6,500; server agent, $1,750

Bottom line: Primary Response blocks zero-day attacks, buffer overflows, and policy violations on Windows and Solaris servers. Agents are easy to install, learn normal host behavior automatically, and provide detailed information about attacks.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Snort 2.10 with ACID

Snort.org

Very Good, 7.3

Cost: Free

Bottom line: Snort is a free, flexible, effective rules-based IDS that is difficult to set up and not particularly user-friendly. Multisystem management isn't supported, and reporting and management fall short of commercial offerings. On the plus side, you can use existing rules, which are regularly updated by an active open source community, or configure your own.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

StillSecure Border Guard 4.3

StillSecure/Latis Networks

Excellent, 8.6

Cost: Device, starts at $7,500; maintenance, $1,500 per year (subscription option available)

Bottom line: Border Guard brings ease-of-use, multinode management, and intrusion prevention capabilities to Snort. Installation and setup are fast and easy, the GUI is top-notch, and reporting is excellent, removing all the difficulty of navigating Snort and displaying attacks and payloads.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Network security

Barbedwire DPI 100

Barbedwire Technologies

Very Good, 8.4

Cost: As tested, including firewall, IPS, VPN, anti-virus, anti-spam, and content filtering, $1,495

Bottom line: The DPI 100 bundles everything necessary for Internet security in a 1U box, including firewall, VPN, anti-spam, anti-virus, and content filtering, and it offers additional services via software upgrade. Performance is good, but configuration of some modules is complex and not well-documented.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

BigFix Patch Manager 4.0

BigFix Inc.

Very Good, 8.4

Cost: As many as 1,000 agents, $21.50 per agent for Windows, $58 per agent for non-Windows; quantity discounts available

Bottom line: Scalable and easy to install, BigFix Patch Manager effectively keeps desktops and servers updated and free of security holes. It provides a near real-time view of as many as 75,000 systems and can keep them in compliance with fast, automated patch rollouts.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Check Point Integrity 5.0

Check Point Software Technologies

Very Good, 8.1

Cost: Commercial, $2,500 for 25 users to $48,000 for 1,000 users; GSA, $2,232 for 25 users to $41,667 for 1,000 users

Bottom line: Integrity requires a dedicated server, so you can't share the platform with another application. The default client deployment is clunky, although most companies will use SMS or ZenWorks to deploy the software. Either way, Integrity makes heavy use of Zone Labs' highly regarded firewall technology customized for different platforms, and its superior management interface.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

e-Security v4.2

e-Security

Excellent, 9.2

Cost: Starts at $40,000

Bottom line: e-Security's management suite sorts through the vast quantities of data from the various security products on your network, picks out what's truly important, and compares it with other events using a correlation engine to uncover attacks or vulnerabilities. It presents the data in a clear graphical form that makes it easy to stay on top of security management.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Network Engines Steel-Belted RADIUS Enterprise Edition Appliance Version 2.0

Network Engines Inc.

Excellent, 8.7

Cost: $7,500

Bottom line: This RADIUS server is a scalable, versatile addition to an ISV or corporate network that will simplify life for both the IT and accounting departments. It incorporates Version 4.5 of Funk Software's Steel-Belted RADIUS Enterprise Edition software. The SBR provides impressive, highly customizable control over wired and WLAN user authentication, access, and accounting information.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Guidance EnCase Enterprise Edition

Guidance Software Inc.

Very Good, 7.7

Cost: As tested, $1,600 per seat

Bottom line: EnCase's law-enforcement roots and its capability of integrating with enterprise intrusion detection systems make this one of the more flexible and easily integrated enterprise forensic solutions. Although it's very complex, this type of software is a must-have for companies faced with compliance issues.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

McAfee Active VirusScan Suite and McAfee Desktop Firewall 8.0

McAfee

Very Good, 8.0

Cost: Desktop Firewall, $21.25 to $7.65 per node including one year of support; Active VirusScan Suite, $47.65 to $15.72 per node; government pricing is 25 percent less

Bottom line: McAfee provides an effective anti-virus and firewall combination for enterprise desktops. The management interface is easy to use but experienced a few glitches. Updates can be slow, and policy enforcement is handled by forcing updates rather than quarantine. Additional features are planned that will make this a very well-rounded suite of products in the future.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

nCircle IP360 Vulnerability Management System

nCircle

Excellent, 8.7

Cost: One VnE1000 Manager, one Device Profiler, and 250 IP licenses, $36,250

Bottom line: Although pricey, the IP360 is a thorough, well-designed network vulnerability scanning solution that would benefit any large network. Dispersed scanners allow continuous scanning without consuming a lot of bandwidth, and application detection accuracy is solid.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Network Associates InfiniStream Security Forensics 1.5

Network Associates

Very Good, 8.2

Cost: i1600 (including optional Reconstruction/Replay software, and five consoles), $90,000; Security Forensics Console software alone, $7,500

Bottom line: InfiniStream Security Forensics provides a straightforward way to mine network data and even reconstruct network sessions during investigations of security breaches or network misuse. The ability to ID sources of security issues makes this appliance an invaluable tool.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Oblix ShareID 2.0

Oblix Inc.

Very Good, 8.4

Cost: Identity-provider site, $5,000 per server

Bottom line: ShareID's administration aspects are straightforward, if not elegant, and the ability to deploy prebuilt source-site servers is key. If you aren't looking forward to administering user accounts for every business partner, then you should be looking at ShareID.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

PGP Universal

PGP Corp.

Very Good, 8.3

Cost: Subscription pricing for 500 seats, $20,000

Bottom line: PGP Universal provides straightforward, easy-to-manage client-to-client or gateway-to-gateway encryption. The client handles message encryption and decryption automatically in the background and allows users to manage their own keys. More affordable than competitors, all PGP lacks is a fuller-featured Web-mail portal and more granular mail policy enforcement.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

PostX Enterprise Platform 5.0

PostX Corp.

Very Good, 8.5

Cost: High-availability systems, starts at $35,000

Bottom line: PostX Enterprise Platform provides maximum flexibility with support for encryption at the client or gateway and online and offline decryption. It also features first-rate Web-mail services and excellent mail-handling and routing capabilities. On the downside, the flexible routing engine does increase complexity for policy administrators.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Seclarity SiNic 1.0

Seclarity Inc.

Very Good, 7.7

Cost: Console management software, $10,000; $150 per 10/100 SiNic

Bottom line: SiNic combines hardware authentication and encryption processing on every workstation with a central management console that integrates with Active Directory. The result is a private, encrypted network subject to incredibly powerful security policy enforcement. SiNic is limited by 100Mbps hardware and Microsoft-only platform support.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Senforce Enterprise Mobile Security Manager 2.5

Senforce Technologies Inc.

Very Good, 7.8

Cost: Starts at $89.95 per seat

Bottom line: Senforce EMSM is a great tool for enforcing security policies on client computers. Its capability of pushing a specific policy to a client based on its network affiliation is a great way to keep mobile users in check without being too heavy-handed. Its reporting engine helps you prove compliance, and its support for wireless adapters and access points makes EMSM a great choice for users on the move.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Sigaba Secure Email 5.0

Sigaba

Very Good, 8.0

Cost: One-year license, $46,500

Bottom line: Sigaba Secure Email encrypts e-mail from gateway to gateway, and from client to client via desktop plug-ins and Web-based authentication and decryption. More expensive than its competitors, it lacks a full-function Web-mail portal and requires users to be online to initially decrypt messages (although decrypted mail can be stored locally in the client).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Sygate Secure Enterprise 4.0

Sygate Technologies Inc.

Very Good, 8.1

Cost: $20 to $80 per seat; GSA, $34 to $48 per seat (GSA configurations differ from commercial configurations; both ranges depend on modules selected)

Bottom line: Sygate Secure Enterprise excels at quarantining noncompliant nodes and making sure clients and other systems meet security and operational requirements. This product includes a client firewall but can also enforce granular and flexible policies governing a wide array of third-party products. The management interface is confusing in places.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Symantec DeepSight Threat Management System 5.0

Symantec

Excellent, 9.0

Cost: DeepSight Alert Services annual subscription, $5,000; annual subscription for DeepSight Threat Management System, $15,000

Bottom line: DeepSight is a boon to large enterprises that need a lot of warning to prepare for attacks on vulnerabilities. The service provides detailed intelligence about activities that could be attacks and confirmed vulnerabilities. Information is presented clearly, identifying threat levels and threat trends.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

TeleCommunication Systems SwiftLink 1400

TeleCommunication Systems Inc.

Very Good, 8.2

Cost: Base price, $16,600 (fully configured but without laptop, phone, and rolling case); as tested, $25,240 including Dell Latitude D600 laptop, secure Iridium phone, and rolling case

Bottom line: The SwiftLink 1400 can encrypt communications through nearly any connection method, including wired Ethernet, Wi-Fi LAN, and cell phones. It's not easy to use, and consumer-grade components increase reliability doubts. But it does effectively provide secure communications from anywhere.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Trend Micro OfficeScan Corporate Edition 6.5

Trend Micro

Very Good, 7.2

Cost: Commercial, $21.25 per user for 100 users; government (federal, state, local), $15.94 per user for 100 users

Bottom line: OfficeScan has some excellent features, including its own deployment engine and vulnerability scanner, but it is not without problems. Deploying software to clients didn't always work without tweaks to individual settings that aren't documented, and the anti-virus module didn't always detect our test virus. Capabilities are limited compared with competitors.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Tumbleweed Secure Messenger 6.0

Tumbleweed Communications Corp.

Very Good, 8.5

Cost: 100 managed users, $20,000

Bottom line: Secure Messenger combines nearly universal reach and extensive mail-routing capabilities. It lacks the ability to encrypt at the desktop, but supports a range of delivery methods, online and offline decryption, granular mail policies, and content filtering based on weighted word analysis. Powerful mail handling capabilities raise the level of complexity for admins.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

VPNs

Aventail EX-750 7.2

Aventail Corp.

Very Good, 8.4

Cost: 25 concurrent users, $6,995

Bottom line: For small-to-midsize enterprises, the EX-750 is a flexible, easy-to-install, and easy-to-manage appliance for secure remote access. It comes with all of the necessary plumbing for browser-based access to resources inside the enterprise and its end-point control is first rate.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

F5 Networks FirePass 1000

F5 Networks Inc.

Excellent, 9.0

Cost: 25-concurrent-user license, starts at $9,990

Bottom line: The FirePass 1000 provides remote access to virtually any enterprise network application. It's easy to use and boasts excellent security, offering granular administration of users and groups, compatibility with a wide array of clients and browsers, and easy setup and configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Rainbow NetSwift iGate Pro SSL VPN Appliance

Rainbow Technologies Inc.

Good, 6.7

Cost: 70-concurrent-user license, starts at $22,995

Bottom line: iGate's proxy engines handle both HTTP and non-HTTP traffic, but the SSL VPN currently lacks an IPSec-style tunnel capability and other enterprise-level features. Furthermore, iGate uses a Java applet to modify the host's file to handle SSL VPN redirection.