ID, please
Vasco's VACMan/Server proves its mettle in our look at five security server/hardware token combos.
Keeping unauthorized users out of sensitive corporate data files is like keeping teenagers out of Bourbon Street bars. It takes a skillful bouncer to block unwanted visitors, yet ensure that regulars are welcomed graciously.
We found that using hardware tokens with a good security server can make data access fast and easy for authorized users and also keep out the riffraff. While all the security servers we tested were comparable in the levels of security and performance offered, the servers varied widely in manageability, interoperability and price.
Management worries
Token-based systems are inherently more secure than those based only on passwords, but they are also more difficult to manage. Keeping track of 1,000 or more tokens is one problem, but the more substantive concern is managing the back-end security server, also known as the authentication server. This is the platform that holds the user configuration information for the tokens and lets you manage and edit it. It gives the actual gatekeeper, the network access server (NAS), the information it needs to carry out authentication, authorization and reporting.

When it came to management capabilities, VACMan/Server from Vasco was the hands-down winner. Installing the system and adding users couldn't have been easier. VACMan/Server offers an array of access parameters: time, resource, password, number of concurrent logons and more. It lets you create user templates and import users from ASCII, Unix, Unix Remote Authentication Dial-In User Service (RADIUS) and Shiva LANRover files.

VACMan/Server was also the most flexible security server we reviewed. It interoperates with a variety of firewalls and virtual private networks (VPN), and through its Proxy Manager, VACMan/Server can support pretty much anyone else's programmable hardware tokens. Most important, its auditing and accounting capabilities are superb. VACMan/Server's Open Database Connectivity (ODBC) Accountant interface lets you log accounting information in real time to an ODBC-compliant database, which you can then query with any ODBC-compliant reporting tool. Its audit database is comprehensive, and a supplied module lets you build ad hoc reports in Microsoft Access. Vasco even includes a RADIUS test simulator that lets you test the RADIUS interface thoroughly without configuring and deploying a separate test NAS.

Placing second in the manageability category was ActivPack from ActivCard. Adding and managing users with ActivPack is simple, and more than any other security server in this comparison, ActivPack concentrates on the management and administration of the hardware tokens themselves, making it easy to remotely activate, deactivate and reprogram tokens. ActivPack has test utilities that let you confirm that its database and RADIUS components are correctly configured for your client applications before you roll the system out on the network. It also has an easy-to-use utility for customizing user messages in Windows NT Remote Access Server (RAS). However, ActivPack is designed specifically for a Microsoft environment. Although its RADIUS module can authenticate for any RADIUS-compliant client, the product really isn't intended as an authentication server for anything but Windows NT logon, Windows NT RAS or Microsoft Internet Information Server (IIS) applications.

Coming in a distant third for manageability was Secure Computing's SafeWord. SafeWord lets you set user authorization privileges by time of week, time of day, day of week and date locking. As with VACMan/Server, you can specify the number of invalid logon attempts allowed before the system locks a user out. SafeWord also has access quotas, which let you limit the number of times a given token may be used to access the network. However, while adding and managing users in SafeWord isn't difficult, it is clumsy. In fact, everything about SafeWord is cumbersome. Its reporting capability is severely limited, and the best thing you can say about its management interface is that it isn't text-based. Furthermore, while the database and log files hold a fairly extensive amount of data, pulling reports from them is anguishing. Managing the database is most easily done by exporting it to a standard format such as .dbf, making changes in your own database management system and then reimporting it into SafeWord. As for managing the RADIUS interface, keep the documentation close by, and be sure to purchase a few hours of technical support (only the first 30 days are free) before you try it for the first time. Take careful notes during the attempt and store them somewhere safe.

SafeWord's strong point is its elegant method of authentication forwarding. If a guest user tries to authenticate, SafeWord forwards the authentication request to the user's home domain, so authentication domains don't have to be maintained separately at each remote site. Within North America, SafeWord supports only hardware tokens from Secure Computing; ActivCard tokens are supported outside North America. Because of patent limitations, Secure Computing verifies a customer's location before activating support for ActivCard tokens within the SafeWord software.

Defender Security Server (DSS) from Axent Technologies is best suited to those who want one-stop shopping for all their security needs, because interoperability is not its strong point. Case in point: during our test with our Aventail VPN, the connection kept locking up during the challenge/response sequence. After a quick chat with technical support, we learned that DSS isn't guaranteed to work with any VPN but Axent's PowerVPN because of the design of the token's challenge/response feature. To work with DSS, a VPN client must be able to open a terminal window in which the challenge/response exchange is typed character by character. This is disheartening and, in our opinion, a kludge and a potential security weakness: an open terminal window is a great place from which to weasel into a network. DSS doesn't support any hardware tokens other than its own, although software developers' kits are available for building interfaces to other cards. Many network managers won't want to go to the trouble of custom development; for those seeking a soup-to-nuts security system, Axent may be the ticket. Axent's strongest feature is its reporting capability. DSS comes integrated with Crystal Reports and offers 21 report templates that will probably meet most of your needs.

NOS integration and scalability
As it did in the management category, VACMan/Server again distinguished itself in interoperability. It supports Windows 95, NT 3.51 and 4.0, and Unix. It also has optional modules to support NetWare binderies, Novell Directory Services, and firewalls from Security Dynamics and Axent. Through its Proxy Manager, VACMan/Server can interoperate with almost any firewall and VPN, so it can spread throughout your network without becoming troublesome to integrate or manage.

ActivCard's ActivPack is made exclusively for Windows NT, which limits its scalability.

Secure Computing's SafeWord supports tokens from ActivCard, WatchWord and SecureNet, as well as its own. However, while it worked well with a BorderWare firewall, it wouldn't work with the Axent Raptor firewall. SafeWord supports authentication on all versions of Unix, VAX/VMS and NT 4.0 domains, and it supports RADIUS for Windows NT RAS, so that SafeWord's RADIUS server can authenticate users trying to access Windows NT domains. Although SafeWord supports a broad range of platforms and authentication forwarding among them, we think the task of managing them with the cumbersome tools provided would be monumental.

Axent's DSS for RADIUS runs only on NT. Its one-platform support and practically nonexistent interoperability make it a unified security system only for companies that want to buy into a single-vendor framework. Even one-stop shoppers should hesitate over its awkward update procedure: because DSS doesn't query NT domains directly, you have to import the NT domain user data into the DSS database, and you have to do so again each time you change the user authorization information.

Performance and security
We attempted to break into the servers as a hacker would. All of the systems performed efficiently and well, and comparably, with authentication time being negligible. None of the security servers failed our security test.

VACMan/Server outshone the crowd by supporting the broadest array of authentication protocols: RADIUS, TACACS, XTACACS and TACACS+. Its integrated RADIUS proxy module also lets it forward requests to a host of other RADIUS-compliant servers. One of the greatest features of Vasco's offering is not the security server at all, but its Digipass 300 hardware token. Digipass 300 offers a range of features, such as Triple-DES support and optical data entry, that no other token in this review offers.

ActivPack supports RADIUS, Microsoft IIS and Windows NT RAS authentication. That range gives ActivPack tight security for Microsoft- and RADIUS-compliant shops, but rules it out for networks that must support other authentication protocols. Secure Computing's SafeWord supports RADIUS, TACACS+ and SecurID authentication. With its focus on end-to-end security, Axent's DSS offers tight security within a pure Axent environment but limited options otherwise. For example, DSS supports RADIUS only as an option, at an additional $1,000, and, as we mentioned, it supports only Axent's own VPN, PowerVPN 3.2.
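Every server in this review speaks RADIUS, and Vasco's RADIUS test simulator is a way of exercising that interface without a real NAS. The following is an added example written for this page, not code from any of the vendors, that shows what such a simulator does at the wire level under RFC 2865: it encodes an Access-Request with the standard User-Password hiding, answers it the way a server would, and verifies the Response Authenticator before believing the answer. The shared secret, user database, NAS address and port are constructed test values.

```python
"""RFC 2865 Access-Request / Access-Accept round trip, client and server side.
Added example for this page; secret, users, NAS address and port are constructed."""
import hashlib
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator (20 octets)


def encode_attr(atype, value):
    """Type-Length-Value; the length octet covers the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def decode_attrs(blob):
    attrs, pos = [], 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-octet multiple, then
    c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    pad = 16 if not password else -len(password) % 16
    padded = password + b"\x00" * pad
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of the same construction; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, keystream)), chunk
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret,
                         nas_ip="10.0.0.2", nas_port=3, request_auth=None):
    """Client (NAS or test simulator). The Request Authenticator must be fresh and
    unpredictable: it seeds the password hiding and binds the reply to this request."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (encode_attr(USER_NAME, username)
             + encode_attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + encode_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + encode_attr(NAS_PORT, struct.pack("!I", nas_port)))
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(attrs), request_auth) + attrs


def parse_packet(data):
    if len(data) < HEADER.size:
        raise ValueError("short packet")
    code, identifier, length, auth = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("bad length field")
    return code, identifier, auth, decode_attrs(data[HEADER.size:length])


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER.size + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def serve_access_request(request, secret, users):
    """Server side: recover the password, decide, and sign the reply with the
    Response Authenticator so the client can tell it came from the secret holder."""
    code, identifier, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    username, hidden = fields.get(USER_NAME), fields.get(USER_PASSWORD)
    ok = (username in users and hidden is not None
          and secrets.compare_digest(reveal_password(hidden, secret, request_auth), users[username]))
    reply_code, reply_attrs = (ACCESS_ACCEPT if ok else ACCESS_REJECT), b""
    auth = response_authenticator(reply_code, identifier, reply_attrs, request_auth, secret)
    return HEADER.pack(reply_code, identifier, HEADER.size + len(reply_attrs), auth) + reply_attrs


def verify_response(response, request_auth, secret):
    """Client side: returns (authentic, code). Without this check anything on the
    path between NAS and server could forge an Access-Accept."""
    code, identifier, auth, _ = parse_packet(response)
    attrs = response[HEADER.size:struct.unpack_from("!H", response, 2)[0]]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    return secrets.compare_digest(auth, expected), code


if __name__ == "__main__":
    SECRET = b"constructed-test-secret"        # constructed, not a real deployment value
    USERS = {b"alice": b"correct horse"}        # constructed user database
    req = build_access_request(1, b"alice", b"correct horse", SECRET)
    reply = serve_access_request(req, SECRET, USERS)
    print(verify_response(reply, req[4:20], SECRET))   # (True, 2)
```

Two points a "break in as a hacker would" test against the server itself does not expose: the User-Password hiding is only an MD5 keystream keyed by the shared secret, so a guessable secret lets anyone who captured the packets recover passwords offline, and a bare RFC 2865 Access-Request carries nothing that authenticates the request, so a test client should always check the Response Authenticator (as verify_response does) rather than trusting any reply with the right identifier. Those are reasons the shared secret deserves the same care as the token seeds, and why the RADIUS link between NAS and server belongs on a protected network segment.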
Installation, documentation and online help
The quality of each product's documentation varied as much as its other features, and the best performer in other areas failed to follow through here. VACMan/Server's documentation is not only thin in content, it is poorly organized and difficult to follow. Its technical support staff, however, is accessible, responsive and knowledgeable. ActivPack installed smoothly, and its documentation was well organized and informative. Secure Computing's SafeWord has an arcane installation routine and a convoluted scheme for entering licensing and serial numbers, and its online help is skimpy. Customers receive 30 days of technical support free for evaluation purposes; after that they have to purchase a support package if they need further help. Installation of Axent's DSS is simple, which is just as well, because the product has minimal documentation. The vendor's technical support department is available via a toll-free number, and we found its personnel prompt, courteous and knowledgeable.

Keeping out the riffraff
All of the systems we tested provided strong security, and each had unique strong points. For networks with widely distributed authorization, Secure Computing's SafeWord is a solid security server platform with an elegant distributed-authorization architecture. For sites with only Windows NT networks, ActivPack from ActivCard is definitely worth consideration. Network managers looking for a single-vendor, soup-to-nuts security system that includes firewalls, VPNs, and authentication and authorization servers should consider Axent's DSS. With security equal among the servers, however, we think that for ease of management, reporting capability and interoperability with other vendors' firewalls, VPNs and tokens, VACMan/Server was tops. Its performance and reasonable price tag are also definite advantages.

Parnell is a telecommunications consultant and author with more than 18 years of experience in the telecommunications and data networking industry. She has written many articles, columns and product reviews, and is the author of four books on telecommunications, telephony and data networking. She can be reached at RedReviews@aol.com.