Web access control market offers many options

Securant Technologies' product tops the list with its management tools and ties to Check Point firewall.

By Steve Lewis, Steve Wilson and Martin D'Cruze

If you've got a Web site, controlling who gets in and out of your company's Web-based resources can quickly become an administrative nightmare. Fortunately for Web administrators, many Web access control packages on the market can help address this problem.

We evaluated six of them: Entrust's getAccess 4.5, Oblix's NetPoint 4.0, Netegrity's SiteMinder 4.5, OpenNetwork's DirectorySmart 4.5, Securant Technologies' ClearTrust SecureControl 4.5 and Symantec's Webthority 3.0.

Blue Ribbon winner

ClearTrust SecureControl
ClearTrust SecureControl tops our list. Its unique features earn it the Network World Blue Ribbon award: "smart rules" that allow or deny access depending on definable user attributes; a rule-testing feature that lets you select a user account and resource and verify access permissions; and "event actions" that can trigger another task when a system event occurs. These are coupled with its ability to instruct a Check Point Firewall-1 to block a potential hacker's IP address and with a powerful, intuitive interface.

We declared a tie for second place. The features of NetPoint and SiteMinder make each a strong product. NetPoint's Active Automation utility, which provides built-in workflow processes for system events, helped it stand out. SiteMinder's Active Responses feature, which can be fired when certain events occur within the system, also makes this product a serious contender. Both NetPoint and SiteMinder include a test function that verifies rules work as intended before they are applied to actual accounts. Both also let you store the entire program logic in Active Directory with the user accounts, which can reduce the amount of hardware and software required.

The remaining three products, while not as rich in enterprise features as the top three contenders, performed well in our tests. DirectorySmart can audit system events and includes a menu-of-services feature, which creates a customized portal page for each user. Webthority is the only product tested that relies completely on a proxy method for handling Web access rights, which requires no software or hardware configuration changes on back-end content servers. GetAccess has a useful feature that generates an individualized portal page for each user, which can reduce help desk calls from users trying to access controlled portions of your Web site. GetAccess also provides wireless access support with its mobile services component, which can provide a "cookie proxy" where all cookies are cached at the proxy and not sent to the client browsers.

Absolute power or delegation?

All six products we tested can adequately assist in administering a large company Web environment.

It would be a difficult task for any single administrator to stay on top of hundreds of thousands of user accounts. To solve this problem, Web access control vendors use a process called "delegated authority," which simplifies administration by passing certain rights to "sub-administrators." Within the delegated authority hierarchy are two basic types of administrators: the more powerful "super administrator," who has administrative rights throughout the entire system; and the lower "sub-administrators," with delegated duties and administrative rights to a specific set of accounts and/or resources.

In our tests, five of the six products established delegated authority. Symantec's Webthority did not have the ability to create a limited administrative account, so an administrator has absolute powers or none at all.

When it comes to creating and administering users, ClearTrust SecureControl was the simplest and most intuitive. We could create and assign rights to users in minutes. The interfaces for Webthority and getAccess were easy to use, but did not contain as much functionality. DirectorySmart's interface made it easy to complete administrative changes in the system, but we thought some prompts for information were confusing.

The self-registration utilities common in these products let users create their own accounts, which eases the strain on administration. ClearTrust SecureControl, NetPoint and SiteMinder support self-registration out of the box. We liked the self-registration process provided by ClearTrust SecureControl and NetPoint because they required the least amount of work to deploy. The remaining vendors provide the ability to perform self-registration, but require some customization.

ClearTrust SecureControl, NetPoint and SiteMinder also offer a test option that lets an administrator test the security logic they create before applying it to a real account. The test feature makes assigning permissions quicker and less prone to errors because you can test the rights of real users directly instead of using a dummy test account and reassigning permissions to the real user after the test run.

Oblix picked up administrative points because it incorporates workflow support into its NetPoint system that provides a mechanism for keeping administrators alerted when system changes are needed. For instance, an e-mail with a link to the proper URL could be sent to an administrator when someone self-registers and needs further attention. This e-mail could then notify the administrator that permissions need to be assigned to the user.

Remote management of a Web access control system is a vital tool because sites may be hosted in a remote location. All vendors in our test provided some level of remote management via a Web browser. NetPoint, SiteMinder, DirectorySmart, getAccess and Webthority provide full-featured remote administration that is entirely HTML based. SecureControl has two methods of remote control. You can install the Java client or you can use the Web graphical user interface (GUI). The Web-based GUI runs as an applet on the server and provides complete administrative functionality.

Creating logic

For these products to be useful, you must first configure them properly. You will need to configure user accounts and resources, then you will need to create the "logic" of the program. Logic is our term for the rules of the system that permit or deny users from accessing a specific Web resource.

NetPoint, DirectorySmart and SiteMinder can store program logic directly in Active Directory. This method requires a few more steps during the installation process because you have to modify the Active Directory schema to support the information. Scripts are supplied that make the required schema modifications for you. Storing everything in Active Directory means you don't need a second database to house the Web access control product's rule base, nor the administrative overhead of maintaining one. This can also reduce the amount of hardware required. But be warned that your system logs will grow as you use the system, and this can add overhead if you are replicating the information between servers.

ClearTrust SecureControl requires the use of an Oracle database - which is included in the product - to house all the user accounts and rules of the program. Securant has covered the complexities of Oracle with its program, so you really do not need to know much about Oracle to install and use ClearTrust SecureControl. We also used an Oracle database with getAccess because its support for Active Directory was undocumented when we tested the product. Webthority uses a proprietary database to store its program rules.

Security assessment

Each product provides security in real time, meaning that when a user's access is modified, the change is enforced immediately. As part of our test, we changed access from permit to deny while the user was logged on. Each product could deny access, and our next attempt to download the information was blocked.
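The following is an added illustration, not code from the review or from any of the products tested: a small attribute-based rule base of the "smart rule" kind described earlier, with a dry-run test option and rules that are consulted on every request so that a change is enforced immediately. Rule names, URL prefixes and user attributes are constructed.

```python
# Added example, not code from the review or from any vendor's product. It
# models the attribute-based "smart rules", the rule-testing option and the
# real-time enforcement described above. Rule names and user data are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    name: str                                         # label shown in test output
    resource: str                                     # URL prefix the rule protects
    effect: str                                       # "permit" or "deny"
    predicate: Callable[[Dict[str, object]], bool]    # decided from user attributes


class RuleBase:
    """Rules are consulted on every request, so a change is enforced at once."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def remove(self, name: str) -> None:
        self.rules = [r for r in self.rules if r.name != name]

    def test(self, attrs: Dict[str, object], resource: str) -> List[Tuple[str, str]]:
        """Dry run: the rules that match this user and resource, with their effects."""
        return [(r.name, r.effect) for r in self.rules
                if resource.startswith(r.resource) and r.predicate(attrs)]

    def evaluate(self, attrs: Dict[str, object], resource: str) -> str:
        """Explicit deny wins; otherwise permit if any rule permits; default deny."""
        effects = {effect for _, effect in self.test(attrs, resource)}
        if "deny" in effects:
            return "deny"
        return "permit" if "permit" in effects else "deny"


def build_demo_rulebase() -> RuleBase:
    rb = RuleBase()
    rb.add(Rule("finance-staff", "/finance/", "permit",
                lambda a: a.get("department") == "finance"))
    rb.add(Rule("no-contractors", "/finance/payroll", "deny",
                lambda a: a.get("employment") == "contractor"))
    rb.add(Rule("public-site", "/public/", "permit", lambda a: True))
    return rb


if __name__ == "__main__":
    rb = build_demo_rulebase()
    alice = {"department": "finance", "employment": "staff"}
    bob = {"department": "finance", "employment": "contractor"}
    print(rb.test(bob, "/finance/payroll/2001"))        # both rules match
    print(rb.evaluate(bob, "/finance/payroll/2001"))    # deny
    rb.remove("finance-staff")                          # administrator changes a rule
    print(rb.evaluate(alice, "/finance/payroll/2001"))  # enforced immediately: deny
```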

In terms of intrusion detection, all participating vendors could lock out an account after a limited number of unsuccessful logon attempts. SecureControl goes a step further because it can block an intruder at the company's Check Point Firewall-1 by instructing the firewall to block the individual's IP address.

The products tested included support for Secure Sockets Layer (SSL). With the proxy implementation method used by Webthority, however, SSL processing can be off-loaded from the content server to the proxy server, which spares the content server the work of encrypting data. A Web browser contacts the proxy server using SSL, and the proxy server then contacts the content server using straight HTTP.

Authentication methods for these products go beyond the simple user name and password. Other forms of authentication include smart cards and Remote Authentication Dial-in User Service (RADIUS). Additionally, all products we tested support X.509 certificates for use with installed public-key infrastructures.

While basic reporting was included in all the products we tested, DirectorySmart provides an excellent online auditing tool that lets you see a history of modifications, logons and access failures.

SiteMinder ships with a useful troubleshooting option in addition to its basic reporting tool. You can direct any one, or all four services (accounting, administration, authorization and authentication) of SiteMinder to log information to the console screen. With this consolidation, you can see all operations of the system as they happen and can debug issues more easily.

Performance assessment

Our performance evaluation centered on whether the products functioned properly, what redundancy and scalability options were offered and whether the products supported multiple domains.

Every product tested performed well, but ClearTrust SecureControl was the easiest to operate overall.

When it comes to functionality such as redundancy, scalability and load balancing, these products are strikingly similar in execution. All provided component-level redundancy and scalability. While each product uses different names for internal modules, all support several instances for providing systemwide redundancy.

Multiple-domain capabilities - also referred to as single sign-on functionality - are provided through encrypted session cookies. For each domain resource that a user accesses, the Web access control product verifies the user's rights. If the user is permitted access, a cookie is created and downloaded to the client's browser. All six products could log on to multiple domains with single sign-on using cookies.
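As an added illustration (not code from the review or from any product tested), here is a session cookie of the single sign-on kind described above: minted once after logon and checked by the access control component on every later request. The review speaks of encrypted cookies; this simplified version uses an HMAC, which gives the tamper-detection and expiry half of that design, and the key, time values and user names are constructed.

```python
# Added example, not code from the review or from any vendor's product. It models
# the single sign-on session cookie described above. The review says "encrypted";
# this version uses an HMAC so tampering and expiry are detected. Key, clock
# values and user names are constructed for the demonstration.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_KEY = b"constructed-demo-key-replace-me"  # shared by every enforcement point
SESSION_TTL = 600                                 # seconds a cookie stays valid

def _encode_body(user: str, issued: int) -> bytes:
    return json.dumps({"sub": user, "iat": issued}, separators=(",", ":")).encode()

def mint_cookie(user: str, now: Optional[float] = None) -> str:
    """Called once after authentication; the same cookie serves every domain."""
    body = _encode_body(user, int(now if now is not None else time.time()))
    tag = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())

def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is genuine and unexpired, else None."""
    try:
        body_b64, tag_b64 = cookie.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                              # wrong shape or not base64
        return None
    expected = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    claims = json.loads(body)                       # only a genuine body gets here
    current = now if now is not None else time.time()
    if current - claims["iat"] > SESSION_TTL:
        return None
    return claims["sub"]

def tamper_subject(cookie: str, new_user: str) -> str:
    """Swap the user in a cookie but keep the old tag; verify_cookie must reject it."""
    body_b64, tag_b64 = cookie.split(".")
    issued = json.loads(base64.urlsafe_b64decode(body_b64))["iat"]
    return (base64.urlsafe_b64encode(_encode_body(new_user, issued)).decode()
            + "." + tag_b64)

if __name__ == "__main__":
    cookie = mint_cookie("alice", now=1_000_000)
    print(verify_cookie(cookie, now=1_000_100))                             # alice
    print(verify_cookie(cookie, now=1_000_700))                             # None: expired
    print(verify_cookie(tamper_subject(cookie, "mallory"), now=1_000_100))  # None: bad tag
```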

Enterprise features

For our enterprise evaluation, we looked at how widespread each product's support for other components of an enterprise network was. We took into consideration the support for directory services, operating systems and Web servers.

We used Active Directory to store our user accounts. There was some difference in the way programs utilized Active Directory. ClearTrust SecureControl imports user accounts from Active Directory into its user Oracle database. We would have liked to have seen Securant offer direct access into Active Directory, but its import utility worked flawlessly and could even schedule imports on a recurring basis. The import utility only imports new accounts after the initial import.

DirectorySmart, SiteMinder, NetPoint and Webthority directly accessed the Active Directory, and we had no problems accessing user accounts. For getAccess we used an Oracle database because Active Directory support was not documented with the version we tested, but again we did not experience any problems.

While we did not test all the directories supported by these products, there was broad support for directories via Lightweight Directory Access Protocol (LDAP) and Open Database Connectivity (ODBC).

We based our operating system evaluation on which operating systems the program itself resides on. During our testing, we used Windows 2000 or NT, but all products claim to run on Sun's Solaris as well. ClearTrust SecureControl supports IBM's AIX and Hewlett-Packard's HP-UX. SiteMinder also supports HP-UX, and DirectorySmart supports AIX.

There is wide support for Web servers among the products we tested. Microsoft's Internet Information Server (IIS) and iPlanet's Web Server are supported by every vendor tested. ClearTrust SecureControl and Webthority lead in this category because both have support for any make and model Web server in production due to the proxy implementation option. Netegrity has a long list of supported Web servers including Apache, Lotus Domino, IIS and iPlanet. OpenNetwork offers support for the IBM HTTP server.

Unique features

Wireless Application Protocol (WAP) gives Web access to mobile users. WAP does not have support for session cookies, which are used by Web access control vendors to store a user's session ID. We did not test any wireless functionality because wireless support went outside the scope of our methodology. However, getAccess and SecureControl ship with support for WAP including support for Web-enabled mobile phones and wireless PDAs.

Another feature we liked was having the Web access control program automatically create a personalized portal page for each user. A portal page was generated out-of-the-box by getAccess and DirectorySmart. The portal page was customized for the user, only showing links to pages for which the user has access. These pages can be customized to match the look and feel of your Web site. Of course, you could customize the rest of the programs mentioned in this review to create your portal page, but we liked the fact that getAccess and DirectorySmart created one for us automatically.

For the purpose of this test, we defined serviceability as the ability for a program to be customized to work within a company's existing infrastructure. Specifically we looked at what APIs are available to customize each product. Securant's offering of native Java, C and COM was simpler and more extensible than the options offered by other vendors. OpenNetwork offers APIs in Java, C++ and C. NetPoint, SiteMinder and getAccess offered program APIs in C++ and Java.

Webthority lost points in this category because program APIs are not directly available, but you could request that Symantec write one for you. Symantec offers a "payload" or "personalization" feature, which lets you extract information about individuals from their user account.

Webthority was the simplest product to install. We then configured it to point to our Active Directory and changed our Domain Name Server so requests for our Web server were pointed to the Webthority proxy server. Installing ClearTrust SecureControl was straightforward but more involved. We first installed the Oracle database and then the ClearTrust SecureControl program, both painlessly. We also needed to install the Active Directory migration module and point it to the Active Directory before we could import the user accounts into the Oracle database. The installations of NetPoint, SiteMinder, DirectorySmart and getAccess were a little complex because modifications to the user store were required.

The documentation provided by all vendors was pretty detailed and useful, but Securant's was a little more informative and easier to understand than the documentation offered by the rest of the pack.

Although operating these products is fairly straightforward, we urge you to evaluate each product based on your specific needs. All vendors in the Web access control market have their own strengths and use slightly different architectures to accomplish the same end. The good news is that - while we say Securant Technologies' ClearTrust SecureControl is a step ahead of the competition on a number of levels - all the products we tested for this review will provide your company with an adequate level of control over the users going in and out of your network via the Web.


Lewis is an information assurance specialist working at the U.S. State Department. Wilson is a security engineer at GRC International, and D'Cruze is an optical engineer at Corvis. They can be reached at slewis@ex-pressnet.com, swilson@grci.com, and martin@dcruze.com, respectively.

Copyright, 1994-2006 Network World, Inc. All rights reserved.