Shielding Nets from Prying Eyes

Four access-control tools offer solid, selective protection for sites of all sizes.

Rising awareness of network security risks has spurred more vendors to offer access-control solutions. This eWeek Labs eValuation pits two relative newcomers against new releases from two long-established players.

On the side of the Old Guard are Netegrity Inc.s SiteMinder 4.5 and Securant Technologies Inc.s ClearTrust SecureControl 4.5. (These two have been competing so long that even their release numbers match.) The newcomers are PKI (private-key infrastructure) veteran Baltimore Technologies Ltd.s SelectAccess 2.0 and Entegrity Solutions Corp.s AssureAccess 1.1.

Two other products that companies should keep in mind when looking at this category are Axent Technologies Inc.s Webthority, which provides proxy-based access control, and GetAccess, formerly from EnCommerce Inc., being rereleased by PKI leader Entrust Technologies Inc. following its acquisition of EnCommerce.

To evaluate these products, we looked at all of their features and capabilities, from their ability to integrate with Web and application servers to authentication integration and, especially, their ability to easily create and manage access-control rules.

What we found should be good news for businesses looking to lock down access to their Web sites, portals, intranets and extranets. Each product provided good, detailed access- control mechanisms while also offering specific advantages—SiteMinder has broad server and application support, SelectAccess includes excellent management features, AssureAccess supplies well-integrated authentication, and ClearTrust SecureControl offers nearly painless implementation.

In general, these newest releases reveal logical steps forward in the technology. Classically, access-control products work by linking directly with a companys Web servers and user authentication directories. The products then enable site administrators to control access to all elements in a site, not only deciding who can see which Web pages but also providing such detailed control that two visitors looking at the same page might see completely different elements of it. These capabilities make access-control applications a major part of any personalization schemes for e-business sites.

According to David Thompson, senior manager at PricewaterhouseCoopers, in Boston, access control has become an important product for many of its clients, especially for cutting down on the number of log-ins that users have to perform. "Weve had a lot of luck using access control to provide single-sign-on capabilities," Thompson said.

Some companies might wonder about the necessity of these applications. After all, isnt access control built into every Web server already? Yes, but these controls are usually limited in scope and are unable to tie into strong authentication schemes. Access-control products such as these four go far beyond the capabilities found in Web servers.

Businesses implementing access control may find that it benefits both administrators and users by easing management and authentication, Thompson said. "Its one of those rare products thats a win-win for everybody."

Baltimores SelectAccess

Previously, PKI vendors simply partnered with access-control vendors to offer access-control features to customers. These days, PKI vendors are beginning to offer their own products, often with better integration with their PKI than third-party access-control products can offer. Although this is also true of Baltimores SelectAccess, the product does a good job of standing on its own.

SelectAccess was easy to set up, and the product automatically pulled pertinent user information from our LDAP (Lightweight Directory Access Protocol) directory. A very nice and unique feature of this product is its resource discovery capability. The product was able to automatically discover all servers in the test network, and from there it was a simple matter to control access to these resources.

SelectAccess also had one of the best interfaces we saw during the eVal, providing a cross-grid matrix that made it simple to match up access to servers with our directory users. We did run into a few classic Java bugs in the interface, but they were more annoying than problematic.

Prices for SelectAccess, which began shipping in November, start at $20 per user.

Entegrity Solutions AssureAccess

Entegrity has a strong background in authentication products, and this focus showed in AssureAccess, which had some of the best built-in authentication capabilities in access-control products weve seen. Companies with extensive security infrastructure in place will probably find AssureAccess to be a good fit because it works more like an authentication application than a straight access-control product.

For its browser-based management options, AssureAccess requires JSP (Java Server Pages). Sites that dont have JSP support will have to add it via a product such as Allaire Corp.s Jrun, which will add to the setup cost and complexity for sites not using JSP. We installed Jrun to provide JSP support on the test network.

Once set up, AssureAccess tied easily into our LDAP server, and we were able to define our access policies. AssureAccess features built-in support for digital certificates, and we were able to either create our own or import Public Key Cryptography Standard files into the system. It did have a few problems with some Web application servers, forcing us to alter how some content was output.

Prices for AssureAccess, which shipped last month, start at $15,000 for 1,000 users on a single server and go up to $45,000 for unlimited users on a single server.

Netegritys SiteMinder

The granddaddy of Web access-control products, SiteMinder uses server-based agents to provide detailed component-level access control. Although the agents often limited what servers SiteMinder could run on, the product has reached a point where it has agents for nearly everything—including, in this release, the popular WebSphere and WebLogic application servers.

Setup of SiteMinder isnt difficult, but it can be tedious, especially if there are lots of agents to deploy. One potential negative in this release is that the agents for WebSphere and WebLogic didnt work with Java Development Kit 1.2 or later, which could be a problem for sites that are using these long-available Java implementations.

Along with the detailed control SiteMinder has long provided, Version 4.5 adds reverse-proxy capabilities for Apache Web servers, which makes it much more flexible for delivering broad control across a site.

SiteMinder, which shipped in November, is priced starting at $15 per user.

Securant Technologies ClearTrust SecureControl

Version 4.5 includes several welcome new features and improvements to the already solid access-control product from Securant. Administrators are now freed from the products GUI-based management interface and can administer ClearTrust SecureControl via a Web browser. The product still has some of the best LDAP capabilities around, with nearly seamless integration with installed user directories.

If a company is already using the Oracle Corp. or Sybase Inc. databases required by ClearTrust SecureControl, setup is painless and quick. If not, the time and cost of implementation go up quite a bit. Setting up access-control rules was a simple and intuitive task. The product also now has a unique feature that can alter access controls if it detects potential hacker activity.

Some of the agent plug-ins had problems with some Web servers, although workarounds were available in most cases.

Prices for ClearTrust SecureControl, which shipped last month, start at $20 per user.