Custom authentication modules can be written in any language, can use SSL (Secure Sockets Layer) to protect password transmission and can manage accounts in LDAP. But home-grown scripts are hard to maintain, slow, and rarely store passwords with any real protection. Commercial Web-based policy-management packages are a strong alternative for intranet, Internet and extranet applications.
We tested five Web-based policy-management packages. Each claims performance, manageability, scalability, security and reliability, and all support SSO (single sign-on), so a user authenticates once and then reaches multiple resources within the same domain or across external domains. In most cases, our tests showed the products could handle 100,000 connections per hour without a performance hit. Administration scales through a delegated (decentralized) authority model, which lets an organization hand out administrative rights at various levels instead of routing every change through one central administrator.
Most of the products offer several layers of security, including:
« User authentication before a request reaches the Web service.
« Communication encryption.
« Storage for encrypted passwords in an LDAP or standalone database.
« A comprehensive set of logging and auditing features.
Users who hold multiple roles in an organization can take advantage of SSO, while administrators can track activity within their environment and build reports on it. In addition, through the products' APIs, authenticated users can be given a personalized view of the enterprise that shows only the resources they are allowed to reach. This reduces "access denied" errors and failed attempts on protected resources: If users don't know a resource is there, they won't try to get in. Hiding a link is not enforcement, though; the Web server plug-in must still check every request, because a URL can be typed or guessed.
A Clear Winner
We tested Baltimore Technologies SelectAccess, Entegrity Solutions AssureAccess 1.2, Entrust Technologies getAccess 4.5, OpenNetwork Technologies DirectorySmart and Securant Technologies ClearTrust SecureControl 4.5. Netegrity declined to participate, telling us its product is too complex to be accurately tested in a competitive review.
For about six weeks, we tested and compared installations, configurations, customization features and performance results. Of course, all five products perform basic Web authentication and authorization, but we took our tests to the next level to find out how tightly and securely the products integrate with new or existing environments. We ran each product with our database-driven Web site and found that all five offer similar degrees of security. Therefore, we focused our evaluation on ease of integration, product management and performance. Based on these criteria, ClearTrust SecureControl emerged as our Editor's Choice. The package's Java- and Web-based management clients, performance results and custom intrusion detection impressed us the most.
The variety of personalization techniques in each product was a key aspect of our tests. We wanted to use a unique identifier supplied by the product to retrieve existing user profile information from our SQL database. Depending on the product, we retrieved the user's unique ID either from HTTP header variables set by the Web server plug-in or by calling an API to request it from the authentication system. Using that ID as the common key between our database and the authentication system, we could serve personalized content on our Web site. Because the header is set by the plug-in, the back-end application must accept it only on requests that actually came through the plug-in; a client that can reach the application server directly could otherwise supply any ID it likes.
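The header-based variant of this technique, as an added example written for this review rather than code from any of the tested products: a back-end handler takes the user ID from a header, accepts it only when the request carries a token that the plug-in alone knows, and joins the ID to a profile table with a parameterized query so the ID can never become part of the SQL. The header names, the shared token and the profile table are assumptions made for the example.

```python
"""Added example (not code from the review or any of the tested products):
consume the user ID the Web server plug-in places in an HTTP header,
verify the request really came through the plug-in, and join the ID to a
profile table. Header names, token and table layout are assumptions."""
import hmac
import sqlite3

ID_HEADER = "X-Auth-User-ID"       # assumed name; each product uses its own
PLUGIN_HEADER = "X-Plugin-Token"   # assumed: carries a token only the plug-in knows
PLUGIN_SECRET = "replace-with-a-long-random-value"  # constructed for the demo


def build_profile_db():
    """Constructed sample profile table standing in for the site's SQL database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (user_id TEXT PRIMARY KEY, display_name TEXT, role TEXT)")
    db.executemany("INSERT INTO profiles VALUES (?, ?, ?)", [
        ("u1001", "Alice Example", "engineering"),
        ("u1002", "Bob Example", "finance"),
    ])
    return db


def came_through_plugin(headers):
    """Trust the identity header only if the plug-in's token is present and
    matches; compare in constant time so the check itself leaks nothing."""
    token = headers.get(PLUGIN_HEADER, "")
    return hmac.compare_digest(token, PLUGIN_SECRET)


def lookup_profile(db, headers):
    """Return the profile for the authenticated user, or None when the request
    is not trustworthy or the user is unknown. The ID is bound as a parameter,
    never interpolated into the query text."""
    if not came_through_plugin(headers):
        return None
    user_id = headers.get(ID_HEADER)
    if not user_id:
        return None
    row = db.execute(
        "SELECT user_id, display_name, role FROM profiles WHERE user_id = ?",
        (user_id,),
    ).fetchone()
    if row is None:
        return None
    return {"user_id": row[0], "display_name": row[1], "role": row[2]}


def personalized_menu(profile):
    """Show only the resources the user's role can reach (constructed role map).
    This trims the menu; the plug-in still enforces access on every request."""
    menu = {"engineering": ["/build", "/source"], "finance": ["/ledger", "/payroll"]}
    return menu.get(profile["role"], []) if profile else []


if __name__ == "__main__":
    db = build_profile_db()
    request_headers = {ID_HEADER: "u1001", PLUGIN_HEADER: PLUGIN_SECRET}
    print(lookup_profile(db, request_headers), personalized_menu(lookup_profile(db, request_headers)))
```

In a real deployment the token would be set by the plug-in on every forwarded request and stripped from anything arriving from the client; network placement (application servers reachable only from the plug-in hosts) is the stronger complement to this check.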
The most important question we asked before testing the management tools was whether we could comfortably manage a complex user and resource access list for any length of time. ClearTrust SecureControl, SelectAccess and getAccess each provides excellent management features that we found easy to use. We couldn't ask for much more from ClearTrust SecureControl's interface, with its simplicity and live testing features. We were also impressed with SelectAccess' management tools, which are well-organized and offer resource discovery as well as a drag-and-drop policy builder. While no particular feature within getAccess stands out, the product is solid and offers an easy-to-use Web-based management console.
Performance was largely affected by the different techniques for processing and caching user credentials and resources during sessions. In a typical session, the Web server plug-in intercepts a page request, makes a call to the authorization service or local cache to determine if the page is protected, and either challenges the user for credentials or grants access. Depending on the product, credentials are sent using SSL (if activated) to an intermediary authorization server or directly to the directory server. ClearTrust SecureControl performed the most transactions per second, while getAccess petered out far too early.
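The session flow described above, as an added example that is not any product's code: a plug-in intercepts a request, consults its local cache before calling a simulated authorization server for the resource rule and the session, and returns grant, challenge or deny. The policy format, the session store and the cache TTL are assumptions; the server counts its calls so the effect of caching on the number of round trips is visible.

```python
"""Added example, not the tested products' code: a model of the plug-in
intercept with a local cache of resource rules and session lookups.
Policy format, session store and TTL are assumptions for the example."""
import time

# Constructed policy: path prefix -> roles allowed; unlisted paths are public.
POLICY = {
    "/hr/": {"hr", "admin"},
    "/eng/": {"engineering", "admin"},
}
# Constructed session directory, as the authorization server would hold it.
SESSIONS = {
    "sess-alice": {"user": "alice", "roles": {"engineering"}},
    "sess-carol": {"user": "carol", "roles": {"hr"}},
}


class AuthzServer:
    """Stand-in for the intermediary authorization server. Every call here is
    a network round trip in a real deployment, so it is counted."""
    def __init__(self):
        self.calls = 0

    def rule_for(self, path):
        self.calls += 1
        for prefix, roles in POLICY.items():
            if path.startswith(prefix):
                return roles
        return None                      # unprotected resource

    def session(self, token):
        self.calls += 1
        return SESSIONS.get(token)       # None for unknown or expired tokens


class Plugin:
    """Web server plug-in: caches both rule and session answers for `ttl` seconds."""
    def __init__(self, server, ttl=300.0, clock=time.monotonic):
        self.server = server
        self.ttl = ttl
        self.clock = clock               # injectable so expiry can be tested
        self.rule_cache = {}             # path  -> (expires_at, roles or None)
        self.sess_cache = {}             # token -> (expires_at, session or None)

    def _cached(self, cache, key, fetch):
        now = self.clock()
        hit = cache.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]
        value = fetch(key)
        cache[key] = (now + self.ttl, value)
        return value

    def handle(self, path, cookie_token=None):
        """Decide one intercepted request: 'grant', 'challenge' or 'deny'."""
        required = self._cached(self.rule_cache, path, self.server.rule_for)
        if required is None:
            return "grant"               # page is not protected
        if cookie_token is None:
            return "challenge"           # no credentials yet: prompt the user
        sess = self._cached(self.sess_cache, cookie_token, self.server.session)
        if sess is None:
            return "challenge"           # unknown session: prompt again
        return "grant" if sess["roles"] & required else "deny"


if __name__ == "__main__":
    srv = AuthzServer()
    plugin = Plugin(srv)
    for req in [("/index.html", None), ("/eng/build", None), ("/eng/build", "sess-alice")]:
        print(req, "->", plugin.handle(*req))
    print("authorization server calls:", srv.calls)
```

The cache is what buys throughput, and it is also the trade-off to understand: a session revoked at the authorization server stays valid at the plug-in until its cache entry expires, so the TTL bounds both the load on the server and the delay before a logout or lockout takes effect.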
Logging and reporting features were secondary in our evaluation. ClearTrust SecureControl's logging and reporting are well-organized and thorough. The built-in SecureDetector software, designed to monitor and alert administrators about potential attacks, is also useful as an application-monitoring tool. Although no other product offers a comparable feature, we were more concerned with whether each product could generate log files for use with a third-party reporting tool. We found that though each product performed logging, the various levels of detail and formats made the difference. The most detailed and easy-to-read logs came from ClearTrust SecureControl, which logged Web site security and management console usage. Entegrity's AssureAccess audit service wasn't particularly intuitive but did provide versatile logging options.
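To show what an attack monitor of the kind described above does with a product's logs, here is an added example; it is not SecureDetector or any product's code, and the tab-separated log format (timestamp, client IP, user, resource, outcome) and the sample lines are constructed for the example. It raises an alert when one user or one client address accumulates a threshold of authentication failures inside a sliding window, the same logic a third-party reporting tool would apply to exported logs.

```python
"""Added example, not SecureDetector or any product's own code: a detector run
over constructed log lines in an assumed tab-separated format. It flags a user
or a client address with too many authentication failures in a sliding window."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; the format is an assumption, not a real product's.
SAMPLE_LOG = """\
2000-05-01T10:00:01\t10.1.1.5\talice\t/eng/build\tAUTH_OK
2000-05-01T10:00:05\t10.1.1.9\tbob\t/hr/payroll\tAUTH_FAIL
2000-05-01T10:00:09\t10.1.1.9\tbob\t/hr/payroll\tAUTH_FAIL
2000-05-01T10:00:12\t10.1.1.9\tbob\t/hr/payroll\tAUTH_FAIL
2000-05-01T10:00:15\t10.1.1.9\tbob\t/hr/payroll\tAUTH_FAIL
2000-05-01T10:00:40\t10.1.1.9\tbob\t/hr/payroll\tAUTH_FAIL
2000-05-01T10:00:41\t10.1.1.5\talice\t/eng/source\tDENY
2000-05-01T10:05:00\t10.1.1.9\tbob\t/hr/payroll\tAUTH_OK
"""


def parse(line):
    """Split one log line into (timestamp, ip, user, resource, outcome)."""
    ts, ip, user, resource, outcome = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), ip, user, resource, outcome


def detect_bruteforce(log_text, threshold=4, window_s=60):
    """Return alerts (key, count, time) where key is ('user', name) or
    ('ip', addr) and `count` AUTH_FAIL events fell within window_s seconds.
    Keying on both catches one account hammered from many addresses and
    one address spraying many accounts."""
    recent = defaultdict(deque)          # key -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, _resource, outcome = parse(line)
        if outcome != "AUTH_FAIL":
            continue
        for key in (("user", user), ("ip", ip)):
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()              # drop failures outside the window
            if len(q) >= threshold:
                alerts.append((key, len(q), ts))
                q.clear()                # one alert per burst, then recount
    return alerts


if __name__ == "__main__":
    for key, count, when in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {key[0]}={key[1]}: {count} failures by {when.isoformat()}")
```

Successful logins and plain authorization denials are deliberately ignored here; a denied request from an authenticated user is a policy question, while repeated failed credentials are what a lockout or alert should key on.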