Securant's ClearTrust SecureControl outperformed the competition in every category; it has unique features, a superb management console and lightning performance. Although the two runners-up, Baltimore SelectAccess and Entrust getAccess, offer very good solutions, the final tally for best product put ClearTrust at the top.
The ClearTrust environment includes an entitlements server, a dispatch server, an authorization server and a Web server plug-in. All the services installed without errors on our Microsoft Windows NT 4.0 servers, and subsequent installations on our other two Web servers went quickly and flawlessly. ClearTrust uses secret keys generated by the authorization server to secure communication between Web servers and authorization servers. Although this is a manual process, we like the added degree of control over the security keys, a facet not found in other products. The command-line keygen utility, contained on secure CT authorization servers, gave us the flexibility to generate new keys for secure communication between each Web and authorization server.
After setting up the environment, we easily created custom login pages for our pre-existing, forms-based logins. By default, ClearTrust uses a rather annoying pop-up box to request user credentials. However, the product ships with templates for forms-based, SecurID and NT logins. As a result, adding new authentication types is a breeze.
ClearTrust's greatest strength is its management environment, offered both as a Java client and as a Web interface driven by servlets. The Java client is well organized and easy to use, and it provided the fastest response time among the administrative tools of the products we tested. Because our product server was not set up to use servlets, we downloaded and installed Allaire Corp.'s JRun as our Web server for the ClearTrust servlet-management interface. The Java- and Web-based interfaces are identical in design and functionality, so we stayed with the Java client for our tests.
Although ClearTrust's administrative-delegation capabilities are similar to those of the other products, this product has some helpful enhancements. For example, it can track users and resources other administrators have added. This alleviates security concerns regarding administrative control if an administrator leaves the company.
Securant also leads the pack with its SecureDetector component. No other product we tested offers an IDS (intrusion-detection system) with the application and security logging features SecureDetector provides. SecureDetector lets you define a broad range of reports, from password guessing to time-of-day restricted access.
Most impressive, we found no significant performance degradation when using the SecureControl plug-in on our Web servers. In the SecureControl environment, the transaction chain begins with the Web server plug-in, which speaks to a dispatch server. Subsequently, an authorization and entitlements server communicates with the directory server. No user or authentication information is cached by the plug-in, dramatically reducing security risks by eliminating stale data. Repeated calls to the authentication server are the performance trade-off, but it took three Web servers handling more than 2,000 simultaneous connections (logging in and browsing) to raise CPU usage on the authorization and entitlements server above 50 percent. When we stopped our test at 2,400 simultaneous connections, response time was 4.7 seconds per Web page and 569 transactions per second across the entire system. For this test, we considered each file request -- HTML/ASP (Active Server Page), image and so on -- as a transaction.
ClearTrust SecureControl 4.5 starts at $20 per user. Securant Technologies, (415) 315-1500; fax (415) 315-1545.
http://www.securant.com