INFORMATION RESOURCE ENGINEERING INC
DFAN14A, 1998-07-02
RADIO & TV BROADCASTING & COMMUNICATIONS EQUIPMENT



<PAGE>
--------------------------------------------------------------------------------
 
                            SCHEDULE 14A INFORMATION
                   PROXY STATEMENT PURSUANT TO SECTION 14(A)
                     OF THE SECURITIES EXCHANGE ACT OF 1934
 
Filed by the Registrant  / /
 
Filed by a Party other than the Registrant  /x/
 
Check the appropriate box:
 
/ /  Preliminary Proxy Statement
/ /  Confidential, for Use of the Commission Only (as permitted by Rule
     14a-6(e)(2))
/ /  Definitive Proxy Statement
/x/  Definitive Additional Materials
/ /  Soliciting Material Pursuant to Section 240.14a-11(c) or Section 240.14a-12

 
                     INFORMATION RESOURCE ENGINEERING, INC.
                (NAME OF REGISTRANT AS SPECIFIED IN ITS CHARTER)
--------------------------------------------------------------------------------

 
                               STEVEN N. BRONSON
    (NAME OF PERSON(S) FILING PROXY STATEMENT IF OTHER THAN THE REGISTRANT)
--------------------------------------------------------------------------------
 
Payment of Filing Fee (Check the appropriate box):
 
/x/  No fee required
 
/ /  Fee computed on table below per Exchange Act Rules 14a-6(i)(4) and 0-11
 
(1) Title of each class of securities to which transaction applies:
--------------------------------------------------------------------------------
 
(2) Aggregate number of securities to which transaction applies:
--------------------------------------------------------------------------------
 
(3) Per unit price or other underlying value of transaction computed pursuant to
    Exchange Act Rule 0-11 (Set forth the amount on which the filing fee is
    calculated and state how it was determined):
--------------------------------------------------------------------------------
 
(4) Proposed maximum aggregate value of transaction:
--------------------------------------------------------------------------------
 
(5) Total fee paid:
--------------------------------------------------------------------------------
 
/ / Fee paid previously with preliminary materials.
 
/ / Check box if any part of the fee is offset as provided by Exchange Act Rule
    0-11(a)(2) and identify the filing for which the offsetting fee was paid
    previously. Identify the previous filing by registration statement number,
    or the Form or Schedule and the date of its filing.
 
(1) Amount Previously Paid:
--------------------------------------------------------------------------------
 
(2) Form, Schedule or Registration Statement No.:
--------------------------------------------------------------------------------
 
(3) Filing Party:
--------------------------------------------------------------------------------
 
(4) Date Filed:
--------------------------------------------------------------------------------

<PAGE>

Article entitled "Virtual Private Networks" appearing on pp. 36 - 38, 40 and
              42-45 of the June 1998 edition of SC Info Security News Magazine

         [start of page 36] More and more organizations are looking beyond the
physical boundaries of their own sites in a quest to make the best business use
of new technology.

         Data communications between physically remote sites - perhaps for
branch office to head office connectivity, or links between business partners
- have become an essential part of modern business practice. In the past, such
links have been forged using dedicated connections such as leased lines, but
this approach - whilst certainly secure - can prove to be extremely expensive
and inflexible.

         What if the sites are at opposite ends of the country, for example,
or even on opposite sides of the globe? Imagine the costs involved in creating
a dedicated network of such proportions. If such links are heavily used, it
may be cost-effective to take such an approach, but there are many
organizations who may only require those connections for a couple of hours a
day, leaving much unused bandwidth lying idle for the rest of the time.

         We also mentioned a lack of flexibility. Leased lines provide only
fixed point-to-point network connections, which cannot be changed easily -
certainly not without incurring additional cost.

         How, therefore, does one cope with network connections created to
service transient business partnerships, which will no longer be required once
the project is completed? And how does an organization go about servicing its
mobile users, each of whom requires a secure connection to the corporate
network, but possibly from a different location every day?

         Internetworking is becoming the technology platform for a growing
range of business uses: secure access to global resources on the Internet and
other public networks; secure remote access to the enterprise network for
remote users and branch offices; and compartmentalization of the internal
network for enterprise-wide connectivity and security. To meet the rapidly
evolving connectivity needs of today's networks, corporations require an
integrated network security solution that is flexible and extensible enough to
meet their requirements now and in the future.

         Public networks like the Internet provide a flexible and inexpensive
solution for long distance internetworking. Instead of establishing dedicated
lines, enterprises can communicate using the Internet as the "middle man."
Once connected to a local ISP (internet service provider), private networks
can quickly and easily connect to any destination around the world.

<PAGE>

         Organizations with large populations of mobile workers also need to
be able to provide flexible yet secure (preferably encrypted) remote access to
business applications which are located behind firewalls. The same is true of
any organization wishing to implement electronic commerce systems, but the
traditional firewall implementation is not designed to allow such free
movement of traffic.

         A private network that uses some public segments is called a VPN,
and is significantly less expensive and more flexible than a dedicated private
network. Each of the private networks need only be connected to a local
Internet provider, and adding new connections is simple and inexpensive.

         The major disadvantage of a VPN is that, because of its public
untrusted segments, it is insecure. The Internet connection exposes the
enterprise to two dangers: unauthorized Internet access into internal
enterprise networks (break-ins), and eavesdropping on [end of page 36][start
of page 38] and tampering with enterprise communications as they pass over the
Internet. Companies need to know that their private data is not at risk from
being hijacked, tampered with, or even simply being viewed by persons not
authorized to do so.

         The most important considerations for Internet security are:

         Authentication - verifying that the parties on each end of the link 
are who they claim to be;

         Privacy - ensuring that transmitted content is not read or intercepted
by unauthorized recipients;

         Integrity - verifying that the transmitted data is received in an
unchanged state.

         The security risks involved in communicating over the Internet have
deterred enterprises from taking full advantage of Virtual Private Networks.
Doing business over the Internet - including transferring funds, obtaining and
verifying credit information, selling and even delivering products - requires
a reliable and effective security solution.

         Current offerings in the VPN market place are more than capable of
providing secure links between two locations. Some are only capable of
establishing a link between two secure gateways, or firewalls, while others
are designed to provide a client-server VPN, allowing individual remote and
mobile users to establish secure links back to head office from their hotel
room. High levels of authentication and encryption - using digital
certificates and powerful encryption algorithms - ensure that sensitive
corporate data remains private.

         Unfortunately, in the last couple of years we have seen a great deal 
of press coverage

<PAGE>

devoted to Internet security - or rather the lack of it. This makes people
wary of losses through electronic crime and credit card fraud, resulting in
confusion and worry for those businesses who would otherwise be interested in,
and reap a huge benefit from, the adoption of electronic commerce.

         It is important to put these things into perspective, however. There
have always been impediments to business, whether it be highwaymen,
shipwrecks, pirates, bank robbers, or white-collar fraudsters. Each new
innovation brings a new risk, yet whatever the risk, the business community
must learn to adapt, minimize and, at worst, insure against, that risk.

         At the end of the day, moving the computing platform from a
traditional "in-house" model to the apparently insecure model of the Internet
does not significantly increase or decrease the overall risk - we simply get a
new breed of pirate. Firewalls and VPNs are the means by which we can repel
boarders, as we move forward into the world of electronic commerce and
communications.

SPOT CHECK
clPro
Version:          n/a
Company:          RADGUARD
Prices:           $5,950
Phone:            (201) 828-9611
Email:            [email protected]
Web:              www.radguard.com

[IMAGE OF DEVICE]

         RADGUARD believes that specialization allows for higher work specs,
and so takes a different approach to most of the other VPNs on the market.
Since encryption and decryption are resource hungry processes, no matter what
algorithm you use, clPro implements what RADGUARD calls PSP (parallel security
processing) in a turnkey hardware solution.

         Within the clPro box are a number of dedicated processors which
simultaneously perform distinct functions. An encryption/decryption chip
processes the incoming and outgoing information, while an authentication and
integrity chip performs the necessary identification functions.
Simultaneously, the central CPU prepares the next batch of data for security
processing, and a key generation and exchange functions so that new keys are
available the instant they are needed, even in the middle of communications
sessions.

         The clPro's private key is stored in a [text of article continued 
below opinion box]

<PAGE>

OPINION
clPro
Features                                    XXXX
Ease of Use (novice)                        XXXX
Ease of Use (professional)                  XXXXX
Support                                     XXXX
Performance                                 XXXXX
Documentation                               XXXX
Value for Money                             XXXX
Overall                                     XXXX

Comment:
An excellent product for those who require the highest levels of security and
performance. [end of opinion box]

[continuation of text of article] memory chip that is physically isolated from
the other components of the system and sealed in an epoxy substance which
makes the whole thing about as tamper proof as you can get. The whole thing is
based on a secured real-time operating system, which doesn't suffer from the
potential security flaws inherent in general purpose operating systems such
as UNIX or NT. Management is via an intuitive graphical user interface, with
IPSec-compliant protection for all management communications.

         Other noteworthy features include automatic, secure key exchange
(even mid-session), dedicated hardware CA (certificate authority) and remote
user authentication and encryption, providing a client-server VPN for mobile
workers. For those sites who need a firewall as well, the RADGUARD 'family'
includes a separate dedicated firewall card which may be installed in the
clPro box.

FireWall-1
Version:          3.08
Company:          Check Point Software Technologies
Price:            contact vendor
Phone:            (650) 628-2000
Email:            [email protected]
Web:              www.checkpoint.com

Check Point provides both firewall-to-firewall and client-to-firewall VPN
capabilities through its FireWall-1 product.

         Transparent encryption is provided between two FireWall-1 hosts, and
three encryption schemes are supported: FWZ (a proprietary FireWall-1 system),
manual IPSec (a fixed key system), and SKIP (simple key-management for Internet
protocols, which offers improved keys and key management to IPSec). VPN set-up
and configuration is

<PAGE>

straightforward, simply requiring the addition of a new rule to the rules base
via the normal firewall administration GUI (graphical user interface). For
each encryption rule, it is [end of page 37]
[start of page 38] SPOT CHECK
[IMAGE OF PRODUCT]

possible to specify different source and destination addresses (which can
represent entire networks, network services, or individual users), and the
encryption scheme to be used from those listed previously. This allows
multiple encryption schemes to be run concurrently throughout the enterprise.

         Check Point has recognized, however, that remote and mobile users
also require the facilities of a VPN when accessing head office systems, but
will rarely have the benefit of a FireWall-1 system at their remote location.
This situation is handled by SecuRemote, Windows 95/NT client software that
extends the VPN to the desktop and laptop and transparently encrypts all
TCP/IP communications before they leave the remote PC. This allows a secure
VPN to be established between a single client and the 'firewalled' host
systems over dial-up connections. SecuRemote encrypts any TCP/IP communication
transparently, so there is no need to change any of the networking components
or applications on the user's PC. It is also possible to connect a single PC
to a number of different sites, all using VPNs.

         SecuRemote is completely integrated with all FireWall-1 features,
including authentication, logging and alerting. After a remote user is
authenticated, a completely transparent secured connection is established and
the user is treated just as any other user in the VPN.

         The final points worth considering for larger installations are load
balancing and redundancy. FireWall-1 is capable of distributing a processing
load across any number of servers based on a number of user-selectable
algorithms. For sites where continuous operations are of paramount importance,
however, FireWall modules may be installed on multiple machines [text of
article continued below opinion box]

OPINION
FireWall-1
Features                                    XXXXX
Ease of Use (novice)                        XXX
Ease of Use (professional)                  XXXXX
Support                                     XXXX
Performance                                 XXXX
Documentation                               XXXXX
Value for Money                             XXX

<PAGE>

Overall                                     XXXXX

Comment:
The VPN provides a seamless addition to an already excellent product. [end of
opinion box]

which can share state information and mutually update each other. This allows
synchronized firewalls to take over from each other if one of them goes down.

NetFortress VPN
Version:                   3.0
Company:                   Fortress Technologies Inc.
Price:                     contact vendor
Phone:                     (813) 288-7388
Email:                     [email protected]
Web:                       www.fortresstech.com

NetFortress VPN is a combination of four hardware and software products
(namely VPN-1, VPN-2, NetFortress Manager and NetFortress Remote) designed to
provide a secure VPN out of the box, with plug-and-play encryption,
authentication and integrity checking. Coming in two versions, the VPN-1 comes
with twin 10Base-T cards for data transmission in excess of T1 speeds, while
the VPN-3 utilizes 100Base-T cards to provide T-3 capabilities.

         The VPN-1 is available in two types: Host and LAN. The Host unit
provides protection for one client node of a network, while the LAN version
provides security for up to 254 nodes on the same Class C LAN. It may also be
purchased as a Class B type, while the VPN-3 is available as a LAN type only.

         The NetFortress is virtually a self-configuring turnkey (hardware
and software) solution, and neither keyboard nor monitor may be attached to
the box. It therefore cannot be logged into, and all management and
configuration is [text of article continued on page 40]

                               [sidebar article]

                         How to Read the Opinion Boxes

Features:  This illustrates the richness of the feature for the product.

                                                                   Weighting 5

Ease of use (novice): Will users find the product easy to install and
configure, or will it take up too much of their time? Is the product usable
and well documented for users not to require special training?

                                                                   Weighting 4

<PAGE>

Ease of use (professional): Professional users have different concerns from
novice or ordinary users. They will want to implement, manage and roll out a
product within a given time period. How easy is the task of installing the
product?

                                                                   Weighting 5

Support: Is support available outside normal office hours, when things often
go wrong, and how quickly may users speak to technical support?

                                                                   Weighting 3

Documentation: Documentation is vital, since an inappropriate installation
could hinder the user. It is necessary to understand the significance of
choosing certain options. Documentation includes online and context-sensitive
help.

                                                                   Weighting 4

Performance: This shows the performance of the product in West Coast's Test
Lab.

                                                                   Weighting 5

Value for Money: Price itself is not the absolute criterion. You don't want to
buy additional features which are not needed, but are reflected in the price.
But you have to be able to get good value for money since you may want to
implement the product over a small or a large organization.

                                                                   Weighting 2

Overall: With this mark we try to balance the parts of the equation and bring
in factors that other relevant products offer. The aggregated marks are
affected by the weightings attached to each category and not merely the sum of
the individual marks. Please keep this in mind when looking at the Opinion
Boxes.

OPINION
The Product
Features                                    XXXXX
Ease of Use (novice)                        XXXX
Ease of Use (professional)                  XXX
Support                                     XX
Performance                                 XX
Documentation                               XXX
Value for Money                             XXXX
Overall                                     XXXXX

Comment:
Basic PC product. Not the most usable software, despite the graphical front
end, but you get accustomed to it. Suitable for smaller systems. [end of
sidebar article][end of page 38]

<PAGE>

[start of page 40]
[IMAGE OF PRODUCT]

performed, via the NetFortress Manager. Through this intuitive utility, it is
possible to manage every NetFortress unit (or remote user) from a single
console.

         Network managers may dynamically add, remove or reconfigure any
NetFortress unit on the network, and real-time encryption testing ensures that
encryption is taking place with all VPN units at all times. This utility also
provides customized membership and communications status tracking, together
with instant notification and logging of hostile activities and suspected
spoofing attacks.

         NetFortress uses some of today's strongest encryption algorithms
(where allowed), including 128-bit IDEA, 56-bit DES, and 168-bit DES3. Unlike
many VPNs which operate at the application layer, NetFortress utilizes
something called SPS [text of article continued below opinion box]

OPINION
FireWall-1
Features                                    XXXX
Ease of Use (novice)                        XXX
Ease of Use (professional)                  XXXXX
Support                                     XXXX
Performance                                 XXXX
Documentation                               XXXX
Value for Money                             XXXX
Overall                                     XXXX

Comment:
A good price for a well-specified turnkey solution. [end of opinion box]

(Secure Packet Shield) technology which fully automates all encryption
operations at the network layer. SPS handles all critical security functions,
including packet inspection, authentication, data encryption, key exchange,
data integrity and compression.

         Automated key exchange is via encrypted Diffie-Hellman techniques,
and dynamic keys are regenerated automatically at intervals specified by the
administrator. The units may be configured to accept packets from another
NetFortress unit, or to allow unencrypted conversations in either direction
with other non-NetFortress nodes.

         NetFortress Remote is the software sibling of the VPN-1/VPN-3 that is
designed to connect remote workers securely to their corporate network.
Working in conjunction with a VPN-1 at head office, NetFortress Remote
transparently combines dual mutual

<PAGE>

authentication, data integrity checking and the same range of strong (where
permitted) encryption algorithms.

Raptor Firewall VPN
Version:                            5.0
Company:                            AXENT Technologies Inc.
Price:                              $2,500 (25 users)
Phone:                              (888) 440AXENT
E-mail:                             [email protected]
Web:                                www.axent.com

Raptor Systems
[IMAGE OF BIRD AND LOGO]

Virtual private networking is an extra-cost option for the Raptor Firewall
product. A VPN gateway is required at each end of the tunnel in order to
perform encryption/decryption, encapsulation/decapsulation and authentication,
thus providing a secure link between two remote networks. This gateway may be
a Raptor Firewall 5.0, Raptor Mobile or any other IPSec-compliant encryption
device or authentication engine.

         Unlike packets handled by the Raptor Firewall's Telnet, ftp, and
other server applications, VPN packets do not have to be sent up to a protocol
stack for processing. Tunnel traffic is not subject to authorization rules,
and tunnel traffic is not logged. This is because it is assumed that the VPN
[text of article continued on page 42]

                               [sidebar article]
                       TRUSTED FIRST PARTY KEY RECOVERY

         An executive order - regarding Administration of Export Control on
Encryption Products - took effect in the U.S. on January 1, 1997, effectively
allowing all vendors to begin shipping 56-bit key encryption products
worldwide providing that they agree to add Key Recovery to their products
within two years.

         Initial proposals for key recovery are based around the use of the
'Trusted Third Party' (TTP). There are a number of implementations of this,
each of which involves providing a licensed 'Key Recovery Center' (KRC) with
the means to decrypt your encrypted sessions. This proposal has seen strong
opposition from end users who are naturally reticent about allowing copies of
their master keys to be held by an external organization, trusted or not.

         However, the U.S. administration also seems prepared to accept a
'Trusted First Party' (TFP) approach, providing auditable systems are in place
to support it. With TFP, it is still possible to retrieve keys and thus
decrypt data from a particular captured session,

<PAGE>

yet this time the entire process is under the control of the end user
organization. There is no need to deposit any keys with third parties, and
only the end user may obtain access to session data.

         Some security vendors (such as V-One, with its SmartGate product)
already have authorization to supply European companies with strong US
encryption technology. Although initially restricted to 56-bit encryption,
total compliance with the U.S. 'Key Management Infrastructure' (KMI)
initiative will eventually pave the way for the use of 128-bit keys (and
beyond) outside the U.S.

         Another vital breakthrough is the ability to bypass the
much-criticized TTP method of key recovery and implement TFP instead. Under
the terms of KMI, end-users are still required to furnish their keys to
Government agencies on presentation of a court order, but the Trusted First
Party system allows companies to run their own KRC internally, thus
maintaining complete control over all their data, together with the associated
public and private keys. [end of sidebar article][end of page 40]

[start of page 42] connections are only established between trusted networks,
and also that all traffic is encrypted and encapsulated between the two
systems.

         This also allows the VPN to process packets at the IP (Internet
protocol) layer of the protocol stack, rather than having to pass them all the
way up to the application layer. However, for additional security where
required, it is possible to force all tunnel traffic through the application
layer proxies, as well as being able to apply packet filters to tunnels. With
Raptor Firewall 5.0 it is now possible to nest and cascade tunnels. In a
nested configuration, a tunnel is created between two machines on separate
secure networks whose gateways are themselves connected via a VPN tunnel. In a
cascaded configuration, the firewall is the end-point of two tunnels to
separate machines, thus allowing VPNs to be 'daisy chained' together.

         Also with the release of version 5.0 came support for ISAKMP
(Internet security association and key management protocol), which overcomes
the problems of static configurations, and allows Raptor Firewall VPN to
negotiate with its peers to dynamically create IPSec tunnels.

         The RaptorMobile product enables remote PC users to create secure
connections to systems or subnets protected by a Raptor Firewall VPN. Client
support is provided for Windows 95 and Windows NT.

OPINION
Raptor Firewall VPN
Features                    XXXX
Ease of Use (novice)        XXX

<PAGE>

Ease of Use (professional)             XXXX
Support                                XXXX
Performance                            XXXX
Documentation                          XXXXX
Value for Money                        XXXX
Overall                                XXXX

Comment:
A good range of VPN products for existing users of Raptor Firewall systems.
[end of opinion box]

SmartGate
Version:          n/a
Company:          V-One Corporation
Price:            contact vendor
Phone:            (301) 515-5200
Email:            [email protected]
Web:              www.v-one.com

Unlike many of the offerings here, SmartGate is not a firewall in its own
right.

[IMAGE OF PRODUCT]

It actually provides a client-server VPN for all TCP applications, and works
with most currently available firewalls.

         SmartGate includes both a client and a server component which between
them manage the authentication, encryption and fine-grained access control
between client and server. As its name suggests, SmartGate acts as a gateway
to the private network, protecting the privileged resource and only allowing
access to users who present a validated pass. The pass, or user credential, is
validated by means of a user-token that can range in relative strength from a
simple password to smart cards or X.509v3 certificates.

         In addition to being transparent at the application level, SmartGate
is also virtually invisible to the user - the only interaction with the
security system is by entering an authentication code at the beginning of a
secure session. Different methods of authentication may be employed per
application, and on a user-by-user basis, including ISO standard smart cards
for both authentication and stored data, virtual smart cards, FORTEZZA
authentication cards, and X.509v3 digital certificates.

         Once the SmartPass client software has been installed at the
customer's desktop, the client application communicates directly with
SmartPass (treating it as a proxy server on the local machine) which, in turn,
communicates with SmartGate over an encrypted link.

<PAGE>

         While SmartPass manages authentication and encryption between the
desktop and SmartGate, it is the server that manages access control. Within
SmartGate is a complete access control database, allowing the administrator to
assign each user to groups, and to apply user or group-level permissions on
what applications they may access through the server.

         For example, a site might have one group of users that were in the
'customer' group, and were only permitted access to SQL services behind the
firewall, while another group 'staff' could have telnet, POP Email, and ftp
capabilities. This makes SmartGate suitable for corporate remote access as
well as e-commerce applications.

         End-to-end encryption is provided via a 56-bit DES or RC4 mechanism,
while user authentication is accomplished using a mutual challenge/response
authentication for each session that is created. This is a high-security form
of secret-key based authentication, chosen for its performance advantages over
public key techniques.

         SmartGate circumvents the problematic management issues of secret key
cryptography by allowing 'dynamic enrolment', in which a virtual smart card is
securely exchanged with a user, but is left deactivated until the
administrator enables it. The process of creating the user's keys, exchanging
them, and initializing their access control is completely automated and
invisible to the user.

         Environments with more stringent security requirements - such as
on-line banking, for instance - may prefer to issue virtual smart cards on
floppy disks with predetermined keys, or even use real smart cards, all of
which are supported by SmartGate.

OPINION

SmartGate
Features                             XXXXX
Ease of Use (novice)                 XXX
Ease of Use (professional)           XXXX
Support                              XXXX
Performance                          XXXX
Documentation                        XXXXX
Value for Money                      XXXX
Overall                              XXXX

Comment:
SmartGate offers an excellent means of providing secure, fine-grained access
to business applications behind a firewall. It is flexible enough to work with
any TCP/IP application and has the benefit of a Trusted First Party approach
to key recovery. [end of opinion box]

<PAGE>

Stoplock Connect-IP
Version:                   2.03
Company:                   CyberGuard Corp./PCSL
Price:                     from $110
Phone:                     (600) 666-4273
PCSL:                      (800) 733-8065
Email:                     www.cyberguard.com
Web:                       www.pcst.com

Many of you will be aware of PCSL and the Stoplock range of PC and network
security products, covering such areas as [end of page 42]

[start of page 43]
[IMAGE]
system access control, file and application controls, automatic file
encryption, audit, boot protection and smart card systems, amongst others.

         Stoplock Connect-IP is a Windows based (3.x, 95 and NT) communications
product that provides secure, trusted TCP/IP communications between a client
PC and a network domain protected by a CyberGuard Firewall.

         Trust is achieved through strong remote user authentication, and
security is further enhanced by optional encryption of all communications over
the link. No user interaction is required to establish the link, since all
authentication and encryption services are handled transparently by Stoplock
Connect-IP.

         Client configuration is simple enough, first specifying the available
gateways, together with what type of encryption to use - none, Stoplock,
56-bit DES, or 40-bit DES. After configuring a gateway, the next step is to
tell Stoplock what IP addresses are [text of article continued below opinion
box]

OPINION

Stoplock Connect-IP
Features                                 XXX
Ease of Use (novice)                     XXX
Ease of Use (professional)               XXXXX
Support                                  XXXX
Performance                              XXXX
Documentation                            XXX
Value for Money                          XXXX
Overall                                  XXX

Comment:
Although fairly basic, Stoplock Connect-IP is the ideal solution for those
CyberGuard users wishing to implement VPNs. [end of opinion box]

protected by each gateway in order to secure a network. Once configured, the
Stoplock client automatically loads each time a WINSOCK application is invoked
in order to transparently encrypt and decrypt the information passed between
the PC and the appropriate gateway for the specified secured network.

         Every protected Stoplock client session is authenticated by a
gateway, and each user has to be identified and authorized prior to
establishing a client session. This is achieved by the client PC making a call
to the ENCRYPTD daemon running on the CyberGuard firewall, at which point
authentication takes place directly between the Stoplock client and
CyberGuard. Two logical connections are established: from PC to firewall, and
from firewall to internal server. In order to achieve this, a certain amount
of configuration is required to create a number of new packet filtering rules
and entries in the user authorization database.

         The final part of the package is the Stoplock Connect-IP Remote
Administration utility, which enables any number of CyberGuard Firewalls
connected to the network to be remotely administered via a secure link. [end
of page 43]

[start of page 44]
VTCP/Secure
Version:                   n/a
Company:                   InfoExpress
Price:                     from $89
Phone:                     (650) 969-9609
Email:                     [email protected]
Web:                       www.infoexpress.com

[IMAGE OF DIALOGUE BOX]

         As with SmartGate, VTCP/Secure provides a client-server VPN through a
corporate firewall, creating individual remote VPNs for off-site users. The
remote VPN allows users to gain secure access to the corporate network by
encrypting, authenticating and authorizing data sent over untrusted networks
such as the Internet.

         Each remote PC requires the VSCLIENT software, while the VSGATE
component is installed on a machine behind the firewall. Client software is
provided for 16- and 32-bit Windows environments (3.x, 95 and NT), Mac and
Solaris, while the gateway can run on either UNIX or NT. By installing itself
between application programs and the network software - i.e. as a local proxy
- VSCLIENT can transparently encrypt data [text of article continued below
opinion box]

<PAGE>

OPINION
VTCP/Secure
Features                                    XXXX
Ease of Use (novice)                        XX
Ease of Use (professional)                  XXX
Support                                     XXXX
Performance                                 XXXX
Documentation                               XX
Value for Money                             XXXX
Overall                                     XXX

Comment:
A well-specified product which offers excellent client-server VPN
capabilities, though it is not as straightforward to configure as some. [end
of opinion box]

and redirect it to the appropriate VSGATE machine on the protected network.
The gateway then decrypts the data and relays it to the hosts on the internal
network, to which the remote PC appears to be residing on the protected net.
In fact, the remote PC assumes the identity of the VSGATE host, because VSGATE
is executing the network operations on behalf of the remote PC.

         This approach means that no changes are required to either the client
applications or network software, and the whole process is virtually
transparent to the user. For vertical applications, VTCP/Secure may be
configured to tunnel only specific programs - other programs on the remote PC
will behave as if the remote VPN were not present and bypass it completely.
This selective tunneling feature is useful when certain applications require
encryption, while other programs installed on the user's PC must not be
affected.

         The VTCP/Secure gateway provides compatibility with installed
authentication servers through the TACACS+ protocol. If desired, users can
also be authenticated through the built-in one-time password system. Access
control lists are maintained to prevent users accessing resources to which they
are not entitled, and for authentication, VTCP/Secure supports one-time
passwords based on MD5, like S/KEY and OPIE, and also supports the option to
use hard or soft tokens.
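How hash-chain one-time passwords of the S/KEY and OPIE kind resist replay, as an added example that is not from the article or from VTCP/Secure. The class and function names, the seed and the pass phrase are constructed; MD5 folded to 64 bits follows the S/KEY-style construction and is used only because the article names MD5.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """MD5 digest folded to 64 bits by XORing its two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: bytes, seed: bytes, count: int) -> bytes:
    """Client side: hash seed+passphrase once, then `count` more times."""
    value = fold_md5(seed + passphrase)
    for _ in range(count):
        value = fold_md5(value)
    return value

class Verifier:
    """Server side: stores only the last accepted OTP, never the passphrase."""

    def __init__(self, seed: bytes, count: int, last_otp: bytes):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self):
        """Tell the client which link of the chain to present next."""
        return self.count - 1, self.seed

    def check(self, candidate: bytes) -> bool:
        if self.count <= 0:
            return False                  # chain exhausted: re-enrol the user
        if not hmac.compare_digest(fold_md5(candidate), self.last):
            return False                  # wrong secret, or a replayed OTP
        self.last = candidate             # step one link down the chain
        self.count -= 1
        return True

if __name__ == "__main__":
    seed, phrase = b"ke1234", b"constructed pass phrase"   # sample values
    server = Verifier(seed, 5, otp(phrase, seed, 5))       # enrolment
    n, s = server.challenge()
    password = otp(phrase, s, n)
    print(server.check(password))   # first use is accepted
    print(server.check(password))   # the same value replayed is rejected
```

An eavesdropper who captures one password learns only a value the server has already moved past; producing the next one would require inverting the hash.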

         VTCP/Secure also works with, but does not require, firewalls and
routers at the corporate site. To protect against active and passive attacks,
VTCP/Secure uses a Diffie-Hellman (D-H) symmetric key exchange, and public
key certificates. MD5 hashing and sequence numbers are used to validate all
data and ensure that sessions are not tampered with.

         Software compression improves performance by compressing data before
it reaches the modem, although it helps to have a reasonably powerful client
PC to see the biggest performance gains. For large remote VPNs consisting of
thousands of nodes, load balancing and redundancy capabilities ensure
scalability and uptime.

WatchGuard Firebox
Version:                   n/a
Company:                   WatchGuard Tech, Inc.
Price:                     contact vendor
Phone:                     (208)521-8340
Email:                     [email protected]
Web:                       www.watchguard.com

At the end of 1997, the WatchGuard firewall was extended as WatchGuard Firebox
to provide VPN capabilities. Remote User VPN, for linking users on the road to
head office, now comes as a standard with the firewall; and Branch Office VPN,
for linking branch offices, is available as an optional add-on.

         Configuring the Branch Office VPN is virtually fool-proof, thanks to
the VPN wizard which takes the user through the set-up process with
point-and-click ease. It is also possible for the set-up and management of one
or multiple branch office connections to be done remotely from head office,
saving on valuable management time.

         Encryption is 40- or 128-bit RC4, though obviously only the 40-bit
version is available outside the U.S. There does not appear to be any form of
automated key exchange or centralized key management. (Ed: WatchGuard says
that key management will be included in the next release and that automated
key management is scheduled for September). The VPN does have logging
capabilities, however, and has the ability to automatically add source
addresses to a "blacklist" once they have been denied access.

         Once the Branch Office VPN is set up, a secured encrypted link is
automatically created, allowing sensitive information to travel safely between
branch and head office. There can only be one VPN connection between any two
Fireboxes, although one [text of article continued on page 45 after opinion
box]

[IMAGE OF PRODUCT] [end of page 44]

[start of page 45]
OPINION
WatchGuard Firebox
Features                                    XXX
Ease of Use (novice)                        XXXX
Ease of Use (professional)                  XXXXX
Support                                     XXXX
Performance                                 XXXX
Documentation                               XXXX
Value for Money                             XXXX
Overall                                     XXXX

Comment:
A competent VPN solution which is easy to install and very cost-effective.
[end of opinion box]

Editor's Choice

         Each of these products does the job it is designed to do, and it is
thus virtually impossible - and grossly unfair - to attempt to pick an overall
winner. A couple of products did stand out from the rest, however.

         SmartGate provides an excellent client-server VPN solution with a
wide range of features, high levels of security and excellent key recovery
features based on a Trusted First Party approach. For those who require the
ultimate in tamper-proof security in a turnkey configuration, while still at a
reasonable price, clPro is well worth a further look.

[IMAGE OF PRODUCT]

         Firebox may have connections to many different Fireboxes. Nor is it
possible to 'daisy chain' VPNs. (Ed: WatchGuard says that daisy chaining is
possible although not a recommended configuration).

         Remote User VPN allows mobile workers and telecommuters to connect
securely to head office over the Internet. Data encryption ensures that
transmissions are private, and user authentication makes sure that only
authorized users gain access to the corporate network. The system uses
standard PPTP (point-to-point tunneling protocol), which creates a secure
tunnel through which information can flow safely across the public network.

         Once the VPN has been activated, VPN-connected machines are treated
like any other machines that are allowed access to the network. For instance,
to allow VPN remote networks to have access to an internal web server, simply
configure an icon within the firewall allowing communications from the remote
VPN to the internal web server. In this way, even supposedly trusted machines
on a secure VPN are still being controlled by the firewall itself. [end of
article]


