Among the thousands of new products that appeared in 2000, the editors of Network Magazine recognize 34 that stand out from the rest.

The year 2000 will be remembered as the year the fever broke. Web-only content sites and dubious online retailers came face to face with the actual economy, and the service providers and networking suppliers that drank the most Kool-Aid are the ones with the worst hangovers. The epidemic that began with the dot-coms swept across the Competitive Local Exchange Carrier (CLEC) and ISP population, infected the server and PC markets, ravaged the operating systems vendors, devastated the cellular phone providers, and even wrought havoc on the seemingly immune optical networking manufacturers.

But judging by the winners of our Product of the Year awards, the effects of Internet flu on true innovation in the networking world were negligible. The editors of Network Magazine, with help from our contacts in the analyst, vendor, and user communities, identified 34 new products and services worthy of special recognition. These winners were chosen for multiple reasons: They display significant new capabilities before their competitors can; they represent breakthroughs in performance and price; and they solve problems that affect a wide cross section of the magazine's readers. Taking all of these factors into consideration, a Product of the Year award signifies that a product or service that was available for actual deployment in the year 2000 was the most significant product or service in its category.

If we're lucky, innovation itself will emerge from the Internet plague without a diminished reputation. Much of the Microsoft trial consisted of competing claims about the kinds of competitive practices that foster and impede innovation. Various industry leaders have, in the name of innovation, proposed that enterprises rewrite all of their applications in Java, instructed Oracle customers to leave customization to Oracle, recommended the wholesale replacement of PBX systems with Internet telephony systems, and claimed that the Incumbent Local Exchange Carriers (ILECs) were vulnerable to competition built upon the cable television infrastructure.

So let's celebrate 34 examples of true innovation in the networking industry. These companies came through at a time full of distractions, interruptions, and changing strategies. It's too soon to predict who will win next year's awards, but it seems the contenders will have an easier time focusing on adding value for customers than in the past few years.

Enterprise Backbone Device: Catalyst 6500 (Cisco Systems)

There are two ways to deal with perpetually increasing user demands on a network: throw bandwidth at them, or prioritize the most important traffic. Cisco's Catalyst 6500 does both, with a 256Gbit/sec switching fabric and sophisticated QoS features. It also combines wire-speed Ethernet switching with multiprotocol routing, making it ideal for a complex network that needs to integrate different traffic types.

The 6500 is based around one of two chassis, the 6506 and 6509, which have six or nine slots, respectively. One of these must contain a Switch Fabric Module (SFM), the brains of the device, while the others are free for modules supporting almost every high-speed transport in networking. Gigabit Ethernet cards are available for fiber or copper, each containing 16 ports. Fast Ethernet cards each supply 48 ports. Fully loaded, the 6509 acts as a wire-speed switch for up to 130 Gigabit or 384 Fast Ethernet ports, or as a router interconnecting these with ATM, ISDN, and packet-over-SONET. When that's not enough, a distributed forwarding module allows several 6509s to link together.

But the Catalyst 6500 doesn't win on raw speed alone. Other cards offer improved reliability and security, plus advanced management features. A hot-swappable redundant SFM can take over switching within a second of failure, allowing the main SFM to be repaired or replaced with no service interruption. An Intrusion Detection System (IDS) module monitors for hundreds of different attacks, and can be updated with new hacker “signatures.” The Fast Ethernet modules are available with inline power, allowing the 6500 to act as a giant UPS for low-voltage devices such as wireless access points and IP phones. Included management software allows network administrators to restrict or prioritize traffic by protocol or port.

The 6500 also uses cards intended for the less-powerful 6000 series, providing an even wider range of connectivity options. These include modules for Voice over IP (VoIP) and interconnection to an analog PBX. Combine these connectivity options with its blazing speed, and the 6500 is equally at home in the carrier or corporate core network.

Content-Aware Switch or Traffic Manager: ACEdirector 4 (Nortel Networks Content Networking Business)

Content Delivery Networks (CDNs) are one of the few new technologies that have found a ready market, pushing oft-requested data closer to the end user for better performance. Public and private networks, driven by greater e-commerce and application-aware transaction demand, have embraced CDNs and caching. You need to switch on layers 4 through 7 for optimal security, QoS, load balancing, and general traffic management.

Our pick for Content-Aware Switching goes to Nortel Networks via its Content Networking Business acquisition. Several vendors have excellent products here, with slightly different foci: Top Layer dominates in the security space, for instance, and Cisco Systems' Arrowpoint is the strongest competitor to Alteon. But we went for Alteon's switch performance and layer-7 logic. Capable of fitting into almost any network architecture (at the edge of the network or closer to the server farm), the ACEdirector 4 switch has great throughput, performance (it actually performs more transactions per second at layer 7 than at layer 4!), and scalability, and can filter on port, protocol, URL, VLAN, cookies, application, and so on. Other capabilities include layer-4 to layer-7 QoS support, firewall and VPN load balancing, application and Web-cache redirection, rate shaping and limiting, and extensive health checking, including ping, TCP port checks, and the ability to pull content pages.

The WebOS is also highly rated, supporting Call Level Interface (CLI) and Web configuration and management, as well as additional load balancing, bandwidth management, QoS intelligence, and stateful failover. Though not the easiest device to configure, it's well suited for a service provider based on its raw firepower. Proof lies in the number of customer wins for both the ACEdirector 3 and 4: Loudcloud, Verisign, Orange, and iWon.com, to name a few. Its success is partly due to its per-port ASIC design, which outperforms the competition's centrally designed implementations.

Nortel has unveiled plans for its personal Internet initiative, which will use the Alteon product line to bring personalized and customized content to customers. Though Alteon is just one piece of the product portfolio behind this strategy, it's the key to recognizing end-user ID characteristics and application attributes at layer 7.

Local Loop Access Device: Accelerator AN-32 Integrated Access Device (Accelerated Networks)

Integrated Access Devices (IADs) reside at the customer premises and consolidate multiple WAN lines into one, obviating the need to maintain separate WAN connections for voice and different flavors of data. And if this aggregated traffic exceeds the capacity of a T1 connection? Enter the Accelerator AN-32 Integrated Access Device from Accelerated Networks. The AN-32 IAD thinks bigger than just one T1 or DSL line: the uplink to the service provider is actually four T1s acting as one.

The sexiest aspect of the AN-32 is a little thing called Inverse Multiplexing over ATM (IMA). On the WAN side, the AN-32 supports four ATM T1 circuits, aggregated by IMA and load balanced to furnish the equivalent of one high-speed connection for all enterprise voice and data traffic. Not only does this afford greater-than-T1 service, it also offers greater resiliency: If one T1 goes down, Internet access and voice don't necessarily follow.

The AN-32 offers G.726 voice compression, support for VPNs, and full PBX functionality, and leverages ATM's QoS expertise. On the LAN side, two digital DS1 interfaces (48 DS0s) or 16 analog FXS ports provide voice support. Data access includes one 10/100BaseT Ethernet port and two serial ports for frame relay. Other features include Network Address Translation (NAT), Network Address Port Translation (NAPT), DHCP server functionality, and DNS relay.

The AN-32 is only half of the picture, however. The brains behind the operation is the Accelerator AN-3200 Multi-Service Access Platform (MSAP), which resides either at a service provider POP or Central Office (CO) and can manage and configure customer-premises IADs remotely. With AN-32 IADs at customer locations and the AN-3200 MSAP at a POP or CO, Accelerated Networks provides an end-to-end voice and data solution.

Wireless LAN: Spectrum24 HR AP 41X1 (Symbol)

As wireless LANs have gone mainstream, IEEE 802.11b has emerged as the industry standard. With an independent alliance (www.wi-fi.org) that ensures interoperability between more than fifty vendors, PC Cards and access points now seem like commodities. But there's still room for innovation in areas such as QoS and security, as demonstrated by Symbol's Spectrum24 HR series.

Like other 802.11b access points, the Spectrum24 HR AP 41X1 acts as a switch between 10/100 Ethernet and up to three separate wireless segments, each with a theoretical maximum capacity of 11Mbits/sec. (Real throughput is typically no more than 7Mbits/sec, thanks to interference from microwave ovens, cordless phones, and other equipment that uses the same 2.4GHz frequencies.) It can communicate with an unlimited number of wireless nodes up to 90 meters away and is backward-compatible with older 2Mbit/sec 802.11 Direct Sequence Spread Spectrum (DS/SS) cards.

QoS is more important in a wireless network than a regular LAN because interference can suddenly reduce the amount of available bandwidth. Unfortunately, the 802.11b standard is based on Ethernet (and hence is often called “Wireless Ethernet”), so it includes no traffic prioritization features. Symbol added its own to the AP 41X1, ensuring that scarce bandwidth is allocated to the most important applications. The scheme is proprietary and only works with devices made by Symbol or its partner Ericsson, but these include more than just PC Cards. Symbol has a range of Voice over IP (VoIP) wireless phones, which score above the standard cordless variety in spectral efficiency and data capability.

Standard 802.11b includes an encryption system called Wired Equivalent Privacy (WEP), but it's so awkward that many users ignore it, allowing anyone with a packet-sniffer and a radio to eavesdrop. Even when implemented properly, WEP requires that everyone use the same key (inconvenient in a public building), and if one device is lost or stolen, the entire network segment is compromised. Symbol's access points and cards do support WEP, but are also designed to work with Ericsson's WLAN Guard, which generates a separate key for each node, ensuring that each receives only its intended traffic.

Fiber-Based Access Device: QB100 Intelligent Optical Terminal (Quantum Bridge Communications)

Many promising vendors have announced products that sit at or near the customer premises. These usually work with a public network edge counterpart to provide greater bandwidth, and afford the end user or provider greater control and flexibility over their capacity. But promising players such as Appian Communications and Luminous Networks are still in beta, exemplifying the embryonic state of the market.

Our vote goes to Quantum Bridge Communications' QB100 Intelligent Optical Terminal, customer premises equipment (CPE) for the enterprise that works with the QB5000 Optical Access Switch (which sits at the provider CO). The system provides T1/E1 and 10/100 Ethernet for both voice and data. More importantly, and crucial to our selection, it's designed for ATM-based Passive Optical Networking (PON), an access network topology popular among Competitive Local Exchange Carriers (CLECs) and Incumbent Local Exchange Carriers (ILECs), which bank on its low-cost infrastructure model for their own access buildouts. PON avoids using expensive active electronics in the outside plant; instead, fiber runs past a cluster of users, with splitter feeds branching off from the main trunk to the end user. Big cost savings and easier provisioning make PON well suited to the RBOCs' DSL access plans. RBOCs also like ATM in the local loop, so QB is covered there too.

We also like Quantum's ability to empower the provider and end user with flexible bandwidth control. QB Vision, the network management platform, permits bandwidth to be dynamically modified as needed in increments as small as 64Kbits/sec, or up to 2.5Gbits/sec. You can also make changes according to time of day, and set different service levels based on business events such as nightly updates, weekly videoconferences, and so on. Performance monitoring stats can be accessed via the Web. Customers such as ATG, Comcast, and Time Warner Telecom haven't seen fit to extend this functionality to end users, but the option exists and should be rolled out shortly.

Internet Core Device: MultiWave CoreDirector (Ciena)

The network core is accorded less attention than the edge these days, but remains equally relevant since the “big dumb pipes” approach is being rethought. More and more, vendors are trying to bring greater intelligence to the core, rather than letting the edge do all the work of aggregation, grooming, and multiplexing. The high expense and operational overhead of SONET add/drops, as well as optical regeneration in the core, is exacerbated by increasing Dense Wavelength Division Multiplexing (DWDM) traffic, and threatens carriers with spiraling management costs unless they can reduce spending while creating revenue-generating services. And the solution must scale with only limited manual supervision.

Enter Ciena's MultiWave CoreDirector (CD), an intelligent optical networking core device that can switch 640Gbits/sec (supposedly scalable to 38Tbits/sec) at OC-3 to OC-192, with wavelength granularity down to STS-1. Such flexibility is crucial and permits the CD to act as a SONET Add/Drop Multiplexer (ADM), digital cross-connect, and optical cross-connect in a single unit. This ability to perform multiplexing, aggregation, switching, and traffic management reduces regeneration chores and capital expenditures by 30 to 70 percent.

New service revenues will come from its LightWorks Operating System, permitting the CD to provision wavelength paths quickly across the network for priority-based services and paving the way for just-in-time, bandwidth-on-demand applications. In addition, you can provision multiple concurrent protection schemes, supporting tiered services for different customers or applications, including simultaneous ring, linear line, and path-level fast mesh restoration.

A few similar products (the Sycamore 16000, for instance) have hit the market, but the CoreDirector leads in market share with at least 10 customers, including Williams Communications, Level 3, Broadwing, Genuity, and McLeodUSA. Most of the big backbone providers are taking a long look. Expect more of the same in 2001 and 2002, especially when carriers begin to bring their provisioning capabilities fully online.

Wireless WAN: Ricochet Wireless Modem (Metricom)

Plenty of vendors talk about the wireless Web, but Metricom is the only one able to offer it right now. Instead of “compact” sites or new protocols, its Ricochet delivers what most of us really want: bandwidth. The stated capacity of 128Kbits/sec doesn't sound fast compared to fiber or DSL, but it's more than 10 times better than any other wireless system in the United States.

The Ricochet Wireless device is the same shape and size as a regular external modem, and installs via a PC or Mac's Universal Serial Bus (USB) port in the same way. Aside from the lack of wires, the only noticeable difference is that it's around twice as fast. Real throughput is usually at least 100Kbits/sec, and that's full duplex, so users can send as well as receive large e-mail attachments. Dialing is also fast, and establishes a TCP/IP connection often within one second.

The modem is available in two models: the plastic GS and the stronger metal GT. They are identical internally, and both can attach to the back of a laptop using strong Velcro straps. This is a bit awkward, so Metricom is also licensing the technology to PC Card manufacturers Sierra and Novatel, whose products (released in 2001) fit inside a laptop or even an iPAQ. However, the larger modems do have one advantage: battery life. Rather than leech the PC's power, they include their own battery, which can sustain five hours of continuous surfing.

The GS and GT both cost $99, but are sometimes given away free by service providers anxious to hook users into a $70 per month contract. By wireless standards, this is a bargain: Most carriers charge $50 for CDPD, whose maximum throughput is between 2.4 and 9.6Kbits/sec. Third-generation (3G) mobile networks should eventually overtake Ricochet in the high-speed Internet race, but these will take at least six years to reach the United States. (See “America On the Couch.”) Ricochet is already available in 10 major U.S. cities, and building out to 46 more. If you can justify the cost to your accountants, try it.

Storage Management: ARCserve 2000 Advanced Edition (Computer Associates)

The flood of corporate data created every minute of every day is reaching biblical proportions. Besides needing somewhere to put it all, network administrators have to ensure that this data is available on demand. Thus, administrators awash in this sea of information turn to storage management to keep afloat.

The aptly named ARCserve 2000 Advanced Edition from Computer Associates does an admirable job of permitting administrators to control, rather than be controlled by, their storage needs. ARCserve 2000 offers a host of features designed to simplify and centralize storage management.

The Advanced Edition is targeted at medium to large organizations with heterogeneous operating environments. A central database acts as a one-stop administration console, granting device management, job log review, and centralized reporting for multiple devices across the enterprise. All storage-related information, including job logs, event logs, and device information, is contained in the database. A Web-based GUI provides remote management of every storage task.

A major feature of ARCserve 2000 is its serverless backup option, which enhances the benefits of Storage Area Networks (SANs). Serverless backup takes the backup and restore data off of enterprise servers and transfers it directly between disk and tape, freeing the servers' CPU resources for other mission-critical processes.

Computer Associates has also integrated its anti-virus engine, InoculateIT, into ARCserve 2000. The engine scans for viruses during backup operations and automatically cleans infected files, preventing viruses from being inadvertently unleashed if infected files are restored.

Other tools include an Image Option, which makes block-level images of data instead of processing them file by file. This dramatically increases the speed of backup and restore operations. Backup Agents for Databases protect popular database packages, including Oracle, Microsoft SQL, and SAP R/3.

The Client Agents for the Advanced Edition support Windows NT/2000, Unix, NetWare, Linux, and OS/2.

Server OS: Windows 2000 Advanced Server (Microsoft)

Despite the incursion of Linux and new releases of competing NOSs from Microsoft's traditional competitors, Gates and Co. still command a huge swath of the OS market. In Windows 2000, the company has released a product that may finally be worthy of its installed base.

Targeted for file and print sharing, desktop and resource management, as well as e-commerce applications, Windows 2000 Advanced Server touts itself as a complete networking solution. It's got a mile-long list of features to prove it.

Perhaps the most significant element of Windows 2000 is Active Directory (AD). As a built-in directory service, AD provides a centralized authority for administrators to manage users, clients, servers, and applications. Using AD, administrators can automatically distribute software across the enterprise and exercise fine-grain control over user access to system resources. AD supports security functions such as Kerberos, X.509 digital certificates, and smart cards to provide strong user authentication.

The Microsoft Management Console lets administrators control all functions of Windows 2000, including AD, from a central location. It sports a graphical user interface and works with AD to create and distribute management policies for both users and machines.

Reliability problems with Windows NT will certainly haunt adoption of the new OS, but analyst and customer reports of Windows 2000's significantly improved reliability may banish those blue-screen ghosts. In addition to stabilizing the OS, Windows 2000 adds a Kill Process Tree, which lets an administrator stop a process that's going bad without rebooting the system.

Windows 2000 Advanced Server also takes availability seriously with its clustering and load-balancing capabilities. The Cluster service authorizes two servers to connect, providing automatic failover if one goes down. Multiple clusters can be managed from a single location. The Network Load Balancing (NLB) feature lets administrators distribute traffic across as many as 32 servers to help share traffic loads.

Advanced Server turns up the juice in processing power and memory by supporting eight-way Symmetric Multiprocessing (SMP) for Intel's Profusion chipset. It also supports up to 8Gbytes of RAM.

The COM+ development environment is also integrated into the product, as is an Extensible Markup Language (XML) parser that lets Web servers exchange XML-formatted data.

High-Availability System: NSI Double-Take for Windows 2000/NT 4.0.1 (NSI Software)

As networks become more and more dispersed and distributed, and their applications more mission critical, high availability is a high priority. In addition, increasingly diverse combinations of backup and storage equipment in the network have created the need for high-availability systems that leverage investments in existing equipment while accommodating future requirements.

These are just a few of the factors that make NSI Software's Double-Take for Windows 2000/NT, version 4.0.1, a significant release. The system provides mirroring, replication, failover, and restoration, with some intriguing twists.

Double-Take for Windows 2000/NT can be used in a wide variety of clustering environments, including Microsoft Cluster Service and Novell NetWare Cluster Services. The system can automatically reconfigure replication as resources move between various nodes within a particular cluster. The product also lends itself to a wide variety of configurations, including a relatively complex “multilayered” configuration that could come in handy when load-balancing requirements are high.

Double-Take for Windows 2000/NT is also compatible with products from numerous other storage vendors, including Veritas, Legato, and Computer Associates. This can help users leverage existing investments, mitigate compatibility problems, and eliminate the need to purchase additional components that would otherwise be required to construct or complete certain high-availability configurations.

The product also scores high on resource utilization. For example, it can mirror a database file and then replicate only the byte-level changes (deltas) in the file, on a real-time basis. A bandwidth throttling feature lets you transmit data at varying speeds, and you can establish limits on the basis of bandwidth percentage. Double-Take for Windows 2000/NT also has a tool that lets you estimate in advance the amount of bandwidth a particular configuration would require, and thus determine what impact that configuration would have on resource utilization. This feature can be particularly useful when transmitting to a remote location via a WAN (for example, establishing cluster nodes on an offsite location such as a branch office).

Double-Take for Windows 2000/NT, version 4.0.1, incorporates elements that can significantly ease the potential pain, and help minimize the expense, of implementing a high-availability solution in an increasingly distributed and diverse networking environment.

Directory: NDS eDirectory 8.5 (Novell)

Whether or not variety is the spice of life, it often seems to be the bane of network life. If Calgon is listening, managers of enterprise networks could really go for a magic bath gel that makes all the complexity transparent to the administrator. At least for directory services, there's NDS eDirectory from Novell. eDirectory wins this category for the second year running because when it comes to managing directory data across different platforms, no product rivals its broad platform support and replication dexterity.

First venturing from the NetWare nest in May 1999, eDirectory makes itself at home on most leading operating systems (Windows NT/2000, Linux, Solaris, and most recently Compaq Tru64 Unix) without requiring a NetWare server to perform back-end directory functions. Users also say that Lightweight Directory Access Protocol (LDAP) integration improved substantially with version 8.5, and synchronization and replication are cited as key strengths. Novell also impresses with demonstrated mastery of up to one billion objects.

There is a great schism in the directory services world: Are you looking for speed, or will it serve as your general-purpose directory that handles authentication, authorization, and everything else you need in it? Novell must concede to the competition in performance metrics such as how fast it can bulk-load the LDAP directory from scratch, but high-speed bulk-loading isn't a deal-breaking feature for the majority of enterprises. What many want is a single source for IT objects and all user profiles, in order to bridge islands of data into a unified directory structure. In this regard, eDirectory is king.

DirXML, Novell's answer to the eternal metadirectory question, has connectors from eDirectory to Active Directory, iPlanet Directory Server, Lotus Notes, and Exchange. The technology shipped in 2000 but was not bundled with eDirectory. DirXML, though still in its infancy, may forge the future of eDirectory, which seems likely to determine the future of Novell.

Server Storage: Symmetrix 8730 (EMC)

Storage giants take large strides. When EMC went about beefing up its popular Symmetrix line of Storage Area Network (SAN) disk arrays, it basically multiplied everything by two. A pox on incremental improvements!

The EMC Symmetrix 8730 disk array stows away up to 19.1Tbytes of data storage on up to 384 disk drives, and the company has revved internal bus speed to 1.44Gbytes/sec. Cache size similarly has doubled to 32Gbytes, no doubt the result of peer pressure from other enhancements. All of these numbers represent 100 percent increases over the Symmetrix 5000 series.

With both SCSI and Fibre Channel connectivity options, the Symmetrix 8730 supports Windows NT/2000, Linux, Unix, IBM mainframes, and IBM AS/400 environments. Configurations often entail an EMC Celera Network Attached Storage (NAS) file server on the network serving as the front end to a Symmetrix-based SAN, and Symmetrix is compliant with all leading SAN switches.

Customers like the stability of an established storage vendor, and data protection tools such as Symmetrix Remote Data Facility (SRDF) and TimeFinder keep customers satisfied and coming back for more. Flagship software SRDF performs data mirroring between Symmetrix devices, and EMC's TimeFinder platform enables administrators to use up to eight active data snapshots for data warehouse refreshing, application testing, and so on, without shutting the system down or otherwise disrupting network operations.

Many networks aren't currently shopping for a 19.1Tbyte SAN server, but with the way information proliferates and business pivots on the availability of key data, hefty storage needs are never outside the realm of possibility.

Network Server: ProLiant DL360 (Compaq Computer)

Data center real estate is like Silicon Valley real estate: You pay a king's ransom for property that, at times, lacks even the charm of a strip mall. Companies paying colocation rent want to pay less, so Compaq built the Compaq ProLiant DL360 network server as dense as they come.

Limboing into enterprise and service provider premises at an impressive 1U, the rackmount server comes armed with dual 800MHz Pentium III chips, 256Kbyte cache, a 133MHz frontside bus, and up to 4Gbyte ECC Synchronous DRAM (SDRAM) memory. Two 18.2Gbyte Wide Ultra2 SCSI disks, hot-swappable from the front of the unit, furnish a total internal disk storage of 36.4Gbytes. The unit ships with both floppy and CD-ROM drives.

With two 133MHz PCI slots (one each of the 32-bit and 64-bit varieties), a main contender for one of them will be the adapter for the system's Remote Insight Lights-Out tool, which enables a Web browser to manage the server off-location. This full remote functionality emerges as a huge advantage when you're talking about lights-out data centers, where hands-on troubleshooting isn't an option. Users laud the ease of rebuilding the Compaq servers from the ground up, and Compaq's Insight Manager management utility also gets gold stars.

Optimized as a Web server or application server, the form factor of the DL360 lends itself best to environments that demand flexibility and scalability. The system ships with two 10/100Mbit/sec Ethernet NICs and an internal Wide Ultra2 SCSI RAID controller that plugs into the motherboard to support hardware-based RAID 0 and 1. Operating systems Windows NT/2000, UnixWare 7.1, and NetWare 5 are all supported.

The DL360 steps out of its weight and height class to snag the server title for all the little guys out there. It may not outslug a larger server with more processors and disk drives, but when it comes to scrappiness, the DL360 proves that even featherweights can pack a hefty punch.

Network Anti-Virus: eSafe Enterprise 2.2 (Aladdin Knowledge Systems)

Virus writers and virus defenders seem locked in a perpetual cycle: The virus writers launch attacks, and the virus defenders scramble to concoct defenses. Then the virus writers design new attacks, and the battle starts afresh. However, several security vendors set out to break this cycle by developing solutions that stay a step ahead, rather than a step behind, the assailants.

One such vendor is Aladdin Knowledge Systems. Its eSafe Enterprise 2.2 client sits on each user desktop in the network. It combines several technologies to offer proactive protection against viruses, macro viruses, worms, and malicious mobile code such as Java applets and ActiveX controls.

The eSafe client functions like a standard anti-virus scanner by examining files for known viruses. Regular updates keep the scanner abreast of the latest threats. However, Aladdin also backs up its scanner with behavior blocking. Viruses, whether known or unknown, must execute specific functions to replicate themselves, such as attaching code to boot sectors or tampering with program files. The eSafe client monitors for such behavior, halting new attacks not identified by the scanner.

Aladdin deals with mobile code through its Sandbox II technology. Whenever mobile code is executed on the desktop, Sandbox II monitors the system resources that it tries to access. A predefined Access Control List (ACL) determines whether the code should have access to those resources; if it detects potentially hostile activity, it quarantines the code and alerts the user.

Each desktop client is centrally managed from the eConsole. Administrators can remotely configure clients enterprise-wide, in groups, or individually. Software updates are automatically deployed from the eConsole server, and administrators can lock down user configurations to prevent accidental or deliberate changes to security policies.

The Enterprise 2.2 clients support Windows 95/98 and Windows NT/2000. The eConsole supports Windows NT/2000 and NetWare 3.X, 4.X, and 5.X.

Intrusion Detection System: Entercept 2.0, Entercept Security Technologies

Most host-based Intrusion Detection Systems (IDSs) use attack signatures to secure a system; that is, the IDS has a database of attack profiles, and whenever it detects behavior that matches a profile, it generates an alarm and stops the behavior.

But what happens if an attacker uses a technique that doesn't yet have a signature? If you're lucky, the attacker breaks into someone else's machines. Then the word spreads and your signature profile gets updated. This reactive mode works pretty well, unless you're the one who gets burned.

Entercept 2.0, launched in July 2000, takes a proactive approach to host-based security. At the heart of Entercept's technology is a software agent that resides near the kernel of the host's OS. This agent monitors system and API calls before those calls reach the kernel. Because system and API calls are very well defined, the agent identifies potentially malicious behavior, even without a predefined attack signature, and blocks new or unknown attacks. Using a rules-based engine, the agent can halt the operation, alert an administrator, or let the operation proceed and simply log the event.

In addition to stopping unknown attacks, Entercept 2.0 comes with a full complement of known attack signatures, and its database is regularly updated. It guards against a host of prevalent exploits, including buffer overflows, Trojan horses, and other attacks. It also prevents unauthorized access to popular intruder targets such as registry keys, passwords, and authentication mechanisms.

Of course, some operations unique to your organization may trip Entercept's alarm, generating false positives. To avoid false positives, Entercept's policy database can be customized to allow administrator-defined operations to run unhindered.
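To make the two approaches concrete, here is an added, constructed example (not Aladdin's or Entercept's code) of how an agent that sees each operation before it reaches the kernel can consult an ACL-style policy. Rules match on the calling process, the operation, and the resource touched, and name an action; the `exceptions` list is the administrator-defined allow list that keeps vetted operations from tripping the alarm. The `Event`, `Rule` and `Policy` names, the sample rules, and the sample event stream are assumptions for the example, not the products' real policy language.

```python
"""Constructed host-based behavior-blocking example (not eSafe or Entercept code).

An Event is one intercepted operation, seen before it reaches the kernel.
The Policy holds ACL-style rules: a rule matches on process, operation and
resource (shell-style globs) and names an action. When several rules match,
the most severe action wins. Administrator-defined exceptions are checked
first so that vetted operations run unhindered (the false-positive escape).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Tuple

ALLOW, LOG, ALERT, BLOCK = "allow", "log", "alert", "block"
SEVERITY = {ALLOW: 0, LOG: 1, ALERT: 2, BLOCK: 3}


@dataclass(frozen=True)
class Event:
    process: str    # image name of the caller; mobile code is tagged "browser:<kind>"
    operation: str  # "read", "write", "exec", ...
    resource: str   # file path, raw device, or registry key


@dataclass(frozen=True)
class Rule:
    process_glob: str
    operation: str   # operation name or "*"
    resource_glob: str
    action: str
    note: str

    def matches(self, ev: Event) -> bool:
        return (fnmatch(ev.process, self.process_glob)
                and self.operation in ("*", ev.operation)
                and fnmatch(ev.resource, self.resource_glob))


@dataclass
class Policy:
    rules: List[Rule]
    # administrator-vetted (process, operation, resource) globs
    exceptions: List[Tuple[str, str, str]] = field(default_factory=list)

    def decide(self, ev: Event) -> Tuple[str, str]:
        """Return (action, reason) for one intercepted operation."""
        for proc, op, res in self.exceptions:
            if Rule(proc, op, res, ALLOW, "").matches(ev):
                return ALLOW, "administrator exception"
        verdict = (ALLOW, "no rule matched")
        for rule in self.rules:
            if rule.matches(ev) and SEVERITY[rule.action] > SEVERITY[verdict[0]]:
                verdict = (rule.action, rule.note)
        return verdict


# Sample policy (constructed). The behavior-blocking rules cover what replicating
# code must do to spread; the "browser:*" rule is the sandbox ACL for mobile code.
POLICY = Policy(
    rules=[
        Rule("*", "write", r"\\.\PhysicalDrive*", BLOCK, "raw write to disk/boot sector"),
        Rule("*", "write", r"C:\Windows\*.exe", BLOCK, "tampering with program files"),
        Rule("*", "write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*",
             ALERT, "autorun persistence"),
        Rule("browser:*", "*", r"C:\Users\*", BLOCK, "mobile code reaching user files"),
        Rule("*", "exec", "*", LOG, "process launch"),
    ],
    exceptions=[
        ("msiexec.exe", "write", r"C:\Windows\*.exe"),  # vetted installer may update programs
    ],
)


def run_monitor(policy: Policy, events: List[Event]) -> List[Tuple[Event, str, str]]:
    """Apply the policy to a stream of intercepted events; blocked ones would never proceed."""
    return [(ev, *policy.decide(ev)) for ev in events]


if __name__ == "__main__":
    sample = [  # constructed event stream: a macro drops and runs a file, then misbehaves
        Event("winword.exe", "exec", r"C:\Temp\macro_drop.exe"),
        Event("macro_drop.exe", "write", r"\\.\PhysicalDrive0"),
        Event("macro_drop.exe", "write", r"C:\Windows\notepad.exe"),
        Event("msiexec.exe", "write", r"C:\Windows\notepad.exe"),
        Event("browser:applet", "read", r"C:\Users\alice\Documents\plan.doc"),
        Event("winword.exe", "read", r"C:\Users\alice\Documents\plan.doc"),
    ]
    for ev, action, why in run_monitor(POLICY, sample):
        print(f"{action:5} {ev.process:16} {ev.operation:5} {ev.resource}  ({why})")
```

The same read of a user's document is blocked when the caller is mobile code and allowed when it is the user's word processor; that per-caller distinction is what a sandbox ACL adds over a plain scanner, and the exception list is where the administrator absorbs the false positives the text warns about.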

A central console manages up to 1,000 agents. The agents themselves continuously pull both generic and specific attack updates from the console, which in turn pulls its own updates using the Entercept Instant Update feature. All communications use Triple DES encryption.

Entercept 2.0 is available for Windows NT/2000 and MicroSparc 32 and UltraSparc 32 platforms running Solaris 2.6 and 2.7. The management console runs on Windows NT/2000.

Firewall: VelociRaptor, Symantec

Firewall appliances serve a pressing need in the enterprise security market by combining strong security, relative ease of setup and management, and a reasonable price. Small and medium-size companies can secure their primary LAN or a branch or remote office without breaking the bank, and without drowning administrators in the arcana of firewall installation.

The VelociRaptor from Axent Technologies (acquired by Symantec in 2000) packs a lot of power into a small package. Targeted primarily at small and medium-size enterprises, the product bundles the well-respected Raptor 6.5 firewall software into a 1U Cobalt RaQ server. Axent says the product has a throughput of approximately 90Mbits/sec. The VelociRaptor runs a hardened Linux, which serves as an additional layer of protection: unnecessary services and functions are removed, reducing the OS's exposure to attack.

The VelociRaptor is an application-proxy firewall, an approach generally considered more secure than stateful packet inspection because the proxy terminates each connection and filters traffic at the Application layer, where it can apply very fine-grained, protocol-aware rules rather than matching only on addresses and ports. VelociRaptor supports proxies for common services such as HTTP, FTP, DNS, Telnet, and others.
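As an added, constructed example (not Raptor's code), here is the difference in what the two kinds of firewall get to decide on. A packet filter sees only addresses, protocol and ports; an application proxy terminates the connection, reassembles the request and applies per-protocol rules to it. The protected address, allowed methods, host names and the request-line size limit are assumptions chosen for the example.

```python
"""Constructed contrast: packet filtering versus application-proxy filtering for HTTP.

Both functions decide on the same connection. The packet filter has only the
5-tuple; the proxy has the reassembled request and can enforce protocol rules
that no amount of address/port matching can express.
"""
from typing import Dict, Tuple

WEB_SERVER = "192.0.2.10"                  # assumed protected host
ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed policy
ALLOWED_HOSTS = {"www.example.com"}        # assumed policy; a Host header is required
MAX_REQUEST_LINE = 2048                    # bound on the line handed to the real server


def packet_filter(src: str, dst: str, proto: str, dport: int) -> bool:
    """Packet-filter view: any TCP segment to the web server's port 80 is allowed."""
    return proto == "tcp" and dst == WEB_SERVER and dport == 80


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Parse the head of an HTTP/1.x request; raise ValueError on anything malformed."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        request_line = lines[0].decode("ascii")
        header_lines = [ln.decode("ascii") for ln in lines[1:]]
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII bytes in request head") from exc
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for ln in header_lines:
        name, sep, value = ln.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {ln!r}")
        headers[name.lower()] = value.strip()
    return method, target, version, headers


def proxy_decision(raw: bytes) -> Tuple[bool, str]:
    """Application-proxy view: forward only requests that pass the protocol rules."""
    first_line = raw.split(b"\r\n", 1)[0]
    if len(first_line) > MAX_REQUEST_LINE:
        return False, "reject: request line exceeds limit"
    try:
        method, target, version, headers = parse_request(raw)
    except ValueError as exc:
        return False, f"reject: {exc}"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, f"reject: unsupported version {version}"
    if method not in ALLOWED_METHODS:
        return False, f"reject: method {method} not permitted"
    if not target.startswith("/") or not target.isprintable():
        return False, "reject: request target must be an origin-form path"
    if headers.get("host") not in ALLOWED_HOSTS:
        return False, f"reject: host {headers.get('host')!r} not served here"
    return True, f"forward {method} {target} to {WEB_SERVER}"


if __name__ == "__main__":
    samples = {  # constructed payloads, all arriving on TCP/80 from the same client
        "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "odd method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "not HTTP": b"SSH-2.0-OpenSSH_2.3.0\r\n",
        "overlong": b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    }
    for name, payload in samples.items():
        pf = packet_filter("203.0.113.5", WEB_SERVER, "tcp", 80)
        ok, why = proxy_decision(payload)
        print(f"{name:11} packet filter: {'pass' if pf else 'drop'}   proxy: {why}")
```

Every sample payload passes the packet filter, because each one is TCP to port 80; the proxy rejects the non-HTTP stream, the unwanted method and the overlong request line, which is the fine-grained control the text refers to. The cost, not shown here, is that the proxy must do this parsing for every connection, which is why proxy firewalls are typically slower than packet filters.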

Many of today's firewall appliances also bundle a VPN, and the VelociRaptor is no exception. The Axent PowerVPN is included in the appliance, although the throughput clocks in at a poky 10Mbits/sec. The PowerVPN supports both DES and Triple DES encryption and a variety of authentication schemes.

Axent claims that you can set up the VelociRaptor in 30 minutes, from out of the box to running live. A series of wizards provides for simple installation, and the product is remotely manageable via the Microsoft Management Console. These features make the VelociRaptor especially suited for offices that lack onsite administrators.

VelociRaptor includes four 10/100 Ethernet connections. It supports Network Address Translation (NAT), and you can export detailed log files for analysis. The basic version protects up to 25 unique IP addresses. The VelociRaptor can also scale to 100, 250, and unlimited addresses.

VPN: Check Point VPN-1, version 4.1/Check Point 2000, Check Point Software Technologies

Check Point's venerable VPN-1 got a face-lift in 2000 that significantly altered not only its appearance but also its functionality. This time-tested, battle-hardened core product now has fortified manageability, availability, and interoperability features that continue to make it a standout in an increasingly packed crowd of VPN players.

Included in VPN-1, version 4.1, Check Point 2000 expands platform support to include Windows 2000 and Linux. The product also supports an expanded array of authentication methods, including Remote Authentication Dial-In User Service (RADIUS), hardware tokens, and Terminal Access Controller Access Control System (TACACS).

Check Point 2000 is equipped with an API that provides support for third-party authentication products, including tokens, fingerprint scanner/voice recognition products, and other biometric devices.

In a world where there's basically no such thing as a non-mission-critical application, Check Point 2000's High Availability Module is a particularly useful feature, providing backup functionality for Check Point's central-site VPN gateways. In the event of a gateway failure, sessions are automatically switched to a designated backup gateway. The system alerts you via methods that include e-mail, SNMP, or pager. State table synchronization among members of a cluster can be used to prevent dropped connections, and gateways can be added to or removed from a cluster without reconfiguring or restarting the cluster.

A major enhancement in the manageability department is the Visual Policy Editor, a graphical interface for Check Point's existing policy editor. The Visual Policy Editor provides a map of your network's security configuration and lets you determine the impact of specific policies on the network. This object-oriented tool is much more user-friendly than a lengthy rules list. It lets you map out objects, such as VPNs, firewalls, routers, servers, and so on, and illustrates their relationships to each other. You can define groups of objects and edit individual objects' properties as well. The Visual Policy Editor lets you try out different topologies to determine the optimal setup for your network, which means fewer post-installation configuration tweaks and policy changes.

Check Point 2000 also inspects log files for suspicious activity, such as successive login failures, port scanning, SYN attacks, and address spoofing. Enhanced URL filtering and logging capabilities are also incorporated into Check Point's stateful inspection engine.
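As an added, constructed example (not Check Point's code or log format), this is the kind of detection the paragraph describes, run over a few made-up gateway log lines: successive login failures from one source within a time window, and one source touching many distinct ports on one host in a short span (a port scan). The thresholds, windows and the `key=value` log format are assumptions for the example; the SYN-flood and address-spoofing checks are not shown.

```python
"""Constructed log-inspection example: login-failure bursts and port scans.

Log lines (made up for the example) are "<date> <time> key=value ..." records
as a gateway might write them. Each detector keeps a per-source sliding
window; an alert fires when the window crosses its threshold, and the same
source is not re-alerted until a full window has passed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Deque, Dict, List

SAMPLE_LOG = """\
2000-11-03 09:12:01 src=203.0.113.7 dst=192.0.2.10 dport=22 action=authfail user=root
2000-11-03 09:12:03 src=203.0.113.7 dst=192.0.2.10 dport=22 action=authfail user=admin
2000-11-03 09:12:05 src=203.0.113.7 dst=192.0.2.10 dport=22 action=authfail user=root
2000-11-03 09:12:30 src=198.51.100.4 dst=192.0.2.10 dport=21 action=drop
2000-11-03 09:12:30 src=198.51.100.4 dst=192.0.2.10 dport=23 action=drop
2000-11-03 09:12:31 src=198.51.100.4 dst=192.0.2.10 dport=25 action=drop
2000-11-03 09:12:31 src=198.51.100.4 dst=192.0.2.10 dport=80 action=drop
2000-11-03 09:12:32 src=198.51.100.4 dst=192.0.2.10 dport=110 action=drop
2000-11-03 09:15:00 src=192.0.2.55 dst=192.0.2.10 dport=80 action=accept
2000-11-03 09:20:00 src=203.0.113.7 dst=192.0.2.10 dport=22 action=authfail user=root
"""


def parse_line(line: str) -> Dict[str, Any]:
    """Turn one 'date time key=value ...' line into a record with a datetime 'ts'."""
    date, time, *fields = line.split()
    rec: Dict[str, Any] = {"ts": datetime.fromisoformat(f"{date} {time}")}
    for item in fields:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def inspect_log(text: str, fail_threshold: int = 3, fail_window: int = 60,
                scan_threshold: int = 5, scan_window: int = 10) -> List[str]:
    """Return one alert string per detected failure burst or port scan."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    probes: Dict[tuple, Deque[tuple]] = defaultdict(deque)
    last_alert: Dict[tuple, datetime] = {}
    alerts: List[str] = []

    def fire(key: tuple, ts: datetime, window: int, msg: str) -> None:
        prev = last_alert.get(key)
        if prev is None or ts - prev > timedelta(seconds=window):
            last_alert[key] = ts
            alerts.append(f"{ts:%H:%M:%S} {msg}")

    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ts, src, dst = rec["ts"], rec["src"], rec["dst"]

        # Detector 1: successive authentication failures from one source.
        if rec.get("action") == "authfail":
            q = failures[src]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=fail_window):
                q.popleft()
            if len(q) >= fail_threshold:
                fire(("bruteforce", src), ts, fail_window,
                     f"brute-force: {len(q)} login failures from {src} within {fail_window}s")

        # Detector 2: one source touching many distinct ports on one host.
        p = probes[(src, dst)]
        p.append((ts, rec["dport"]))
        while ts - p[0][0] > timedelta(seconds=scan_window):
            p.popleft()
        ports = {port for _, port in p}
        if len(ports) >= scan_threshold:
            fire(("portscan", src, dst), ts, scan_window,
                 f"port-scan: {src} probed {len(ports)} ports on {dst} within {scan_window}s")
    return alerts


if __name__ == "__main__":
    for alert in inspect_log(SAMPLE_LOG):
        print(alert)
```

The fourth failure from 203.0.113.7 at 09:20 does not alert on its own, because the three earlier ones have aged out of the 60-second window; tuning those windows and thresholds against your own traffic is where most of the false-positive work in this kind of log inspection goes.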

Authentication/Access Control: Entrust/PKI 5.1, Entrust Technologies

PKI can be difficult to get a grip on even in the best of circumstances, which makes manageability a huge factor in PKI system deployment and maintenance. Without an efficient way to access and manipulate all the pieces of the PKI puzzle, you can have a real mess on your hands.

Entrust/PKI 5.1 is a standout in the manageability department. Entrust starts with a streamlined architecture, then fortifies it with time-saving bulk user management capabilities, a flexible role-based management system that has a set of predefined roles providing varying levels of privilege, and easily created custom roles. Network managers now have more flexibility when it comes to delegating authority, allowing staff such as junior-level administrators more rights, and enabling a more distributed management structure.

While enhanced role-based management can be architected into other products through relatively cumbersome processes, Entrust/PKI 5.1 spares network managers the hassle of extensive text editing typically required to accomplish this.

The product also provides efficient creation and modification of user groups, increasingly important in an environment where turnover is high, or where individuals migrate frequently between various departments or job functions. Flexible, easy-to-use log auditing capabilities are another time saver, as locating specific information in the logs can be tedious without the right tools.

An add-on, Web-based, self-enrollment tool called Entrust/AutoRA further alleviates the management burden. Another add-on package, Entrust/Roaming 5.1, lets users log in from any workstation.

Entrust/PKI 5.1 supports both hierarchical and peer-to-peer PKI. In a hierarchical configuration, the root Certificate Authority (CA) can be taken offline without impacting the operation of subordinate CAs, which keeps the key that anchors the whole trust hierarchy out of reach of network attacks. This setup enhances security and is particularly useful in installations where tightly controlled policy enforcement is imperative.

Version 5.1 provides support for WAP certificates. It also allows temporary suspension of a certificate so that you can more securely evaluate whether to reinstate or revoke a particular user. In addition, Version 5.1 has expanded PKCS #11 support, and offers a wider range of hardware options, such as tokens and smart cards.

Network Analyzer: Sniffer Wireless, Network Associates

After years of toiling in the nether regions of “vertical markets,” such as warehouses and rental car return centers, wireless LAN technology has finally reached a critical mass with reasonable prices, reasonable performance, reasonable security, and reasonable reliability. One issue remains: How can enterprises manage and troubleshoot 802.11b wireless networks to the same degree that they do with wired networks?

The Sniffer Technologies division of Network Associates was the first protocol analysis provider to answer the call. Sniffer Wireless provides the same upper layer decodes and monitoring capabilities as other members of the Sniffer family, but it also understands the Physical Layer and Link Layer protocols specific to 802.11b networking. Though the Sniffer Wireless (and its wireless Cisco/Aironet or Symbol network PC Card) is visible to the network access unit, the system is passive and utilizes none of the network's throughput capacity.

Sniffer Wireless can provide a consolidated monitoring view of the 14 possible channels in an 802.11b LAN. It can break out traffic statistics based on the four throughput rates these wireless LANs support: 1Mbit/sec, 2Mbits/sec, 5.5Mbits/sec, and 11Mbits/sec. Its Host Table display can show the minimum, maximum, and average signal strength of each connected device, and Sniffer Wireless can decode the Extended Service Set ID (ESSID) that identifies networks built with access points. The monitor can also show any unauthorized hosts on the network. If Sniffer Wireless operators are given the Wired Equivalent Privacy (WEP) keys, they can decode traffic in real time.
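That last point, decoding traffic in real time once you hold the WEP keys, follows from how WEP is built, and the added example below (constructed, not Sniffer Wireless code) shows why: each frame carries its 24-bit IV in the clear, the RC4 key stream is derived from the IV followed by the shared key, and a passive listener with the key can regenerate the key stream, XOR it off, and confirm the result against the CRC-32 integrity check value (ICV). The key bytes, IVs and payloads are made up; RC4 is implemented inline so the block runs offline.

```python
"""Constructed WEP decryption example (not Sniffer Wireless code).

WEP frame body layout: IV (3 bytes) | key-ID byte | RC4( plaintext | ICV ),
where ICV is the little-endian CRC-32 of the plaintext and the RC4 key is
IV || shared key. The IV is sent in the clear, so anyone holding the shared
key can regenerate the key stream for every frame they overhear.
"""
import zlib
from typing import List, Tuple


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` key-stream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Station side: append ICV, encrypt with RC4(IV || key), prepend IV and key-ID byte."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):  # 40-bit or 104-bit WEP keys
        raise ValueError("IV must be 3 bytes; key must be 5 or 13 bytes")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    data = plaintext + icv
    return iv + bytes([(key_id & 3) << 6]) + xor(data, rc4(iv + shared_key, len(data)))


def wep_decrypt(shared_key: bytes, frame_body: bytes) -> Tuple[bool, bytes]:
    """Monitor side: read the IV off the frame, regenerate the key stream, strip and verify ICV."""
    iv, ciphertext = frame_body[:3], frame_body[4:]
    data = xor(ciphertext, rc4(iv + shared_key, len(ciphertext)))
    plaintext, icv = data[:-4], data[-4:]
    return zlib.crc32(plaintext).to_bytes(4, "little") == icv, plaintext


def decode_capture(shared_key: bytes, frames: List[bytes]) -> List[Tuple[bool, bytes]]:
    """What a passive analyzer holding the key does to each captured data frame."""
    return [wep_decrypt(shared_key, f) for f in frames]


if __name__ == "__main__":
    KEY = bytes.fromhex("0102030405")  # made-up 40-bit key
    frames = [wep_encrypt(KEY, bytes([0, 0, n]), f"frame {n} payload".encode()) for n in range(3)]
    for ok, pt in decode_capture(KEY, frames):
        print("ICV ok" if ok else "ICV BAD", pt)
    print(decode_capture(bytes.fromhex("0504030201"), frames)[0][0])  # wrong key -> False
```

Nothing in the decryption path requires the analyzer to transmit or to hold any per-session state: the IV is read off the captured frame and the key stream is recomputed per frame, which is what makes passive real-time decoding possible for a monitor that has been given the shared key. The ICV check tells the operator whether the key was right; with the wrong key the recovered bytes are noise and the CRC fails.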

Sniffer Wireless includes the traditional Sniffer expert analysis capabilities, so the system identifies many kinds of problems quickly and accurately. Sniffer Wireless will become an essential tool for putting wireless LANs on par with the rest of the enterprise network infrastructure.

Systems and Desktop Management: VitalSuite SP, Lucent Technologies

The creation of comprehensive, accurate Service Level Agreements (SLAs) is key to a new infrastructure of Web-based services and ubiquitously available applications. These SLAs can only be built upon performance and availability measurements, including low-level plumbing statistics, as well as application, transaction, and business process details.

Lucent's breakthrough with VitalSuite SP is to provide performance and availability measurement tools designed for service providers. First of all, VitalSuite SP is built to scale to support large global networks. Second, it permits service providers to partition data between customers in order to monitor and report on individual service levels, while also letting service providers aggregate performance results to understand overall system performance. In addition, VitalSuite SP enables service providers to create customer portals where they can formulate customized views of the real-time performance statistics they find most valuable.

While VitalSuite SP enables service providers to manage many customers, the software is designed to keep data partitioned tightly within a domain, visible only to the customer and the service provider.

VitalSuite SP has four components. VitalNet uses SNMP and RMON to develop performance information on a broad selection of routers, switches, servers, probes, and other devices, as well as operating system software. VitalAgent is desktop software that provides the essential client endpoint data required for end-to-end performance assessment. VitalAnalysis is an application performance reporting tool attuned to SLAs, with built-in analytic capability for some 30 applications. VitalHelp is a proactive troubleshooting and fault detection module.

Before the introduction of VitalSuite SP, the Application Service Provider (ASP) industry's management infrastructure was an obstacle to successful implementation. Lucent has made a tremendous contribution to the necessary underpinnings of the new software-and-services delivery model.

Management Platform: Unicenter TNG, Computer Associates

The year 2000 saw two significant enhancements to Computer Associates' management platform, Unicenter TNG. First, the key networking module of the Unicenter TNG system, NetworkIT 2.0, improved its fault anticipation technology, expanded its application support to additional protocols and devices, and improved its performance management from the top of the stack to the bottom. Second, with the introduction of Unicenter TNG 2.4, the system now supports Linux, along with new Windows 2000 performance monitoring capabilities and SAN management functions. It has also increased support for database and application availability and performance.