[ From http://www.codetalker.com/comments/1998products.html ]

Security Products of the Year

The following article was originally printed in the December 1998
Codetalker Digest. For information on receiving this printed
newsletter, please contact info@codetalker.com.

Due to the increasingly low cost of dedicated, high speed Internet
connectivity, we've seen many small and medium sized companies
"getting onto the Internet" in 1998. These 10-40 person shops can't
afford many of the high-priced security products that seem to dominate
the field. To address security in these environments, we have kept an
eye on some of the low cost, do-it-yourself types of solutions. We've
always been fans of security-oriented products that include source
code (for what I hope are obvious reasons). Sadly, however, fewer and
fewer commercial products seem to think that open source code is an
important consideration in the area of Information Security. In 1999,
we'd like to see that change. For this reason, we have chosen products
that are not only among the best in their class, but are available for
a low cost, and include full source code.

                      Firewalls

OpenBSD 2.3: The combination of the OpenBSD project's core operating
system with Darren Reed's IPFilter product makes for a highly secure,
high performing firewall product.  The recent release of OpenBSD 2.4
has brought an updated version of IPFilter as well.

                      Audit and Scanning

NMap 2.03: In its latest version, Fyodor's popular port scanning tool
has added TCP Fingerprinting technology to allow remote Operating
System identification. This, in addition to its plethora of port
scanning methods, makes it a tool for every Infosec Professional's
arsenal.

                      Virtual Private Networks

IPSec: As the IPSec standard moves closer to acceptance, Virtual
Private Network vendors will finally have the tools they require to
produce a demonstrably secure, cross-platform VPN solution. Regardless
of the implementation chosen (and there are some free ones), the IPSec
standard will finally allow the VPN market to thrive.  Look for great
movement in the IPSec arena in 1999.

                      Intrusion Detection

NFR + N-Code: Marcus Ranum's Network Flight Recorder is an invaluable
tool for anyone interested in Intrusion Detection. In contrast to
virtually all other Intrusion Detection products, NFR has chosen to
concentrate on the development of the Network Monitoring engine,
making it as powerful and flexible as possible. Users are free to
implement their own custom modules in NFR's N-code to detect the
widest variety of attacks and intrusion attempts. Looking for a head
start? The L0pht's repository of N-Code is a good place to begin.

                      Encryption

The AES candidates: On August 20, 1998, candidates for the Advanced
Encryption Standard (AES), the eventual replacement for DES, were
announced. Unlike DES, the AES will be an encryption algorithm
reviewed and endorsed by the cryptographic community as a whole. (DES,
if you recall, was tweaked by the NSA before its eventual release,
leading to volumes of speculation on whether the algorithm was
strengthened or weakened in the process). Want to test the security of
these algorithms yourself? Feel free. The specifics of each algorithm
have been published for mass consumption, and reference
implementations for many are available.

                      Onion of the year

The Wassenaar Arrangement: In early December, the 33 countries
agreeing to this international convention on the trade of offensive
weaponry voted to accept proposed changes to the arrangement. One of
these proposed changes involved limiting the sale of shrink-wrapped
cryptographic software - a category of software that was previously
exempt from restrictions. The end result is that the participating
countries, including Canada, can no longer export commercial software
employing cryptographic algorithms stronger than 64 bit symmetric
(unless the software in question is in the public domain). By an
interesting coincidence, these restrictions happen to correspond very
closely with the US Government's existing cryptographic export
restrictions. We at Codetalker would like to issue a special thanks to
everyone who limited the world's ability to export commercial strong
encryption to 64 bits symmetric. What cryptography is doing in an
agreement on the proliferation of offensive weaponry is beyond us.

That's it for 1998. Good luck to all in 1999!