[ From http://www.codetalker.com/comments/1998products.html ]

Security Products of the Year

The following article was originally printed in the December 1998 Codetalker Digest. For information on receiving this printed newsletter, please contact info@codetalker.com.

Due to the increasingly low cost of dedicated, high-speed Internet connectivity, we've seen many small and medium-sized companies "getting onto the Internet" in 1998. These 10-40 person shops can't afford many of the high-priced security products that seem to dominate the field. To address security in these environments, we have kept an eye on some of the low-cost, do-it-yourself types of solutions.

We've always been fans of security-oriented products that include source code (for what I hope are obvious reasons). Sadly, however, fewer and fewer commercial products seem to think that open source code is an important consideration in the area of Information Security. In 1999, we'd like to see that change. For this reason, we have chosen products that are not only among the best in their class, but are available for a low cost and include full source code.

Firewalls

OpenBSD 2.3: The combination of the OpenBSD project's core operating system with Darren Reed's IPFilter product makes for a highly secure, high-performing firewall product. The recent release of OpenBSD 2.4 has brought an updated version of IPFilter as well.

Audit and Scanning

NMap 2.03: In its latest version, Fyodor's popular port scanning tool has added TCP fingerprinting technology to allow remote operating system identification. This, in addition to its plethora of port scanning methods, makes it a tool for every Infosec professional's arsenal.

Virtual Private Networks

IPSec: As the IPSec standard moves closer to acceptance, Virtual Private Network vendors will finally have the tools they require to produce a demonstrably secure, cross-platform VPN solution. Regardless of the implementation chosen (and there are some free ones), the IPSec standard will finally allow the VPN market to thrive. Look for great movement in the IPSec arena in 1999.

Intrusion Detection

NFR + N-Code: Marcus Ranum's Network Flight Recorder is an invaluable tool for anyone interested in Intrusion Detection. In contrast to virtually all other Intrusion Detection products, NFR has chosen to concentrate on the development of the network monitoring engine, making it as powerful and flexible as possible. Users are free to implement their own custom modules in NFR's N-Code to detect the widest variety of attacks and intrusion attempts. Looking for a head start? The L0pht's repository of N-Code is a good place to begin.

Encryption

The AES candidates: On August 20, 1998, candidates for the Advanced Encryption Standard (AES), the eventual replacement for DES, were announced. Unlike DES, the AES will be an encryption algorithm reviewed and endorsed by the cryptographic community as a whole. (DES, if you recall, was tweaked by the NSA before its eventual release, leading to volumes of speculation on whether the algorithm was strengthened or weakened in the process.) Want to test the security of these algorithms yourself? Feel free. The specifics of each algorithm have been published for mass consumption, and reference implementations for many are available.

Onion of the Year

The Wassenaar Arrangement: In early December, the 33 countries agreeing to this international convention on the trade of offensive weaponry voted to accept proposed changes to the arrangement. One of these proposed changes involved limiting the sale of shrink-wrapped cryptographic software, a category of software that was previously exempt from restrictions. The end result is that the participating countries, including Canada, can no longer export commercial software employing cryptographic algorithms stronger than 64-bit symmetric (unless the software in question is in the public domain). By an interesting coincidence, these restrictions happen to correspond very closely with the US Government's existing cryptographic export restrictions.

We at Codetalker would like to issue a special thanks to everyone who limited the world's ability to export commercial strong encryption to 64-bit symmetric. What cryptography is doing in an agreement on the proliferation of offensive weaponry is beyond us.

That's it for 1998. Good luck to all in 1999!