Reporting can be a godsend or completely useless for finding attackers. The Internet is a hostile place, with millions of scans for vulnerabilities conducted every second. Simple sweeps for vulnerabilities on the Internet occur often enough that tracking them is futile. However, you may be interested in knowing if scans are being conducted inside the LAN by a disgruntled employee. We evaluated reporting capabilities based on the number of available reports, filtering data and presentation.
Finally, though price is always important, we found that the vendors all quoted about the same list price, and we therefore gave it little weight on our scorecard.
After considering all these factors, we gave our Editor's Choice award to Sygate Secure Enterprise 3.0, which did the best job of balancing protection, management and integration. Each of the other products fell short in at least one area, and none approached Sygate's superiority across the board.
Sygate's package--composed of Sygate Management Server (SMS) and Sygate Security Server--offers the best blend of protection, management and integration. Its support for multiple administrators and policy inheritance and its compatibility with antivirus and VPN products helped this firewall win our Editor's Choice award.
Sygate's Java management-configuration tool uses an inheritance structure in which global security policies apply to all users and groups. Once you've established the global policy, you can create subpolicies that override or supplement it. You can also nest multiple subgroups. For example, we created a global policy to allow Internet Explorer for all users. We then created a "tech editors" subgroup with FTP access. Changes in the parent policy take effect on all the subgroups below it. If we had added a rule to allow SSH (Secure Shell) in the global policy, the tech editors would have gotten access to SSH. Users can be assigned to, and moved among, any of the groups or subgroups.
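A minimal model of the inheritance behavior described above, added here as an illustration; it is not Sygate's code or policy format. The `PolicyGroup` class, the allow/deny rule values, the default-deny fallback and the nested "interns" subgroup are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PolicyGroup:
    """Hypothetical model of a policy group; not Sygate's data format."""
    name: str
    parent: Optional["PolicyGroup"] = None
    # application/service -> "allow" or "deny"; local rules supplement
    # or override whatever is inherited from the parent chain
    rules: Dict[str, str] = field(default_factory=dict)

    def subgroup(self, name: str, **rules: str) -> "PolicyGroup":
        return PolicyGroup(name, parent=self, rules=dict(rules))

    def effective_rules(self) -> Dict[str, Tuple[str, str]]:
        """Return service -> (action, group that set it).

        Resolved on every call by walking root -> leaf, so a change in a
        parent is visible in every subgroup without copying rules down.
        """
        chain = []
        node: Optional[PolicyGroup] = self
        while node is not None:
            chain.append(node)
            node = node.parent
        merged: Dict[str, Tuple[str, str]] = {}
        for group in reversed(chain):          # root first, leaf last wins
            for service, action in group.rules.items():
                merged[service] = (action, group.name)
        return merged

    def is_allowed(self, service: str) -> bool:
        # Assumption: anything no policy mentions is denied
        action, _ = self.effective_rules().get(service, ("deny", "default"))
        return action == "allow"


def demo() -> dict:
    root = PolicyGroup("global", rules={"Internet Explorer": "allow"})
    tech = root.subgroup("tech editors", FTP="allow")
    interns = tech.subgroup("interns", FTP="deny")   # constructed nested override
    ssh_before = tech.is_allowed("SSH")
    root.rules["SSH"] = "allow"                      # edit the parent only
    return {
        "ssh_before": ssh_before,
        "ssh_after": tech.is_allowed("SSH"),
        "ssh_source": tech.effective_rules()["SSH"][1],
        "tech_ie": tech.is_allowed("Internet Explorer"),
        "intern_ftp": interns.is_allowed("FTP"),
    }
```

Recording which group set each rule makes it possible to audit where a subgroup's access came from before a change is made to a parent policy.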
SMS lets you create multiple administrators and give them tasks, adding to the product's flexibility. To test this feature, we created groups called CMP East, CMP West and NWC Syracuse, then assigned one administrator account to each group. The NWC Syracuse admin could manage all his or her users based on his or her network's security policy, without seeing or affecting the other two groups. Besides SMS, only ISS's RealSecure package gets as granular.