SAP America splits division, moves CEO Kemna 11
Review: Netscape 7.0 adds usability enhancements 14
Microsoft security chief faces formidable task 29
Tape storage technology reaches big milestone 41
Review: SuSE upgrade edges desktop Linux rivals 54
`
EMC revs up Symmetrix

COMPANY PLANS SYMMETRIX UPGRADE IN 2003 WITH FIBRE CHANNEL REPLACING SCSI

By Evan Koblentz
AFTER A LENGTHY SABBATICAL, EMC Corp. is developing updates for its Symmetrix enterprise storage systems that will employ Fibre Channel internal designs for the first time. The company is also revamping one of its Clariion storage systems for the midrange market with added capacity.
The Symmetrix moves, seen largely as necessities, should bring the EMC product in line with such high-end storage systems as those from rival Hitachi Ltd.
"It's about time," said Tom Black, a storage administrator at Petro-Canada, in Mississauga, Ontario. Black manages 24 terabytes of EMC's Symmetrix systems and Clariion-based NAS (network-attached storage) in two datacenters. "I'd actually started looking more closely at Hitachi and some other things on the market in anticipation that EMC didn't have something up their sleeve."
The forthcoming update to Symmetrix, Version 6.0, is due early next year and will be the product's first major update in 12 years. The most notable change to the system will be its use of a Fibre Channel internal architecture instead of its current SCSI design, sources said.
The design change, however, will not affect user interactions with the microcode, rather the way Symmetrix's cache, disk drives, host interfaces and processors communicate internally, sources said.
But moving to Fibre Channel will also help the Hopkinton, Mass., company greatly reduce production costs, as a
[CONTINUED ON PAGE 18]
`
Microsystems Inc. to integrate products and create an identity infrastructure across a network. RSA's ClearTrust and Keon software will be inte-
[CONTINUED ON PAGE 18]
`
eWEEK LABS

WEB SERVICES: SAFE OR SORRY?

STANDARDS MAY BE MONTHS AWAY, BUT SOME ENTERPRISES ARE FORGING AHEAD TO LOCK DOWN TRANSACTIONS PAGE 47
`
Merged management team faces challenges in multiple sectors; how will it fare?

Zander: Sun still riding right track

By Peter Galli IN MENLO PARK, CALIF.
SUN MICROSYSTEMS INC.'S OUTGOING chief operating officer and president, Ed Zander, said he decided to leave Sun partly because his chances of becoming CEO were slim.
In a candid interview at Sun's offices here last week, Zander, a 15-year Sun veteran, said that after three or four years of doing a job, "you hope to get more challenged. And when you're COO and president, there's only one other job you can get, and I knew [CEO] Scott [McNealy] was commit-
[CONTINUED ON PAGE 14]
`
Scrambling to secure Web services

By Dennis Fisher
WHILE MUCH OF THE ATTENTION surrounding Web services security has focused on standards efforts, software developers and users are realizing that standards alone won't solve the problem.
As a result, developers such as RSA Security Inc., Oblix Inc. and even networking manufacturer Cisco Systems Inc. are starting to take a more holistic approach to security with new products that address key Web services security matters. Potential users, however, still have questions about the technology's vulnerability.
RSA, which is counting on demand for Web services to drive much of its future growth, will partner with Sun
`
`
`
`
[Library receipt stamp: JUN 05 2002, STATE UNIVERSITY LIBRARIES]
`
`
`
eWEEK LABS: REVIEW

Sanctum's simple approach to security

APPSHIELD 4.0 USES AGENTS TO GUARD MULTIPLE SYSTEMS

By Jim Rapoza
SANCTUM INC.'S APPSHIELD 4.0 uses a simple but effective method to prevent attacks on Web applications: It finds out what the application is supposed to do and what type of user activity is normal, then it stops anything else.
In eWEEK Labs' tests, AppShield 4.0 proved to be very effective at stopping a variety of attacks and probes on any Web application, stopping everything from worms to attempted code insertions, and AppShield works with almost every Web server and Web application development language.
AppShield 4.0, released last month, is priced starting at $15,000. It runs on Solaris, Windows NT and Windows 2000.
AppShield will be especially attractive to companies that rely on Web applications for core business functions, especially given its ability to sit in front of and protect many Web servers and its ability to stop known attacks and new exploits.
While AppShield is very efficient at protecting dynamic Web applications, it pretty much stops there, relying on good network security and a hardened operating system to protect it against other forms of attacks. In some ways, this makes it less effective than competing products such as
`
[Screen shot] With AppShield, admins can choose from three pre-defined security settings.
`
Entercept Security Technologies Inc.'s Entercept 2.0, which is priced at roughly $1,500 per server and not only secures the Web applications and server but also the operating system. However, AppShield, which can use both agents and a proxy approach, can more easily protect multiple systems.
In Version 4.0, Sanctum has included new features that make it much easier to get up and running with AppShield.
Once we installed the system, we were able to choose among three preset templates for security protection: a Basic level, which protects against the most common attacks; an Intermediate level, which adds more protection against application tampering; and a Strict level, which tries to block almost everything. We could also opt to pick our own security settings through the custom option (see screen).
AppShield can run in passive or active mode. In the passive mode, the program logs all activity but doesn't block anything. In active mode, the program blocks nonstandard activity from the protected Web applications.
[CONTINUED ON PAGE 56]
`
Hat. With sections for managing software, hardware, networking, security, system and miscellaneous options, YAST2 provided the widest range of utilities in a single space of any of the three distributions we reviewed.
We particularly liked the way that YAST2 provided brief, on-screen explanatory notes related to the tool we were using at the time. This helped a lot, since there are generally more configuration options from which to choose than on a Windows system. The Red Hat and Mandrake control panels offered no such notes.
Mandrake's control panel is very useful as well, and although it lacks a few of the features of YAST2, it boasts a couple unique to itself. Two such features are Mandrake's utility for configuring Samba file sharing and browsing and Mandrake's font installer application (see screen, left). Unattractive, out-of-the-box fonts typically plague Linux distributions, so a good font installer is a must. In tests, the Mandrake font utility was much easier to use than the KDE-based utilities upon which Red Hat and SuSE depend.
The Red Hat control panel includes 16 separate configuration applets for everything from hardware to networking to security, many of which have unique interfaces that can take some getting used to. We could place our Red Hat system into all of the same configurations as our SuSE and Mandrake machines, but it wasn't as easy or convenient to figure out.
Many desktop-related configuration tasks must be performed in a KDE Control Panel located away from the SuSE, Mandrake or Red Hat control panels; the same circumstances exist for systems with GNOME. We'd like to see future releases tie in more tightly to their desktop environments.
SuSE's software utility enabled us to change the source of installation, install and remove software, and access updates from the Web or from an installation CD.
When we fired up the software update tool, it told us if any of our installed packages had unfulfilled dependencies and whether any of them conflicted with any other. Mandrake offers the same functionality in its own software installer, and all three distributions enabled us to fetch updates through the Web.
The display properties section in SuSE's control panel was particularly nice; usually, configuring X for a Linux box is somewhat unpredictable. SuSE's X setup tool, called SaX, probed hardware for the appropriate settings and allowed us to make changes. The model of the monitor that we used for testing was not
[CONTINUED ON PAGE 56]
`
Red Hat's Red Hat Linux 7.3 makes a solid desktop operating system, but this distribution's particular strengths lie on the server side. Still, Red Hat Linux is somewhat of a U.S. industry standard for Linux, and many companies that opt for Linux across their organization will likely select Red Hat.
[Scorecard: indicators are usability, capability, performance, interoperability, manageability, scalability and security; the ratings printed are Poor, Good, Good, Fair, Fair, Fair and Good, but their alignment to the indicators was lost in the scan.]

COST ANALYSIS
Red Hat Linux 7.3 comes in $59.95 Personal and $199.95 Professional editions. For those who wish to forgo printed documentation and professional support, Red Hat is also available for free download over the Internet.
Pro: Ships with latest version of KDE; ships with new printing configuration tools. Con: Control panel is less conveniently organized than those for Mandrake and SuSE.

EVALUATION SHORT LIST
• MandrakeSoft's Mandrake Linux 8.2
• SuSE Linux's SuSE Linux 8.0
• Microsoft Corp.'s Windows XP Professional
• Apple Computer Inc.'s Mac OS X

www.redhat.com
`
`
`
APPSHIELD FROM PAGE 55

The passive mode is ideal for teaching AppShield how to protect a Web application. To do so, we assigned a workstation to be a trusted IP source for AppShield. We then surfed the applications and carried out all normal activity while AppShield watched and learned. Once we were finished, we could automatically create a security rule for that site.
Because AppShield watches the click stream, it can protect almost any application. In tests, we protected applications written in Active Server Pages, JavaServer Pages and PHP. It was a simple matter to manually edit the created rules or to automatically create a new rule from the administration interface.
AppShield can protect regular Web traffic and traffic within SSL (Secure Sockets Layer) connections, although to protect SSL traffic, the certificates must be added to AppShield. Some performance hit is possible since AppShield must decrypt and re-encrypt the traffic. However, the product can also work with third-party SSL accelerators.
Companies deploying AppShield can choose from two implementations. The more traditional, host-based mode involves installing AppShield on the same system as the Web server and using one of the built-in Web server plug-ins. AppShield has pre-built plug-ins for most popular Web servers including Apache, Microsoft Corp.'s Internet Information Services and Sun Microsystems Inc.'s Sun Open Net Environment.
The other deployment option is to install AppShield in a gateway mode, where it sits in front of the Web servers and redirects requests to the appropriate servers.
According to Sanctum officials, performance in Version 4.0 of AppShield is much improved over previous versions. Still, some negative effect is probable because the product resides in front of traffic. AppShield can be set up in large clusters to improve performance. In addition, the product automatically passes through all standard HTML and other nonapplication traffic.
Like most security applications, besides trying to stop unwanted activity, AppShield does extensive logging and analysis of this activity. One welcome new feature in this version is the introduction of privacy controls, which make it possible to preset information that will not be stored in the application's logs. This is welcome for companies that don't want information such as their customers' credit card numbers stored in security logs.
`
East Coast Technical Director Jim Rapoza can be reached at jim_rapoza@ziffdavis.com.
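The review describes three mechanisms without showing how they fit together: a passive mode that only logs while a trusted workstation "teaches" the product what normal application use looks like, an active mode that blocks anything outside that learned profile, and privacy controls that keep fields such as card numbers out of the security log. The following is an added toy model of that learn-then-enforce approach, written for this page; it is not Sanctum's code and makes no claim about how AppShield represents its rules. The request format, the `Gate` class, the IP addresses and all traffic are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Gate:
    """Toy learn-then-enforce gate in front of a Web application (assumed design).

    passive mode: every request is logged and allowed; requests from the trusted
                  workstation extend the learned profile.
    active mode:  a request whose (method, path) is unknown, or that carries a
                  parameter never seen during learning, is blocked.
    """
    trusted_ip: str
    mode: str = "passive"
    sensitive: frozenset = frozenset()          # parameter names never written to the log
    profile: dict = field(default_factory=dict)  # (method, path) -> parameter names seen
    log: list = field(default_factory=list)

    @staticmethod
    def _parse(request):
        parts = urlsplit(request["url"])
        params = parse_qs(parts.query, keep_blank_values=True)
        if request.get("body"):                  # form-encoded POST body
            params.update(parse_qs(request["body"], keep_blank_values=True))
        return request["method"], parts.path, request["src"], params

    def _record(self, verdict, method, path, params):
        # Privacy control: mask configured parameters before the entry is stored.
        masked = {k: (["[REDACTED]"] if k in self.sensitive else v) for k, v in params.items()}
        self.log.append({"verdict": verdict, "method": method, "path": path, "params": masked})

    def handle(self, request):
        """Return 'allow' or 'block' for one request and append one log entry."""
        method, path, src, params = self._parse(request)
        if self.mode == "passive":
            if src == self.trusted_ip:
                self.profile.setdefault((method, path), set()).update(params)
                self._record("learned", method, path, params)
            else:                                # untrusted traffic never shapes the rule
                self._record("observed", method, path, params)
            return "allow"
        known = self.profile.get((method, path))
        if known is None or not set(params) <= known:
            self._record("blocked", method, path, params)
            return "block"
        self._record("allowed", method, path, params)
        return "allow"


TRUSTED = "10.0.0.5"  # constructed address of the learning workstation

# Constructed traffic: a trusted browsing session, then live traffic in active mode.
LEARNING_SESSION = [
    {"src": TRUSTED, "method": "GET", "url": "/login"},
    {"src": TRUSTED, "method": "POST", "url": "/login", "body": "user=alice&pass=s3cret"},
    {"src": TRUSTED, "method": "GET", "url": "/cart?item=42"},
    {"src": TRUSTED, "method": "POST", "url": "/checkout", "body": "card=4111111111111111&exp=0905"},
    {"src": "10.0.0.9", "method": "GET", "url": "/admin"},  # not trusted: logged, not learned
]
LIVE_TRAFFIC = [
    {"src": "203.0.113.7", "method": "POST", "url": "/login", "body": "user=bob&pass=hunter2"},
    {"src": "203.0.113.7", "method": "GET", "url": "/cart?item=7&debug=1"},  # unknown parameter
    {"src": "203.0.113.7", "method": "GET", "url": "/admin"},                 # unknown path
    {"src": "203.0.113.7", "method": "POST", "url": "/checkout", "body": "card=5555444433332222&exp=1206"},
]


def run_demo():
    """Learn from the trusted session, switch to active mode, return (verdicts, log)."""
    gate = Gate(trusted_ip=TRUSTED, sensitive=frozenset({"card", "pass"}))
    for req in LEARNING_SESSION:
        gate.handle(req)
    gate.mode = "active"
    verdicts = [gate.handle(req) for req in LIVE_TRAFFIC]
    return verdicts, gate.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    print(verdicts)                              # ['allow', 'block', 'block', 'allow']
    for entry in log:
        print(entry)
```

Two points the code makes concrete: only the trusted source extends the profile, so the stray `/admin` probe seen during learning does not become "normal", and the card number and password are masked at log-write time rather than scrubbed afterwards, which is the only way a privacy control can guarantee the value never lands on disk.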
`
COST ANALYSIS
At $15,000, AppShield is considerably more expensive than many competitors, which generally are priced at about $2,000. In addition, while a single AppShield installation can protect many servers, pricing is still on a per-server basis, although volume discounts do apply.
Pro: Simple rule creation through passive monitoring of Web application activity; can selectively block sensitive privacy information from security logs. Con: Needs to be installed in conjunction with good system security to protect against direct attacks on the AppShield system.

EVALUATION SHORT LIST
• Argus Systems Group Inc.'s PitBull
• eEye Digital Security Inc.'s SecureIIS
• Entercept Security Technologies' Entercept 2.0

www.sanctuminc.com
`
LINUX FROM PAGE 55

included in the list of monitors we had to select from, but we could put a Windows driver disk into the machine, from which SuSE gathered the appropriate settings.

Setting up security
ALL THREE DISTRIBUTIONS OFFER PERSONAL firewall software, but when it came to configuration, SuSE won out again. SuSE's firewall and security dialogs enabled us either to select a preset security level or to drill down into individual options. Mandrake Linux's control panel did not contain a utility for configuring the system's firewall, and Red Hat's firewall setup applet required more basic familiarity with firewalls to set up.
Speaking of system configuration, one quality of Linux that we appreciated in contrast with Windows was the ease with which we could assume administrative rights to make changes without logging out and back in as root. Upon launching a system setup utility in one of the Linux distributions we tested, we were prompted for our root password to make system changes.
In Windows, acquiring administrative rights to change a setting or to install software often requires logging out as a regular user and logging back in as an administrator. So poorly implemented is this facility in Windows that by default, Windows XP users are assigned administrative rights, a security faux pas, since limited user rights restrict the damage that a virus or a configuration error can cause in a system.
All three distributions were fairly simple to install, but we found SuSE the simplest. SuSE started us out with a set of default settings, the acceptance of which set the install process under way with a single click. We could also change each of the settings.
For users who wish to install SuSE alongside a copy of Windows, SuSE offers to re-size Windows partitions to make way for Linux. In one of the test systems, SuSE re-sized a 38MB Windows file allocation table partition to 19MB and installed SuSE in the resulting free space. We could then choose Windows or SuSE at boot. This feature does not, however, work with NT File System partitions.
None of the products we tested included configuration tools for wireless LANs in its control panel applications; this is a gap we hope to see filled in future releases.

Technical Analyst Jason Brooks can be reached at jason_brooks@ziffdavis.com.
`
SuSE Linux 8.0
With a focus on usability that doesn't come at the cost of flexibility, SuSE Linux's SuSE Linux 8.0 rose to the top in our tests to earn the Analyst's Choice designation.
This SuSE Linux upgrade proved that it is well suited to supplant Windows on many mainstream desktop machines, with industry-leading distribution control and streamlined installation.
[Scorecard: indicators are usability, capability, performance, interoperability, manageability, scalability and security; the ratings printed are Good, Good, Good, Fair, Good, Fair and Good, but their alignment to the indicators was lost in the scan.]

COST ANALYSIS
SuSE 8.0 comes in $39.95 Personal and $79.95 Professional editions. With a friendly interface for most system setup tasks, users should take to SuSE with minimal retraining, and SuSE's open-source status means there's no software licensing to track.
Pro: Best control panel of the distributions we tested; very good installation routine; ships with KDE 3.0. Con: Lacks Mandrake Linux's file sharing and font utilities; no tools for setting up WLANs.

EVALUATION SHORT LIST
• Red Hat's Red Hat Linux 7.3
• MandrakeSoft's Mandrake Linux 8.2
• Microsoft Corp.'s Windows XP Professional
• Apple Computer Inc.'s Mac OS X
`
`