Sidewinder Security Server 4.0

Computers and Security, Vol. 18, No. 2

anti-virus software and a firewall. Computerworld, January 18, 1999, p. 6.

Sidewinder Security Server 4.0, Keith Schultz. Secure Computing Corp.'s version 4.0 of Sidewinder Security Server is an application-level proxy firewall that is tightly woven into a hardened version of BSD Unix. It includes a couple of new proxies, strong VPN support and an automatic failover feature. The new version adds enhanced VPN functionality, special filtering options and a larger number of Internet services. The backup Sidewinder is a hot-standby firewall that will take over and function exactly as the primary Sidewinder, right down to IP address. Your security policy is determined by entries in the Access Control List (ACL) database. The ACL enables you to manage your network resources based on source or destination interface, network object type or group, type of connection, type of requested Internet service, user authentication and time of day. User authentication can be standard passwords or strong authentication such as LOCKout DES challenge and response. You can filter E-mail messages based on binary attachment type, keyword and overall size. This can help protect your users from malicious inbound file attachments and also help keep confidential files inside the firewall. Internet Week, December 14, 1998, p. 36.

Lock up your data, Ross Bentley. The chances are our personal details and preferences are registered on a computerized database somewhere unbeknownst to us and against our will. The misuse of data in good faith is one fundamental area covered by the UK’s revamped Data Protection Act, which encompasses the changes that electronic business and the transfer of data via the Web have brought about. The Data Protection Act 1998 has its origins in European Directive 95/46/EC, which is now being implemented into national laws throughout the EU. At the heart of the revised Act is the intention to tighten up the laws relating to data protection as set down in the 1984 Act. Organizations will now have a duty of care towards the ‘personal’ information they hold and must take adequate security measures to ensure the integrity and security of this data. Companies now have three years’ grace to ensure the information is secure, e.g. safe from hackers and protected against destruction or damage, as well as ensuring that the information is not used for ‘unspecified purposes’. The new Act demands that organizations ‘convince’ the data registrar that they have provided an ‘adequate’ level of security for the data. The Government plans to pass additional legislation regarding the secure transfer of data via the Web. The legislation aimed at security plans to facilitate the setting up of Licensed Certification Authorities who will offer secure electronic signature and encryption services. IBMToday, January 1999, pp. 52-53.

Motorola CipherNET certifies security, Barry Name. Having a network server that issues digital certificates is like having remote access to a machine that issues driver’s licenses, credit cards or passports. Security for both the hardware that issues the certificate and the communications link is critical. Motorola believes it has an answer in its CipherNET 1000 Certificate Authority Server 2.0, a Web-based digital-certificate management tool. The author tested a late beta version along with the included Netscape Directory Authentication Module and Registrar 2.0. In the lab, it proved to be a highly secure and reliable management tool. CipherNET is intended primarily for E-commerce security, and essentially is a special-purpose, limited-function Web server running in a secure environment. In the tests, the product proved to be robust and reliable when configured to use encryption. Network Computing, December 15, 1998, pp. 34-36.

Server-based Java security products help guard your enterprise flank, Barry Name. If you thought that Java’s design kept applets safe and benign, think again. The forging of digital signatures and advent of restrained ActiveX controls undermine Java’s security significantly. Anyone with a valid E-mail address can obtain a Class 1 digital signature, and all it takes to acquire a Class 2 signature is a credit check. By no means does a digital signature mean that an authoritative source has evaluated a signed applet or deemed it safe. Assessing the risk of encountering malicious Internet-borne software is complicated. On the one hand, only about 250 known malicious applets and ActiveX components exist and the Java applet environment incorporates a number of stringent built-in security measures. On the other hand, Java security
