Encryption and Key Management
Administration

The features and functionality that facilitate the management of the product.

Factor: Standard

| Product Name | Manufacturer | Group Score | Total Score |
|---|---|---|---|
| Entrust PKI 5.0 | Entrust Technologies, Inc. | 146 out of 210 | 1505 out of 2325 |
| iPlanet Certificate Management System 4.1 | Sun-Netscape Alliance | 130 out of 210 | 1264 out of 2325 |
| VPN-1 Certificate Manager 1.0 | Check Point Software Technologies, Ltd. | 100 out of 210 | 967 out of 2325 |

Administrative Approach (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 16): There is an elaborate division of administrative tasks. The site planner is in charge of the installation and deployment. Master Users have physical access to the CA host computer, can recover Security Officers and create reports. Security Officers have access to all administrative tasks. They can set the security policy, add and remove Administrators and authorize sensitive operations. Administrators can authorize and revoke user privileges. It is possible to require that several administrators authorize sensitive operations. Also, custom roles can be created for any organizational structure.

iPlanet Certificate Management System 4.1 (Weighted Score: 12): Administration and control of the certificates can be split into a large number of roles, as each server can be administered by security personnel, uptime administrators, recovery specialists, and normal user managers. The Console allows administrators and security personnel to control multiple machines if they have the clearances to do so. Roles for each of these tasks should be kept somewhat separate to prevent certificate forging and collusion.

VPN-1 Certificate Manager 1.0 (Weighted Score: 8): User accounts and certificates can be managed from the Check Point Account Management Client, which orchestrates the third-party products (directory and certificate authority). The Check Point Certificate Authority Account Management program is Entrust/Master Control, used in particular to start and stop services. The third-party products retain their other administrative client/server interfaces and administrative users.

Administrative Interface (Weight: 5)

Entrust PKI 5.0 (Weighted Score: 64): The administrative interface, Entrust RA, which is most commonly used, is well designed and allows administrators to easily control all appropriate aspects of their users. Since different roles have different capabilities, the interface's effectiveness depends on what kind of role the user has access to. The interface handles the administration of multiple users, groups and machines easily.

iPlanet Certificate Management System 4.1 (Weighted Score: 48): The CMS uses the new iPlanet Console that is now common across all enterprise products, improving efficiency for admins familiar with this interface. The interface is a large improvement over the pre-4.0 release. Management of multiple servers and specific tasks is much easier. The task flow is much improved, and there is very little switching back and forth among multiple windows.

VPN-1 Certificate Manager 1.0 (Weighted Score: 32): Several tasks are only semi-integrated and it is necessary to use the administrative clients of the third-party products and/or the command line, adding to the administrative burden.

Back Up/Recovery Options (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 16): Entrust PKI can be configured to perform periodic, automated database backups at off-peak hours. Logs are kept and can be audited. On the client side, the user profile, which contains a complete history of the user's decryption private keys, can be saved on diskettes, or stored on the local servers if so designated by the administrators.

iPlanet Certificate Management System 4.1 (Weighted Score: 4): Limited backup and recovery options are available, and only include restoring database and directory files from a normal system backup.

VPN-1 Certificate Manager 1.0 (Weighted Score: 12): Backups are not orchestrated by the Check Point Account Management client. One must rely on the management tools of the third-party products (certificate authority and directory).

Remote Administration (Weight: 5)

Entrust PKI 5.0 (Weighted Score: 48): The protocol used to protect the remote communication between Entrust/Authority and Entrust/RA is based on the standard GSS-API.

iPlanet Certificate Management System 4.1 (Weighted Score: 64): Remote administration can be done with the administration server. The administration server can be configured to use SSL (2.0 or 3.0) and run in secure mode. Hosts which are allowed to access the administration server can be restricted. Under Unix, the whole application can be installed and configured remotely.

VPN-1 Certificate Manager 1.0 (Weighted Score: 48): Remote administration can be done over the intranet, firewall protected, or using SSL on the Internet, with the Check Point Account Management client.

Performance Monitoring (Weight: 2)

Entrust PKI 5.0 (Weighted Score: 2): Entrust does not provide complete monitoring, but some information can be monitored from the command line.

iPlanet Certificate Management System 4.1 (Weighted Score: 2): The certificate server activity can be monitored from the administration server. The absence of a graphical display does not make performance monitoring easy.

VPN-1 Certificate Manager 1.0 (Weighted Score: 0): Check Point does not provide performance monitoring.

General

Basic information about the product.

Factor: Standard

| Product Name | Manufacturer | Group Score | Total Score |
|---|---|---|---|
| Entrust PKI 5.0 | Entrust Technologies, Inc. | 188 out of 330 | 1505 out of 2325 |
| iPlanet Certificate Management System 4.1 | Sun-Netscape Alliance | 192 out of 330 | 1264 out of 2325 |
| VPN-1 Certificate Manager 1.0 | Check Point Software Technologies, Ltd. | 165 out of 330 | 967 out of 2325 |

Components Included (Weight: 2)

Entrust PKI 5.0 (Weighted Score: 6): The following components are included in the PKI package: Entrust/Authority, Informix Database, PeerLogic i500 Directory, Entrust/RA (not /Admin).

iPlanet Certificate Management System 4.1 (Weighted Score: 6): The following components are included in the package: Certificate Management System (which includes a Certificate Manager, Registration Manager and Data Recovery Manager), Directory Server, and Administration Server.

VPN-1 Certificate Manager 1.0 (Weighted Score: 6): The following components are included in the package: Check Point Account Management Client, Netscape Directory Server, Entrust Certificate Authority-Alliance. Other components often used in conjunction: Check Point FireWall-1, Check Point SecuRemote clients.

Ease of Installation (Weight: 4)

Entrust PKI 5.0 (Weighted Score: 24): The installation of the Entrust PKI suite uses a standard installation wizard, which proposes default values and does not require in-depth knowledge of the operating system. Uninstallation is standard, as is backing up to previous choices in the install process. When customizing the installation, things can get complicated and somewhat confusing, because of all the possible choices.

iPlanet Certificate Management System 4.1 (Weighted Score: 32): Installation was a simple process of following a standard 'wizard' and providing the system architectural information where needed. The administrator can back up through the process to fix any mistakes. Thought should be put into the installation of the different components, based on possible load and your security infrastructure.

VPN-1 Certificate Manager 1.0 (Weighted Score: 24): The installation of the VPN-1 Certificate Manager is easy but takes some time. It does not require in-depth knowledge of the OS. The user is guided by an installation wizard and has only to choose a few options. It is possible to select default values and run the installation very quickly. Although Entrust/Admin is part of the release package, it does not get installed automatically by the wizard. The platform requirements must be strictly followed. Site planning guidelines are very slim and no installation worksheet is provided.

Language Availability (Weight: 2)

Entrust PKI 5.0 (Weighted Score: 6): English.

iPlanet Certificate Management System 4.1 (Weighted Score: 6): English.

VPN-1 Certificate Manager 1.0 (Weighted Score: 6): English.

License Restrictions (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 12): The number of users is limited by the purchase agreement. The product may be installed on a single computer.

iPlanet Certificate Management System 4.1 (Weighted Score: 16): Multiple instances of the server may be run on a single computer. The included iPlanet Directory Server license is restricted for use with Certificate Management System and allows storage of millions per server instance.

VPN-1 Certificate Manager 1.0 (Weighted Score: 4): Check Point imposes the following license restrictions: the product may be installed only in combination and for use with FireWall-1 or with VPN-1 Secure Center products from Check Point Software Technologies Ltd. The product may not be used by more than 5000 users.

Module Deployment and Scalability (Weight: 5)

Entrust PKI 5.0 (Weighted Score: 48): There is no limitation on the number of certificates published. It is possible to set up a hierarchy of CAs with multiple servers. The method to scale up is well documented.

iPlanet Certificate Management System 4.1 (Weighted Score: 64): The Certificate Server can issue up to millions of certificates per server. It is possible to set up a hierarchy of CAs with multiple servers.

VPN-1 Certificate Manager 1.0 (Weighted Score: 16): The basic license includes 5000 users. There is no information available in the documentation about increasing beyond 5000 users.

Platform Tested (Weight: 1)

Entrust PKI 5.0 (Weighted Score: 1): Windows NT, 256MB RAM, 8GB HD, PII 333.

iPlanet Certificate Management System 4.1 (Weighted Score: 1): Windows NT, 256MB RAM, 8GB HD, PII 333.

VPN-1 Certificate Manager 1.0 (Weighted Score: 0): Windows NT, 256MB RAM, 8GB HD, PII 333.

Product Positioning (Weight: 1)

Entrust PKI 5.0 (Weighted Score: 1): Entrust's Managed PKI is a cost-effective and easy to use solution that automates all security-related processes in your organization. With Entrust/PKI, users don't need to know anything about security.

iPlanet Certificate Management System 4.1 (Weighted Score: 1): iPlanet Certificate Management System is the industry's most scalable e-commerce PKI solution. Certificate Management System provides mission-critical scalability and performance, and is the PKI solution for market leaders in banking, healthcare, manufacturing, telecommunications and insurance. Integrated with iPlanet's market-leading Directory Server, Certificate Management System provides stronger security for the web services of iPlanet's end-to-end user management solution for e-commerce, Unified User Management.

VPN-1 Certificate Manager 1.0 (Weighted Score: 1): The VPN-1 Certificate Manager is a turnkey public key infrastructure (PKI) solution for enabling IPSec/IKE-compliant Virtual Private Networking. It allows organizations to implement secure and scalable VPNs across intranets, extranets, and the Internet, with unprecedented ease.

System Requirements (Weight: 2)

Entrust PKI 5.0 (Weighted Score: 2): Windows NT 4 SP3+, 128MB RAM, Pentium 166 or better, TCP/IP stack.

iPlanet Certificate Management System 4.1 (Weighted Score: 2): Windows NT 4.0 or Sun Solaris 2.51 or higher. 128MB RAM recommended with 100MB HD.

VPN-1 Certificate Manager 1.0 (Weighted Score: 2): Windows NT 4 SP3+, 128MB RAM, Pentium 166 or better, TCP/IP stack.

Year 2000 Compliance (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 12): Yes.

iPlanet Certificate Management System 4.1 (Weighted Score: 12): Yes.

VPN-1 Certificate Manager 1.0 (Weighted Score: 12): Yes.

Ease of Configuration (Weight: 2)

Entrust PKI 5.0 (Weighted Score: 4): The server configuration is altered through the administrative interface, as is modification of the certificate and architectural profiles on the certificate server. All but a few of the alterations can be performed through the administrative interface, and they are well organized for most organizational structures.

iPlanet Certificate Management System 4.1 (Weighted Score: 4): While the CMS has the capability to configure the installation to meet almost any need, most of the configuration options are custom file creation and modification, rather than built into the GUI.

VPN-1 Certificate Manager 1.0 (Weighted Score: 6): The server configuration is very simple. It is almost entirely handled by the installation wizard. Re-configuration may be tricky, depending on what the administrator wants to do, because it may require using the administrative tools of the third-party products. Not all features are readily available from the Check Point Account Management client.

Failover (Weight: 4)

Entrust PKI 5.0 (Weighted Score: 24): The Entrust PKI can be configured to auto-start all PKI services after an outage without compromising administrator and master passwords.

iPlanet Certificate Management System 4.1 (Weighted Score: 0): There is no mechanism provided for recovery from failure. The server is restarted manually.

VPN-1 Certificate Manager 1.0 (Weighted Score: 40): All the components of the Certificate Manager can be configured to auto-start after an outage.

Quality of Documentation (Weight: 5)

Entrust PKI 5.0 (Weighted Score: 48): The manuals are well written and well organized. They are available in PDF format on the CD and as hard copies. They include a good index and a good glossary. The reference manual is organized into administration tasks, which facilitates understanding the administrative approach. The PKI core products are all well documented, with the writers stating their assumptions clearly. There is no on-line help, just a link to the PDF documents.

iPlanet Certificate Management System 4.1 (Weighted Score: 48): The manuals are extensive and cover a large majority of the issues that the administrator would come across. They are available in print and PDF. Portions are a part of the online help system.

VPN-1 Certificate Manager 1.0 (Weighted Score: 48): There is a good, simple quick start manual, with installation instructions and basic information on PKI and how to use the product (hard copy and PDF on the CD). The Check Point Account Management Client has a good manual provided in PDF format on the CD. It has an alphabetical index. The third-party components come with their respective manuals in PDF format on the CD. The Check Point Account Management Client has an on-line help system.

Security

Security criteria may include, but are not limited to, standards such as SSL and SET, protection of administrative interfaces, user and administrator access, key management (PKI), encryption, authentication, firewalls, virus protection, and other various security tools and features.

Factor: Standard

| Product Name | Manufacturer | Group Score | Total Score |
|---|---|---|---|
| Entrust PKI 5.0 | Entrust Technologies, Inc. | 222 out of 340 | 1505 out of 2325 |
| iPlanet Certificate Management System 4.1 | Sun-Netscape Alliance | 154 out of 340 | 1264 out of 2325 |
| VPN-1 Certificate Manager 1.0 | Check Point Software Technologies, Ltd. | 118 out of 340 | 967 out of 2325 |

Administration Security (Weight: 5)

Entrust PKI 5.0 (Weighted Score: 48): A profile and password identify Master Users and Security Officers. The profile defines their task assignment. Some sensitive operations may need the authorization of several Security Officers. All administration tasks are logged and the logs are digitally signed. GSS-API is used for (remote) Entrust/RA to Entrust/Authority secure communication.

iPlanet Certificate Management System 4.1 (Weighted Score: 48): The administrators are authenticated by multiple passwords depending on the task: starting the administration server, starting the certificate server, accessing the administration server, issuing certificates. SSL can be enabled for remote administration. However, administrators are advised against remote administration. The administration server does not shut down automatically after a certain period of inactivity or if an unusual pattern of activity is detected. Administrators are advised to shut it down when it is not in use.

VPN-1 Certificate Manager 1.0 (Weighted Score: 48): A profile and password identify Master Users and Security Officers. The profile defines their task assignment. Some sensitive operations may need the authorization of several Security Officers. All administration tasks are logged and the logs are digitally signed.

Database Encryption for Secure Storage (Weight: 2)

Entrust PKI 5.0 (Weighted Score: 6): Entrust provides database encryption functionality.

iPlanet Certificate Management System 4.1 (Weighted Score: 6): Certificate Management System stores private keys in the directory in an encrypted format, and all communication with the database or directory is Triple-DES encrypted.

VPN-1 Certificate Manager 1.0 (Weighted Score: 6): Check Point provides database encryption.

Detection of Suspicious Activities (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 16): The activity logs have three levels of audit severity: Log, Event and Alarm. All audit records are coded and have corresponding detailed messages allowing the administrators to correct problems or restore older configurations.

iPlanet Certificate Management System 4.1 (Weighted Score: 12): The error logs label some errors as potential security threats, e.g. a client trying to access a page without having the right privileges. There is no security alert mechanism.

VPN-1 Certificate Manager 1.0 (Weighted Score: 16): The activity logs have three levels of audit severity: Log, Event and Alarm. All audit records are coded and have corresponding detailed messages allowing the administrators to correct problems or restore older configurations.

Integration with OS Security (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 16): Good OS security guidelines are provided to strengthen the security of the Entrust/Authority server and the web server used with the Entrust/Web connector. Simple steps are listed.

iPlanet Certificate Management System 4.1 (Weighted Score: 4): No real integration. It is possible for the administrator to start and run the server(s) acting as a different user(s). Some OS security guidelines are provided in the documentation, but no automatic checks, warnings or enforcement are done. Some system settings can be changed or restored from the admin server.

VPN-1 Certificate Manager 1.0 (Weighted Score: 4): Nothing is provided by Check Point to help the administrator enhance security for the server or servers which house the different components.

Key Splitting (Weight: 2)

Entrust PKI 5.0 (Weighted Score: 0): Entrust does not provide key splitting.

iPlanet Certificate Management System 4.1 (Weighted Score: 6): Yes, the Data Recovery Module supports M of N secret splitting for the protection of the storage key pair.

VPN-1 Certificate Manager 1.0 (Weighted Score: 0): Check Point does not provide key splitting.

Password Security (Weight: 5)

Entrust PKI 5.0 (Weighted Score: 64): A good password security introduction is provided. Flexible password rules can be set by the administrator. The rules are enforced. Passwords are protected by an elaborate hashing algorithm and never directly passed over the network.

iPlanet Certificate Management System 4.1 (Weighted Score: 32): Basic guidelines are provided for choosing passwords/phrases. The guidelines are not enforced. There are multiple passwords and password requests involved. This creates a potential security problem in that users will be tempted to write down, duplicate or simplify their passwords, allowing someone to break into the system.

VPN-1 Certificate Manager 1.0 (Weighted Score: 16): No detailed password choice guidelines are provided. Simple password rules are used and enforced.

Secure Distribution of the CA Certificate (Weight: 2)

Entrust PKI 5.0 (Weighted Score: 6): Good guidelines are provided to distribute the CA certificate securely in a variety of ways.

iPlanet Certificate Management System 4.1 (Weighted Score: 2): Secure distribution is possible, but no guidelines are provided. The admin pre-installs the certificate on the clients.

VPN-1 Certificate Manager 1.0 (Weighted Score: 2): Secure distribution is possible, but no guidelines are provided.

Secure Software Installation (Weight: 2)

Entrust PKI 5.0 (Weighted Score: 2): The software is distributed on a CD by the vendor. It is not digitally signed. Administrators are responsible for distributing the client software in a secure manner. There are installation logs, but they are not designed for auditing the installation.

iPlanet Certificate Management System 4.1 (Weighted Score: 0): No particular precautions are taken for secure software installation. The software can be downloaded from re-sellers. The software packages are not digitally signed to authenticate them. The software installation requires many complex steps with no installation log.

VPN-1 Certificate Manager 1.0 (Weighted Score: 2): The software is distributed on a CD by the vendor. It is not digitally signed.

Security Lockout Capabilities (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 8): Administrators are locked out after a period of inactivity and must re-enter their passwords. Repeated failure to provide correct passwords causes the administration programs to exit. However, they can be started again immediately. No other suspicious patterns of activity have lockout consequences.

iPlanet Certificate Management System 4.1 (Weighted Score: 4): With repeated failure to provide the correct certificate database password on the client, Navigator produces a warning, but no lockout. Repeated failure to provide correct passwords to start the Certificate Server causes the start program to exit. However, it can be executed again immediately. No other suspicious patterns of activity have lockout consequences.

VPN-1 Certificate Manager 1.0 (Weighted Score: 4): Administrators are locked out of the Entrust administration clients after a period of inactivity and must re-enter their passwords. Repeated failure to provide correct passwords causes the Entrust administration programs to exit. However, they can be started again immediately. No suspicious patterns of activity have lockout consequences. The Check Point Account Manager client does not have any lockout capability.

Security Policies (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 12): Security Officers are responsible for specifying security policies, including the validity period of the various keys and certificates for the user types, the number of administrators required to authorize sensitive operations, and the nature of the functions that administrators are allowed to perform. Policy OIDs are supported, along with extra modules that enable security lockout capabilities.

iPlanet Certificate Management System 4.1 (Weighted Score: 4): The validity period of certificates and various other options can be selected from the administration server.

VPN-1 Certificate Manager 1.0 (Weighted Score: 8): Security policies largely consist of choosing key lifetimes. Support for Policy OIDs is possible in principle via Entrust/Alliance, but it is not specifically supported by Check Point.

Security Tutorial and Help (Weight: 4)

Entrust PKI 5.0 (Weighted Score: 32): Entrust provides good, detailed security guidelines for the site planner. Precise instructions are given for improving server security that do not require advanced knowledge of NT.

iPlanet Certificate Management System 4.1 (Weighted Score: 24): The install guide has basic security advice. The Administrator's guide has a good cryptography and key management tutorial. Good instructions are given on how to protect the certificate server. Implementing the security guidelines requires a good knowledge of the OS; no detailed help is provided.

VPN-1 Certificate Manager 1.0 (Weighted Score: 0): Nothing is provided by Check Point to help the administrator enhance security.

Support for Tokens (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 12): Supports use of PKCS#11 compliant hardware and software tokens.

iPlanet Certificate Management System 4.1 (Weighted Score: 12): iPlanet supports use of PKCS#11 compliant hardware and software tokens.

VPN-1 Certificate Manager 1.0 (Weighted Score: 12): Check Point supports PKCS#11 hardware and software tokens.

Customization

The features and functionality that facilitate tailoring or modifying of the product.

Factor: Standard

| Product Name | Manufacturer | Group Score | Total Score |
|---|---|---|---|
| Entrust PKI 5.0 | Entrust Technologies, Inc. | 47 out of 75 | 1505 out of 2325 |
| iPlanet Certificate Management System 4.1 | Sun-Netscape Alliance | 39 out of 75 | 1264 out of 2325 |
| VPN-1 Certificate Manager 1.0 | Check Point Software Technologies, Ltd. | 12 out of 75 | 967 out of 2325 |

API and SDK (Weight: 1)

Entrust PKI 5.0 (Weighted Score: 5): Entrust has multiple APIs and SDKs for each of their component products, which allows a high level of custom development for companies that need custom programmatic Encryption and Key Management solutions.

iPlanet Certificate Management System 4.1 (Weighted Score: 3): A Java API is provided for configuring modules to work with the CMS.

VPN-1 Certificate Manager 1.0 (Weighted Score: 0): No API or SDK is provided directly, though the third-party products do have APIs and SDKs available.

Certificate Customization (Weight: 4)

Entrust PKI 5.0 (Weighted Score: 24): X.509 v3 extensions are supported. The Flexible Certificate Specifications are stored in an ASCII file that can be edited by hand.

iPlanet Certificate Management System 4.1 (Weighted Score: 24): X.509 v3 extensions allow organizations to add their own attributes, or site-defined information, to the contents of certificates.

VPN-1 Certificate Manager 1.0 (Weighted Score: 0): Check Point does not support certificate customization.

Configurable GUI (Weight: 2)

Entrust PKI 5.0 (Weighted Score: 6): There are multiple ways to configure the GUI for different purposes: user registration fields are customized based on the user extension values needed and the naming convention chosen by the customer. Through RA Policy Control, the GUI is dynamically altered to display just the operations and users that a high-level administrator wishes to assign to a particular administrator or administrative task.

iPlanet Certificate Management System 4.1 (Weighted Score: 0): The GUI uses the iPlanet Console, which currently does not support custom configurations.

VPN-1 Certificate Manager 1.0 (Weighted Score: 0): Check Point does not include a configurable GUI.

Application Performance and Optimization (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 12): Many performance optimizations are performed to minimize network traffic, e.g. Entrust maintains multiple small CRLs and each certificate contains a pointer to the location of its CRL; Entrust clients also cache CRLs.

iPlanet Certificate Management System 4.1 (Weighted Score: 12): iPlanet can optimize performance by multiple methods, including the number of processes the server spawns, the minimum and maximum number of threads the server uses, the listen-queue size, and DNS usage.

VPN-1 Certificate Manager 1.0 (Weighted Score: 12): The two main third-party components can both be optimized for performance: the Netscape Directory Server and the Entrust Certificate Authority.

Monitoring and Reporting

System administrative features and functionality supporting transaction reviews.

Factor: Standard

| Product Name | Manufacturer | Group Score | Total Score |
|---|---|---|---|
| Entrust PKI 5.0 | Entrust Technologies, Inc. | 88 out of 140 | 1505 out of 2325 |
| iPlanet Certificate Management System 4.1 | Sun-Netscape Alliance | 64 out of 140 | 1264 out of 2325 |
| VPN-1 Certificate Manager 1.0 | Check Point Software Technologies, Ltd. | 52 out of 140 | 967 out of 2325 |

Audit Trails and Logs (Weight: 5)

Entrust PKI 5.0 (Weighted Score: 64): The Entrust/RA audit log viewer can be sorted by column and can be output to a file for post-processing. Audit events can also be sent to the NT Event Viewer for viewing.

iPlanet Certificate Management System 4.1 (Weighted Score: 48): The administration server can be set up to keep its own access logs and a log of configuration changes. The certificate server activity is logged. Some basic tools are provided to examine the logs (e.g. searching for a word). Logs can be set to record only certain types of messages, e.g. only security-related events. No special audit tool is provided, but the certificate database can be searched with simple queries (name, date, serial number, etc.).

VPN-1 Certificate Manager 1.0 (Weighted Score: 32): The parent third-party products (certificate authority and directory) each keep their own log files. The logs are kept as ASCII files and can be viewed with a text editor. Entrust logs are also digitally signed and stored in the Entrust database for audits. The Check Point Account Manager can display Entrust logs.

Automatic Reporting (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 12): The Entrust/Authority can be configured to generate automatic reports. Reports can be saved as text files and consist of tab-separated entries. This is well suited to post-processing reports with a spreadsheet.

iPlanet Certificate Management System 4.1 (Weighted Score: 0): No reporting functionality is provided by iPlanet at this time.

VPN-1 Certificate Manager 1.0 (Weighted Score: 8): The Check Point Account Manager does not provide a report utility. Simple user reports can be generated with the Entrust/Admin tool.

Customized Reports (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 0): Entrust does not provide customized reports, though support for third-party ODBC reporting tools is provided.

iPlanet Certificate Management System 4.1 (Weighted Score: 8): Administrators can specify ranges, dates, etc. to restrict the scope of the reports generated by the log analyzer.

VPN-1 Certificate Manager 1.0 (Weighted Score: 0): Check Point does not provide customized reports.

Remote Monitoring and Alerts (Weight: 3)

Entrust PKI 5.0 (Weighted Score: 12): The administration access logs can be accessed remotely with the Entrust/Admin client. An alert mechanism can be set up by sending all logs to the standard output for logs (syslog for UNIX and the Event Viewer on Windows NT), and by integrating a notification system like pagers or email; however, this is not a robust solution for busy administrators.

iPlanet Certificate Management System 4.1 (Weighted Score: 8): All the logs can, in principle, be accessed by HTTP through the administration server. (During testing only access logs could be viewed with the browser.) This provides real-time monitoring. There is no alert mechanism.

VPN-1 Certificate Manager 1.0 (Weighted Score: 12): All logs can be accessed remotely from the various administration clients (web browser for Netscape Directory, Entrust/Admin client, Check Point Account Manager client). There is no alert mechanism.

Standards Compliance and 3rd-Party Compatibility

The various standards and protocols that are supported. Includes mechanisms such as APIs or direct integration to connect to other third-party applications.

Factor: Standard

| Product Name | Manufacturer | Group Score | Total Score |
|---|---|---|---|
| Entrust PKI 5.0 | Entrust Technologies, Inc. | 280 out of 415 | 1505 out of 2325 |
| iPlanet Certificate Management System 4.1 | Sun-Netscape Alliance | 249 out of 415 | 1264 out of 2325 |
| VPN-1 Certificate Manager 1.0 | Check Point Software Technologies, Ltd. | 176 out of 415 | 967 out of 2325 |

API Standards Supported (Weight: 1)

Entrust PKI 5.0 (Weighted Score: 3): Entrust supports PKCS#11 (CRYPTOKI) and PKCS#12, along with GSS-API.

iPlanet Certificate Management System 4.1 (Weighted Score: 3): PKCS#11 and PKCS#12.

VPN-1 Certificate Manager 1.0 (Weighted Score: 3): PKCS#11 (CRYPTOKI) hardware cryptographic interface supporting hardware tokens from any vendor.

Certificate and CRL Standards Supported (Weight: 5)

Entrust PKI 5.0 (Weighted Score: 48): Entrust's public key certificates are in accordance with X.509, including X.509 v3 extensions. Entrust provides support for X.509 v1 certificates per Internet RFC 1422 (PEM). Certificate revocation lists are supported, including v2 extensions. RSA algorithm identifiers and public key formats are in accordance with Internet RFC 1422 and 1423 (PEM), and PKCS#1.

iPlanet Certificate Management System 4.1 (Weighted Score: 32): iPlanet's public key certificates are in accordance with ITU-T recommendations X.509 v1 and X.509 v3 extensions. No standard is specified for the Certificate Revocation Lists.

VPN-1 Certificate Manager 1.0 (Weighted Score: 48): Check Point's public key certificates are in accordance with ITU-T recommendation X.509 v3. Certificate revocation lists are in accordance with ITU-T recommendation X.509 (1997).

Client Management Protocol Supported (Weight: 1)

Entrust PKI 5.0 (Weighted Score: 2): Entrust supports PKIX-CMP.

iPlanet Certificate Management System 4.1 (Weighted Score: 3): iPlanet supports Secure Socket Layer (SSL).

VPN-1 Certificate Manager 1.0 (Weighted Score: 3): Check Point supports Secure Socket Layer (SSL).

Directory
Standards Supported |
|
|
|
Weight: 5 |
|
Weighted
Score: 48
|
|
Weighted
Score: 48
|
|
Weighted
Score: 48
|
|
|
|
|
Entrust supports LDAP. |
|
iPlanet supports LDAP. |
|
Check Point supports LDAP. |
|
|
|
Encryption
Algorithms Supported |
|
|
|
Weight: 5 |
|
Weighted
Score: 48
|
|
Weighted
Score: 48
|
|
Weighted
Score: 32
|
|
|
|
|
Symmetric algorithms: CAST, DES, Triple-DES, RC2.
Hashes: MD5, SHA, RIPEMD.
Public-key algorithms: RSA, DSA, Diffie-Hellman, Elliptic Curve
(ECC). |
|
Encryption algorithms include: RC4, RC2, DES, TripleDES,
FIPS DES and FIPS Triple DES with MD5 or SHA hashes. |
|
Symmetric algorithms: CAST, DES, Triple-DES, RC2.
Public-key algorithms: RSA. |
|
|
|
Encryption
Applications Enabled |
|
|
|
Weight: 5 |
|
Weighted
Score: 64
|
|
Weighted
Score: 48
|
|
Weighted
Score: 16
|
|
|
|
|
Entrust includes Web (SSL, Object Signing), Email (S/MIME),
VPN, SET, and other enterprise applications (file/folder encryption,
desktop authentication, remote access, e-forms). |
|
Secure web transactions over SSL 2.0 and SSL 3.0. Secure
email. File encryption. Object signing. Form signing. |
|
Encryption applications include Firewall and VPN (both
gateways and clients). |
|
|
|
Private
Key Storage and Management Standards Supported |
|
|
|
Weight: 1 |
|
Weighted
Score: 3
|
|
Weighted
Score: 3
|
|
Weighted
Score: 2
|
|
|
|
|
Entrust supports private key storage based on PKCS#5 and
PKCS#8. RSA key transfer (Internet RFC 1421 and 1423). |
|
The PKCS#12 format is supported by iPlanet. |
|
Check Point supports private key storage based on PKCS#5 and
PKCS#8. |
|
|
|
Secure
Messaging Standards Supported |
|
|
|
Weight: 4 |
|
Weighted
Score: 32
|
|
Weighted
Score: 24
|
|
Weighted
Score: 0
|
|
|
|
|
Entrust supports S/MIME and PEM. |
|
S/MIME |
|
Check Point does not support any secure messaging
standards. |
|
|
|
Integration
with Other Products |
|
|
|
Weight: 4 |
|
Weighted
Score: 32
|
|
Weighted
Score: 40
|
|
Weighted
Score: 24
|
|
|
|
|
Entrust PKI is an entire suite of well-integrated products.
Entrust/RA has the ability to inter-operate with other Entrust CAs
or with other vendors' CA products via PKCS#7 and PKCS#10.
Entrust/Express provides S/MIME email to MS Exchange and MS Outlook.
Entrust PKI is compatible with other LDAP directories. Entrust has
PKI connectors for SET, VPN and web applications.
Cross-certification can be done via PKIX-CMP for inter-vendor
interoperability. |
|
iPlanet supports integration with most Netscape products,
third party VPN and routing products, token vendors, certificate
vendors and directory and database products. |
|
The Certificate Manager integrates well with the Entrust
Certificate Authority and Netscape Directory Server. Other LDAP
directories can be substituted. Check Point FireWall-1 and other
VPN-1 products are compatible with the Certificate
Manager. |
|
|
|
|
|
|
|
Key Generation and Issuance of
Certificates |
|
|
|
|
|
|
The
procedures and options for creating new keys and issuing them to the
correct user. |
|
|
|
Factor: Standard |
|
|
|
Product Name |
Entrust
PKI 5.0 |
iPlanet Certificate
Management System 4.1 |
VPN-1 Certificate
Manager 1.0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Manufacturer |
Entrust Technologies,
Inc. |
Sun-Netscape
Alliance |
Check Point Software
Technologies, Ltd. |
|
|
|
|
Group Score: 284 out of 405 Total Score: 1505 out of 2325 |
|
Group Score: 242 out of 405 Total Score: 1264 out of 2325 |
|
Group Score: 176 out of 405 Total Score: 967 out of 2325 |
|
|
|
CA
Certificate Signing |
|
|
|
Weight: 4 |
|
Weighted
Score: 32
|
|
Weighted
Score: 32
|
|
Weighted
Score: 16
|
|
|
|
|
Entrust has the ability to cross-certify with other Entrust
CAs or with other vendors' CA products via PKCS#7 and PKCS#10. The
root CA certificate is self-signed. |
|
The root CA self-signs its certificate. Subordinate
certificates are signed by their master CA in the hierarchy. Users
can also chain Certificate Management System under a public CA
through chaining services from CyberTrust or VeriSign. |
|
The root CA self signs its certificate. |
|
|
|
Certificate
Options |
|
|
|
Weight: 5 |
|
Weighted
Score: 64
|
|
Weighted
Score: 48
|
|
Weighted
Score: 16
|
|
|
|
|
When customers define policies and register the associated
OIDs with one of the international standards bodies, the OIDs can be
entered into the certificates. Alternate identities can also be
entered in the certificates. There are 4 certificate categories:
Enterprise, cross-certificates, SET and Web. SET and Web licenses
need to be purchased separately. Certificate properties cannot be
modified. A new certificate must be issued. Only one category can be
enabled at a time, making it necessary, for instance, to issue
multiple certificates for users of both Enterprise and web
certificates. |
|
The administrator can set the following restrictions on
certificates: certify only PKCS#1 RSA public keys; put constraints
on distinguished names; set a validity period; specify a signature
algorithm; enable or disable X.509 v3 extensions. The certificate
applicant can choose among several certificate types: personal (or
client), server (or site), secure email, CA. |
|
Check Point includes only one certificate type,
VPN. |
|
|
|
Client-Side
Key Pair Generation |
|
|
|
Weight: 5 |
|
Weighted
Score: 48
|
|
Weighted
Score: 48
|
|
Weighted
Score: 48
|
|
|
|
|
The client generates the signing key pair. Using a reference
number and an authentication code provided by an administrator, the
user can enable the client to connect to Entrust/Authority. The user
thus retrieves the private encryption key and certificates for both
public keys, all of which are added to the profile. |
|
The client generates a key pair when the user submits an HTML
form that contains the KEYGEN tag. In the certificate server user
interface, the form for requesting a certificate contains the KEYGEN
tag. |
|
The signing key pair may be generated by the firewall
SecuRemote client. Using a reference number and an authentication
code provided by an administrator, the user can enable the
SecuRemote client to connect to Entrust/Alliance and retrieve
the encryption private key and certificates for both public keys,
all of which are added to the profile. |
|
|
|
Cryptographic
Hardware Supported |
|
|
|
Weight: 1 |
|
Weighted
Score: 4
|
|
Weighted
Score: 2
|
|
Weighted
Score: 0
|
|
|
|
|
Entrust supports the Atalla SignMaster ISP device to
provide CA cryptographic hardware services to Entrust/Authority.
It also supports Chrysalis' LunaCA. |
|
Any PKCS#11-compliant hardware token is
supported. |
|
Check Point provides no support for cryptographic
hardware. |
|
|
|
Key
Size |
|
|
|
Weight: 4 |
|
Weighted
Score: 24
|
|
Weighted
Score: 40
|
|
Weighted
Score: 24
|
|
|
|
|
1024- and 2048-bit RSA/DSA and 192-bit elliptic-curve DSA for
asymmetric keys; 64- to 128-bit keys, plus Triple-DES, for symmetric
ciphers. |
|
iPlanet allows custom key sizes, along with 1024 and 2048
bits for asymmetric keys and 64-, 80- and 128-bit lengths for
symmetric keys. |
|
Check Point provides 1024- and 2048-bit asymmetric keys and
64- to 128-bit symmetric keys. |
|
|
|
Public
Key Registration Process |
|
|
|
Weight: 5 |
|
Weighted
Score: 64
|
|
Weighted
Score: 48
|
|
Weighted
Score: 48
|
|
|
|
|
The registration is initiated by an administrator who must
add the user to the Entrust/Authority database and generate a
reference number and authorization code. The user must then add this
reference number and authorization code to the request for a
certificate. The certificate is automatically imported into the web
browser. Administrators can bulk-add users. The Entrust/AutoRA product
also allows for user self-service registration over the web. This
eliminates the need to distribute a reference number and
authorization code to the user. |
|
Once a key pair is generated by the client, the public key
is automatically submitted to the CA or the CMS for certification.
The certificate is returned by email. Its installation in the client
is automatic. Policy statements of the CA can be attached. |
|
The registration is initiated by an administrator who must
add the user to the Entrust/Authority database and generate a
reference number and authorization code. The user must then add this
reference number and authorization code to the request for a
certificate. The certificate is automatically imported into the
SecuRemote client. Alternatively, the administrator can generate a
profile with all the keys on the server directly and give the
profile to the user (e.g. on a diskette or hardware
token). |
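The reference-number and authorization-code enrolment described for Entrust and for the SecuRemote client above, together with the client-side key pair generation two criteria earlier, as an added example; this is not code from any of the three products. The registration table, the EnrolmentRequest message and its HMAC protection are this example's own assumptions: the authorization code never crosses the wire, the client proves possession of its private key by signing a PKCS#10 request, and the subject the CA certifies comes from the administrator's record rather than from the request. Go standard library only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
)

// Registration is the record an administrator creates before the user enrols: the subject
// the CA will certify and a one-time authorization code, looked up by reference number.
// Constructed in-memory data; the products' own databases are not described on the page.
type Registration struct {
	Subject  pkix.Name
	AuthCode string
	Used     bool
}

// RA holds the registration table and decides which public keys may be certified.
type RA struct {
	Regs map[string]*Registration
}

// EnrolmentRequest is what crosses the network: the reference number, the PKCS#10 request
// and an HMAC over it keyed with the authorization code.  The code itself is never sent.
// (Shared-secret message protection is this example's assumption, not a product protocol.)
type EnrolmentRequest struct {
	RefNum string
	CSR    []byte
	MAC    []byte
}

func protect(authCode string, csr []byte) []byte {
	m := hmac.New(sha256.New, []byte(authCode))
	m.Write(csr)
	return m.Sum(nil)
}

// Register is the administrator step; the reference number and authorization code
// reach the user out of band.
func (ra *RA) Register(refNum, authCode, commonName string) {
	ra.Regs[refNum] = &Registration{Subject: pkix.Name{CommonName: commonName}, AuthCode: authCode}
}

// ClientEnrol is the client step: the signing key pair is generated locally and possession
// of the private key is proven by signing the PKCS#10 request.  The private key stays here.
func ClientEnrol(refNum, authCode, requestedCN string) (*ecdsa.PrivateKey, *EnrolmentRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: requestedCN}}, key)
	if err != nil {
		return nil, nil, err
	}
	return key, &EnrolmentRequest{RefNum: refNum, CSR: csr, MAC: protect(authCode, csr)}, nil
}

// Approve is the server step.  It returns the subject and public key the CA may now certify.
// The subject comes from the administrator's record, never from the CSR, so a client cannot
// obtain a name it was not registered for; the code is single use, so a captured request
// cannot be replayed.
func (ra *RA) Approve(req *EnrolmentRequest) (pkix.Name, *ecdsa.PublicKey, error) {
	reg, ok := ra.Regs[req.RefNum]
	if !ok || reg.Used || !hmac.Equal(req.MAC, protect(reg.AuthCode, req.CSR)) {
		return pkix.Name{}, nil, errors.New("unknown reference number, wrong authorization code or altered request")
	}
	csr, err := x509.ParseCertificateRequest(req.CSR)
	if err != nil {
		return pkix.Name{}, nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return pkix.Name{}, nil, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return pkix.Name{}, nil, errors.New("policy: only P-256 EC keys are certified")
	}
	reg.Used = true
	return reg.Subject, pub, nil
}
```

Approve deliberately ignores the name in the CSR: whatever a client asks for, the certificate carries the subject the administrator registered. The CSR signature check is what stops someone registering a public key they do not hold the private key for, and marking the record used is what makes a replayed or duplicated request fail.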
|
|
|
Server-Side
Key Pair Generation |
|
|
|
Weight: 4 |
|
Weighted
Score: 24
|
|
Weighted
Score: 16
|
|
Weighted
Score: 24
|
|
|
|
|
Encryption key pairs are always generated by the server. It
is also possible to generate the signing key pair on the server and
create a user profile containing all necessary information. This
profile is then used by Entrust-Ready applications. |
|
All enterprise servers ship with key-generation programs
that the user can use to generate key pairs for the server. CA key
change is tedious because it requires removing all copies of
certificates issued with or containing the former key. |
|
Encryption key pairs are always generated by the server. It
is also possible to generate the signing key pair on the server and
create a user profile containing all necessary information. This
profile is then used by the Entrust-Ready SecuRemote
client. |
|
|
|
Time
Stamping Method |
|
|
|
Weight: 4 |
|
Weighted
Score: 24
|
|
Weighted
Score: 8
|
|
Weighted
Score: 0
|
|
|
|
|
With Entrust, it is possible to use a central server
(Entrust/Time stamp) that applies time stamps to data files to
support non-repudiation; otherwise the computer clock is used. |
|
iPlanet uses the computer clock for time stamping. |
|
Check Point uses the computer clock for time
stamping. |
|
|
|
|
|
|
|
Key Management and Data
Recovery |
|
|
|
|
|
|
Management of keys including certificate revocation and
reallocation. |
|
|
|
Factor: Standard |
|
|
|
Product Name |
Entrust
PKI 5.0 |
iPlanet Certificate
Management System 4.1 |
VPN-1 Certificate
Manager 1.0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Manufacturer |
Entrust Technologies,
Inc. |
Sun-Netscape
Alliance |
Check Point Software
Technologies, Ltd. |
|
|
|
|
Group Score: 250 out of 410 Total Score: 1505 out of 2325 |
|
Group Score: 194 out of 410 Total Score: 1264 out of 2325 |
|
Group Score: 168 out of 410 Total Score: 967 out of 2325 |
|
|
|
Certificate
Import/Export |
|
|
|
Weight: 4 |
|
Weighted
Score: 24
|
|
Weighted
Score: 24
|
|
Weighted
Score: 0
|
|
|
|
|
Entrust can import and export certificates as ASCII files. A
cut and paste method is available to install certificates in
servers. Additionally, servers that are Entrust-Ready can import
certificates and keys automatically. |
|
iPlanet can import and export certificates as ASCII files. A
cut and paste method is available to install certificates in servers
(including the Certificate Server). |
|
Check Point does not provide support for certificate import
or export. |
|
|
|
Certificate
Revocation Lists and Revocation Checking |
|
|
|
Weight: 5 |
|
Weighted
Score: 64
|
|
Weighted
Score: 48
|
|
Weighted
Score: 48
|
|
|
|
|
Each certificate issued contains a pointer to its
corresponding CRL. Entrust clients and Entrust-enabled applications
check the CRLs regularly. Administrators can push a CRL to the
clients to enforce, almost instantly, the revocation of a
certificate. Each CRL contains fewer than 750 certificates. Users working
off-line are warned if a CRL has expired. Authority Revocation Lists
(ARLs) are used in the same way in cross-certified systems. |
|
Certificate revocation lists (CRLs) are published by the
certificate server and available to download from the client. Users
can revoke their own certificates. |
|
Certificate revocation lists (CRLs) are published to the
directory by Entrust/Alliance. Administrators can force the
immediate publication of a CRL. |
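The mechanics behind the CA Certificate Signing, Certificate and CRL Standards and revocation-checking criteria above, as an added example in Go (standard library only); this is not code from any product on this page. It builds a self-signed root, a subordinate CA signed by its parent, and an end-entity certificate carrying a CRL distribution point (the pointer to the CRL that the Entrust text describes), then signs a v2 CRL with the cRLNumber and reasonCode extensions and runs the relying-party check, which reports an expired CRL instead of silently treating a stale list as "not revoked". Names, the distribution-point URL and the validity periods are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Entity is a certificate plus its private key; a CA's counters feed the serial
// numbers and cRLNumber values it hands out.
type Entity struct {
	Cert              *x509.Certificate
	key               *ecdsa.PrivateKey
	serial, crlNumber int64
}

var ErrRevoked = errors.New("certificate is revoked")
var ErrCRLExpired = errors.New("CRL is past its nextUpdate: fetch a fresh one before trusting any answer")

// Template builds an X.509 v3 template.  CAs get basicConstraints and the certSign and
// cRLSign key usages; end entities get digitalSignature plus a CRL distribution point.
func Template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		Subject:   pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute),
		NotAfter:  time.Now().Add(365 * 24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.CRLDistributionPoints = []string{"http://pki.example.test/issuing-ca.crl"} // placeholder URL
	}
	return t
}

// Create generates a key pair and signs tmpl.  With a nil parent, template and parent are the
// same object and the certificate is self-signed: that is the root CA.  Otherwise the parent
// signs it and assigns the serial number from its own counter.
func Create(tmpl *x509.Certificate, parent *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parentCert, parentKey, serial := tmpl, key, int64(1)
	if parent != nil {
		parent.serial++
		parentCert, parentKey, serial = parent.Cert, parent.key, parent.serial
	}
	tmpl.SerialNumber = big.NewInt(serial)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // the parsed copy carries the generated subjectKeyId
	if err != nil {
		return nil, err
	}
	return &Entity{Cert: cert, key: key}, nil
}

// BuildCRL signs a v2 CRL carrying the cRLNumber extension; entries are marked keyCompromise.
func (ca *Entity) BuildCRL(revoked []*x509.Certificate, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	var entries []x509.RevocationListEntry
	for _, c := range revoked {
		entries = append(entries, x509.RevocationListEntry{
			SerialNumber: c.SerialNumber, RevocationTime: thisUpdate, ReasonCode: 1})
	}
	ca.crlNumber++
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(ca.crlNumber), ThisUpdate: thisUpdate, NextUpdate: nextUpdate,
		RevokedCertificateEntries: entries,
	}, ca.Cert, ca.key)
}

// CheckRevocation is the relying-party side.  The CRL must verify under the issuer's key and
// still be current before its entries mean anything; a stale CRL is reported as such.
func CheckRevocation(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return err
	}
	if now.After(crl.NextUpdate) {
		return ErrCRLExpired
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

Two points the comparison table glosses over show up here. A CRL is only meaningful for certificates issued by the CA that signed it, so CheckRevocation takes the certificate's issuer and verifies the CRL's signature against it; a CRL from any other CA, even the root of the same hierarchy, is rejected. And an expired CRL is a distinct outcome from "not revoked": a client that has been off-line past nextUpdate has no current revocation information, which is exactly the condition the Entrust column says its clients warn about.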
|
|
|
Data
Recovery |
|
|
|
Weight: 5 |
|
Weighted
Score: 48
|
|
Weighted
Score: 48
|
|
Weighted
Score: 48
|
|
|
|
|
Master users can recover Security Officers from lost
passwords. Administrators can recover users from lost encryption
keys, since the encryption keys are stored on the server. The
signing keys however are stored only on the client and cannot be
recovered. The signing keys are re-issued as part of the user
profile recovery procedure. It is important to note that the user's
entire key history is recovered, not only the current
keypair. |
|
iPlanet provides data recovery through backups
only. |
|
Master users can recover Security Officers from lost
passwords. Administrators can recover users from lost encryption
keys (or passwords), since the encryption keys are stored on the
server. The signing keys however are stored only on the client and
cannot be recovered. They are re-issued as part of the user profile
recovery procedure. |
|
|
|
Directory
Integration |
|
|
|
Weight: 5 |
|
Weighted
Score: 64
|
|
Weighted
Score: 48
|
|
Weighted
Score: 48
|
|
|
|
|
Entrust provides very good integration. The PeerLogic i500
Directory is part of the core package and can be installed on the
same server as the Entrust/Authority, allowing for simultaneous
automatic backups. The Entrust/Authority and the PeerLogic i500
Directory are automatically synchronized. Other LDAP directories can
be used. |
|
Synchronization is possible with the Directory Server included
in the package. Other LDAP directories can be used. |
|
Good integration of the product with the Netscape Directory
server. The directory is synchronized with the Entrust/Alliance
Certificate Authority. Backups/restoration of the database and the
directory can, in principle, be synchronized, but it is left up to
the administrator to write the scripts. |
|
|
|
Key
Loss or Exposure Reporting |
|
|
|
Weight: 5 |
|
Weighted
Score: 16
|
|
Weighted
Score: 0
|
|
Weighted
Score: 0
|
|
|
|
|
No user-initiated reporting is provided, but administrators
can cancel keys, and the audit logs record and track these
actions. |
|
iPlanet does not provide key loss or exposure
reporting. |
|
Check Point does not provide key loss or exposure
reporting. |
|
|
|
Method
of Key Storage |
|
|
|
Weight: 3 |
|
Weighted
Score: 12
|
|
Weighted
Score: 8
|
|
Weighted
Score: 12
|
|
|
|
|
The server keys used for administration are stored in the
Entrust/Authority database. The user's decryption private key is
stored in the user's profile on the client computer and backed up in
the Entrust/Authority database. The user's signing private key is
stored in the user's profile only. The user's encryption public key
and verification public key are embedded in certificates. The
encryption certificate is stored in the user's profile, in the
Directory and in the Entrust/Authority database. The verification
certificate is stored in the user's profile and in the
Entrust/Authority database. The user profile can be saved on a hard
drive, a diskette or a smart card. |
|
The CA signing key pair and the server SSL key pair are
stored in password-protected files on the server hard disk. Backup
storage is left to the administrator. The certificates issued
(including the public keys) are stored on the server hard disk in
the Informix database; backing up the Informix database is not
documented. The private keys generated by the clients remain on the
computer where they were generated, in a password-protected
database. They can be exported to files that can be backed up, e.g.
on a diskette; the private keys themselves are assigned a password
only when they are exported. |
|
The server keys used for administration are stored in the
Entrust/Manager database. The user's decryption private key is
stored in the user's profile on the client computer and backed up in
the Entrust/Manager database. The user's signing private key is
stored in the user's profile only. The user's profile can be saved
to a diskette. The user's encryption public key and verification
public key are embedded in certificates. The encryption certificate
is stored in the user's profile, in the Directory and in the
Entrust/Manager database. The verification certificate is stored in
the user's profile and in the Entrust/Manager database. |
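Password-protected private key storage, as the PKCS#5/PKCS#8 criterion earlier and the profile and database descriptions above refer to it, as an added example; this is not product code. The key is serialised as a PKCS#8 PrivateKeyInfo and protected with PBKDF2 (the key derivation function of PKCS#5 v2) plus AES-256-GCM, then written out as PEM so the file is plain ASCII. The PEM envelope and its body layout are this example's own, not the standard PKCS#8 EncryptedPrivateKeyInfo structure, and the iteration count is an assumption. Go standard library only; PBKDF2 is written out because older Go releases do not ship it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
)

const pemType = "SEALED PRIVATE KEY" // this example's envelope, not PKCS#8's "ENCRYPTED PRIVATE KEY"
const kdfIter = 200000                // assumed work factor; raise it as hardware allows
const saltLen, nonceLen = 16, 12

// NewSigningKey generates a P-256 signing key pair of the kind a user profile holds.
func NewSigningKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 as specified in PKCS#5 v2 (RFC 8018, section 5.2).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for i := uint32(1); len(out) < keyLen; i++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)}) // INT(i), big-endian
		u := prf.Sum(nil)                                                        // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for c := 1; c < iter; c++ { // U_c = PRF(P, U_{c-1}); T_i = U_1 xor ... xor U_iter
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func aeadFor(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, kdfIter, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises the key as PKCS#8 PrivateKeyInfo (DER), encrypts it under a key derived from
// the password and wraps the result in PEM.  Body: salt || nonce || AES-256-GCM ciphertext; the
// salt is also bound as associated data, so it cannot be swapped without failing authentication.
func Seal(key *ecdsa.PrivateKey, password []byte) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	aead, err := aeadFor(password, salt)
	if err != nil {
		return nil, err
	}
	body := append(hdr, aead.Seal(nil, nonce, der, salt)...)
	return pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: body}), nil
}

// Open reverses Seal.  A wrong password or any change to the file fails the GCM tag check, so
// the caller gets exactly the key that was stored or an error, never a corrupted key.
func Open(pemData, password []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != pemType || len(block.Bytes) < saltLen+nonceLen {
		return nil, errors.New("not a sealed private key")
	}
	salt, nonce, ct := block.Bytes[:saltLen], block.Bytes[saltLen:saltLen+nonceLen], block.Bytes[saltLen+nonceLen:]
	aead, err := aeadFor(password, salt)
	if err != nil {
		return nil, err
	}
	der, err := aead.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong password or tampered file")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	if key, ok := parsed.(*ecdsa.PrivateKey); ok {
		return key, nil
	}
	return nil, errors.New("stored key is not an EC private key")
}
```

The contrast with the iPlanet column is the point: there the private key is password-protected only when it is exported, whereas here the key file is sealed from the moment it is written and a diskette copy of it is no more useful to a thief than the original. The iteration count is what makes an offline password guess expensive; the authenticated encryption is what turns a wrong password or a corrupted file into a clean failure rather than a silently wrong key.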
|
|
|
Private
Keys Stored on Server |
|
|
|
Weight: 2 |
|
Weighted
Score: 6
|
|
Weighted
Score: 6
|
|
Weighted
Score: 8
|
|
|
|
|
The encryption key pair history for all users, which
includes all decryption private keys and all encryption public key
certificates, is stored in the Entrust/Authority database. Private
signing keys are not backed up on the server. |
|
iPlanet provides server-stored keys. |
|
The encryption key pair history for all users, which
includes all decryption private keys and all encryption public key
certificates, is stored in the Entrust/Manager database. Private
signing keys are not backed up on the server. |
|
|
|
Renewal
of Keys and Certificates |
|
|
|
Weight: 3 |
|
Weighted
Score: 16
|
|
Weighted
Score: 12
|
|
Weighted
Score: 4
|
|
|
|
|
The Entrust PKI supports automatic key updates.
Entrust/Entelligence and Entrust/Authority manage the key update
protocol, which is transparent to the user. |
|
Certificate Management System enables browser based
certificate renewal via https:// with certificate based
authentication, as a way to renew user certificates across browsers.
Certificate Management System also allows for the CA, RA, and DRM
certificates to be renewed within Certificate Management System,
along with renewal / reissuance of router, VPN, and server
certificates. |
|
Renewal of keys or certificates is not yet supported, but the
user is notified one month before certificate expiration. |
|
|
|
|
|