From the confusing proliferation of SSL VPN products of a couple of years ago, at the peak of the hype, the market has really settled down to address a well-known set of expectations, and the products we test in this month's group test all show definite signs of maturity.

There is room for improvement left, though. The market is still finding new application areas that suit the SSL model, and the products are continuously expanding their capabilities to match. Also, we see the continued trend towards consolidation at play: some of the products we were sent were really UTM devices with an SSL VPN component. The debate over best-of-breed component versus integration still rages, but it seems likely both options will continue to attract adherents for some time to come, since most customers will simply choose whichever suits their needs.

Our other group test covers security policy management, which is a difficult topic to nail down because it can mean so many different things. We specifically excluded solutions that address user (and usage) policies, since we will look at those separately in an upcoming test. But even then the entries varied widely, and the products we tested cover a number of bases. That makes choosing the best products difficult, since we have to consider each entry's strengths in its own area - all the products on test are useful if they match your needs. While this is an area with lots of room for improvement, the good news is that year-on-year, the management of complex heterogeneous security environments is getting a little less difficult.

Ubiquitous security policy management may be an unreachable goal, but it is one worth striving towards. The slew of new vulnerabilities and exploits in August and September show that attacks just keep getting faster and better, and narrowing the window of opportunity for attack is almost impossible without coordination across different systems. That sounds like an argument for UTM, but it isn't. It's an argument for better cooperation and consistency between suppliers, products, protocols and, equally importantly, among the people and processes in your organisations.

This is my last issue of SC Magazine. Over the past four years I have watched the industry develop, and have enjoyed working with our readers and technology suppliers.


If you are an independent security specialist with lab facilities, able to review technology to our strict test criteria and methodologies and write up the results to our editorial requirements, then we want to hear from you. We are particularly interested in universities with postgraduate labs and consultants with in-house testing facilities. Please contact Paul Fisher directly for more information on


Our testing team includes knowledgeable internal staff, as well as external experts who are respected industry-wide. In our Group Tests, we aim to look at a broad range of products around a common theme.

This might mean including products that do the same thing, but which are aimed at different markets - in this case, we will review them both in that context and on their own merits.

With an increasingly diverse range of products, it is not always possible to make direct comparisons to other products. Our final conclusions and ratings are subject to the judgment of the reviewer.


Our star ratings indicate how well the product has performed against each of our test criteria. These are marked as follows:

* Seriously deficient
** Fails to complete certain basic functions
*** Carries out all basic functions to a satisfactory level
**** Carries out all basic functions very well
***** Outstanding


Any product we review could win our Best Buy and Recommended awards. Best Buy is our top award and goes to those products we rate as outstanding across a range of criteria. Recommended means that the product has shone in a specific area or will suit a particular need very well.