That's a pretty tall order for one product. You may want to take a look at a combination of some of the following products, each of which has one or more of the elements you require.
A flexible Web authentication product is NetSwift iGate from SafeNet Inc. This product is a hardware appliance that sits between your Web server and your firewall. Users then need a token and a PIN to access Web-based applications. The product can control external access to your Web applications, as in an extranet, or it can also function with corporate intranets. The product is only meant for accessing Web applications, not an entire company's network, but this authentication tool would still be compatible with many of your existing applications. NetSwift iGate uses SSL for all connections but isn't an SSL VPN, which is yet another authentication option you might want to consider.
If you're in need of an SSL-VPN tool, consider using an Aventail Corp. product, as its line can be fine-tuned to allow access to only selected portions of your Web applications. You can then customize your access controls as you see fit. Aventail products can also be integrated into Active Directory, and are then compatible with Windows environments. However, because an SSL VPN enables only remote or external access, to meet your internal needs, the network will have to be combined with another product.
As for application-level firewalls, Breach Security Inc.'s BreachGate WebDefend offers application-level security for Web programs. This product uses a series of threat-detection engines to analyze and look for malicious traffic, even after it has passed through your firewalls and intrusion detection systems (IDS). The engines use a variety of techniques to match threat signatures, analyze HTTP protocol misuse and check for known Web and application attacks.
In terms of the SSO piece of your setup, a suitable lightweight product is OneSign from Imprivata Inc. This device is a hardware-based SSO product. Unlike traditional SSO products, which use software modules installed on existing servers, this is a stand-alone device. Depending on the size of your organization -- Imprivata's products are geared toward SMBs -- these highly customizable products may be what you're looking for. As new applications are developed, they can be added to the product via its Web-based interface.
However, before jumping into a range of products, it would be best to carefully evaluate your needs, your organization's size and the compatibility of these products with each other, your network and your Web servers.
This was first published in October 2006