Information Resource Engineering

by Paul Grosse - July 1997

Introduction

The huge investment that is required to implement Wide Area Networks or Value Added Networks makes the Internet a particularly attractive proposition, especially as the cost is the same irrespective of the geographical distances involved. The use of a network that is based upon an open system cannot become a valid proposition unless it is capable of maintaining the same advantages as a closed network - the main advantages being:

* the stored data and network traffic on the system is not accessible from the outside; and,
* the system as a whole cannot be attacked from the outside.

The disadvantage is that it is particularly expensive to expand a closed network beyond one location. One further consideration is that if you already have a closed inter-site network of some description, do you know that it has not already been breached physically? To check this properly requires tracing the entire length of the connection, looking for wiretaps - microwave links are even easier to monitor.

With fast and secure inter-site communications becoming so important for the survival of companies, the cost of not implementing some sort of system could, in the long term, cost the company itself, as could implementing a flawed system. The clear answer is to use the Internet in such a way that the network itself, its stored data and the internal network traffic is protected by a firewall, and inter-network communications or communications between network and end user are encrypted (so that even if packets are intercepted, they are of no use) and authenticated (so that the recipient knows that what has been received is what was sent originally). IRE's SafeNet/Enterprise system provides a comprehensive answer - looking at some of its customers and the levels of security required by them endorses IRE's position in this sector of the market.

Products

The SafeNet/Enterprise product range covers all of a company's requirements to set up a Virtual Private Network (VPN) using the Internet and public telephone systems to provide a working network 24 hours a day, 365 days a year for approximately half the cost. Even ISPs can be used as part of a system thus enabling a company either to take advantage of the possibilities of teleworking or to include smaller, more remote branches of its business within the network that would otherwise have been left out.

The system is set up essentially in three locations for any VPN such that two of the points are the two parts of the network wishing to communicate with each other and the third is the SafeNet/Security Centre which is responsible for access authorisation or denial.

SafeNet/Security Centre

The SafeNet/Security Centre is the heart of the SafeNet/Enterprise VPN. Based on a reasonably powered PC (a 100MHz Pentium based machine with CD/ROM, 1.2Gb HDD (minimum), optional tape backup, 16 Mb RAM and so on with a smartcard reader/writer, running Windows NT), the SafeNet/Security Centre provides: full configuration capability for network management, security management and device control enrollment; access control in the form of six levels of Security Officer operations (ranging in levels of privilege from complete system access to only being able to make backups), smartcard production and PIN generation; monitoring and auditing the network in real time; and, registration, certification and key management.

With the SafeNet/Security Centre managing the keys that are required for devices providing data encryption, data and packet authentication and user authentication, the Security Officers have the capability to configure the centre to change remote device session keys automatically in a regime based upon any time interval from a day to a year. The random session keys that result from this process are never displayed and cannot be viewed.

SafeNet/Security Centre's key management controls network access by using User Authentication. Each device has a Master Key which is kept in a dedicated database and to access the network, a device must have a Master Key that matches the key that is stored at the SafeNet/Security Centre. This permits the central control of all of the devices as individuals should they be stolen or lost - allowing access to specific parts of the network / denying access to other parts as dictated by the control centre.

The SafeNet/Security Centre performs real time monitoring of the VPN network providing live and logged information on usage, hardware failures and security alerts. The SafeNet/Security Centre informs Security Officers of alerts and failures with audible alarms and flashing displays that require acknowledgement to be cancelled. The event log provides for a backup of all activities for up to 10,000 events on the system. This archive can be transferred to HDD or FDD and the backup also permits a separate backup for database management which can make use of FDD or an optional tape drive.

SafeNet/Trusted Services

SafeNet/Trusted Services performs two essential functions: firstly, it can establish the infrastructure required to run a virtual private network immediately, thereby enabling a company to start operations without having to have established its own team of security experts first; and secondly, it can act as a backup in the event of a disaster such as fire or flood thus enabling the continuity of the service.

With the Security Centre being fundamental to the secure operation of the VPN, it makes sense to have a backup facility situated elsewhere, although it is also essential that it can be trusted. The Trusted Services management centres are built in physically secure facilities with double doors controlled with smartcards and monitored with surveillance cameras and are designed for continuous operations. They have redundant power supplies and communications, are backed up to remote sites and meet the audit requirements of SAS70.

SafeNet/Firewall

The SafeNet/Firewall is a second generation (proxy) firewall which is intrinsically more secure although slightly slower than the third generation of firewalls. With the very nature of the network traffic handled by IRE SafeNet products, it is important that IRE has decided to opt for the most secure type of firewall rather than the latest. The firewall used by IRE is the CyberGuard firewall which has been awarded UK ITSEC E3 certification.

SafeNet/LAN Encrypting Firewall

The SafeNet/LAN Encrypting Firewall provides the system with an interface between the LAN and the Internet. Making use of encryption and authentication, the SafeNet/LAN is completely transparent to the network, providing the required automated key management, data encryption and, according to IRE, the capability of controlling unencrypted access.

The SafeNet/LAN is set up at the SafeNet/Security Centre and generally left alone. When it is decided that the configuration needs changing, this should be done by coordinating any changes with the Security and System Administrator, as the SafeNet/LAN is part of a network with addresses entered into other devices - a single change possibly requiring numerous updates to numerous other devices.

SafeNet/Dial Encrypting Modem

The SafeNet/Dial Encrypting Modem permits remote access to secure networks either directly or via a SafeNet/Security Centre. It provides DES encryption and user authentication and is designed to operate with Asynchronous or Asynchronous-to-X.25 Network Security Systems, supporting terminal to modem rates of 115.2 Kbps and modem connection rates up to 28800 baud. The unit is not BABT approved, however, and therefore, in the UK, the SafeNet/Dial-R version should be used. This acts as an interface between the user and an external modem, which actually allows the use of modems that are faster than 28800 baud.

By making use of standard Internet Service Providers (ISPs), SafeNet/Dial enables companies to take advantage of teleworking - being better for the worker in that they don't have to travel to and from work and so on - or include smaller, more remote sites in the network - building societies, mutual associations or banks in remote areas. ISPs, being competitive, will give companies a reasonable deal on cost. Teleworking usually involves only intermittent Internet usage, making working more flexible whilst retaining the required levels of security, whilst remote sites requiring continuous access have lower connection overheads to justify inclusion in the network.

SafeNet/Smartcard

Apart from being used to download setup information to the SafeNet/LAN, the SafeNet/Smartcard is also used in the process of user authentication. The SafeNet/Smartcard is not simply something passive that the user has (and therefore spoofable) but is capable of responding to a challenge by the SafeNet/Security Centre, the result of which is then used to ascertain the authenticity of the user. Without the correct smartcard and PIN, the user cannot gain access; two level authentication is therefore achieved. The smartcard reader is available either in a desktop version or in a PCMCIA version for a laptop computer.

SafeNet/Soft

SafeNet/Soft is the software only version providing Windows compatible security software, continuous user authentication, random password generator and data encryption. It is the lowest cost security for users with limited security needs and runs transparent to the user's application software in the same way that SafeNet/Dial / SafeNet/Smartcard combinations do.

Working Together

Typically, when a user wants to access a network, they insert their card into the reader slot of the SafeNet/Dial modem, click the mouse on the SafeNet/Dial PIN entry icon, enter their PIN and then start to access the LAN in the normal way. Apart from the transit times of the key requests, they are oblivious to anything else going on.

What does go on ensures the high level of security of the system. In short, the SafeNet/LAN receives the SafeNet/Dial's request, adds information identifying itself and sends it on to the SafeNet/Security Centre, which creates a challenge and sends that back to the SafeNet/Dial, which then sends its response back to the SafeNet/Security Centre. If all checks out okay at this stage, the SafeNet/Security Centre sends a message to the SafeNet/Dial and SafeNet/LAN with the session keys encrypted with the Master Keys of the SafeNet/Dial and the SafeNet/LAN. The SafeNet/Dial then sends a message to the SafeNet/LAN and communications are established.
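The exchange described above, together with the earlier point that a device whose Master Key no longer matches the centre's database is refused, can be modelled as follows. This is an added example, not IRE's code: HMAC-SHA256 and the XOR-pad key wrap are stand-ins for whatever algorithms the products use, the class and function names are hypothetical, and the SafeNet/LAN forwarding the request with its own identity is reduced to passing both device ids to the centre.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # Keyed function used for authentication and key wrapping (stand-in choice).
    return hmac.new(key, label + data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(master: bytes, session: bytes) -> bytes:
    # Encrypt-then-MAC a 32-byte session key under one device's master key.
    nonce = secrets.token_bytes(16)
    ct = xor(session, prf(master, b"enc", nonce))
    return nonce + ct + prf(master, b"mac", nonce + ct)

def unwrap(master: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, prf(master, b"mac", nonce + ct)):
        raise PermissionError("session key was not wrapped for this device")
    return xor(ct, prf(master, b"enc", nonce))

def respond(master: bytes, challenge: bytes) -> bytes:
    # Device side: prove possession of the master key without sending it.
    return prf(master, b"auth", challenge)

class SecurityCentre:
    def __init__(self):
        self.master_keys = {}  # device id -> master key (the dedicated database)
        self.pending = {}      # dial id -> (lan id, outstanding challenge)

    def enrol(self, device_id: str) -> bytes:
        self.master_keys[device_id] = secrets.token_bytes(32)
        return self.master_keys[device_id]

    def revoke(self, device_id: str) -> None:
        # Lost or stolen device: remove its key so it can no longer authenticate.
        self.master_keys.pop(device_id, None)

    def challenge(self, dial_id: str, lan_id: str) -> bytes:
        if dial_id not in self.master_keys or lan_id not in self.master_keys:
            raise PermissionError("unknown or revoked device")
        self.pending[dial_id] = (lan_id, secrets.token_bytes(16))
        return self.pending[dial_id][1]

    def grant(self, dial_id: str, response: bytes):
        lan_id, challenge = self.pending.pop(dial_id, (None, b""))  # single use
        dial_key = self.master_keys.get(dial_id)
        lan_key = self.master_keys.get(lan_id)
        if dial_key is None or lan_key is None or not hmac.compare_digest(
                response, respond(dial_key, challenge)):
            raise PermissionError("challenge response rejected")
        session = secrets.token_bytes(32)  # only ever leaves the centre wrapped
        return wrap(dial_key, session), wrap(lan_key, session)

def connect(centre, dial_id, dial_key, lan_id, lan_key):
    # dial_key and lan_key are the keys physically held by each device.
    challenge = centre.challenge(dial_id, lan_id)
    for_dial, for_lan = centre.grant(dial_id, respond(dial_key, challenge))
    return unwrap(dial_key, for_dial), unwrap(lan_key, for_lan)
```

Because each challenge is removed from the pending table when it is answered, a captured response cannot be replayed to obtain a second set of session keys.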

Complicated though this may sound, it is all logical and within the short time that it occurs, is resistant to attack. Because of the fact that everything is encrypted using keys that change frequently, it is reasonably secure from spoofing. The only attack on the VPN traffic that is left open to the hacker is attack by denial of service.

General Features

All of the above products combine to make a secure system, the main features of which are:

Platforms

With the exception of SafeNet/Soft which requires Windows, and the SafeNet/Smartcard reader which plugs into a COM port on the desktop PC or PCMCIA slot on a Laptop, everything else is self contained and requires only the connections to the LAN or other networks.

Pricing

SafeNet Starter Kit Service:
  (uses SafeNet/Trusted Services) Secure Internet VPN access for six remote users plus one secure LAN connection $18,995 19,945
SafeNet Expanded Starter Kit Service:
  (uses SafeNet/Trusted Services) Secure Internet VPN access for thirteen remote users plus two secure LAN connections $24,995 26,245
SafeNet Starter Kit System:
  (includes SafeNet/Security Centre) Secure Internet VPN access for six remote users and two secure LAN connections $32,995 34,645
SafeNet Expanded Starter Kit System:
  (includes SafeNet/Security Centre) Secure Internet VPN access for thirty remote users and three secure LAN connections $40,995 43,045
SafeNet/Security Centre:
  Comprehensive, central Security Management Centre for Firewalls, Encryption and User Tokens. Pentium Workstation with 17" Colour monitor, CD-ROM, Encryption module, ID Card Reader/Writer with 2 ID cards, Windows NT OS, SQL Server database software, Security Management Module, Event Logging, User and Product Enrolment, PIN creation and Management, ID Card creation and Management. Prices based upon number of enrolment products as follows:
  (1 - 25) $15,995 16,795
  (26 - 100) $25,990 27,290
  (101 - 1000) $30,985 32,534
SafeNet/Security Centre Kit:
  This is essentially the same as the SafeNet/Security Centre but without the PC. Its prices are worked out in the same way and are as follows:
  (1 - 25) $10,740 11,278
  (26 - 100) $20,737 21,774
  (101 - 1000) $25,733 27,019
SafeNet/Firewall: $18,995 19,945
SafeNet/LAN: $4,995 5,245
SafeNet/Soft: $79 83
SafeNet/Smartcard:
  Smartcard and smartcard reader with software, continuous user authentication, random password generator and data encryption.
  PCMCIA version $250 131
  Desktop version $125 131
SafeNet/Dial:
  Portable secure modem, continuous user authentication, random password generator, data encryption.
  For non-European connections includes V.34 modem (28,800bps) $695 730
  For European connections (via external modem) $515 541

Opinion

With the increasing long term importance of inter-site communications and the high cost and inflexibility of Value Added Networks and Wide Area Networks, a company that has not already invested in such a network must choose between watching its competitors move ahead in the market place or implementing a more cost effective alternative. For those companies that have already installed dedicated lines, encryption is the only protection against hard wire taps or microwave link monitoring and when such protection is implemented, serious consideration must be given to the fact that the Internet is the widest area WAN in existence and therefore the lowest cost to run as it is already paid for by everyone who uses it.

Placing the authenticating server - SafeNet/Security Centre - in one place on the Internet has some positive points and some negative points. The main advantage is that there only needs to be one such centre for a given VPN - centralising the administration and cutting down on the cost of having to have security management and control at each site. However, such centralisation does place a particularly high importance on the security of the centre, both physically and in terms of the data that it holds. In effect, the SafeNet/Security Centre itself becomes the hacker's golden key, thus centralising attacks on the system. If a hacker ever managed to get inside - be it through a security loophole in a firewall or by infiltrating the personnel who work at the centre - the integrity of the whole system could be compromised.

The unique identification of any device that addresses the SafeNet/Security Centre enables the control of access for that device to any part of the network with the potential for a particular device being granted partial access - to some networks only - or, in the case of theft or abuse of a device, denied access altogether. Further the real time monitoring of the system leads to the detection of system hardware failures thus enabling quicker rectification of the situation and less discontinuity of network administration.

However, the hierarchical key system that makes the VPN so strong in terms of resistance to attack by monitoring the data is also a weakness in that changing the highest level of key will deny access to all devices. Recognising this, the only way to change the highest two levels of keys is to do so manually - writing a piece of code to do it automatically would not only make it easier for the legitimate user to change them by accident but would also give the hacker something at which to aim an attack accurately.

With this direct approach removed from the hacker, the only method of attack left is attack by denial of services. Breaking through the firewall into the SafeNet/Security Centre and deleting the database would only require the reinstallation of the last backup and intercepting packets and changing them slightly before sending them on is only denying the service as long as this goes on - both attacks never gaining information for the hacker. This leaves the question of 'in place' attack by infiltrating the Security Officers employed to look after the SafeNet/Security Centre although this is more along the lines of industrial espionage rather than simple hacking. Even so, who is going to guard the guards themselves?

Another option is to make use of the SafeNet/Trusted Services which apart from allowing the new company to set up a VPN without having to recruit large numbers of security experts and take care of disaster management, can look after the SafeNet/Security Centre side of the process.

Any doubt about the trustworthiness of the SafeNet/Enterprise VPN can be allayed by looking at the current customers which include the FBI and the Secret Service.

Strengths

Weaknesses

Conclusions

With everything that happens in the VPN being covered by encryption and a hierarchical system of keys, this product range makes the Internet almost as secure as an expensive Wide Area Network with encryption, although with infinitely more flexibility and scalability and at a fraction of the cost. By implementing IRE SafeNet/Enterprise, a company becomes able to incorporate even the most remote site into its system thereby becoming truly integrated. The fact that IRE is able to provide remote users with security at various levels of cost means that a company does not need to spend inordinate amounts of money on a site that is only going to be an occasional user of the network.

The only point that may make systems administrators think twice is the cost of the system - IRE has recognised this with their SafeNet/Trusted Services company. Whether or not it is decided that SafeNet/Enterprise is on the whole too expensive depends upon the value that is assigned to your company's network traffic and its views of the importance of this in the future.

In essence: automated centralised key management; data encryption; user authentication with random single session passwords; packet authentication; address and socket service filtering; and, future proofing all come together to make Information Resource Engineering's SafeNet/Enterprise a system that is definitely worthy of serious consideration.

Company Profile

Formed in Baltimore in 1983 by a group of data security professionals including President and Chief Executive Officer, Anthony Caputo, Information Resource Engineering started out making leased line encryptors and has subsequently diversified into selective encryption - dial-up, X.25 and SNA. In 1989, the company completed an end-to-end encryption product (an area of the market that is forecast to become the leading technology in the near future) and went public, floating its common stock on NASDAQ (code 'IREG') with an additional US$24 million capital being raised in 1993 and 1996. In 1995, IRE's revenues grew by 138% whereas the rest of the market grew by only 70% - IRE's turnover in the last year was US$14 million with US$8 million turnover in the year previous to that.

Located in the Baltimore-Washington technology corridor, the company now employs around 100 people and a further 15 internationally of which the majority serve in technical capacities. IRE has shown success in recruiting and retraining engineers and managers from organisations including General Instrument, Hewlett-Packard, Hughes Network Systems, IBM and Intel and in 1995 took over the Swiss company, Gretacoder Data Systems AG which is now a completely owned subsidiary of IRE.

Data Security is IRE's sole focus - unlike other companies which tend to treat data security as an ancillary business - it therefore does not suffer from interdepartmental conflicts over funding and resource allocation that other companies necessarily do when considering this, or any other area.

IRE's SafeNet/Enterprise product portfolio includes:

The company has delivered one of the largest User Authentication Systems in the world with the United States Treasury Department using an IRE smartcard based system to certify the payment of all non-Department of Defense government bills for the United States. IRE's customers include AT & T, Alcan, Caterpillar, Central Bank of Sweden, Chase Manhattan Bank, US Department of Treasury, Euroclear, Federal Bureau of Investigation, Federal Reserve Bank, MCI, J P Morgan & Company, and the Secret Service. The Dreyfus Corporation, Mellon Bank Corporation's mutual fund subsidiary was the first SafeNet user, using SafeNet to process electronic mutual fund transactions for its institutional clients thereby reducing communications costs through the use of the Internet.

In 1995, MCI Communications Corporation purchased more than US$10 million of IRE SafeNet Secure Internet products thereby enabling a strategic partnership between MCI and IRE that offers MCI's Internet connectivity and IRE's SafeNet products and Security Management.

In the US:
Information Resources Engineering
8029 Corporate Drive
Baltimore
MD
21236
USA
Tel: +1 410 931 7500
Fax: +1 410 931 7524
Email: sales@ire.com
WWW: http://www.ire.com/

In the UK:
Portcullis Computer Security Limited
The Grange Barn
Pikes End
Pinner
Middlesex
HA5 2EX
UK
Tel: +44 (0)181 868 0098
Fax: +44 (0) 0181 868 0017
Email: portcul@dircon.co.uk

Copyright (c) 1997 P. A. Grosse. All Rights Reserved.

