Network Security Overview
Product: Strategi - BusinessLink/WEB
Modified Date:

Introduction

Individuals and corporations are implementing the Intranet/Extranet model for network communications at an alarming rate. Intranets and Extranets offer clear cost savings and ease of installation compared with older, more expensive leased line networks or WANS based on proprietary technology. Organizations can use Intranets and Extranets to distribute information more cost effectively and in a more timely manner. And, they can use them to improve collaboration among employees across the organization and with business partners.

As Intranets and Extranets are becoming more widely deployed, new security challenges have emerged. While many organizations have deployed firewalls and access control technology to improve security, these technologies leave many security issues unaddressed.

This overview will illustrate the main security risks of deploying Intranets and Extranets and how BusinessLink/WEB and Strategi work to resolve these issues.

Types of Security Risks
Goals of Security Systems
Secure Sockets Layer (SSL)
Digital Certificates
Common Security Technologies
BusinessLink Security Options
Question and Answer
Useful Security Reference Sites
Types of Security Risks

Intranet and Extranet security breaches can take a variety of forms. The following examples illustrate the possible scenarios.

  • An unauthorized person, such as a contractor or visitor, might gain access to a company's computer system.
  • An employee or supplier authorized to use the system for one purpose may use it for another. For example, an engineer might break into the HR database to obtain confidential salary information.
  • Confidential information may be intercepted as it is being sent to an authorized user. For example, an intruder may attach a network sniffing device to the network. While network sniffers are typically used for network troubleshooting and analysis purposes, they may also be used to intercept data coming over the wire.
  • Users may share documents between geographically separated offices over the Internet. Without SSL or some other means of encryption, the information is sent 'in the clear' for anyone to see as it is transmitted from one location to another.
  • Electronic mail can be intercepted in transit and its content changed without the sender or recipient realizing that the message has been modified or read by an unauthorized party.
  • Hackers may attempt to disrupt systems operation using a 'denial of service' attack. A common example is a ping flood whereby a hacker sends a ping request to the broadcast address of a machine that in turn sends the request to all machines in the same subnet. The goals of these types of attacks are to consume system resources enough to congest the network or even bring down a host.

    Although most people have heard the term 'hacker' in the media, in reality, corporate insiders- such as employees, former employees, contractors working onsite and other suppliers- are far more likely to attack their own companies computer system over an Intranet or Extranet. The figure below associates the type of attack with average loss as reported by a CSI/FBI 1998 Survey of Computer Security.


    • Goals of Security Systems

    There are a variety of techniques available to address these security issues within Intranets and Extranets. Before choosing a particuar technology, it is important to understand the full range of issues that security systems should address.

  • Authentication-- ensuring that entities sending messages, receiving messages, or accessing systems are who they say they are, and have the privelege to undertake such actions (user/password schemes and/or digital certificates).
  • Privacy-- enabling only the intended recipient to view an encrypted message (SSL and digital certificates).
  • Content Integrity-- guaranteeing that messages have not been altered by another party since they were sent (digital certificates).
  • Non-Repudiation-- establishing the source of a message so that the sender cannot later claim that they did not send the message (digital certificates).
  • Ease of Use-- ensuring that security systems can be consistently and thoroughly implemented for a wide variety of applications without unduly restricting the ability of individuals or organizations to go about their daily business.

    This last goal is frequently overlooked. Organizations must not only develop sound security measures, they must also find a way to ensure consistent compliance with them. If users find security measures cumbersome and time consuming to use, they are likely to find ways to circumvent them— thereby putting your Intranet and Extranet at risk. Organizations can ensure the consistent compliance to their security policy through:

  • Systematic application. The system should automatically enforce the security policy so that security is maintained at all times.
  • Ease of end-user deployment. The more transparent the system is, the easier it is for end-users to use—and the more likely they are to use it. Ideally, security polices should be built into the system, eliminating the need for users to read detailed manuals and follow elaborate procedures.
  • Wide acceptance across multiple applications. The same security system should work for all applications a user is likely to employ. For example, you should be able to use the same security system whether you want to secure e-mail, e-commerce, server access via a browser, or remote communications over a virtual private network.

    • Secure Sockets Layer (SSL)

    SSL Version 3, documented in an IETF draft, provides one of the most commonly available security mechanisms on the Internet. SSL stands for Secure Sockets Layer, though IETF is renaming it TLS (Transport Layer Security). Developed by Netscape, SSL is used extensively by web browsers to provide secure connections for transferring credit cards numbers and other sensitive data. An SSL-protected HTTP transfer uses port 443 (instead of HTTP normal port 80), and is identified with a special URL method - https. Thus, https://www.verisign.com/ would cause an SSL-enabled browser to open a secure SSL session to port 443 at www.verisign.com.

    SSL is based on cryptography, the encoding of data in such a way that it can be decoded only by its intended recipient, not by a third party who might be able to intercept the information in transit. The simplest way to do this is for the sender and receiver to use a secret key, which can be used along with an agreed-upon algorithm to scramble the data in such a way that only someone with the key can unscramble it. The secret key acts much like a password. One of the most well-known secret key systems is the Data Encryption Standard (DES), developed by the U.S. National Security Agency. SSL uses a secret key system called RC4, developed by RSA, Inc, to encrypt its transfers.

    The use of a secret key implies that the participants in the conversation must have selected a key and communicated it among themselves in a secure manner. However, when establishing an Internet connection, there is usually no pre-arranged key, so a means must be provided of securely generating one. This would become a chicken-and-the-egg problem (how do you communicate a secret key with a secret key to encode it?) were it not for public key cryptosystems, of which RSA is the most used.

    A public key system, usually based on mathematical principles of modulo arithmetic, uses two keys, not one. Information encrypted with one of the keys can only be decrypted with the other key, and vice versa. You cannot encrypt and then decrypt a message with only one key - the result would be gibberish. Typically, one key is published (the public key) and the other is kept secret (the private key). Now anyone can encrypt a message using the public key and transmit it across an insecure network, knowing that only the holder of the private key can decrypt it. Not only can you encrypt with the public key, but you can also encrypt with the private key. Anyone can decrypt such a message, but only the private key holder could have generated it in the first place. This gives us a means of digitally signing messages in a way that no one else (without the private key) could duplicate. Thus, public key cryptosystems provide us with both confidentiality (no one can read a message but the receiver) and authenticity (no one can write a message but the sender).

    SSL operates using these principles. When an SSL session is established, the server begins by announcing a public key to the client. No encryption is in use initially, so both parties (and any eavesdropper) can read this key, but the client can now transmit information to the server in a way that no one else could decode. The client generates 46 bytes of random data, forms them into a single very large number according to PKCS#1, encrypts them with the server's public key, and sends the result to the server. Only the server, with its private key, can decode the information to determine the 46 original bytes. This shared secret is now used to generate a set of conventional RC4 keys to encrypt the rest of the session.

    The only issue that remains is authentication. How does the client know that the server is actually what it claims to be, and not some interlopper sending its own set of public keys? The answer is provided by certificates. A certificate is a cryptographically sealed data object that includes the server's identity and public key. The certificate is signed by computing its hash value and encrypting this with an issuer's private key. If even one bit is changed in the certificate, the hash value changes, and the signature becomes invalid. If the client already possesses the issuer's public key, and trusts the issuer to verify the identity of the server, then the client can be sure that the public key in the certificate is the public key of the server. An interlopper would have to know either the private key of the server or the private key of the issuer to successfully impersonate the server.

    As it turns out, only a handful of issuers are needed. For example, VeriSign, a major U.S. issuer, issues certificates only after a background check insures both the identity of the subject, and their authority over a particular DNS name. VeriSign's public keys are hardwired into both Netscape's and Microsoft's web browsers, so a server with a VeriSign-signed certificate can be authenticated by a browser with no additional information. If the server presents a certificate not signed by VeriSign (or another recognized authority), or if the DNS name of the server doesn't match the DNS name in the certificate, a warning message is displayed, and the user may decide how to proceed.

    The client can be authenticated as well, by presenting a certificate of its own, then computing a hash of all the SSL messages that have been exchanged up to a certain point, encrypting the result with its private key, and sending this to the server. The server, which can compute the same hash value, having seen all the messages as well, can decrypt using the client's public key, which is part of the certificate, and verify that the two results are the same. Thus the client is authenticated.

    Digital Certificates

    Understanding digital certificates is central to understanding public key infrastructure systems. A digital certificate, also known as a Digital ID, is the electronic equivalent of a passport or business license. It is a credential, issued by a trusted authority, which individuals or organizations can present electronically to prove their identity or their right to access information.

    When a Certification Authority (CA) such as Thawte USA, issues Digital IDs, it verifies that the owner is not claiming a false identity. Just as when a government issues a passport, it is officially vouching for the identity of the holder, when a CA gives your business a digital certificate, it is putting its name behind your right to use your company name and Web address.

    How Digital Certificates Work

    In physical transactions, the challenges of identification, authentication, and privacy are solved with physical marks, such as seals or signatures. In electronic transactions, the equivalent of a seal must be coded into the information itself. By checking that the electronic "seal" is present and has not been broken, the recipient can confirm the identity of the message sender and ensure that the message content was not altered in transit. To create an electronic equivalent of physical security, digital certificates use advanced cryptography.

    Cryptographic systems have been used to protect valuable information for thousands of years. Traditionally, cryptographic systems have attempted to ensure security using some variant of the secret key system. Secret key systems require that both parties in a communication scheme have a copy of the same secret code or "key." When two people wanted to share information, the sender would encrypt the information using his copy of the secret key. The recipient could decrypt the message only by using her copy of the same key. If somebody intercepted the message, that person could not decipher it without the key.

    Despite their widespread use, secret key systems have several critical limitations. First, simply transmitting the secret key poses risks because the key can be intercepted in-transit by unauthorized parties. Second, if one of the sharing parties uses the key maliciously, that party can deny or repudiate, the transaction. Alternatively, the malicious party can impersonate the sender, or can use the secret key to decrypt other sensitive information. To prevent against this sort of attack, organizations must require users to have different secret keys for each party with whom they communicate. If an organization has a hundred people, literally millions of different secret keys will need to be used to accommodate all possible combinations.

    Digital certificates employ the more advanced public key cryptography system, which does not involve the sharing of secret keys. Rather than using the same key to both encrypt and decrypt data, a digital certificate uses a matched pair of keys that uniquely complement each other. When a message is encrypted by one key, only the complementary key can decrypt it.

    In public key cryptography systems, when your key-pair is generated, you keep one key private. This key is called the "private key," and nobody other than you, as the rightful owner, should ever have access to it. However, the matching "public key," can be freely distributed as part of a digital certificate. You can share your digital certificate with anyone, and can even publish your certificate in directories. If someone wants to communicate with you privately, they use the public key in your digital certificate to encrypt information before sending it to you. Only you can decrypt the information, because only you have your private key. The figure below illustrates the use of digital certificates.

    Conversely, you can use your key pair to digitally sign a message. To sign a message, you simply encrypt the message with your private key. The message can be decrypted using the public key contained within your certificate. While many people have access to your certificate, only you could have signed the message, because only you have access to your private key.

    A digital certificate is a binary file. Your digital certificate contains your name and your identifying information along with your public key-- it tells correspondents that your public key belongs to you. Digital certificates generally also contain a serial number, an expiration date, and information about the rights, uses, and privileges associated with the certificate. Finally, the digital certificate contains information about the certificate authority (CA) who issued the certificate. All certificates are digitally signed using the private key of the Certificate Authority. (Generally, the Certification Authorities’ own certificate (called a root certificate) is widely deployed in software packages, allowing people to seamlessly identify legitimate certificates issued by the certification authority.) If the CA maintains good security protection of their private key, it is virtually impossible for anyone to forge a digital certificate.

    It is important to note that certificates are not only issued to individuals. Organizations, as well as entities such as servers and routers, can also be issued certificates.

    Digital Certificates Meet Your Security Objectives

    Given the ease and versatility of PKI, security technology based on Digital Certificates has been deployed widely over the past several years. These widely used security protocols include:

    • S/MIME: The Secure, Multipurpose Internet Mail Extension protocol allows for sending signed and encrypted e-mail
    • SSL: The Secure Sockets Layer protocol allows for authenticated and encrypted communication between browsers and servers, or between different servers.
    • IPSEC: The IP Security Protocol is a newly developing protocol, allowing authenticated and encrypted communication between routers, between firewalls, and between routers and firewalls. This protocol will play an important role in Extranets in the coming years.
    Common Security Technologies

    The following descriptions explain the common security technologies available today and the features they provide:

    Authenticode
    Microsoft® Authenticode™ technology, a security feature in Microsoft Internet Explorer, assures accountability and authenticity for software components on the Internet. Authenticode verifies that the software hasn't been tampered with and identifies the publisher of the software. Users can decide case-by-case basis what code to download, based on their experience with and trust in a software publisher. By signing their code, developers can build an increasingly trusting relationship with their users.

    Security Features

  • Strong 128-bit cryptographic digital signatures
  • Digital signatures provided in industry-standard PKCS #7 and #10 formats Supports X.509 version 3 digital certificates

    CryptoAPI
    CryptoAPI is an application programming interface (API) that is provided as part of Microsoft® Windows® 95, 98 and Windows NT®. It provides a standard framework that programs can use to obtain cryptographic and digital certificate services. In addition to the standard services that are provided natively by Windows NT, third-party vendors can develop and market their own Cryptographic Service Providers (CSP)-plug-in modules that provide additional cryptographic services. CryptoAPI is currently undergoing FIPS 140-1 evaluation and certification by the U.S. National Institute of Standards and Technology.

    Security Features

  • Support for public-key and shared-secret key cryptographic algorithms.
  • Support for certificate handling services.
  • Fully based on industry standards, including cryptographic standards from IETF (PKIX, S/MIME), PKCS, X.509, etc.

    Kerberos Authentication Protocol
    Kerberos is an industry-standard authentication protocol that provides high security while scaling well. At the heart of the protocol is a trusted server called a Key Distribution Center (KDC). When the user logs onto the network, the KDC verifies the user's identity and provides credentials called "tickets", one for each network service that the user wants to use. Each ticket introduces the user to the appropriate service, and optionally carries information that indicates the user's privileges for the service.

    The Kerberos protocol is the primary authentication mechanism in Microsoft® Windows NT® 5.0 operating system. In addition, Microsoft's implementation uses allowable extensions to the protocol to allow smart cards to be used during network logon. This provides the twin advantages of strengthening the authentication process and providing seamless entry into the Windows NT public key infrastructure. Microsoft's implementation of Kerberos is fully compatible with the Version 5 standard and interoperates with any other standard-compliant implementation.

    Server Gated Cryptography
    Server Gated Cryptography (SGC) is provided as part of the Microsoft® Windows 95, 98 and Windows NT® operating systems, and provides strong 128-bit cryptography for online banking and other approved uses. United States export law normally prohibits the export of strong cryptographic products; however, because the SGC technology allows its use to be restricted to only banking and other approved purposes, SGC can legally be exported and used worldwide.

    Security Features

  • Strong 128-bit encryption to protect your online banking sessions.
  • Interoperates with all leading vendors' implementation of SGC.

    Smart Cards
    A smart card is a credit card-sized device that has an embedded microprocessor, a small amount of memory, and an interface that allows it to communicate with a workstation or network. Two characteristics make smart cards especially well suited for applications in which security-sensitive or personal data is involved. First, because a smart card has both the data and the means to process it, the onboard processor can service requests from the network and return the results without divulging the sensitive data. For example, a smart card could be used to digitally sign data without divulging the user's private key. Second, because smart cards are portable, the user can carry the data with him on the smart card rather than entrusting it to network storage. An example of this scenario is using a smart card to carry personal information about the user such as medial records or digital certificates.

    Microsoft® Windows NT® 4.0, Windows® 95 and Windows 98 all support smart cards and smart card readers based on specifications establish by the Personal Computer Smart Card (PC/SC) Workgroup, an industry group of leading PC and smart card companies. Smart card solutions that are Windows-compatible can be used with Internet Explorer to authenticate a secure connection and Outlook Express or Outlook 98 for sending and receiving secure email. In Windows NT 5.0, smart cards can be used to logon to a network using an X.509 version 3 certificate stored on the smart card.

    Virtual Private Networks
    Until recently, companies that needed to share data with traveling users or outside networks had two choices: they could either let their company secrets travel across an unprotected medium like the Internet and hope that nobody was watching, or they could buy or lease their own dedicated, protected communications lines and create a so-called private network. A better solution is to create a Virtual Private Network (VPN). In a VPN, data travels over public networks, usually the Internet; the information needed to allow the data packets to be routed between the user and the corporate network are made available to the public medium, but all other information is encrypted.

    There are three primary protocols for creating VPNs:

  • Point-to-Point Tunneling Protocol (PPTP), the most popular tunneling protocol today. PPTP is provided as part of the Remote Access Services (RAS) in Microsoft® Windows NT® 4.0 and Windows® 2000 operating systems, and uses the existing Microsoft Windows encryption, user authentication, and configuration infrastructure of the Point to Point Protocol (PPP) to establish the encryption keys.
  • Layer 2 Tunneling Protocol (L2TP), a proposed Internet Engineering Task Force (IETF) standard protocol that uses public-key technology to perform user authentication and which can operate over a wider variety of communications media than PPTP. It is worth noting that L2TP cannot be used to perform encryption. L2TP will be provided in RAS beginning with Windows 2000.
  • IPSec, an IETF standard protocol that provides encryption and computer, but not user, authentication based on public-key technology. The chief advantages of IPSec are that it can be used to establish a VPN automatically in conformance with a corporate security policy, and it can be used to establish a VPN based on the machines, rather than the users, involved. IPSec is provided as part of RAS in Windows NT 4.0 and Windows 2000.

    Only two combinations of these protocols can be used to provide a secure VPN:
  • PPTP can provide a secure VPN by itself. PPTP meets the security needs of most companies, and can offer a less expensive and less complex management environment.
  • L2TP with IPSec can be used together to provide a secure VPN. L2TP+IPSEC meets the needs of companies that have advanced security requirements, although it can require a more expensive and complex management environment.

    • BusinessLink Security Options

    All BusinessLink software products employ strict security methods to ensure user authentication as well as secure data transmission. Please refer to the following descriptions of the security available for BusinessLink/REMOTE, BusinessLink/WEB, and Strategi by ADVANCED BusinessLink:

    BusinessLink/REMOTE
    The BusinessLink/REMOTE access solution works with a separate hardware component (coprocessor) attached to the iSeries 400 via twinax or LAN connection. Its primary function is to provide remote access to iSeries 400 sessions using a DOS/Windows client package.

    Standard Features

  • Users are centrally managed on the iSeries 400 and AB/Remote client software is distributed by the iSeries 400 systems administrator to the remote clients.
  • Remote access can only be accomplished using direct dialup methods thereby eliminating the need for additional network security.
  • AB/Remote users are unique. The client software can only be executed on a single PC and copying the remote software will invalidate the remote user until the iSeries 400 systems administrator takes appropriate action.
  • AB/Remote users can be configured to always sign on using a specific iSeries 400 user profile.

    Security Options
  • Due to the direct dialup nature of the client, SSL and digital certificates do not apply. Successful security procedures are in the hands of the iSeries 400 administrator. Most imporant is knowing exactly who has a remote client registration and what they will be doing with it when they access the iSeries 400.

    Security Summary
  • Client access is uniquely identified.
  • iSeries 400 administrator determines who can acess the iSeries 400.

    BusinessLink/WEB
    The BusinessLink/WEB access solution incorporates all of the features of BusinessLink/REMOTE but adds webserver functionality as well as Java client access to the iSeries 400.

    Standard Features

  • Like AB/Remote users, Java users are centrally managed on the iSeries 400.
  • AB/Remote users have the ability to connect via TCP/IP instead of dialup thereby reducing telephone costs.
  • The webserver component adds the ability to create a corporate website where browser clients can download documents or submit requests for critical information.
  • Both AB/Remote and Java users have the ability to receive iSeries 400 reports and database files.
  • Java users can be configured to always sign on using a specific iSeries 400 user profile.

    Security Options
  • Incorporation of SSL 3.0 to secure transmission over TCP/IP networks is highly recommended. This will ensure that data sent between the client and server is always encrypted.

    Security Summary
  • Client access is uniquely identified.
  • iSeries 400 administrator determines who can acess the iSeries 400.
  • Addition of SSL ensures data sent over TCP/IP networks is secure.

    Strategi
    Strategi is BusinessLink's native iSeries 400 product which features full webserver support and Java client iSeries 400 session access.

    Standard Features

  • Strategi users are centrally managed on the iSeries 400.
  • Website areas or 'zones' can be restricted to valid Strategi users by the iSeries 400 systems administrator.
  • Strategi users can be allowed access to website zones using basic authentication and still be restricted from iSeries 400 session access.
  • Strategi users can be configured to always sign on using a specific iSeries 400 user profile.
  • Strategi users can be restricted access based on TCP/IP address.

    Security Options
  • Incorporation of SSL 3.0 to secure transmission over TCP/IP networks is highly recommended. This will ensure that data sent between the client and server is always encrypted.
  • Incorporation of digital certificates will further help to guarantee the Strategi user identity. Website zones can be configured to ask for a digital certificate every time someone attempts to access a zone. Without a digital certificate, the Strategi user will not be able to proceed.

    Security Summary
  • Client access is uniquely identified.
  • iSeries 400 administrator determines who can acess the iSeries 400.
  • Addition of SSL ensures data sent over TCP/IP networks is secure.
  • Addition of digital certificates ensures client identity.

    • Question and Answer

    The following is a list of common questions that people ask regarding website security.

    Q: Why are passwords insufficient in some cases?
    A: Passwords can be subjected to brute-force attacks, cracked using common password databases, shared, stolen or inadventently surrendered to the wrong people.

    Q: How can SSL benefit my website?
    A: Aside from securing all client/server data transmissions, SSL enables the elimination of the paper trail associated with many administrative tasks. For example, users can submit required information through forms on secured websites which can be processed immediately upon receipt. Not only can the user be assured that their information is not intercepted and compromised, their requests can be processed much quicker than traditional means.

    Q: How can digital certificates benefit my website?
    A: Digital certificates can eliminate the need to maintain user name and password databases while proving the identity of the remote user.

    Q: How can I secure my email sent to other people?
    A: Personal digital certificates can be used to 'sign' the email message. When the email is received, the recipient must decrypt the email using the originator's public key. If the decryption of the email fails, the recipient know that the message has either been corrupted in transmit or not sent by the person who owns the public key used to decrypt the message. Using digital certificates with email ensures both sender identity and content integrity.

    Q: How can I secure my iSeries 400 from denial of service attacks?
    A: The most common method is using packet filtering on a firewall or router. Determine the services and ports (i.e. telnet, ftp, etc) that the iSeries 400 must provide and set up a packet filter on all ports that are not required.
    Useful Security Reference Sites

    Network security is a constantly changing technology. The only way to verify that your security policies are up to date is to keep on top of the latest security information available. The sites below will provide you with a starting point in the education process. Whenever possible, subscribe to mailing lists when security sites have this option. This will keep you informed of the newest technologies as well as alert you to recent security breaches that corporations have discovered and the steps taken to circumvent future occurrences.

    Cert Coordination Center
    At the CERT Coordination Center, they study Internet security vulnerabilities, provide incident response services to sites that have been the victims of attack, publish a variety of security alerts, research security and survivability in wide-area-networked computing, and develop information to help you improve security at your site.

    Verisign
    VeriSign, Inc., (NASDAQ: VRSN) is headquartered in Mountain View, CA and is the leading provider of Public Key Infrastructure (PKI) and digital certificate solutions used by enterprises, Web sites, and consumers to conduct secure communications and transactions over the Internet and private networks.

    RSA
    Founded in 1982 by the inventors of the RSA Public Key Cryptosystem (RSA is named after their surnames' first letters; Rivest, Shamir and Adleman.), RSA Data Security, Inc. is the world's brand name for cryptography, with more than 400 million copies of RSA encryption and authentication technologies installed and in use worldwide.

    Counterpane
    Counterpane Systems is a cryptography and computer security consulting firm. They are a virtual company based in Minneapolis, with four full-time employees and six part-time contractors. Counterpane provides expert consulting in design and analysis, implementation and testing, threat modeling, and export consulting to name a few.

    Microsoft Security Advisor
    The Microsoft security advisor site contains security information pertaining to Microsoft products as well as bulletins on new technologies and new discovery of potential security risks.

    ** End of Technical Support Bulletin **