Introduction
Computer and network security are topics that many executives and managers avoid talking about. Many feel that discussing their security implementations and policies will cause their companies to become vulnerable to attack. This lack of dialog has resulted in some executives not being fully aware of the many advances and innovations in security technology, that are enabling companies to confidently take full advantage of the benefits and capabilities of the Internet and intranets.
Ironically, computer networking security can provide a more secure solution, as well as one that is faster and less expensive than traditional solutions compared to security problems of employees photo-copying proprietary information, faxing or mailing purchase orders, or placing orders by phone.
The purpose of this white paper is to demystify and inform the executive how intranet and Internet security can easily and effectively be implemented, by providing examples of how products from Sun Microsystems and its partners are being used for these applications.
Throughout this paper, we’ve used terms such as access control, encryption, firewalls and SET. For those not familiar with some of these terms, a short glossary is provided in the appendix.
General Security Principles and Architecture
Fundamentally, security means risk management. It’s something that we personally deal with each day. We have keys for our car, for our house, and file cabinets. We have card keys that we use at offices, athletic facilities, and hotels. We place different values on the contents secured by the locks. We may choose to have multiple locks on our front door, but are content with a combination lock on an locker. Yet a safety deposit box requires two keys, possessed by two people, to access it. So without realizing it, most of us have already established an individual security policy.
The first step in defining a corporate security policy is to draft a high-level management policy statement establishing a framework and context for security within an organization. This policy needs to define what are the adequate and appropriate security measures necessary to safeguard a company’s systems, networks, transactions and data.
The next step is to start a systematic analysis of the assets of an organization, determining the value of information, or the possible damage to reputation should it be disclosed, along with possible risks. Yet this step in fact is no more difficult than the risk management that a corporation already exercises every day. Most businesses already have clearly established what information is valuable, who should have access to it, and who has responsibility for protecting it, as the following security hierarchy illustrates:
Security Hierarchy
Information such as trade secrets, vault and authorization codes, lock and key information, are clearly of a mission critical nature, whose unintended disclosure could cause severe loss to a business or operation. In addition to computer security, attention should be given to physical security, e.g. restricting the use of modems, removable media, and controlling access to devices.
Departmental information is typically data that is private to a particular department, such as payroll information in finance and medical records in personnel. There may be legal requirements for securing this information.
Company private information varies from company to company, but typically consists of information that should only be disclosed to employees and partners of a company, such as policy and procedure manuals. Of course, it’s possible to get a bit carried away with what information is considered to be private . . .
Cartoon courtesy John Klossner, © 1996, amy@airs.com
Public information is information such as product literature, brochures, and catalogs that needs to be freely available to anyone, but whose integrity needs to be assured, to prevent unauthorized alteration. This information is often provided by means of Web servers to customers and interested parties by means of the Internet.
A careful and systematic examination of risks is needed, since perceptions often differ substantially from actual risks. Often the primary risk is found to be internal. For example, system administrators often are among the lowest paid individuals in an organization, yet have access to sensitive information otherwise limited to executives. In other cases, a remote dial-in line used for debugging, could be used to gain general access to internal systems, bypassing other security safeguards. Care needs to be taken to rationally evaluate risk. It is often helpful to examine how existing situations are handled.
“The perception of risk is much higher than the actual risk. When someone calls up by phone, we are not afraid that they are impersonating a customer.”
Paul Moorhead, British Telecom
Having evaluated the value of assets and determined potential risks, an implementation strategy for protecting assets can be developed. The objective is to make obtaining the data more expensive than its value, while spending the minimum amount required to protect it. This requires careful examination of alternatives. For example, disconnecting a system from the network can be the simplest and most cost effective way to solve a network security problem. And no amount of hardware and software will substitute for establishing and implementing effective security policies and procedures. Paul Moorhead also feels that:
“Operating processes are just as important as the software used to implement security.”
Implementing a security policy has its price. The more security desired, the greater the cost required to provide it. Similarly, care needs to be taken to ensure that the added security does not unduly reduce network performance or employee productivity, or there will be considerable temptation to bypass or defeat corporate security measures.
In summary, establishing a corporate security policy involves the following:
- High-level management policy statement
- Systematic analysis of organizations assets
- Examination of risks
- Develop implementation strategy
Public / Private Key Encryption
For many business and electronic commerce applications, it is necessary to transmit information over communications lines and networks where there is the potential for data to be altered, forged or illicitly introduced. A powerful technique for securely sending information is public key encryption. Two keys exists, one public, the other private. The public key is freely distributed, and is used to encrypt the information to be sent. The private key is retained by the recipient, and is used to de-encrypt the received information. Messages encrypted using long bit-length keys are currently regarded as essentially impossible to crack.
To use public key encryption across the Internet, steps must be taken to insure the integrity of the public key and the identify of its owner. A trusted third party, called a “certificate authority,” provides an unique “digital signature” for the public key, which cannot be forged, and both identifies the owner of the key and certifies that the key has not been altered.
To achieve secure, two-way communication across the Internet, without having previously exchanged keys, the Diffie-Hellman scheme may be used. Each party obtains the public key for the other from a certificate authority, and performs a special calculation with their own private keys. The result of the algorithm will be the same for both parties, and may be used as the new secret shared key for secure communications between the two parties.
Diffie-Hellman Calculation
In 1996, Sun Microsystems introduced SKIP (Simple Key Management for Internet Protocol) and proposed it as a IETF standard. SKIP provides efficient transparent encryption of any TCP/IP protocol suite, using encryption keys that are changed by default, every 30 seconds or 500 KB. It facilitates the management of encryption keys, and the certification of public keys. SKIP supports a variety of authentication and encryption schemes, including Diffie-Hellman, RC2, RC4 and DES (data encryption standard) to provide secure communications with remote or mobile employees and customers, via their laptops, servers or workstations.
International Issues
In the past, the United States has regarded products incorporating encryption as munitions, requiring permits from the Department of State for their export. As of October 1996, the Department of Commerce will now have jurisdiction for encryption products. Products with up to 56-bit key-length encryption may be exported for two-years, starting in 1997, after which key recovery technologies must be provided.
Sun’s Leadership in Security
Sun Microsystems has several groups that are focused on bringing innovative security products to market. Many highly talented individuals are involved in the design and inspiration of these products, several of whom have international reputations: Widely recognized for his work in the mid-1970s in developing the family of techniques now known as public-key cryptography, Whitfield Diffie has written numerous articles and papers on issues pertaining to computer security. He is the recipient of an Honorary Doctorate from the Swiss Federal Institute of Technology and is regarded by many as the father of modern cryptography.
A widely known Internet computer security expert, Tsutomo Shimomura and New York Times reporter John Markoff wrote the book “Takedown,” detailing their experiences in detecting and identifying Kevin Mitnick, resulting in his successful prosecution for illegally accessing various government and private sites. (Mr. Shimomura is a consultant to Sun.)
Sun Security Products
Sun Microsystems has four primary groups with responsibilities for developing security products. The Internet Commerce Group, a division of SunLabs, was formed in 1994 to bring to market, products facilitating electronic commerce. Currently the group offers three award-winning products: SunScreen SPF-100, SunScreen EFS (encryption firewall server), and SunScreen SKIP. SPF-100 combines transparent encryption with a firewall, facilitating using the Internet to deploy secure corporate Intranets. EFS provides encryption of the data stored on a server, minimizing the possibility of internal break-ins. SKIP enables telecommuters and mobile employees to encrypt all data sent from a PC or laytop to various hosts.
SunSoft’s security group is also developing a variety of security products. While it has already released SKI (secure key-management infrastructure), facilitating the creation of public key certificates and their storage in repositories, a wide variety of other security products are under development, including support for new protocols and authentication systems.
Sun’s JavaSoft division has created the Java language as a means of writing highly portable applications. The capabilities of Java have presented unique security challenges which have been systematically addressed in the design and implementation of the language. JavaSoft has also created a set of extensions to the language called JECF (Java Electronic Commerce Framework) which facilitate the development of highly secure electronic commerce applications.
The Secure Software Engineering Group of Sun Federal provides Trusted Solaris and is working upon other trusted implementations of Sun products.
Network Security
Firewalls are a basic means for providing network security. They act like the moat around a medieval castle, by restricting information to enter and leave at carefully controlled points, and preventing unacceptable attempts at accessing resources within the firewall.
While an important use of firewalls is to enable secure Internet access to corporate networks, they are also used to restrict access to departmental private and mission critical information.
A popular firewall product is Solstice FireWall-1, licensed by SunSoft from CheckPoint Software Technologies. Widely used on Solaris systems, FireWall1 examines each connection attempting to pass through its firewall, using multiple rules defining the myriad applications, services and users allowed access to each specific internal server. It is ideal for securing and compartmentalizing intranets.
San Diego State University
San Diego State University uses a Sun UltraSparc-1 with 256 MB memory running CheckPoint FireWall-1 software to provide campus access to the Internet via a T1 communications line. Currently the University has over 9,000 nodes on campus, hundreds of web servers and three news servers.
San Diego State University Configuration
The University’s security policy is that anything not specifically allowed is denied. Access to each server on campus was determined by sending an email to all responsible faculty, administrators and staff, requesting them to fill out a Web form to obtain a firewall exception. The form lists 200 services that can be allowed for each server. After each request is incorporated into a “rule,” notifying email is sent informing the requester of the implementation of their request. To date, over 150 security rules have been implemented.
Security rules specify that connections from a particular source are allowed to connect to specific destinations, for obtaining specific services, whether or not subsequent activity should be logged, and whether this rule applies to outbound traffic as well. For example, the Chemistry Department could allow only Web and FTP (file transport protocol) access to a particular departmental server for connections originating over the Internet.
A 30-day log is kept of all denied and accepted requests. This enables the network systems manger to monitor which services are having high rates of denials, detect security problems, or advise people that a server is being changed.
Secure Payment Solutions
Electronic Commerce Merchant Server
The World Wide Web (WWW) represents a new distribution channel that rapidly growing numbers of companies are taking advantage of. Indeed, some firms are selling a sizable portion of their products by means of their Internet merchant servers.
Merchant servers typically provide a variety of electronic commerce services such as search engines, generation of product pages from catalog databases, sales analysis, automated shipping and sales tax calculation. With respect to security, merchant servers provide three functions:
- Mechanism for customers to securely order merchandise and services and specify payment method.
- Secure payment processing methods, typically via EDI, to banks and financial institutions.
- Restricting, controlling and monitoring access to the merchant server.
Netscape SSL
There are many companies offering merchant servers for electronic commerce applications. One of the most widely installed products is the Netscape Merchant System. The Netscape Merchant Server uses a protocol called SSL (Secure Sockets Layer) that allows private information such as credit cards and purchase orders, to remain private when traveling across intranets and the public Internet. SSL supports:
- Authentication Verify that a client is communicating with an intended server.
- Encryption Helps prevent data from being understood by an unintended party, and insures that data was not altered in transit.
Netscape browsers offer integrated support for SSL. All of its browsers support at least a 40-bit RC4 stream encryption algorithm designed by RSA Data Security . Netscape servers support SSL-based certificates, allowing any SSL-compatible client to verify their identify.
Mastercard/Visa SET
Another protocol that CyberCash, Microsoft, Netscape and other vendors have announced support for is Mastercard/Visa’s SET protocol. The advantage of SET is that only the card holder and acquiring bank are able to see the actual credit card number, i.e. the merchant never sees the number. This provides a higher degree of security for credit card transactions.
CyberCash Wallet
There are a number of other companies providing mechanisms allowing secure payment to occur over the Internet. One such company is CyberCash. The CyberCash Wallet provides the means for merchants to accept a range of payment options, while obtaining assurance of the customer’s identify, and that they possess a valid credit card or Cybercash digital coin belonging to them.
CyberCash Payment Authorization Process
When a customer selects a CyberCash Pay button in a Web page, their Wallet automatically opens, allowing a payment instrument to be selected. An encrypted charge payment message is sent to the merchant server, where merchant identification is added, and forwarded to a CyberCash gateway server who decrypts the message, authenticating the transaction and the validity of the merchant. If valid, the gateway server sends a message to the appropriate financial institution over a secure, private financial network, requesting charge approval. If positive, the merchant receives a digital receipt and the customer receives confirmation of their order.
Netscape LivePayment
Netscape also provides a secure payment processing product called LivePayment. Using the SSL protocol, it allows EDI connections to banks, permitting real-time credit card processing over the Internet. CyberCash and other payment vendors have stated that they will also support LivePayment.
Access to the Netscape merchant server is also controlled by features ensuring server authentication by certificates, data encryption, data integrity and user authorization. More conventional access control and monitoring is provided by means of passwords and audit logs.
First Virtual VirtualPIN
Another example of a secure payment service is offered by First Virtual Holdings. Formed in early 1994, First Virtual has been offering an Internet payment service since October 1994. Rather than rely upon technology, First Virtual has implemented a process to ensure secure transactions. Non-sensitive information travels over the Internet, and secure information such as credit card information is obtained either by telephone call or mail. When making a purchase, the buyer provides their VirtualPIN (personal identification number) and an email is sent to the buyer asking them to confirm their purchase. This process eliminates the need for encryption and allows any Internet user to immediately make use of this payment service.
CDWorld
CDworld is a family-owned, on-line discount-music retailer, who first started doing electronic commerce in March 1995. As of October 1996, the retailer offered 172,000 products, including 100,000 compact disks and 45,000 cassettes, as well as a variety of laser disks and video games. It is in the process of adding another 35,000 products to its on-line catalog.
The retailer uses a merchant server consisting of a Sun SPARCserver 1000 with 4 cpus, 256 MB RAM, and a RAID with 8 GB. It runs both Netscape Commerce Server and Secure Server, in conjunction with a Sybase DBMS. Connected to a T1 communications line, this system supports over 200,000 hits each day.
CDWorld Configuration
With respect to security, CDworld addressed two basic concerns, customer security and internal security. Customer security was addressed by means of Netscape SSL, using 40-bit RC4 encryption algorithm, allowing its use internationally.
“We’ve seen a shift in fear levels. Initially, users were very timid, and we had to provide them with the means to fax us the actual order with their credit card information. With the introduction of Cybercash, the fear level has decreased dramatically. Today, 95 percent of all of our orders are done electronically, the remaining 5 percent are a combination of fax and phone orders.” Bruce Pettyjohn, President, CDWorld, October 1996
The first step in providing internal security at CDworld was the use of firewall software from Livingston, which uses one IP address outside the firewall, and a second IP address inside the firewall. Additional security is provided by the usernames and passwords required by Netscape, Sun and Sybase software.
“Our basic internal security philosophy is to restrict the people who can access our systems to as small a number as possible.”