ECI-IoS Security Model –
This paper provides a common sense definition of the ECI TruSecc system and an overview of our solution set. In order to understand “TruSecc” the following terms are required concepts
Introduction
The ECI TruSecc PCC is a hybrid developed from the technologies of VNC, PN (private networking) and VPN
Virtual Network Computing (VNC) is a process by which a system’s desktop can not only be viewed but also engaged in an interactive session as well. The use of such a tool gives the system administrator the ability to administer and troubleshoot a system remotely. In this way, a target system on the next floor, the next building or even at an employee’s home is within reach. There are other methods available of establishing this type of remote viewing. The obvious example is Symantec’s PCAnywhere(http://www.symantec.com/pcanywhere/Consumer/).
A VPN – Virtual Private Network – is one solution to establishing long-distance and/or secured network connections. VPNs are normally implemented (deployed) by businesses or organizations rather than by individuals, but virtual networks can be reached from inside a home network. Compared to other technologies, VPNs offers several advantages, particularly benefits for wireless local area networking.
Simply put, a VPN, Virtual Private Network, is defined as a network that uses public network paths but maintains the security and protection of private networks. This private network carries controlled information, protected by various security mechanisms, between known parties. VPNs are only “virtually” private, however, because this data actually travels over shared public networks instead of fully dedicated private connections.
The term “VPN,” or Virtual Private Network, has become almost as recklessly used in the networking industry as has “QoS” (Quality of Service) to describe a broad set of problems and “solutions,” when the objectives themselves have not been properly articulated. This confusion has resulted in a situation where the popular trade press, industry, vendors and consumers of networking technologies, generally use the term “VPN” as an offhand reference for a set of different technologies.
Associated in the past with such remote connectivity services as the (PSTN), Public Switched Telephone Network, currently VPN networks are understood as an IP-based data networking function. Before IP based networking considerable amounts of time and resources, to set up complex private networks, now commonly called Intranets. These networks were installed using costly leased line services, Frame Relay, and ATM to incorporate remote users. For the smaller sites and mobile workers on the remote end, companies supplemented their networks with remote access servers or ISDN.
The main benefit of a VPN is the potential for significant cost savings compared to traditional leased lines or dial up networking. These savings come with a certain amount of risk, when using the public Internet as the delivery system the data. There are oints of failure that can affect a Net-based VPN than in a closed private system.
Small to medium-sized companies, who could not afford dedicated leased lines, used low-speed switched services. As the Internet became more and more accessible and bandwidth capacities grew, companies began to put their Intranets onto the web and create what are now known as Extranets to link internal and external users. However, as cost-effective and quick-to-deploy as the Internet is, there is one fundamental problem – security.
Today’s VPN solutions overcome the security factor using special tunneling protocols and complex encryption procedures, data integrity and privacy is achieved, and the new connection produces what seems to be a dedicated point-to point connection. Since these operations occur over a public network, VPNs can cost significantly less to implement than privately owned or leased services.
For an organization looking to provide a secure network infrastructure for its client base, a VPN offers two main advantages over alternative technologies: cost savings, and network scalability. To the clients accessing these networks, VPNs also bring some benefits of ease of use.
A VPN can supply network connectivity over a possibly long physical distance. In this respect, a VPN is a form of Wide Area Network (WAN).
The key feature of a VPN, however, is its ability to use public networks like the Internet rather than rely on private leased lines. VPN technologies implement restricted-access networks that utilize the same cabling and routers as a public network, and they do so without sacrificing features or basic security.
A VPN supports at least three different modes of use:
Remote access client connections
LAN-to-LAN internetworking
Controlled access within an intranet
Virtual private networks (VPNs) are generally considered to have very strong protection for data communications. What are the key VPN security technologies? Secure VPNs will provide both network authentication and encryption and are most commonly implemented using IPsec or SSL.
Using IPsec for VPN Security
IPsec has been the traditional choice for implementing VPN security on corporate networks.
Enterprise-class network appliances from companies like Cisco and Juniper implement the essential VPN server functions in hardware. Corresponding VPN client software is then used to log on to the network. IPsec operates at the layer 3 (the Network layer) of the OSI model.
Using SSL for VPN Security
SSL VPNs are an alternative to IPsec that rely on a Web browser instead of custom VPN clients to log on to the private network. By utilizing the SSL network protocols built into standard Web browsers and Web servers, SSL VPNs are intended to be cheaper to set up and maintain than IPsec VPNs. Additionally, SSL operates at a higher level than IPsec, giving administrators more options to control access to network resources. However, configuring SSL VPNs to interface with resources not normally accessed from a Web browser can be difficult.
Limitations of a VPN
VPNs are not perfect and limitations exist. Organizations should consider the issues when considering, deploying and /or using virtual private networking:
1. Reliability and performance. An internet-based VPN is not under an organization’s direct control. That solution relies on an ISP and their quality of service.
2. Require a detailed understanding of network security. Issues and careful installation / configuration are necessary to ensure sufficient protection on a public network like the Internet.
3. VPN products and solutions are not always compatible. Different vendors have not always been compatible due to issues with VPN technology standards. Attempting to mix and match equipment may cause technical problems, and using equipment from one provider may not give as great a cost savings.
Virtual.
Virtual means not real or in a different state of being. In a VPN, private communication between two or more devices is achieved through a public network the Internet. Therefore, the communication is virtually but not physically there.
Private.
Private means to keep something a secret from the general public. Although those two devices are communicating with each other in a public environment, there is no third party who can interrupt this communication or receive any data that is exchanged between them.
Network.
A network consists of two or more devices that can freely and electronically communicate with each other via cables and wire. A VPN is a network. It can transmit information over long distances effectively and efficiently.
Communications:
information exchanged, information transmitted or conveyed a verbal or written message. A process by which information is exchanged between individuals through a common system of symbols, signs, or behavior the function of pheromones in insect communication; also exchange of information. A system (as of telephones, telegraphs, or computers) for transmitting or exchanging information wireless electronic communications. A system of routes for moving , data, troops, supplies, and vehicles, personnel engaged in communicating, personnel engaged in transmitting or exchanging information. The technology of the transmission of information (as by print or telecommunication). Means of sending messages, orders, etc., including telephone, telegraph, radio, and television. Routes and transportation for moving troops and supplies from a base to an area of operations. Biology – activity by one organism that changes or has the potential to change the behavior of other organisms. The transfer of information from one cell or molecule to another, as by chemical or electrical signals.
Circuit:
Electricity. Also called electric circuit. the complete path of an electric current, including the generating apparatus, intervening resistors, or capacitors. Any well-defined segment of a complete circuit. Telecommunications. a means of transmitting communication signals or messages, usually comprising two channels for interactive communication. A usually circular line encompassing an area. The space enclosed within such a line. A course around a periphery. The complete path of an electric current including usually the source of electric energy. An assemblage of electronic elements. Hookup a two-way communication path between points (as in a computer. A neuronal pathway of the brain along which electrical and chemical signals travel.
In electronics, a circuit is a path between vtwo or more points along which an electrical current can be carried. (A circuit breaker is a device that interrupts the path when necessary to protect other devices attached to the circuit – for example, in case of a power surge.) In telecommunications, a circuit is a discrete (specific) path between two or more points along which signals can be carried. Unless otherwise qualified, a circuit is a physical path, consisting of one or more wires (or wireless paths) and possibly intermediate switching points. A network is an arrangement of circuits. In a dial-up (switched) connection, a circuit is reserved for use by one user for the duration of the calling session. In a dedicated or leased line arrangement, a circuit is reserved in advance and can only be used by the owner or renter of the circuit.
Rail:
Electronics – A conductor which is maintained at a fixed potential and to which other parts of a circuit are connected. “the anode must be connected to the positive supply rail”
Virtual circuit:
Sometimes called a logical circuit, is a path between two or more points that seems like a fixed physical path, but actually is one path out of many possible physical paths that can be arranged. A permanent virtual circuit(PVC) is a virtual circuit that provides a guaranteed connection between two or more points when needed without having to reserve or commit to a specific physical path in advance.
This allows many companies to share a common pool of circuits. This approach is used in a frame relay network and offers a committed set of resources to a telephone company customer at a lower price than if the customer leases their own circuits. A switched virtual circuit (SVC) is similar to a permanent virtual circuit, but allows users to dial in to the network of virtual circuits.
VPN:
Virtual Private Network is a generic term used to describe a what is gererally called a communication network that uses any combination of technologies to secure a connection tunnelled through an otherwise unsecured or untrusted network. Instead of using a dedicated connection, such as leased line, a “virtual” or “tunneled” connection is made between geographically dispersed users and networks over a shared or public network, like the Internet.
Data is transmitted as if it were passing through private connections. Prior to transmission packets are encapsulated (wrapped) in a new packet, with a new header. Contained in the header is routing information. This logical path that the encapsulated packets travel through is called a tunnel. When each packet reaches the tunnel endpoint, it is “decapsulated” and forwarded to its final destination. Both tunnel endpoints need to support the same tunnelling protocol.
Tunnelling protocols are operated at either layer 2 or layer 3 of the OSI model (Open Systems Interconnection). Layer-2 VPN uses the layer 2 frame such as the Ethernet while layer-3 uses layer 3 packets such as IP. Layer-3 VPN starts at layer 3, where it discards the incoming layer-2 frame and generates a new layer-2 frame at the destination. The most commonly used tunnelling protocols are IPsec, L2TP, PPTP and SSL. A packet with a private non-routable IP address can be sent inside a packet with globally unique IP address, thereby extending a private network over the Internet.
A Virtual Private Network, is defined as a network that uses public network paths but maintains the security and protection of private networks.
1) Provider-provisioned VPN: VPN service administered by service provider.
2) Secure VPN: Encryption and decryption are used.
3) Trusted VPN: Leased circuits supplied by a service provider.
4) Hybrid VPN: A mix of a secure and trusted VPN.
A VPN supports at least three different modes of use:
1) Remote access client connections
2) LAN-to-LAN internetworking
3) Controlled access within an intranet
A specially designed router or switch is then connected to each Internet access circuit to provide access from the origin networks to the VPN. The VPN devices create PVCs (Permanent Virtual Circuit- a virtual circuit that resembles a leased line because it can be dedicated to a single user) through tunnels allowing senders to encapsulate their data in IP packets that hide the underlying routing and switching infrastructure of the Internet from both the senders and receivers.
The VPN device at the sending facility takes the outgoing packet or frame and encapsulates it to move through the VPN tunnel across the Internet to the receiving end. The process of moving the packet using VPN is transparent to both the users, Internet Service Providers and the Internet as a whole. When the packet arrives on the receiving end, another device will strip off the VPN frame and deliver the original packet to the destination network.
VPNs require a detailed understanding of network security issues and careful installation / configuration to ensure sufficient protection on a public network like the Internet.
2. The reliability and performance of an Internet-based VPN is not under an organization’s direct control. Instead, the solution relies on an ISP and their quality of service.
3. Historically, VPN products and solutions from different vendors have not always been compatible due to issues with VPN technology standards. Attempting to mix and match equipment may cause technical problems, and using equipment from one provider may not give as great a cost savings.
The security configuration has to be protected 100% against tampering from the user, as it is impossible to ensure the security of a home users pc, if you can not be certain it keeps the configuration you give it.
It must enable your IT-staff, to ensure the anti-virus definitions, IDS signatures etc. are kept up to date – by enabling them to manage it from the company network.
It must have the ability to disconnect the VPN-tunnel – and preferrably disconnect the network entirely, if any incidents occur
.
It must as a minimum, ensure that all the relevant security software are running and correctly configured, while the VPN-tunnel is open. Optimally, it should protect the pc at all times, so the user can thrust his pc at all times, and to avoid locally accessible company ocuments and the likes, from exposure while the VPN-tunnel is closed.
It should be remotely configurable, by your IT-staff. Centralized management is much more effective when dealing with remote users pc’s (otherwise they would have to bring the pc to the office for each needed change – and if the need arises for a quick configuration change, while the user and his pc is away on travel, you have a problem)