Electronic Commerce Stimulates Total Network Security Approach

February 1999
By Clarence A. Robinson, Jr.

World markets ride on web-based productivity tools with inherent, ubiquitous secure enterprise aspects.

Protecting electronic commerce on the Internet is a very secretive and unforgiving business. Robust security, however, is pivotal to its phenomenal expansion as networks surge toward a $200 billion market within the next two years. This demand for vigorous network protection is creating a $6 billion worldwide security industry market, growing at a rate of more than 50 percent a year.

Security is the overriding concern as worldwide industry exploits Internet applications to increase productivity and competitiveness, shifting mission-critical functions to networks. Analysts believe that adopting new network security technologies and practices at a rapid pace is the sine qua non for leveraging today’s wired world. Standards-based interoperable products are necessary to protect networks from security risks inside and outside an organization, they claim.

The Internet is a hostile place for sensitive information. In this on-line environment, designing, maintaining and enhancing network security is much more complex than simply buying and installing commercially available point protection products. To gain confidence and realize the full revenue potential of the Internet and applications investments, companies are quickly moving to flexible, modular and scalable network security.

Both government agencies and commercial industry demand integrated and interoperable solutions, core technologies, services and partner programs to guarantee effective network security. Complete network security solutions span firewalls, identification, authentication, authorization, web productivity and extranet web access and authorization.

Increasingly, organizations are also seeking network support and integration services that encompass security assessment, testing, policy development and training. Many of these security options include external and internal intrusion testing and analysis. Security experts skilled in hacking techniques, the legitimate hackers and crackers of the security industry, are often set against a network to detect flaws that might attract their nefarious counterparts.

Secure Computing Corporation, San Jose, California, is one company specializing in a full line of standards-based products and services for security-sensitive networks. This company’s emphasis on integrated and interoperable solutions makes it, in terms of revenue and market share, one of the leading vendors of firewalls to the federal government. With its SecureZone system, the company is delivering its next-generation of firewalls using role-based access control and policy management.

According to industry analysts, this firm leads the market in web filtering technology, a category that Secure Computing created. Ranking second in authentication solutions, the company is also rated in third place in the combined authentication and encryption market. The organization’s technologies are critical for financial, telecommuting and other network applications. Market analysts recognize the firm’s rapid progress, citing it as a visionary security vendor based on cost control, new products and integration.

From its early days of developing pioneering technology for the National Security Agency (NSA), Secure Computing has evolved into a company with product advances that extend to all aspects of Internet security. The company’s worldwide presence involves financial transactions, telecommunications, aerospace and manufacturing. Secure Computing is consciously decreasing its involvement in government contracts, shifting toward higher margin commercial product and service revenues. A growing number of Fortune 1000 corporations, which rarely permit identification, use a range of the company’s products.

Business trends show that 70.7 percent of Secure Computing’s approximately $70 million in 1998 revenues came from commercial products and services. Government contracts accounted for only 29.3 percent. By comparison, in 1995, government contracts provided 53.2 percent of revenue, while commercial business accounted for only 46.8 percent. Nevertheless, the company’s overall government market share is 28 percent, mostly in firewall security. The Defense Department’s business share is 35 percent.

According to Dr. J. Thomas Haigh, the company recognized early on the global need for integrated solutions capable of addressing broad network security and productivity concerns. He is the firm’s vice president and chief technologist. This market vision enabled Secure Computing to transition in 1997 from perimeter-focused point products to integrated and interoperable solutions, he emphasizes.

Secure Computing invests more than 8 percent a year in company research and development activities. It still participates in government technology development efforts through organizations such as the Defense Advanced Research Projects Agency (DARPA), while retaining the intellectual property rights, Haigh points out. Successful research eventually flows back to government applications in the form of commercial products.

The company is under DARPA’s information system office contract for its information assurance program. Among the firm’s work is development of a single sign-on capability, “so that a user logs onto a network only once. The system then takes care of that user, shepherding the individual wherever that person needs to travel within the network. This approach avoids successive log-ons and the need to continually provide new passwords,” Haigh explains. “This technology has been successfully demonstrated for DARPA and is expected to find use in a new company authentication product,” he notes.

DARPA and the company are also working on development of role-based access control policy. Instead of defining the policy for each individual user within the organization, the user’s role, or roles, determine the user’s access, Haigh confirms. In this effort, lightweight directory access protocol (LDAP) and X.500 protocols and services are used to provide a large server-to-server directory distributed over multiple servers. An obvious advantage is that users listed in a corporate directory gain access to various systems such as applications servers and firewalls based on their specific roles. When someone leaves, the name is simply removed from the corporate directory, saving time.
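The directory-driven role-based access control described above, as an added example that is not Secure Computing’s code: a stand-in for the corporate directory holds user-to-role assignments, two enforcement points (an application server and a firewall) write their policy in terms of roles only, and offboarding is a single directory deletion that revokes access at both. The user, role and action names are constructed for illustration.

```python
from __future__ import annotations

# Added example, not Secure Computing's code: a miniature model of
# directory-driven role-based access control. The Directory class stands in
# for the corporate LDAP/X.500 directory; user, role and action names are
# constructed for illustration.


class Directory:
    """Maps each user to the set of roles recorded in the corporate directory."""

    def __init__(self) -> None:
        self._roles: dict[str, set[str]] = {}

    def add_user(self, uid: str, roles: set[str]) -> None:
        self._roles[uid] = set(roles)

    def remove_user(self, uid: str) -> None:
        # Offboarding: this one deletion is the only policy change needed.
        self._roles.pop(uid, None)

    def roles_of(self, uid: str) -> set[str]:
        return self._roles.get(uid, set())


class EnforcementPoint:
    """A firewall, application server or similar system that consults the directory.

    Its policy is written in terms of roles only; no per-user entries exist here.
    """

    def __init__(self, name: str, directory: Directory,
                 policy: dict[str, set[str]]) -> None:
        self.name = name
        self.directory = directory
        self.policy = policy  # action -> roles allowed to perform it

    def is_permitted(self, uid: str, action: str) -> bool:
        roles = self.directory.roles_of(uid)
        if not roles:
            return False  # unknown or removed user: default deny
        return bool(roles & self.policy.get(action, set()))


def build_demo() -> tuple[Directory, EnforcementPoint, EnforcementPoint]:
    """Two enforcement points sharing one directory (constructed sample data)."""
    directory = Directory()
    directory.add_user("alice", {"finance-analyst"})
    directory.add_user("bob", {"network-admin"})
    app_server = EnforcementPoint("app-server", directory, {
        "read-ledger": {"finance-analyst", "auditor"},
    })
    firewall = EnforcementPoint("firewall", directory, {
        "edit-rules": {"network-admin"},
        "vpn-connect": {"finance-analyst", "network-admin"},
    })
    return directory, app_server, firewall


def offboarding_revokes_everywhere() -> dict[str, bool]:
    """Show that one directory deletion revokes access at every enforcement point."""
    directory, app_server, firewall = build_demo()
    before = (app_server.is_permitted("alice", "read-ledger"),
              firewall.is_permitted("alice", "vpn-connect"))
    directory.remove_user("alice")
    after = (app_server.is_permitted("alice", "read-ledger"),
             firewall.is_permitted("alice", "vpn-connect"))
    return {"before_ledger": before[0], "before_vpn": before[1],
            "after_ledger": after[0], "after_vpn": after[1]}
```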

Secure Computing continues to provide its security products such as firewalls to government agencies and supports a variety of federal programs. Seven months ago, as an example, NSA awarded the company an alternate defense message system (DMS) guard, or ADG, development contract. This contract calls for the firm to add specialized DMS functions to one of its products, the Sidewinder firewall.

The company’s trademark Type Enforcement technology developed for classified government agencies is incorporated in the commercially available SecureZone and Sidewinder firewalls. Type Enforcement secures the underlying firewall operating system and protects network services by segmenting them into individual domains. Each domain is granted permission to access specific file types and other domains. Each domain provides a self-contained, discrete layer of protection that cannot be altered.
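Type Enforcement as the paragraph describes it, modelled as an added example that is not Secure Computing’s implementation: every process runs in a domain, every file carries a type, and fixed tables say which domains may access which file types (in which modes) and which domains may act on which other domains. A missing table entry is a denial, and the check does not depend on the user id the process runs under. Domain, type and file names are constructed for illustration.

```python
from __future__ import annotations

# Added example, not Secure Computing's Type Enforcement code: a small model
# of the idea. Domain, type and file names below are constructed.

# Domain-definition table: (domain, file type) -> permitted access modes.
DOMAIN_DEFINITION: dict[tuple[str, str], frozenset[str]] = {
    ("http_proxy", "web_cache_t"):  frozenset({"read", "write"}),
    ("http_proxy", "config_t"):     frozenset({"read"}),
    ("http_proxy", "syslog_t"):     frozenset({"write"}),
    ("mail_proxy", "mail_spool_t"): frozenset({"read", "write"}),
    ("mail_proxy", "config_t"):     frozenset({"read"}),
    ("mail_proxy", "syslog_t"):     frozenset({"write"}),
    ("admin", "config_t"):          frozenset({"read", "write"}),
    ("admin", "syslog_t"):          frozenset({"read"}),
}

# Domain-interaction table: (source domain, target domain) -> permitted operations.
DOMAIN_INTERACTION: dict[tuple[str, str], frozenset[str]] = {
    ("admin", "http_proxy"): frozenset({"signal"}),
    ("admin", "mail_proxy"): frozenset({"signal"}),
}

# File labels: path -> type (constructed sample labelling).
FILES: dict[str, str] = {
    "/var/cache/www/index.html": "web_cache_t",
    "/var/spool/mail/alice":     "mail_spool_t",
    "/etc/firewall.conf":        "config_t",
    "/var/log/messages":         "syslog_t",
}


def te_allows(domain: str, file_type: str, mode: str) -> bool:
    """Mandatory file check: absent table entry means deny."""
    return mode in DOMAIN_DEFINITION.get((domain, file_type), frozenset())


def te_allows_interaction(src: str, dst: str, op: str) -> bool:
    """Mandatory domain-to-domain check: absent table entry means deny."""
    return op in DOMAIN_INTERACTION.get((src, dst), frozenset())


def check_file_access(domain: str, path: str, mode: str) -> bool:
    """Decide an access by domain and file type alone.

    The tables are fixed when the firewall is built, so a compromised proxy
    process cannot grant itself new access, whatever user id it runs under.
    An unlabelled file is denied to every domain.
    """
    file_type = FILES.get(path)
    if file_type is None:
        return False
    return te_allows(domain, file_type, mode)


def blast_radius(domain: str) -> dict[str, list[str]]:
    """Everything a process in `domain` could ever touch, for policy review."""
    return {path: sorted(DOMAIN_DEFINITION[(domain, t)])
            for path, t in FILES.items()
            if (domain, t) in DOMAIN_DEFINITION}
```

The `blast_radius` report is the practical payoff: if the web proxy is compromised, the table bounds what the attacker can reach, and the review is a table lookup rather than an audit of every process’s user id.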

During 1996, Secure Computing acquired several security-oriented companies to complement its own product and service offerings. The companies included Webster Network Strategies, a Naples, Florida, developer of web monitoring and filtering software; Border Network Technologies, Toronto, Canada, a network software developer; and Enigma Logic, a Concord, California-based manufacturer of network authentication software.

After acquiring and integrating the three companies, Secure Computing, in 1998, continued its transformation from a firewall company into an Internet security company. A common research and development strategy is now in place, with teams across the company working to develop new products, Haigh explains. A single, unified sales organization, including widespread international resellers, is trained to handle firewalls, filters and authentication systems as an integrated enterprisewide portfolio to address customer requirements, he adds.

Haigh observes that his corporation, which originated as a small branch of Honeywell that was developing the principles of modern data security, spun off in 1989 to develop core network security for NSA and other government agencies and departments. Many of the major features of the company’s best-selling Sidewinder application gateway firewall server also have been subsumed within the newer SecureZone product, he asserts.

The widely used Sidewinder, with versions still being updated, employs SecureOS, type enforcement and strikeback functions to deliver robust protection. This product’s versatility helps enforce complex security policies and stringent security thresholds, Haigh contends. The Sidewinder’s use of SecureOS permits highly granular control over message filtering as well as centralized management of distributed Sidewinder firewalls.

In just the past year, the government bought 50 Sidewinder firewalls, mostly for the U.S. Air Force, which is standardizing on this firewall system for worldwide operations. The company’s latest version is the Sidewinder security server 4.0, with increased robustness, automatic failover and integration of the next-generation security functions. Failover provides a hot standby to take over if anything happens to the primary system, removing the firewall as a single point of failure in the network.

Sidewinder 4.0 integrates the latest virtual private network standards for Internet protocol security (IPsec) encryption: data encryption standard (DES), 3DES and Rivest Cipher 4 (RC4) with 128-bit keys, together with Internet key exchange (IKE) public key management and X.509 certificates. An automated interface provides digital user certificates to authorities. This feature reduces cost and improves security when extending the local area network to remote sites and in integrating remote users more tightly with the network.

Haigh adds that the newer SecureZone not only delivers robust security, but also offers revolutionary ease of use and lower ownership costs for those requiring a high level of network security. SecureZone’s intuitive visual interface simplifies all aspects of security administration, while its own SecureOS patented type enforcement and strikeback functions ensure a highly secure environment, he maintains.

The company, Haigh insists, set out to develop SecureZone’s management interface as a very visual asset by working closely with a human factors engineer from Carnegie Mellon University, Pittsburgh, Pennsylvania. This engineer, Brad Myers, examined the user interfaces of other firewalls, including competitors’ products, to determine how a firewall management interface should be configured. “We designed the user interface first, then designed the data structures within the firewall to fit the user interface, making the data structures very compatible with the interface,” he relates.

A new family of network security solutions, SecureZone not only delivers a visual interface, but also simplifies and speeds policy administration of access control, entities of trust and virtual private networks. Haigh continues that this is the first application gateway firewall with embedded virtual private network interfaces and integrated X.509 digital certificate management. He predicts that, as with SecureZone, major firewall changes will occur over the next few years.

“These firewall changes are already taking place in two areas: management and virtual private networks. The idea is to be able to use a public network such as the Internet as your own private network. This means encrypting the data that transfer from a point on an internal network across the Internet to another point on the internal network where it is decrypted,” Haigh illustrates. “One of these points could be a remote user with a laptop, extending an organization’s secure network to other parts of the world.

“Rather than maintaining a long list of access controls, with SecureZone we define access control rules that are implemented in Java so they are fully transportable. And the rules are much more visual than with other products,” Haigh states. “We also had Myers work with the company’s authentication division to build a similar user interface for the SafeWord server.”

SafeWord is a family of strong authentication products that provides server software and hard and soft tokens for secured access to networks. This technology also provides built-in replication to enable load balancing, real-time mirroring and recovery. The one-time encrypted password protection runs on a wide choice of platforms.

“The obvious implication is that we are moving toward pulling the management of all our products together under one roof, with an integrated management system,” he reveals. “We expect to have this capability in the marketplace during the first half of 1999.” Haigh continues that much of the technology in both the Sidewinder and SecureZone firewalls is based on original government work, “which has found its way into company products.”

Among other company products is SecureWire, considered by Haigh to be the first commercially available business solution that combines the capabilities of intranet and extranet technologies to share internal web data with external users such as partners, customers, suppliers and agencies. This product enables organizations to grant authorized access to specific servers or uniform resource locators (URLs) on the internal network while denying access to all other data.

SmartFilter is another product that provides URL monitoring to block or discourage employee exposure to nonbusiness web sites. With weekly updates, SmartFilter offers a comprehensive database of URLs. The company also provides BorderWare, one of the best-selling application gateway firewall servers. This system combines turnkey plug-and-play installation, hardened network perimeter defenses and secure, cost-effective remote connection options.

Secure Computing’s Firewall for NT is, the company believes, the only commercially available application gateway product designed for Microsoft BackOffice. This firewall is a native NT server with cost-effective application and easy-to-use security features.

“With misconfiguration of a perimeter security system, you are toast,” Haigh declares. “The company’s new intuitive visual and graphic management user interface makes it easier to avoid disastrous human errors.” Haigh believes that the company’s total network approach to security allows users to open up networks in a controlled fashion to achieve the enterprise mission more effectively.


Security Professionals Chase Network Penetration Modes

As costs of creating, sharing and storing information decline, simplifying security complexity is premium.

When they speak, it is generally in hushed tones. Their businesslike appearance often belies their craft, and many prefer to communicate through their fingers, which fly over computer keyboards. A generation of former hackers and security experts are being paid by corporations and agencies to apply their hard-won skills to help organizations find network vulnerabilities and prepare to overcome attacks. This approach is all part of integrated network protection.

A growing number of corporations are calling on teams of network experts to provide the knowledge of public, government and underground security communities. Some of the most security-conscious organizations in the world are focusing on all aspects of protection to avoid surprise and compromise.

Jeff Moss, Secure Computing Corporation’s director of security assessment services, operates in one of the company’s most sensitive arenas. Based in Roseville, Minnesota, his group routinely conducts intrusion testing by simulating attacks on customer networks to determine vulnerabilities. As part of network support and integration services, Moss brings his underground computer bulletin board’s “Dark Tangent” hacker persona to bear for the benefit of customers—government and commercial organizations alike. He is also an organizer of the Las Vegas-based annual Def Con conference, which brings hackers and Federal Bureau of Investigation agents together.

With 40 dedicated engineers and consultants, the 28-year-old Moss and his group seek to discover just how many ways exist to punch holes in a network’s security systems. They have even gone so far in intrusion testing as to change from Dockers and jeans, donning somber business attire to enter a bank. Posing as auditors, a Secure Computing team hides out until after the bank closes, when they penetrate executive offices. By installing keystroke loggers to detect passwords, they are later able to compromise a number of the financial institution’s networks.

Secure Computing’s array of custom and packaged services helps organizations understand and address their full network security needs. Professional services augment an organization’s expertise in testing, evaluating and designing network security measures and practices. For example, penetration testing services employ nondestructive, ethical hacking techniques and proprietary tools to search out vulnerabilities. The concept is to expose networks to intrusion threats from within and beyond the network perimeter.

The company’s SecureSupport addresses product and solution life-cycle needs, from installation and configuration to integration of continuing technical support. Education and training ranges from security awareness for management and employees to developing self-sufficiency on key concepts, technologies and products. The evolution from perimeter-focused point security to distributed and integrated security requires new solutions, Moss observes.

Among these solutions are site assessment and physical security. The Moss group deals with testing and intrusion by simulating attacks against internal and external networks to detect vulnerabilities, he explains. Whenever security problems are detected, corrections and reconfigurations, including the architecture, help make the network more secure, he emphasizes. “Part of this assessment involves business processes to make sure that the logic involved enhances security, or at the very least, maintains it.”

Moss allows that his group interacts with a variety of products such as firewalls and routers that are in use by the customer. “We are pretty neutral where our own company’s products are concerned. We know about them and their capabilities, but we have no mandate to try to sell Secure Computing’s products,” he notes. “What we do is to be the best possible security group in providing services that give a customer the most realistic view of potential threats.”

Most customers are involved in establishing or maintaining an electronic commerce system. They want to know how to build such a system to provide protection and overcome likely threats. “When a network connects to the Internet it is exposed to greater risks,” Moss states. “However, if the user knows and understands the risks, they can be managed and that is where we come in. Just having Internet connectivity does not immediately make the network vulnerable, but you must avoid active contact, or, if you cannot, you must actively filter for viruses and check e-mail attachments.”

Involved in both government and commercial security work, the majority of those in Moss’ group hold either national trust or secret clearances. There are 17 professional services group consultants who have received certification by the International Information Systems Security Certification Consortium (ISC2). The organization’s professional designation is awarded to those who pass rigorous examinations that encompass all major elements of the industry’s widely accepted and recognized information systems security common body of knowledge.

Moss allows that there is a high cost to security, but he stresses that it can more than pay off by avoiding pitfalls. As more companies embark on electronic commerce to stimulate market growth, some type of partner-to-partner information sharing is inevitable. This concept brings a growing recognition of the value of network security.

Among the professional services available from Secure Computing are external intrusion testing and analysis; internal intrusion testing and analysis as well as mimicking an attack by a malicious employee; and telephone-line scanning by automatically dialing every known client telephone number to check modem responses. Social engineering is another security-related service through which attempts are made to gather confidential information using the same conventional and unconventional techniques as recruiters, hackers or industrial spies.

Moss’ group also provides executive briefings, technical briefings, security architecture services, user information security training and site security assessment. Other functions involve security policy development, firewall evaluation and configuration. The company also offers an intrusion package and an assessment package, bundling and pricing services for in-depth security reviews.

Moss explains that most of the security issues, perhaps 80 percent, are easily detected by his group. The remaining 20 percent can become time consuming and thus costly. “To avoid this situation, we accomplish realistic threat modeling to determine the core information—the corporate jewels that must be protected. If providing this core protection involves a large infrastructure, it may be simpler to move that information to a smaller area and then protect it rather than protect everything,” Moss claims.

He suggests that products that are becoming more intelligent can connect with other products to share security information. This is increasing the ease of management, allowing a security administrator to sit at a single remote console and change policy, user rights, access and protocols. This condition enables Secure Computing to exploit recent developments in security for local and wide area networks through increased Internet, intranet, extranet and remote access by protecting information systems from external threats.