Security Management Station
- Felix Nash
- 10 years ago
Security Management Station. Technical whitepaper, 2015. Network Encryption. English.
// Network security
Network security today ranks high on the list of any company's concerns. Almost all of a company's relevant information is exchanged in electronic form via networks. Since the network technology used may assist attackers in many ways, these networks don't generally guarantee security or confidentiality for a company. For this reason, security has to be added to the firm's networks. The corporate security manager can fulfill the pure security requirement by integrating additional security devices into the existing network, whereby the management of these devices is an important consideration. A central, easy-to-handle management station is a main prerequisite to fulfill the security requirements.

Concerning the management of security components, the corporate security manager generally has the choice between two different approaches. The first one is the local management approach. The idea behind local management is that the corporate security manager can manage each component individually; thus he has the highest flexibility, with control over each flag in the components. The second approach is the security management approach, in which the idea is that the corporate security manager has a higher-level overview of the whole system and does not have to spend too much time with component details. Both approaches have their pros and cons. The security management approach, however, offers the following advantages:
- in general, a company wants or has to use a VPN system as an additional mechanism,
- the handling of the mechanism will be as easy as possible,
- the results are secure and understandable for the company staff.

Whitepaper Security Management Station 2015
The security of your data is our mission - Cybersecurity with a personal touch

// Table of content
- Security Management Station (SMS)
- The CryptoGuard VPN product line
- Key features and benefits
- Graphical Presentation
- Role Management
- Organizational units
- Easy integration
- Connections independent of security components
- Nodes and Network as objects
- Protocol Profiles
- Key management
- Logbooks
- Batch Jobs
- Redundancy
- Remote management
- Conclusion
- Abbreviations
- Short profile
- Contact data
// Security Management Station (SMS)
The Security Management Station (SMS) developed by Compumatica secure networks is such a tool to realize central and connection-oriented security management. It follows the centralized management approach and gives a high-level overview of the entire security system within a company. It handles all details automatically in the background. However, the corporate security manager can still examine and analyze details of the security devices. This is also possible for each security device of the CryptoGuard VPN system.

The CryptoGuard VPN product line
The SMS is part of the CryptoGuard VPN and CryptoWall security system, which additionally contains the CryptoGuard VPN device and the CryptoGuard VPN Client. Furthermore, the SMS can also manage the CryptoBastion, an application level gateway. Information about the company's VPN system (e.g., the specific security devices and security policies) and about the network in general (e.g., network nodes, gateways and connections) is stored in the database of the SMS. The security-relevant information (e.g., master or system keys) is stored encrypted, making it impossible to extract it from the database in a readable form. If the corporate security manager combines the two security systems CryptoGuard VPN and CryptoBastion under one management system, he will be able to create powerful network security solutions for his company.
// Key features and benefits
The network information stored within the SMS is used to display the network topology in a graphical form. This display immediately gives an overview of the network topology, and the corporate security manager can use it as a powerful tool for the security administration. The administrator can define secure connections independently of the network environment, using only the end-to-end communication devices.

To expand the security philosophy of the SMS to the users, the concept of a user role is integrated. The security administrator can define different roles for the SMS users, e.g., editor or auditor. Each role is allowed to carry out a defined set of functions. These functional groups also have to be defined by the corporate security manager. Using the role mechanism, he can define, e.g., an editor role which is allowed to enter and store the new network components and their parameters, and nothing more. The auditing of these new network components and the definition of their connections can be carried out by a user in a different role, e.g., the security supervisor.

Companies should always see their security management systems in combination with a network management system; in the last instance such security devices are simply another kind of network device. The SMS, e.g., has the ability to forward security alerts as SNMP traps to a network management station. If the corporate security manager wants to perform a later offline analysis, he can have a look at the security alerts received from the CryptoGuard VPN devices, which are collected by the SMS and stored in the security alert logbook database.

The corporate security manager can set up a logbook database according to his preferences and requirements. The SMS supports different kinds of logbook databases. There are logbook databases for the CryptoGuard VPN security alerts, for the CryptoGuard VPN security records and for all user activities at the SMS. If the corporate security manager wants to analyze these logbook databases, a detailed history of all activities and security-relevant events in the CryptoGuard VPN security system is possible. In connection with the security alerts generated by the CryptoGuard VPN devices, the security administrator is informed in real time about violations of his security policy.
The SMS offers the following features and benefits:

Easy integration into existing network topology
- CryptoGuard VPN black box principle
- SMS integration as a single network component
- Inter-domain communication by using shared key material
- Automatic generation of configuration files for CryptoGuards and CryptoBastions
- According to the Compumatica VPN security policy [...]dden except for the Back-up / restore mechanism
- The Backup includes the configuration data of the whole security system

Secured communication between SMS and security components
- Compumatica proprietary authentication protocol based on ITSEC/E3 high certified method
- Customer specific S-Boxes are loadable

Downward compatible to the beginning
- Reliable compatibility to CryptoGuards and CryptoBastions of the first generation with a history of about 10 years

Easy definition of secured connections
- After creation of topology no knowledge of security components necessary
- Just connection endpoints and security policy necessary
- Support of templates by using service/protocol/time profiles to simplify the creation of the security policy
- Simple method of enabling/disabling of connections and protocol profiles
- As connection mode the proprietary CG VPN mode and IPsec are available

Logging functionality
- Logging of tasks performed at SMS (functions, errors, login/logout) as preservation of evidence

Excellent key management
- Automatic generation of connection key files used by CryptoGuards
- Exchange of connection keys: Beside the key management mode IKEv1 also IKEv2 is supported within IPsec
- Beside the authentication method RSA also ECDSA (Elliptic Curve Digital Signature Algorithm) is supported within IPsec and IKEv2
- Generation of CG VPN mode keys ((A)DES, 3DES, AES)
- Generation of IPsec keys (MD5, SHA-1, DES, 3DES, BLOWFISH, CAST-128, AES, ...)
- RA/CA/PKI included to generate X.509v3 certificates, e.g., for use in IPsec connections with RSA signatures as authentication method
- PKI:
  - Besides RSA also ECDSA certificates are supported
  - Support of proprietary elliptical curves (EC)
  - Distribution of the CRL to several LDAP servers
  - Mark CA certificates as [...]
  - Mark certificates near the expiration date
  - Import of PKCS#12 (Certificate and Private Key container)
  - Smartcard functionality

Centralized security management
- Centralized point of security management and single point of trust
- Automatic and centralized configuration of CryptoGuards and CryptoBastions
- According to the Compumatica VPN security policy: CryptoGuards and CryptoWalls are managed by the push method

GUI based security management
- User-friendly design
- Visualization of network technology
- Visualization of connections and all of the security devices involved
- Powerful search functionality by user defined criteria
- Multi language support: Currently English and German available
- Print functionality
- HTML based Online help

SMS owned user access control and role administration
- Application based user access control
- Administration of organizational units
- User roles to split responsibilities

Centralized and user-friendly management of CryptoGuards
- Configuration by means of dividing generation, transmission and activation of configuration files
- Certificate Signing Request (CSR)
- CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) support concerning certificate validation within IPsec
- Perform integrity check
- Retrieving and visualization of statistic information
- View SA list in case of IPsec
- Perform Selftest
- Get Log book
- Exchange of connection keys: Beside the key management mode IKEv1 also IKEv2 is supported within IPsec
- Software upload
- White list of version check concerning software upload
- Import/Export of certificates

Centralized and user-friendly management of CryptoBastions
- Configuration by means of dividing generation and transmission of configuration data
- Perform Integrity check
- Select operation mode (Runlevel)
- Get Log Book
- Retrieving and visualization of statistic information
Centralized and user-friendly management of network components
- Single network component, Server, IPsec Client, network
- Import/Export of network components

Alert functionality
- Reception of spontaneous messages of CryptoGuards and CryptoWalls and storage in database
- Forwarding of spontaneous messages of CryptoGuards and CompuWalls as SNMP-Trap, or GSM-SMS

SNMP interface
- SMS acts as SNMP proxy agent
- Support of SNMPv3
- SNMP-Trap
- SNMP-Get (Status, Selftest, Statistic, ...
- MIB available

Administration of batch orders
- CryptoGuard:
  - Exchange of connection keys: Beside the key management mode IKEv1 also IKEv2 is supported within IPsec
  - Time synchronization between SMS and CryptoGuard
  - Software upload
  - Get Log book
- CryptoBastion:
  - Get Log book
  - Integrity check
- System: Backup

Redundancy mechanism
- Active redundancy system of CryptoGuards by using the Spanning Tree Protocol (STP)
- Passive redundancy system of CryptoGuards
- Geo-Redundancy

Unix based security management
- SUN SunOS (e.g., Solaris 10 up to SMS version 500xx)
- PC Linux (e.g., SuSE 93)
- Possibility of secured remote administration

Database Management System (DBMS)
- Access of Perl scripts to DBMS via ODBC
- Job Scheduler
- ASE XP Server
- Virtual DBA: The virtual DBA includes database maintenance tasks that are essential concerning database performance and data security. Using ASE Job Scheduler and ASE XP Server (extended procedures), the virtual DBA supports, amongst others, the following features:
  - Geo-redundancy: If one or more slave SMS exist, the dumps are replicated and loaded onto the slave SMS; this is one more step to improve database security
// Graphical Presentation
The graphical presentation of a network topology is the heart of the SMS. All relevant network and security components are displayed. This allows obtaining a quick overview of the network and security topology. The reference point of the topology is moveable and can be set at any point in the network. The network topology can therefore be seen from different points of view, depending on which security structure the corporate security manager needs.

Figure 1 is an example for a graphical presentation of a headquarters with two branch offices, all communicating via the internet. The reference point of the topology is the [...]-Gateway. The two branch offices are connected to the [...] via the CryptoGuard VPN devices [...]-A and [...]-B.

Figure 1
// Role Management
As mentioned earlier, the corporate security manager is able to define different users at the SMS. For each SMS user he has to define a role. When installing the SMS, five roles have already been predefined:
- SMS Administrator
- SMS Auditor
- SMS Editor
- SMS Observer
- SMS Operator

The corporate security manager can extend these roles or develop new roles according to his requirements. The system administrator must define the roles and is able to assign any functionality to a role. It is also possible for him to define a role equal to his own, i.e., to define an additional role. Since this role is very powerful, it should be protected by a password.

This mechanism offers many possibilities. One example of what can be realized with the role mechanism is the four-eyes principle. Two roles are defined. The first is allowed to define the data, e.g., the security policy; the second is allowed to activate this data. Thus both roles (four eyes) are needed to define and activate a new security policy for the company's communication.

The role definition consists of a name and an assigned set of functions permitted to the role. There is one SMS user, however, who needs no role definition: the SMS system administrator. He is comparable to a UNIX account.
// Organizational units
Organizational units help to define the independent logical security units within the SMS and are a main part of the central, structured security approach. They can be defined for all types of organizational units, e.g., headquarters, financial departments or branch offices. All components of a defined area will be assigned to a well-defined branch. Organizational units appear to the user as independent security areas. Different units are only connected to each other if the administrator defines interfaces between them. Thus each unit can be seen as an individual and independent logical security system.
// Easy integration
Independent of the already existing hardware, the corporate security manager can integrate the SMS into a network as easily as any other workstation. The installation location is independent of the other security components, e.g., CryptoGuard VPN devices. The communication between the SMS and the CryptoGuard VPN devices (and also, if installed in the network, the CryptoBastion) is secured by strong authentication and encryption, and is independent of the secure communication between the CryptoGuard VPN devices. Figure 2 shows a network after integration of the SMS and several CryptoGuard VPN devices.

Figure 2
// Connections independent of security components
The definition of the security policy entity for the communication between insecure network components (e.g., workstations, hosts or networks) is independent of the network security components involved (e.g., CryptoGuard VPN devices). The corporate security manager only has to define the end points of the communication (e.g., [...]) and the security policy for the communication between these points (e.g., only allow encrypted HTTP and SQL traffic). The SMS generates from this information the security policy rules for all involved security components (e.g., CryptoGuard VPN devices). Figure 3 shows an example for the definition of such a security policy entity. The SMS automatically checks the security policy and discovers possible inconsistencies.

Figure 3
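The derivation described above, from endpoint-level policy entities to per-device rules with a consistency check, can be sketched as follows. This is an added example, not Compumatica code and not the SMS data model; the object names, device names, address ranges, profile names and the rule layout are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed model (assumption): network objects and the security device
# placed in front of each of them.
NETWORK_OBJECTS = {
    "hq-lan":   {"net": ip_network("10.1.0.0/16"), "device": "cg-hq"},
    "branch-a": {"net": ip_network("10.2.0.0/24"), "device": "cg-a"},
    "branch-b": {"net": ip_network("10.3.0.0/24"), "device": "cg-b"},
}
# Constructed protocol profiles, in the spirit of "HTTP and SQL traffic".
PROFILES = {"web-and-sql": ("tcp/80", "tcp/1433"), "web": ("tcp/80",)}
MODES = {"encrypt", "plain"}


@dataclass(frozen=True)
class PolicyEntity:
    """One connection as the administrator defines it: two endpoints and a policy."""
    a: str
    b: str
    profile: str
    mode: str


@dataclass(frozen=True)
class DeviceRule:
    """One rule as a single security device needs it."""
    local: str
    remote: str
    protocol: str
    mode: str
    peer_device: str


def check_policy(entities):
    """Return a list of inconsistencies; an empty list means the policy is consistent."""
    problems = []
    seen = {}  # (unordered endpoint pair, protocol) -> mode first seen
    for e in entities:
        unknown = [n for n in (e.a, e.b) if n not in NETWORK_OBJECTS]
        if unknown or e.profile not in PROFILES or e.mode not in MODES:
            problems.append(f"{e.a}<->{e.b}: unknown object, profile or mode")
            continue
        if NETWORK_OBJECTS[e.a]["device"] == NETWORK_OBJECTS[e.b]["device"]:
            problems.append(f"{e.a}<->{e.b}: both endpoints sit behind the same device")
            continue
        for proto in PROFILES[e.profile]:
            key = (frozenset((e.a, e.b)), proto)
            # The same traffic must not be required encrypted by one entity
            # and allowed in plain text by another.
            if seen.setdefault(key, e.mode) != e.mode:
                problems.append(f"{e.a}<->{e.b} {proto}: defined as both encrypt and plain")
    return problems


def compile_rules(entities):
    """Expand each entity into one rule per protocol on both devices involved."""
    problems = check_policy(entities)
    if problems:
        raise ValueError("; ".join(problems))
    per_device = {}
    for e in entities:
        a, b = NETWORK_OBJECTS[e.a], NETWORK_OBJECTS[e.b]
        for proto in PROFILES[e.profile]:
            per_device.setdefault(a["device"], []).append(
                DeviceRule(str(a["net"]), str(b["net"]), proto, e.mode, b["device"]))
            per_device.setdefault(b["device"], []).append(
                DeviceRule(str(b["net"]), str(a["net"]), proto, e.mode, a["device"]))
    return per_device


if __name__ == "__main__":
    policy = [PolicyEntity("hq-lan", "branch-a", "web-and-sql", "encrypt")]
    for device, rules in sorted(compile_rules(policy).items()):
        for rule in rules:
            print(device, rule)
    # A second entity that contradicts the first is reported, not compiled.
    print(check_policy(policy + [PolicyEntity("branch-a", "hq-lan", "web", "plain")]))
```

The administrator's input stays at the level of endpoints and profiles; a device that is not on the path of any entity (here `cg-b`) receives no rules at all.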
// Nodes and Network as objects
Consistent with the high-level approach to central security management, one thing that must be done is to define a model of the network components (nodes and networks) within the SMS. The SMS handles these network components as objects with attributes. Later, only these objects will be used to define the security policy (e.g., an encrypted connection between net x and node a). Node objects can represent individual devices as well as entire networks. Using the object mechanism, the corporate security manager can integrate large numbers of nodes into one network object to simplify the security structure. Figure 4 shows a list of network and node objects with definitions and notes.

Figure 4
// Protocol Profiles
The corporate security manager can define the security policy (involving, e.g., the allowed protocols and a specification of encrypted or plain connections) with protocol profiles, as shown in figure 3. The security policy definition can use these profiles to set up all needed communications between the SMS and a CryptoBastion. Protocol profiles are an additional mechanism to assist in the high-level view approach. With protocol profiles the corporate security manager is able to see more at the application level than at the protocol level (e.g., the profile in figure 5 collects each protocol needed to configure a CryptoBastion).

Figure 5
// Key management
Key management is highly important within a security system. A strong key management represents a major aspect for each security system. This was kept in mind during the design of the key management for the CryptoGuard VPN system. A PKI (Public Key Infrastructure) represents the whole of all components that are necessary to generate, manage, distribute and revoke digital certificates.

Keys for the entire system are generated and stored on the SMS. The pseudo-random number generator used for key generation and the key storage fulfill high security requirements. The primary CryptoGuard VPN device keys (the CryptoGuard VPN master keys), which will be used for the later encrypted communication between the SMS and the CryptoGuard VPN device, are transferred during the first contact between the SMS and the CryptoGuard VPN device. This key transfer is done per smartcard in a very flexible way. For CryptoGuard VPN devices without smartcard functionality the key transfer has to be done in a secure environment, using a serial link between the SMS and the CryptoGuard VPN device. After this step, which is called [...] of the CryptoGuard VPN, the SMS and the CryptoGuard VPN device are able to establish a secure session via the network (e.g., Internet).

The corporate security manager can manage the distribution of new keys by the SMS during normal daily business automatically or manually. Automatically means that the SMS changes the keys in a CryptoGuard VPN device at a defined date and time independently of any instructions. The corporate security manager only needs to specify the date, time and CryptoGuard VPN devices. Manually means that he has to start the key change for each CryptoGuard VPN device on his own.

The newest version of the SMS also supports smartcard functionality. This means an easy and comfortable way for the user to personalize on the SMS.

Advantages of the Key Management:
- Secure key generator and key storage
- Automatic or manual key distribution
- Smartcard functionality
// Logbooks
The SMS supports a management activity logbook and two security device logbooks. Each function activated at the SMS generates a logbook entry in the management activity logbook. The management activity logbook shows which user activated which functionality, and when. It logs the history of the entire security system for later analysis.

The corporate security manager can configure the CryptoGuard VPN devices to send security alerts in real time to the SMS, which receives them, displays a message on the screen, and stores the security alert in the security alert logbook for later analysis. The administrator can also configure the SMS to additionally send an SNMP trap to a defined network management system. Individual security alerts are stored for each CryptoGuard VPN device.

The second security device logbook is the security record logbook. Each CryptoGuard VPN device has its own logbook, storing security records defined by the SMS. As the logbook size in the CryptoGuard VPN devices is limited, the corporate security manager should save the security records periodically to external media. This is done by transferring the security records from the CryptoGuard VPN to the SMS. On the SMS, the received security records are stored in the security record logbook. The security records are stored individually for each CryptoGuard VPN device.

The corporate security manager can export all logbook entries in standard export format for use with third party analysis tools and is thus able to keep the whole offline analysis as flexible as possible.

Advantages of the logbooks:
- History for later analysis
- Security alerts
// Batch Jobs
If the corporate security manager has a great work load and, e.g., wants to start many activities at a defined date and time, batch jobs are an instrument to distribute the work load, for example distributing new connection keys to all CryptoGuard VPN devices on Friday at 10:00 PM and activating these keys on Saturday at 1:00 AM. The corporate security manager can automate such activities using batch jobs. He only has to define them once and they will be carried out at the defined date/time.

Additional examples for batch jobs are:
- Periodic reading of the CryptoGuard VPN logbooks
- Periodic backups of the SMS database
- Automatic distribution of software updates
// Redundancy
Since the SMS itself is the central possibility to manage the CryptoGuard VPN security system, it is advisable to have a redundant SMS for large networks requiring high availability. CryptoGuard VPN, CryptoGuard VPN Client and CryptoBastion have redundancy mechanisms with support of third party components, independent of that of the SMS.

New feature: Geo-Redundancy to support the configuration of the security system from different SMS locations and to manage the Backup and Restore mechanism from the master to the slave SMS (the replication of the databases will be done by several DBMS mechanisms like Virtual DBA).

It is possible to integrate two or more devices in parallel into one system to increase the availability of the network. The route is checked regularly; this makes it possible to recognize whether an active CryptoGuard VPN device (called 'Master') has failed and, if so, to remove it from the system. In that case, a second, until then passive CryptoGuard VPN of the redundancy system (called 'Slave') becomes the active one.
// Remote management
The corporate security manager may have a need for managing the SMS remotely; for this, remote management functionality is included. Remote management is realized using the standard X-Window system of the SMS operating system by tunneling it in an encrypted Secure Shell (SSH) session to a remote client.
// Conclusion
In times of more and more severe attacks on computers and computer networks, managers should especially keep in mind the damage emerging from these attacks and consequently attach great importance to network security. In order to protect their confidential data, many organizations are seeking a comprehensive, reliable and easy to handle opportunity. For companies that have a great need for a security management enabling a centralized and comfortable administration, the Security Management Station solution provided by Compumatica secure networks turns out to be an ideal way to manage their security concerns. Its uncomplicated integration as well as its numerous functionalities offer a perfect base for the setup of a stable and reliable corporate safety policy.

For information concerning the further parts of the CryptoGuard VPN security system and the system in general we refer to our other White Papers.
// Abbreviations
- IETF: Internet Engineering Task Force: Organization that defines the standards used in the Internet
- LAN: Local Area Network: Any physical network technology that spans short distances (up to a few thousand meters)
- IKE: Internet Key Exchange: A protocol defining how to exchange keys for IPsec communications
- IPsec: IP security: A standard which defines various security services for traffic at the IP layer
- KGL: Same as KGLAN
- SLES: SuSE Linux Enterprise Server
- SMS: Security Management Station
- VPN: Virtual Private Network: Method of communicating via a public network using encryption, so that only participants that share the necessary keys are able to communicate
- KGLAN: KryptoGuard LAN: Former name of the CryptoGuard VPN product
- WAN: Wide Area Network: Any physical network technology that spans large distances
// Short profile
Compumatica secure networks, based in Germany and the Netherlands, is a fully independent private company whose main task is securing the IP traffic of its customers. Compumatica develops, produces and implements high level security solutions for all types of IP networks and all types of customers. Customers can be small organizations with just a few countrywide connections up to international enterprises with world-wide networks.

Compumatica staff and products meet high standards of reliability and quality. The products are based on systems that are approved, or even certified, according to the strict regulations of the BSI (in Germany) and the NLNCSA (in the Netherlands). Every single product goes through a quality assurance phase in which it is subject to a long-term test. All Compumatica products are backward compatible for more than ten years. Herewith we guarantee our customers investment protection.

In the area of mobile communication our range is completed by a comprehensive Secure Mobile Concept that secures voice and SMS and which may be adapted to the individual requirements and needs of the customers.

Our customers are well-known top 500 enterprises as well as government agencies and public organizations in different countries which protect their critical data with the aid of Compumatica systems. As a world-wide approved producer and system integrator, Compumatica secure networks provides complete IT security solutions for networks of each size.

The security of your data is our mission. Cybersecurity with a personal touch.

Our product range also includes devices from our daughter vantronix secure systems, which contain a unique combination of IPv4-IPv6 gateway, router, firewall, network based anti-spam as well as Load Balancer based on OpenBSD. vantronix is a HP AllianceOne partner. The whole software range is therefore available on HP systems.
// Contact data
The Netherlands
Compumatica secure networks BV
Oude Udenseweg PDUden
The Netherlands
Phone: +31 (0)
Fax: +31 (0)
www.compumatica.com
info@compumatica.com

Germany
Compumatica secure networks GmbH
Monnetstraße Würselen
Germany
Phone: +49(0)
Fax: +49(0)
www.compumatica.com
info@compumatica.com
Enhancing your security management
Technical WhitePaper Enhancing your security management Compumatica secure networks 2014 Compumatica secure networks www.compumatica.com OVERVIEW NETWORK SECURITY plays an important role for any company
we secure YOUR network we secure network security English network security
we secure YOUR network English network security network security CryptoGuard VPN family The CryptoGuard VPN 5000 family is a flexible (cost-)effective security system, completely developed by Compumatica.
Chapter 4 Virtual Private Networking
Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between
Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved
NCP Secure Client Juniper Edition Service Release: 9.30 Build 102 Date: February 2012 1. New Features and Enhancements The following describe the new features introduced in this release: Visual Feedback
Case Study for Layer 3 Authentication and Encryption
CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client
NCP Secure Enterprise Management Next Generation Network Access Technology
Data Sheet NCP Secure Enterprise Management Next Generation Network Access Technology General description NCP Secure Enterprise Management is the central component of the NCP Next Generation Network Access
VPN Tracker for Mac OS X
VPN Tracker for Mac OS X How-to: Interoperability with Check Point VPN-1 Gateway Rev. 3.0 Copyright 2003-2004 equinux USA Inc. All rights reserved. 1. Introduction 1. Introduction This document describes
Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology
Centrally Managed VPN Fully Automatic Operation of a Remote Access VPN via a Single Console Enables easy rollout and operation of secure remote access infrastructures Central creation of client configuration
Chapter 8 Virtual Private Networking
Chapter 8 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FWG114P v2 Wireless Firewall/Print Server. VPN tunnels provide secure, encrypted
Chapter 7 Managing Users, Authentication, and Certificates
Chapter 7 Managing Users, Authentication, and Certificates This chapter contains the following sections: Adding Authentication Domains, Groups, and Users Managing Certificates Adding Authentication Domains,
Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2
Contents Introduction--1 Content and Purpose of This Guide...........................1 User Management.........................................2 Types of user accounts2 Security--3 Security Features.........................................3
Using IKEv2 on Juniper Networks Junos Pulse Secure Access Appliance
Using IKEv2 on Juniper Networks Junos Pulse Secure Access Appliance Juniper Networks, Inc. 1 Table of Contents Before we begin... 3 Configuring IKEv2 on IVE... 3 IKEv2 Client Side Configuration on Windows
Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May 2011. 1. New Features and Enhancements. Tip of the Day
NCP Secure Entry Mac Client Major Release 2.01 Build 47 May 2011 1. New Features and Enhancements Tip of the Day A Tip of the Day field for configuration tips and application examples is incorporated in
Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues
NCP Secure Entry Mac Client Service Release 2.05 Build 14711 December 2013 Prerequisites Apple OS X Operating System: The following Apple OS X operating system versions are supported with this release:
Secure web transactions system
Secure web transactions system TRUSTED WEB SECURITY MODEL Recently, as the generally accepted model in Internet application development, three-tier or multi-tier applications are used. Moreover, new trends
Secured email Enterprise eprivacy Suite
EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT Secured email Enterprise eprivacy Suite JANUARY 2007 www.westcoastlabs.org 2 EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT CONTENTS Secured email Enterprise eprivacy
Certificate Management. PAN-OS Administrator's Guide. Version 7.0
Certificate Management PAN-OS Administrator's Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
D.N.A. 5.6 MANAGEMENT APPLICATIONS
D.N.A. 5.6 MANAGEMENT APPLICATIONS The D.N.A. suite of is composed of management specific and end user. The management allow administrators to maintain, monitor, and adjust configurations and data to maximize
Security Policy Revision Date: 23 April 2009
Security Policy Revision Date: 23 April 2009 Remote Desktop Support Version 3.2.1 or later for Windows Version 3.1.2 or later for Linux and Mac 4 ISL Light Security Policy This section describes the procedure
CTS2134 Introduction to Networking. Module 8.4-8.7 Network Security
CTS2134 Introduction to Networking Module 8.4-8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by
1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network
WP 1004HE Part 5 1. Cyber Security White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network Table of Contents 1. Cyber Security... 1 1.1 What
70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network
70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network Course Number: 70-299 Length: 1 Day(s) Course Overview This course is part of the MCSA training. Prerequisites
This section provides a summary of using network location profiles to identify network connection types. Details include:
Module 7 Network Access and Security In Module 7 students will learn several strategies for controlling network access and enhancing network security. These will include: controlling network location profiles,
RuggedCom Solutions for
RuggedCom Solutions for NERC CIP Compliance Rev 20080401 Copyright RuggedCom Inc. 1 RuggedCom Solutions Hardware Ethernet Switches Routers Serial Server Media Converters Wireless Embedded Software Application
Configuring IPsec VPN with a FortiGate and a Cisco ASA
Configuring IPsec VPN with a FortiGate and a Cisco ASA The following recipe describes how to configure a site-to-site IPsec VPN tunnel. In this example, one site is behind a FortiGate and another site
RELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release 2.12.9 - corrections. ADYTON Release 2.12.
Table of Contents Scope of the Document... 1 [Latest Official] ADYTON Release 2.12.9... 1 ADYTON Release 2.12.4... 1 ADYTON Release 2.9.3... 3 ADYTON Release 2.7.7... 3 ADYTON Release 2.6.2... 4 ADYTON
Dlink DFL 800/1600 series: Using the built-in MS L2TP/IPSEC VPN client with certificates
Dlink DFL 800/1600 series: Using the built-in MS L2TP/IPSEC VPN client with certificates In this guide we have used Microsoft CA (Certification Authority) to generate client and gateway certificates. Certification
Configuring TheGreenBow VPN Client with a TP-LINK VPN Router
Configuring TheGreenBow VPN Client with a TP-LINK VPN Router This chapter describes how to configure TheGreenBow VPN Client with a TP-LINK router. This chapter includes the following sections: Example
Sophos UTM. Remote Access via PPTP. Configuring UTM and Client
Sophos UTM Remote Access via PPTP Configuring UTM and Client Product version: 9.000 Document date: Friday, January 11, 2013 The specifications and information in this document are subject to change without
VPN. VPN For BIPAC 741/743GE
VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,
ISG50 Application Note Version 1.0 June, 2011
ISG50 Application Note Version 1.0 June, 2011 Scenario 1 - ISG50 is placed behind an existing ZyWALL 1.1 Application Scenario For companies with existing network infrastructures and demanding VoIP requirements,
Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption, digital signature, hash, certification Complete security solutions
Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline
Course Number: SEC 150 Course Title: Security Concepts Hours: 2 Lab Hours: 2 Credit Hours: 3 Course Description: This course provides an overview of current technologies used to provide secure transport
CIPHERMAIL EMAIL ENCRYPTION. CipherMail white paper
CIPHERMAIL EMAIL ENCRYPTION CipherMail white paper Copyright 2009-2014, ciphermail.com. Introduction Most email is sent as plain text. This means that anyone who can intercept email messages, either in
DJIGZO EMAIL ENCRYPTION. Djigzo white paper
DJIGZO EMAIL ENCRYPTION Djigzo white paper Copyright 2009-2011, djigzo.com. Introduction Most email is sent as plain text. This means that anyone who can intercept email messages, either in transit or
PRIME IDENTITY MANAGEMENT CORE
PRIME IDENTITY MANAGEMENT CORE For secure enrollment applications processing and workflow management. PRIME Identity Management Core provides the foundation for any biometric identification platform. It
Implementing Core Cisco ASA Security (SASAC)
1800 ULEARN (853 276) www.ddls.com.au Implementing Core Cisco ASA Security (SASAC) Length 5 days Price $6215.00 (inc GST) Overview Cisco ASA Core covers the Cisco ASA 9.0 / 9.1 core firewall and VPN features.
Sophos UTM. Remote Access via SSL. Configuring UTM and Client
Sophos UTM Remote Access via SSL Configuring UTM and Client Product version: 9.000 Document date: Friday, January 11, 2013 The specifications and information in this document are subject to change without
Introduction to Network Management
Introduction to Network Management Chu-Sing Yang Department of Electrical Engineering National Cheng Kung University Outline Introduction Network Management Requirement SNMP family OSI management function
Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes
Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more
WHITE PAPER OCTOBER 2014. CA Unified Infrastructure Management for Networks
WHITE PAPER OCTOBER 2014 CA Unified Infrastructure Management for Networks 2 WHITE PAPER: CA UNIFIED INFRASTRUCTURE MANAGEMENT FOR NETWORKS ca.com Table of Contents Solution Overview 3 Specialized Probes
How To Understand And Understand The Security Of A Key Infrastructure
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used
STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE
STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE V IRTUAL PRIVATE NETWORKS C ONTENTS Introduction to the Scenarios... 3 Scenario 1: Gateway-to-Gateway With Pre-Shared Secrets... 3 Configuring
EncrypTight User Guide
ET0010A ET0100A ET1000A EncrypTight User Guide BLACK BOX EncrypTight acts as a transparent overlay that integrates easily into any existing network architecture, providing encryption rules and keys to
Print Audit Facilities Manager Technical Overview
Print Audit Facilities Manager Technical Overview Print Audit Facilities Manager is a powerful, easy to use tool designed to remotely collect meter reads, automate supplies fulfilment and report service
Technical Notes TN 1 - ETG 3000. FactoryCast Gateway TSX ETG 3021 / 3022 modules. How to Setup a GPRS Connection?
FactoryCast Gateway TSX ETG 3021 / 3022 modules How to Setup a GPRS Connection? 1 2 Table of Contents 1- GPRS Overview... 4 Introduction... 4 GPRS overview... 4 GPRS communications... 4 GPRS connections...
Avaya TM G700 Media Gateway Security. White Paper
Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional
Avaya G700 Media Gateway Security - Issue 1.0
Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise
Quidway SVN3000 Security Access Gateway
Quidway SVN3000 Security Access Gateway SSL/IPSec VPN Access Gateway HUAWEI TECHNOLOGIES CO., LTD. Product Overview With the rapid development and popularization of the Internet, informatization of enterprise
Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF
Building scalable IPSec infrastructure with MikroTik IPSec, L2TP/IPSec, OSPF Presenter information Tomas Kirnak Network design Security, wireless Servers Virtualization MikroTik Certified Trainer Atris,
Cisco RV082 Dual WAN VPN Router Cisco Small Business Routers
Cisco RV082 Dual WAN VPN Router Cisco Small Business Routers Secure Remote Access at the Heart of the Small Business Network Highlights Dual WAN connections for load balancing and connection redundancy
ADMINISTRATIVE POLICY # 32 8 117 (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # 32 8 117 (2014) Remote Access
Policy Title: Remote Access Policy Type: Administrative Policy Number: ADMINISTRATIVE POLICY # 32 8 117 (2014) Remote Access Approval Date: 05/20/2014 Revised Responsible Office: Office of Information
Network Management System (NMS) FAQ
Network Management System (NMS) FAQ Q: How does the NMS work? A: The Cooper NMS is a powerful, flexible and highly scalable wireless and fixed network management solution for thousands of network nodes
a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)
MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file
UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...
Page 1 of 10 Question/Topic UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) in SonicOS Enhanced Answer/Article Article Applies To: SonicWALL Security
The All-in-One Support Solution. Easy & Secure. Secure Advisor
The All-in-One Support Solution. Easy & Secure. Secure Advisor Secure Advisor - A Perfect Solution for Online Support Fast and easy remote support from anywhere Problems that often sound complicated on
Using Rsync for NAS-to-NAS Backups
READYNAS INSTANT STORAGE Using Rsync for NAS-to-NAS Backups Infrant Technologies 3065 Skyway Court, Fremont CA 94539 www.infrant.com Using Rsync For NAS-To-NAS Backups You've heard it before, but it's
DS SERIES SOLUTIONS ALL AT ONCE
DS SERIES SOLUTIONS ALL AT ONCE All At Once. Your IT infrastructure is expanding. Your servers are cities apart. Data comes in and goes out at light speed. And you've got to keep it all together. Life
7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
Introduction. An Overview of the DX Industrial Router Product Line. IP router and firewall. Integrated WAN, Serial and LAN interfaces
Introduction An Overview of the DX Industrial Router Product Line Secure Access with VPN Technology in Industrial Networks Outlining the IPsec and VPN capabilities available in the GarrettCom DX series of
Workflow Guide. Establish Site-to-Site VPN Connection using Digital Certificates. For Customers with Sophos Firewall Document Date: November 2015
Workflow Guide Establish Site-to-Site VPN Connection using Digital Certificates For Customers with Sophos Firewall Document Date: November 2015 November 2015 Page 1 of 14 Establish Site-to-Site VPN Connection
ICTTEN8195B Evaluate and apply network security
ICTTEN8195B Evaluate and apply network security Release 1 ICTTEN8195B Evaluate and apply network security Modification History Release Release 2 Comments This version first released with ICT10 Integrated
Create a VPN on your iPad, iPhone or iPod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance
Create a VPN on your iPad, iPhone or iPod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance This article will easily explain how to configure your Apple iPad, iPhone or iPod Touch
EUCIP - IT Administrator. Module 5 IT Security. Version 2.0
EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single
TMA Management Suite. For EAD and TDM products. ABOUT OneAccess. Value-Adding Software Licenses TMA
For EAD and TDM products Value-Adding Software Licenses ABOUT OneAccess OneAccess designs and develops a range of world-class multiservice routers for over 125 global service provider customers including
Certificate Management
Certificate Management Palo Alto Networks PAN-OS Administrator's Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES
OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES Table of contents 1.0 SOFTWARE 1 2.0 HARDWARE 2 3.0 TECHNICAL COMPONENTS 2 3.1 KEY MANAGEMENT
Djigzo email encryption. Djigzo white paper
Djigzo email encryption Djigzo white paper Copyright 2009-2011, djigzo.com. Introduction Most email is sent as plain text. This means that anyone who can intercept email messages, either in transit or
Secure SCADA Network Technology and Methods
Secure SCADA Network Technology and Methods FARKHOD ALSIHEROV, TAIHOON KIM Dept. Multimedia Engineering Hannam University Daejeon, South Korea [email protected], [email protected] Abstract: The overall
Management, Logging and Troubleshooting
CHAPTER 15 This chapter describes the following: SNMP Configuration System Logging SNMP Configuration Cisco NAC Guest Server supports management applications monitoring the system over SNMP (Simple Network
Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment
White Paper Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment Cisco Connected Analytics for Network Deployment (CAND) is Cisco hosted, subscription-based
Understanding the Cisco VPN Client
Understanding the Cisco VPN Client The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is a software program that runs on a Microsoft Windows -based PC. The VPN Client on a
Cornerstones of Security
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
Pre Sales Communications
Pre Sales Communications OmniVista 4760 from R4.1 & OmniPCX Enterprise R7.1 IP Protocols and Ports All rights reserved 2006, Alcatel Table of contents 1. Objectives...3 2. IP protocols...3 2.1. Global
LCOS 9.10 Feature Notes
Feature Notes Page 1 www.lancom.de The LANCOM firmware LCOS and the respective management tools (LCMS) regularly provide new functionalities for current LANCOM routers, access points, and gateways free
HP IMC Firewall Manager
HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this
Architecture and Mode of Operation
Open Source Scheduler Architecture and Mode of Operation http://jobscheduler.sourceforge.net Contents Components Platforms & Databases Architecture Configuration Deployment Distributed Processing Security
WHITE PAPER September 2012. CA Nimsoft For Network Monitoring
WHITE PAPER September 2012 CA Nimsoft For Network Monitoring Table of Contents EXECUTIVE SUMMARY 3 Solution overview 3 CA Nimsoft Monitor specialized probes 3 Network and application connectivity probe
MCTS Guide to Microsoft Windows 7. Chapter 14 Remote Access
MCTS Guide to Microsoft Windows 7 Chapter 14 Remote Access Objectives Understand remote access and remote control features in Windows 7 Understand virtual private networking features in Windows 7 Describe
Maintaining Non-Stop Services with Multi Layer Monitoring
Maintaining Non-Stop Services with Multi Layer Monitoring Lahav Savir System Architect and CEO of Emind Systems [email protected] www.emindsys.com The approach Non-stop applications can't leave on their
administrator are Console Users that can log on to the Web Management console and
Q and A Can I control what ObserveIT records? Yes, within the Web Console it is possible to define what the Agent records. By using inclusion or exclusion, you can control many aspects of the recording
Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview
Configuration Guide How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall Overview This document describes how to implement IPSec with pre-shared secrets establishing
WhatsUpGold. v3.0. WhatsConnected User Guide
WhatsUpGold v3.0 WhatsConnected User Guide Contents CHAPTER 1 Welcome to WhatsConnected Finding more information and updates... 2 Sending feedback... 3 CHAPTER 2 Installing and Configuring WhatsConnected
Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355
VPN This chapter describes how to configure Virtual Private Networks (VPNs) that allow other sites and remote workers to access your network resources. It includes the following sections: About VPNs, page
Associate in Science Degree in Computer Network Systems Engineering
Moorpark College Associate in Science Degree in Computer Network Systems Engineering To earn an Associate in Science Degree with a major in Computer Network Systems Engineering, students complete 40.5-45
Tim Bovles WILEY. Wiley Publishing, Inc.
Tim Bovles WILEY Wiley Publishing, Inc. Contents Introduction xvii Assessment Test xxiv Chapter 1 Introduction to Network Security 1 Threats to Network Security 2 External Threats 3 Internal Threats 5
External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy
External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy Contact information SecurEnvoy www.securenvoy.com 0845 2600010 1210 Parkview Arlington
Out-of-Band Management: the Integrated Approach to Remote IT Infrastructure Management
WHITE PAPER Out-of-Band Management: the Integrated Approach to Remote IT Infrastructure Management EXECUTIVE SUMMARY For decades, business imperatives for information technology (IT) have remained constant to cut costs and improve
Common Remote Service Platform (crsp) Security Concept
Siemens Remote Support Services Common Remote Service Platform (crsp) Security Concept White Paper April 2013 1 Contents Siemens AG, Sector Industry, Industry Automation, Automation Systems This entry
Service "NCPCLCFG" is not running In this case, increase the WaitForConfigService setting until the problem is circumvented
NCP Secure Client Juniper Edition Service Release: 9.30 Build 186 Date: July 2012 1. New Features and Enhancements The following describes the new feature introduced in this release: Configurable Service
MOBILITY & INTERCONNECTIVITY. Features SECURITY OF INFORMATION TECHNOLOGIES
MOBILITY & INTERCONNECTIVITY Features SECURITY OF INFORMATION TECHNOLOGIES Frequent changes to the structure of enterprise workforces mean that many are moving away from the traditional model of a single
axsguard Gatekeeper IPsec XAUTH How To v1.6
axsguard Gatekeeper IPsec XAUTH How To v1.6 Legal Notice VASCO Products VASCO data Security, Inc. and/or VASCO data Security International GmbH are referred to in this document as 'VASCO'. VASCO Products
Frequently Asked Questions. Secure Log Manager. Last Update: 6/25/01. 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.
Frequently Asked Questions Secure Log Manager Last Update: 6/25/01 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 1. What is Secure Log Manager? Secure Log Manager (SLM) is designed
WAN Failover Scenarios Using Digi Wireless WAN Routers
WAN Failover Scenarios Using Digi Wireless WAN Routers This document discusses several methods for using a Digi wireless WAN gateway to provide WAN failover for IP connections in conjunction with another
Managed Security Services (MSS) based on Provisioned Security Services (PSS)
Managed Security Services (MSS) based on Provisioned Security Services (PSS) Eyal Adar and Dan Sarel IP VALUE Abstract The paper discusses the reality of Managed Security Services today and their drawbacks.
NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9
NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document
