Total Security Solution System: @SECUREVISION Essential Security for Net Businesses



Similar documents
Secure System Solution and Security Technology

Interstage Application Server V7.0 Single Sign-on Operator's Guide

Fujitsu Enterprise Security Architecture

Strong Authentication for Secure VPN Access

Aadhaar. Security Policy & Framework for UIDAI Authentication. Version 1.0. Unique Identification Authority of India (UIDAI)

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Fujitsu s Approach to Cloud-related Information Security

Hitachi to Expand Finger Vein Authentication System Business on a Global Basis

Authentication Levels. White Paper April 23, 2014

Document ID. Cyber security for substation automation products and systems

The Information Security Problem

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Using Entrust certificates with VPN

Recommended IP Telephony Architecture

A brief on Two-Factor Authentication

Executive Summary P 1. ActivIdentity

Information Security Basic Concepts

Longmai Mobile PKI Solution

Firewall Environments. Name

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

CTS2134 Introduction to Networking. Module Network Security

Architecture Overview

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

Industrial Security Solutions

The BiGuard SSL VPN Appliances

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

ISO COMPLIANCE WITH OBSERVEIT

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

INTRUSION DETECTION SYSTEMS and Network Security

Borderware MXtreme. Secure Gateway QuickStart Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

FBLA Cyber Security aligned with Common Core FBLA: Cyber Security RST RST RST RST WHST WHST

Common Remote Service Platform (crsp) Security Concept

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

SSL VPN Technology White Paper

IBM Client Security Solutions. Client Security User's Guide

Vidder PrecisionAccess

Management Standards for Information Security Measures for the Central Government Computer Systems

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Entrust IdentityGuard Comprehensive

Cornerstones of Security

Directory and File Transfer Services. Chapter 7

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Technical Standards for Information Security Measures for the Central Government Computer Systems

Network Security Guidelines. e-governance

Remote Access Security

Exam 1 - CSIS 3755 Information Assurance

HOTPin Integration Guide: DirectAccess

Introduction to Cyber Security / Information Security

Extranet Access Management Web Access Control for New Business Services

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Getting a Secure Intranet

Citrix MetaFrame XP Security Standards and Deployment Scenarios

Global network of innovation. Svein Arne Lindøe Arnfinn Strand Security Competence Center Scandic Siemens Business Services (Norway)

Chapter 1: Introduction

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

The Convergence of IT Security and Physical Access Control

How To Protect Your Network From Attack

How To Pass A Credit Course At Florida State College At Jacksonville

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

MOBILITY & INTERCONNECTIVITY. Features SECURITY OF INFORMATION TECHNOLOGIES

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Certification Practice Statement

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Security Architectures for Cloud Computing

Information Security

Network Security Administrator

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

IT Security. Securing Your Business Investments

MCITP MCITP: Enterprise Administrator on Windows Server 2008 (5 Modules)

IPCOM S Series Functions Overview

Copyright: WhosOnLocation Limited

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

IT Architecture Review. ISACA Conference Fall 2003

Best Practices for Securing Your Enterprise:

Transcription:

UDC 621.395.74:681.32.004.4 Total Security Solution System: @SECUREVISION Essential Security for Net Businesses VTakashi Ohgo (Manuscript received September 24, 2000) The numerous cases of cracking into government agency Web pages since the end of January 2000 have brought the necessity for Web site security very close to home. Success in business requires an effective means for preventing unauthorized or illegal accesses. Besides making its access authorization system even stronger, Fujitsu has introduced @SECUREVISION, a total security solution for supporting corporate security that can be flexibly tailored to specific customer needs. 1. Necessity for a secure environment Because of technology (e.g., IP protocol), corporate networks are expected to experience a big expansion in the 21st century, regardless of a company s industry or its type of business. Examples include extranet conversion of corporate information systems, direct transactions with individual consumers utilizing browsers, and SFA implementation for building marketing systems fully supplied with information. Security is a vital issue that must be addressed in this age of global IP networks. However, because the term security is so broad and the introduction of security systems does not directly contribute to convenience or effectiveness, not to mention business profits, it is often apt to be neglected. Even though many companies recognize the need for security, many do nothing about it because the effects of the investment are invisible. Information systems are constantly being threatened by attacks in such forms as cracking into Web pages via networks, SPAM mail, note 1) and programs known as viruses. security to combat such threats must utilize solutions that feature a good balance between the technical and operational aspects. The recent illegal accesses to Japanese government agency Web pages, denial of service (DoS) attacks on search sites, computer viruses such as LOVELETTER, and ISO standardization of security measures have caused a significant change in the security environment, as evidenced by the action now being taken by many organizations. Now that the threat of the Y2K problem is behind us and signs of economic recovery are appearing, particularly in the IT area, the year 2000 marks the beginning of full-scale efforts at network security. Although Fujitsu has been offering security solutions to its customers primarily through our Secure Systems Promotion Section, beginning in February 2000, we aim to further reinforce our organizational structure, particularly to ensure system security that meets the requirements of an connection environment. note 1) SPAM mail: Electronic mail sent to a recipient regardless of whether the recipient requested it and whose purpose is commercial and/or to annoy. 218 FUJITSU Sci. Tech. J.,36,2,pp.218-225(December 2000)

2. Features of @SECUREVISION Fujitsu unveiled @SECUREVISION in May 1998 as an integrated security solution system to support network computing security. Since then, we have been significantly upgrading the product and its services by adding such features as PC note 2) Security Solution, which uses a smart card and other personal authentication technology (explained in detail later). In September 2000, we unveiled an enhanced version of the system by adding to and enhancing the services, for example, by acquiring the authentications of ISO/BS and observing and auditing network security. The features of @SECUREVISION are explained below. 1) Complete provisions for planning, configuring, and operating a system based on a specific security policy With the requirements of the IP age becoming increasingly complex, it is now very important to select and operate products that use security technologies based on a good security policy. @SECUREVISION offers a total solution to security, spanning all aspects from the formulation of a company-wide security policy to the building and operation of a secure system. 2) Integrated security management functions The products and services incorporated in @SECUREVISION conform to international standards and are integrated to have excellent interconnectivity with other companies, even companies in other countries. Furthermore, they also have interoperability features such as total management of security servers and unified authentication. 3) Services and supports with specialized organizations and experts Security services such as consulting, security server configuration, and 24-hour/365-day note 2) Smart card: An IC card having an embedded IC chip in which data can be stored as well as functions for authentication based on the user s personal identification number (PIN) and calculation function. 1. Personal computer security 4. Integrated corporate information security 3. Remote access security Corporate system Head office 2. Barrier segment security Public line/isdn Figure 1 Examples of security solutions. Authentication station (JCS, etc.) VPN Other companies Branch Bank Consumer 5. EC/EDI security monitoring are provided to customers by security experts in specialized organizations within the Fujitsu Group. They support not only planning, configuration, and system operation, but also help customers acquire the ISO15408 and ISO17799 (BS7799) security authentications. 3. Overview of @SECUREVISION As already described, the term security has an extremely broad meaning. @SECUREVISION is therefore divided into five parts to enable Fujitsu to meet the precise needs of each user (Figure 1). The main parts and services of @SECUREVISION are described below. There are two important facets of the enhanced version, which was unveiled in August 1999. The first facet concerns personal identity authentication, which is a very important security measure that verifies the identity of the user. Providing a high degree of security with conventional systems using only personal IDs and passwords has proved difficult at best. In response, we offer the PC security solution shown in Figure 2. This solution combines our recently developed Smart Card Authentication software for high-reliability, high-expandability personal authentication with a fingerprint recognition device. The use of smart cards eliminates the trouble of having to memorize multiple passwords. It also FUJITSU Sci. Tech. J.,36, 2,(December 2000) 219

1. Enhancing login security through smart cards (ID/password) WWW server Encrypted e-mail communication Smart card Printer 3. Encrypted computer data Bio-authentication 2. Use of personal characteristics data (fingerprint, handwriting, etc.) SECURE PC CARD Secure MO Figure 2 PC security enhanced PC security and protection of resources. Branch 3. Secure network through VPN Firewall 1. DMZ (demilitarized zone) provides a passive shield against external netwoks Proxy Reverse proxy function 4. Safe use of outsourced middleware 2. Enhanced reliability Company Public WWW DB/TeamWARE DB DMZ Data replication DB/TeamWARE Figure 3 Barrier segment security prevention of unauthorized access from outside the system. prevents impersonation resulting from the theft of passwords and IDs as well as tapping into networks. The initial features of the sophisticated PKI environment unique to @SECUREVISION include the storing of digital certificates note 3) in smart cards to facilitate access by the user, mail encryption, and single sign-on. note 4) These features also facilitate expansion of the security measures. The second facet is the addition of Netshelter, a hardware/software single-unit dedicated security device, to the Barrier Segment Security solution for preventing unauthorized access note 5) (Figure 3). When the is used, VPN and firewall functions can easily be installed. 4. Smart card authentication Smart Card Authentication is a PC authentication package that uses smart cards (Figure 4). As well as providing a method for logging on to a Windows system, a single smart card also enables construction of high-level security systems as explained below. 1) Windows logon Records the user ID and password on the smart card to enable user authentication. 2) WWW browser user authentication and encrypted communication Uses the digital certificates in the smart card to facilitate client authentication (SSL v.3.0 note 6) ) and encrypted communication via Explorer and Netscape Communicator. 3) Electronic mail encryption and digital signatures Uses digital certificates in the smart card for S/MIME mail encryption, user authentication, and the prevention of cracking with Outlook Express and Netscape Messenger. 4) Upgraded personal computer security The smart cards have a function for locking note 3) note 4) Digital certificate: Part of the secret key or public key used for encryption in a public key encryption system by which the authentication station determines whether the public key of a communicating party is the registered public key of the party that the communicating party claims to be. Also called a public key certificate. Single sign-on: A mechanism by which a user performs a single authentication procedure and is then note 5) note 6) given access to all systems for which the user has access authority. VPN (Virtual Private Network): A technology or network for the implementation of virtual dedicated line networks utilizing encryption, user authentication, etc., on a public network. Also called a virtual restricted area network. SSL (Secure Socket Layer): A mechanism for maintaining data security when using a Web browser, etc. Proposed by Netscape Communications of the U.S. 220 FUJITSU Sci. Tech. J.,36, 2,(December 2000)

Encrypted mail digital signature User authentication Encrypted communication Outlook Express WWW server NT server Explorer Local authentication Screen saver lock Remote authentication ID/password authentication Application Server User Domain name ID/password Public key/secret key Figure 4 Smart card authentication. 1. Security monitoring 4. Data encryption function Operation management server Public WWW DMZ Firewall Directory In-house CA WWW WWW Card-incorporated code processor 2. Integrated user authentication Company 3. PKI security base Figure 5 Integrated corporate information security. and unlocking screen savers and a function that enables the specification of the operations that individual users are allowed to perform. 5. Sophisticated PKI environment The PKI environment, shown together with the Integrated Corporate Information Security solution in Figure 5, is closely linked to smart cards and has been a special feature of @SECUREVISION since it was first released. The PKI environment consists of a CA server which issues public key identity certificates, InfoCA for Enterprise PKI Manager, InfoCA Key Protection FUJITSU Sci. Tech. J.,36, 2,(December 2000) 221

Option, a directory server that stores certificates and other user information, and InfoDirectory and Enterprise PKI Manager, which manage certificates. These elements not only provide for encrypted communication, identity authentication, and the prevention of cracking and impersonation, but they also provide centralized management of user information such as IDs, passwords, and certificates and single sign-on through SystemWalker/getAccess. Previous systems had problems with the management of the certificates and secret keys of users stored in the client s personal computer. With this system, each user carries his or her own smart card, making it possible for many people to use the same client PC. This has also enabled dependable, precise authentication for mobile computing. Recently, many insurance and agent systems, manufacturing transaction terminals, and shared school terminals have been installed. Also, open networks are becoming increasingly utilized to make declarations and apply for licenses under such themes as Electronic Government, which is a part of the Millennium Project. 6. Barrier segment products matched with application size Our barrier segment products prevent unauthorized access at the front line. Of these products, the firewall plays the most important role. A wide range of firewalls can be selected depending on the size of the application, ranging from a hardware/software single unit type to personal computer server and UNIX server types (Figure 6). NetShelter, a single-unit dedicated security device provided with enhancements, is available in two types: NetShelter/VPN, which provides VPN functions; and NetShelter/FW, which has both VPN and firewall functions. Because NetShelter does not require an operating system installation and has simple parameter settings, it makes it easy to build a secure system. Because Safegate, NetShelter/FW, and Net- Shelter/VPN all employ the Safegate architecture using the firewall management software, Safegate Central Control, management can be conducted in the same way as for the personal computer server and UNIX server types of Safegate. Installing a Safegate client also enables VPN Safegate NetShelter/VPN NetShelter/FW Branch Sales office Branch Safegate client Mobile terminal Headquarters InfoProxy TeamWARE Office SymfoWARE Safegate WindowsNT /UNIX Duplication Safegate centralized control Figure 6 Barrier segment products for a wide range of applications. 222 FUJITSU Sci. Tech. J.,36, 2,(December 2000)

Planning Construction Operation Security Consulting Consulting for corporate security policy planning Security level enhancement consulting Security certification achievement consulting ISO15408 certification achievement consulting ISO17799 (BS7799) certification achievement consulting System security design Secure network configuration Authentication method (OTP, certificates) Access control Communication methods Encryption Log monitoring method Secure System Construction Security server construction DNS Mail server Public server Firewall PKI system construction CA server RA server Directory server Smart card system construction Smart card design Data entry JCSI certificate issuance Security Monitoring Illegal access monitoring Virus monitoring Security Operation Support Security operation support Security accident recovery support Security auditing Pseudo attack test Security auditing Security Outsourcing Figure 7 @SECUREVISION service system. communication between mobile clients. Safegate is the first Fujitsu security product to obtain ISO15408 certification. 7. Information security service InfoSecure The @SECUREVISION service system is shown in Figure 7. For the upstream processes of system configuration, @SECUREVISION uses the InfoSecure service for formulating information security policy based on international standards (ISO/IEC 15408, Guidelines for the Management of IT Security, A Code of Practice for Information Security Management, etc.). The achievement of adequate security requires a clarification of the company s security policy and also requires product selection, system construction, operation, and monitoring in accordance with this policy. Recently, Fujitsu surveyed 350 companies regarding their current information security provisions. The results were analyzed and classified into nine categories (organization, operation management, education, etc.). We found that none of the averages for the nine categories met international standards (Figure 8). To implement InfoSecure, a security policy Auditing 9 8 Organization 7 PC/WS data management 6 Server (host) data management Organization 1 10 9 Operation 8 2 7 6 5 4 3 Education 2 3 1 0 4 Physical management 5 User management International standards 350-company average Figure 8 Analysis of current information security systems. is drawn up and the client s current problems are analyzed through the following procedure: Simple evaluation of information security Consultation on formulation of information security policy Consultation on reinforcing information security support Then, within a short space of time, we propose system improvements that will fulfill the minimum requirements for information security, which could even be regarded as part of a FUJITSU Sci. Tech. J.,36, 2,(December 2000) 223

Firewall Wall Customer's system Web DNS DMZ Mail Atack option Security audit option Fujitsu security partners' network Figure 9 New security service. Centralized monitoring Fujitsu security partners' network Monthly report Emergency measures Fujitsu network monitoring center Basic services 24-hour, 365-day Emergency response Monthly report Centralized management company s responsibility to society. Fujitsu also actively supports the implementation of the most effective information security solutions for the least amount of investment. Furthermore, we added new services in September 2000 called ISO15408 certification achievement consulting and ISO17799 (BS7799) certification achievement consulting. These are based on the results of configuring and operating banking systems, making data centers conform to security standards, and experiences gained from the first overseas acquisition of authentication for the Safegate firewall. In our ISO15408 certification achievement consulting service, we give consultations on making a system conform to ISO15408 and help customers obtain the authentication of the Communications-Electronics Security Group (CESG), which is an important British authentication organization. Customers can quickly obtain the authentication because the estimations are made in Japan. In the ISO17799 (BS7799) certification achievement consulting service, we provide consultations on the various phases of a system s lifecycle, for example, system organization, training, and operation, and consultations for acquiring CESG authentication. These two services help customers obtain a certificate from a respected authentication organization and therefore can improve their corporate image and show to their own customers that their security can be trusted. 8. Brand new security service The most conspicuous point of the enhancement of September 2000 is the addition of a brand new security service (Figure 9). In this service, using the, security specialists monitor customers systems round the clock from the Fujitsu Network Monitoring Center to ensure that the wisest security measures are being taken. If there is an emergency, the center immediately calls the customer and the security experts of Fujitsu Security Partners Network take appropriate measures to cope with the situation. Fujitsu Security Partners Network is a professional group that provides high-grade customized services. When the service was started in September, 44 companies of the Fujitsu group participated. In addition, this new service has many other advantages, for example, it can monitor not only the barrier segment but also an intranet, there are no initial costs for the standard service, the standard service includes an insurance policy for damage compensation, and audit/operation advice options are available. As described at the beginning of this paper, security to protect against unauthorized and illegal accesses has become a big theme for company systems. However, developing countermeasures against the increasingly sophisticated tools being used for illegal access, searching for and monitoring security holes, and providing 24-hour monitoring has become a huge burden on the systems divisions of companies. Therefore, Fujitsu s new security service supports corporate security to provide total safety and reliance. The new service is partly based on the knowledge Fujitsu gained by analyzing the security aspects of 3000 company systems, 2000 configurations, and 24-hour monitoring for 200 systems. 224 FUJITSU Sci. Tech. J.,36, 2,(December 2000)

Takashi Ohgo received the B.A. degree from the Department of English of Obirin University, Tokyo, Japan in 1987. He joined Fujitsu Keihin Systems Engineering Ltd., Yokohama, Japan in 1987, where he was engaged in development of UNIX packaging software, construction of large-scale business systems using UNIX servers, and support business. He transferred to Fujitsu Ltd., Kawasaki, Japan in 1998, where he has been working on the support of security technologies. He is a member of Firewall Defenders and the Japan Network Security Association. E-mail: OHGO.Takashi@jp.fujitsu.com FUJITSU Sci. Tech. J.,36, 2,(December 2000) 225

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information