Information Module Title

1
Managed Security and VPN Services the Next
Opportunity for ASPs
June 2000 Intel Korea
2
Internet Security for an E-Business World
Internet
Suppliers
Branch Office
LAN
WAN
Customers
Telecommuters
Intranet
3
Internet Security for an e-Business World

• e-Business market is in a high growth curve
• With new opportunity comes new risks
• External security breaches
• Internal security breaches
• IPSec protects confidential data on the LAN
• Encrypts, authenticates maintains data
  integrity
• Protects from both internal and external threats
  
• IPSec impacts system performance
• Performance intensive
• Requires security adapters to maintain system
  performance
• Prepare now for deployment of e-Business security
• Deploy only IPSec hardware-capable adapters

Router/ Firewall
Client
Server
110100100101
1101001001010010110011100100
11010010010
11010010
4
e-Business The new economy
IT must focus on protecting its assets!
With new opportunity comes new risk!
Risk of protecting companys confidential assets
Risk of protecting client/customer data
Personal/career risk
Corporate Offices
So thats how you use a sniffer!
Suppliers
Confidentialtransactions
Clients
Field salesagent
5
e-Business The new economy
How bad is the security problem?

• Financial losses due to computer security
  breaches mounted to over 100 million for the
  third straight year(Source 1999 CSI/FBI
  Computer Crime and Security Survey)
• 51 acknowledged suffering financial losses
• 26 reported theft of proprietary information
• 163 respondents reported losses totaling 124
  million
• Electronic Security measures are fast becoming a
  given that cannot be ignored!

6
e-Business External Threats
Remote Office OR Corporate Partners
Desktops

• Todays External Protection
• Firewalls and intrusion detection software are
  designed to protect access to the network and
  its resources.

Tunnel Gateway/Server
Router/ Firewall
Corporate Network
Router/ Firewall
but is it enough?
Tunnel Gateway/Server
Desktops
7
e-Business Internal Threats

• Customers view external networksecurity as the
  biggest concern(Wirthlin Worldwide 10/99
  report)
• Internal threats occur more frequently(1999 IDC
  report European market)
• 100 experienced security breaches
• 90 of were internal
• 50 were malicious in nature
• Unauthorized access by insiders is on the rise
  (1999 CSI/FBI Crime Security Survey)
• Rose for the third year in a row to 55
• Likely sources of attack
• Web sites for sniffer-like tools flourish

Likely Sources of Attack
Disgruntled Employees
86
Independent Hackers
74
U.S. Competitors
53
Foreign Corporation
30
Foreign Government
21
Source 1999 CSI/FBI Computer Crime Security
Survey
It only takes one hostile employee to compromise
an entire organization
8
Building a Trusted NetworkIPSec A core building
block
Assures data confidentiality thru encryption
Protects against internal and external security
threats
Applicationindependent
Maintains data integrity
Complements existing security strategies
Authenticates data source/origin
Standards-based
Anti-replay detects rejects replayed packets
IPSec protects over-the-wire transactions
communications
9
IPSec requires system performance

• Advanced encryption consumes significant
  processing
• Choose a processing strategy that meets your
  needs
• High-performance processor and software
  encryption
• NIC solution with HW IPSec acceleration

10
Network Security Breach
11
Setting IP Security Policy
3DES IP Security Policy
Client (Respond Only)
12
Same Data Access with IPSec
13
Successful Encryption
14
High CPU Utilization, Low Performance
IPSec Encryptionthrough Software
15
Low CPU Utilization, High Performance
IPSec Encryptionw/ hardware acceleration using
the Intel PRO/100 S
16
Intels New Family of Adapters Featuring IPSec
Security Acceleration

• SecurityProtects valuable data on the LAN while
  maximizing performance and reducing host CPU
  utilization
• Network encryption co-processor
• IPSec standard support using DES and 3DES
• ManageabilityLowers network support costs with
  advanced management capabilities
• WfM 2.0, Pre-installed Intel Boot Agent enables
  WOL, DMI WEBM/CIM instrumentation, Intel
  PROSet utility
• CompatibilityReduces network complexity
• Intel SingleDriver technology
• All major desktop and server operating systems
  supported
• Server PerformanceAdvanced features alleviate
  server bottlenecks while maximizing performance

Available now
Available now
17
REMOTE ACCESS APPLICATIONS
Telecommuter
Individual Remote Access
Road Warrior
Day-Extender
Group Remote Access (LAN-to-LAN)
Supplier or Partner Location
Branch Office
Customer Site
18
INDIVIDUAL REMOTE ACCESS ALTERNATIVES
Local Connection
Long Distance Connection
Local Connection
HQ
CPE
19
Group Remote Access Alternatives
20
What is VPN?
A VPN (Virtual Private Network) is a technology
that connects individuals and systems over an IP
backbone or the Internet

• VPNs reduce costs by eliminating expensive leased
  lines and costly long distance toll charges
• Communications are protected through encryption
  and authentication technology
• Virtual presence on the local area network (LAN)
  is established with tunneling technology

21
Which Remote Access Alternative is Best?
USE DIAL-UP DIRECT TO A RAS FOR
USE OUTSOURCENETWORKING FOR
USE VIRTUAL PRIVATE NETWORKING FOR

• Fully or partially meshed networks
• IP-only networks
• Linking trading partners
• Road Warrior and site-to-site access
• International connectivity
• Flexible and rapid implementation

• Hub and spoke networks
• Multi-protocol networks
• Closed user groups
• Communications within a single country
• No additional IP access allowed/required

• Local telecommuters
• On-line transaction applications
• Flexible and rapid implementation
• As a back-up for outsource networks and VPN

22
The Upside of VPN

• One piece of gear
• One pipe
• One network
• Many applications

23
Benefits of VPN

• Reduced costs
• Eliminate long distance toll charges
• Reduce leased line charges
• High performance
• Every call is a local call
• The Internet is a robust public data
  infrastructure
• Increased security
• Better than traditional dial up and frame
  networks
• Unparalleled flexibility
• Any internet connection
• Any access technology (Cable, xDSL, etc)

24
Benefits of Combining VPN with a Direct Dial RAS

• VPN over the Internet is the low cost winner for
  long distance connectivity
• Direct Dial over the Telephone Network is the
  most reliable and affordable solution for local
  access
• Integrated Direct Dial and VPN solutions can also
  improve performance, security and reliability
• Direct dial provides a back up to VPN
• VPN supplements local direct dial capacity
• Common security and single authentication methods
  help implement a unified security policy

25
What is Security?

• The goal of security is to protect the computer
  system (or network) from unauthorized access and
  observation
• Encryption technology is to ensure the
  confidentiality of data sent ie. protect against
  unauthorized observation
• Authentication technology is used to protect
  against unauthorized access.
• digital certificates
• biometrics

26
Security EncryptionPrevent others from viewing
the information

• Encryption ensures the privacy and
• integrity of transmitted data
• Level of security is dependent on
• Strength of the underlying algorithm
• Key length
• Frequency of key change
• Shiva recommends the use of
• DES (Data Encryption Standard)
• Hardware based solutions provide better
  cost/performance
• 168 Bit Keys (3DES)
• Frequent and automated changing of keys

27
A GENERAL MODEL OF ENCRYPTION
Transformation Function
F
Plain Text
Cipher Text
Key
Two general types of cryptographic
systems Asymmetric or public key
encryption Symmetric or secret key encryption
28
ASYMMETRIC CRYPTOGRAPHY

• Used to establish connections
• Key pairs (public / private)
• Data encrypted with the public key can only be
  decrypted by the private key
• Relatively slow
• Keys relatively long (up to 2048 bits)
• Key space 22048
• Example
• Pretty Good Protection (PGP)
• Rivest, Shamir, Adelman (RSA)

29
SYMMETRIC CRYPTOGRAPHY

• Used for information moving through the
  connection
• Single shared key
• The same key is used to encrypt and decrypt
• Relatively fast
• Keys relatively short (up to 168 bits)
• Key space 2168
• Example
• Data Encryption Standard (DES)
• RC4, RC5

30
DATA ENCRYPTION STANDARD (DES)

• US Data Encryption Standard (DES)
• Variants
• 56-Bit DES
• Single key good protection
• 112-Bit (Triple-pass DES)
• Two keys, three passes better protection
• 168-Bit (3DES)
• Three independent keys three passes
  (encrypt-decrypt-encrypt)
• Best protection
• Caveats
• Encryption algorithms need to be safe from brute
  force attack because of the increasing speed of
  modern computers
• Need frequent and automated key exchanges
• Compute intensive requires hardware acceleration
  on server side
• US export and International import restrictions

31
KEY MANAGEMENT

• Key management controls the distribution and use
  of encryption keys
• Asymmetric algorithms reveal the public key and
  conceal the private key
• Public keys are exchanged
• Private keys are secured
• Symmetric algorithms require a secure key
  exchange mechanism
• Key secrecy must be maintained during key
  exchange

32
VPN AUTHENTICATION SERVICES

• Ensure the identity and authority of the VPN
  participants
• Choices include
• Technologies passwords, challenge phrase, hard
  and soft tokens with one-time passwords, and
  X.509 digital certificates
• Products NT Domains, NDS, RADIUS, SDI,
  Entrust, Shiva CA
• A VPN solution should allow you to select the
  authentication method that matches your needs
• Recommend the use of digital certificates
• X.509 digital certificates are de facto standard
• Better authentication than passwords and tokens
• Identify individuals and systems
• Client and system operate even when certificate
  authority is unreachable

Such trademarks belong to their respective
companies
33
WHAT ARE CERTIFICATES?

• Certificates are digital documents attesting to
  the binding of a public key to an individual or
  other entity
• Certificates allow verification of the claim that
  a specific public key does in fact belong to a
  specific individual
• Certificates contain
• A public key and a name
• Expiration date
• Name of the certifying authority that issued the
  certificate
• A serial number
• Other information
• Most importantly, certificates contain the
  digital signature of the certificate issuer

34
Security AuthenticationProve who I am

• Authentication guarantees the identity and
  authority of the VPN participants
• Choices include
• technologies passwords, challenge phrase,
  security tokens and X.509 digital certificates
• products NT Domains, NDS, RADIUS, SDI, Entrust,
  Shiva CA
• Shiva recommends the use of digital certificates
• X.509 digital certificates are de facto standard
• Implementations include Entrust and Shiva
  certificate authorities
• Better authentication than passwords and tokens
• Identify individuals and systems

35
Security Firewall

• Integrated firewall capabilities enhance the
  flexibility and security of a VPN solution
• Integrated firewall capabilities
• Control traffic flow in and out of the corporate
  network
• Limit access of VPN tunnel traffic to specific
  resources
• Provide a stand-alone solution for branch office
  applications

36
Associated VPN Components
FIREWALL - Integrated firewall capabilities
enhance the flexibilityand security of a VPN
solution ROUTING - Integrated routing
capabilities make a VPN solution more flexible
and easier to integrate into existing networking
environments MANAGEMENT - An efficient and
flexible management capability reduces the total
cost of ownership of a VPN solution PERFORMANCE
- VPN performance impacts overall costs and
end-user productivity
37
TunnelingEncapsulate your information
Definition Tunnels are a method of transmitting
private data over public networks Tunnels employ
a technique called encapsulation Secure tunnels
are tunnels that guarantee the privacy and
integrity of the transmitted data and the
authenticity of the parties communicating Standar
ds Alternatives Layer 2 PPTP, L2F, L2TP (Remote
Access Only, Not Secure) Layer 3 IPSec (Remote
Access and LAN-to-LAN, Strong Security
Simultaneous Access to the WWW and VPN
Tunnel) Tunneling Benefits route un-routed
networks across the Internet hides network
topology and application information
38
TunnelingHow tunneling works
39
Security TunnelingHow does tunneling work?
Encapsulation
40
Key Components of a Virtual Private Network
Solution

• Primary Components
• Encryption
• Tunneling
• Authentication
• Associated VPN Components
• Firewall
• Routing
• Performance
• Standards Support

Confidentiality Authentication Integrity
41
SSL Acceleration

• Hardware Power for e-Commerce

42
SSL Degrades Server Performance ...
CPU Utilization goes up to 100
Router
A single web server can service many clients and
process many HTTP connections per second.
But e-Commerce HTTPS connections require this
single CPU to perform decryption and encryption.
Just a few HTTPS connections per second will
utilize 100 of the CPU, and all the clients will
suffer.
43
The Solution - Director Restores Performance
Server never processes HTTPS
Router
Director
Server
A single Director is installed before the server.
Now as HTTPS connections flow through the
Director they are converted into HTTP for the
server.
The server only processes HTTP requests. Now all
the clients are happy again!
44
HTTPS Connection in Action
Client performs TCP handshake with Director at
port 443
Client and Director perform SSL handshake
Client
Director
Server
TCP
Director performs TCP handshake with destination
server at port 80
443
Client sends encrypted GET URL request
SSL
Director decrypts GET URL request and forwards
cleartext to server
TCP
80
GET URL
Server begins to send reply to Director
GET URL
Director encrypts return data and forwards
ciphertext to client
DATA
DATA
Server closes connection with TCP handshake
Director closes connection with TCP handshake
Up to 600 cps