[3351] in Kerberos


BEST PRODUCTS FOR OPEN SYSTEMS SECURITY

daemon@ATHENA.MIT.EDU (Jonathan Bines)
Tue May 31 04:05:00 1994

To: kerberos@MIT.EDU
Date: 31 May 1994 02:43:04 -0400
From: jonbines@panix.com (Jonathan Bines)


A while back, I asked for input on Best Products for Open Systems Security
as part of my research for a report on this topic in my newsletter, the
Best Practices Report.  Alas, I can't provide a summary of responses,
because nobody responded to either of my two queries (except a couple of
people who requested summaries...).  However, in the interests of stirring
the pot a bit, here's some of what I've found in the course of my
investigation.  Perhaps it will incline some of you to share your own
experiences. 

THE IMPORTANCE OF POLICY

First off, there was universal agreement that without a comprehensive,
well-thought-out security policy, based on a thorough analysis of your
computing and organizational environment, no amount of technology was
going to give you adequate security.  An article in the May issue of the
Best Practices Report discussed the areas where security can fail,
including: 

*	Inadequate employee education and training
*	Vague or inadequately-defined responsibilities
*	Uncontrolled or inadequately-controlled access to information
*	Inadequate backup and storage management policies
*	Inadequate physical security
*	Inadequate controls against viruses
*	Exposure of employees and outsiders to unnecessary temptation
*	Inadequate definition and restriction of privileges

In addition to addressing all of these concerns, managers need to assess
the value of their data to determine the necessary level of protection. 
Managers also agreed that without the support of top management, a
security policy is probably doomed to failure.  The topic of developing a
security policy was also addressed in the May issue of BPR, from a broad,
organizational perspective.  In the next issue, we'll be discussing the
technologies that are available for open systems security.  Here's an
overview of what we've found so far: 

THE TECHNOLOGY:

Of course, a security policy is only as good as your ability to 
implement/enforce it.  And while a great deal of this enforcement comes 
down to people and politics in your organization, technology also has an 
important role to play.  Here are some of the products that people 
mentioned as worthwhile in implementing network security in open 
environments:

A.  SECURITY MANAGEMENT

Security Management involves going out on the network to ensure that your
policies are being followed.  It includes checking to ensure that users
have valid, up-to-date passwords, that user privileges are correctly
assigned, that users log off properly, etc.  The two market leaders for
this technology are Raxco's Security Toolkit and SecureMax from
OpenVision.  Both of these products have received good reports from users,
who say that they greatly simplify their management tasks.  Raxco's
product gets additional praise for its comprehensive reporting
capabilities.  OpenVision has strong -- SecureMax and Security
Detective--for the OpenVMS environment.  CA Unicenter also provides
extensive security features, although it is only available as part of the
complete CA solution and involves changing the OS kernel. Fisher
International provides the Watchdog suite of data security products for
PC-LANs.  Mergent offers a similar function which a couple of people said
is somewhat less functional than the Fisher product. 

B.  USER AUTHENTICATION/IDENTIFICATION

This is the gatekeeper to your environment--ensuring that the person 
logging on is authorized to log on, and that they are who they claim to 
be.  
One problem many large sites are facing is the need of users to carry 
around 40 different passwords to access each different 
environment/resource in an organization--various solutions seek 
"single-sign-on" across the entire computing environment, although I've yet to 
hear of a successful example of this in practice (except in very limited 
environments).  Products available for Access Control include:
-Security Dynamics offers SecurID, which employs a credit-card-sized 
(two-card thickness) number generator which users carry with them.  
They log in using their PIN plus the number on the SecurID card.  Thus, 
if the card is lost, it's of no use to anyone without the PIN.
-Dallas Semiconductor offers "Dallas Sign On," based on its "Button" 
technology--a button-sized authenticator which connects to a port on the 
computer for "bring-something, know-something" authentication.  They 
are looking at including encryption technology inside the button.
-Enigma Logic provides SafeWord software which communicate with ID 
verification technologies such as smart cards, handheld tokens, and some 
biometric technologies.  Enigma Logic offers a token which includes the 
PIN in the token--without knowing the PIN, the user can't activate the 
token to get the authentication number.
-Mergent International provides Single Sign-On/Data Access Control 
(SSO/Dacs) for DOS and OS/2 compatibles, ostensibly providing 
single-sign-on to  workstation, network and mainframe environments.   
-IBM released a new version of NetSP, a single sign-on product 
providing a third-party security server that controls userID and user 
access to applications.  
-Fifth Generation Systems provides Secure Access Facility for Enterprise 
(SAFE), a PC-based product that creates a "security kernel" on each PC 
containing relevant security information (encrypted).  SAFE handles the 
negotiation of access to network resources.  Fischer's Watchdog product 
offers similar functionality.
-BoKS, distributed by SECURIX, Inc. in the US, provides flexible access 
control, including the ability to define access control to complement 
security policy (for example, limiting the time period when a user can 
access the system, or the hosts he/she can access).  Authentication is 
through passwords.
-Firewalls represent the point of entry to a computing environment from 
the Internet--so that only a single computer talks directly to the Net.  
Firewall vendors include:  Raptor Eagle, Enigma Logic, Trusted 
Information Systems, ANS Interlock
-A number of products provide remote access security, for users logging 
into systems from remote locations.  Typical schemes include software or 
hardware that "dials back" the user, combined with other authentication 
methods.  Los Altos Technologies' TermServ is an example of a software-based 
remote access product--in addition to modem security, it provides 
detailed reporting for capacity planning and management.  


C.  PRIVILEGE DEFINITION

Kerberos is the premier product for defining and maintaining levels of
user privilege.  The software provides authentication of a user to various
resources in a computing environment.  Developed at MIT, various
implementations are currently available, including a number of commercial
implementations.  Difficulties with Kerberos include the lack of support
from key applications, continued reliance on passwords (it is not a user
identification/authentication product), complexity of implementation (and
problems with scalability), and lack of interoperability among competing
versions (DCE vs. MIT, for example).  Commercial Kerberos providers
include CyberSAFE (formerly Open Computing Security Group), and Cygnus
Network Security. 

D.  DATA INTEGRITY PRODUCTS

Data integrity products include backup and storage management products (If
you haven't read the summary of Best Backup Product for Open Systems, I'm
happy to send it to you), encryption products, and virus protection
products--making sure data is not lost or compromised on the system or in
transit.  Despite user complaints that encryption should be linked to the
token device used for user identification/authentication, no company is
currently providing this capability.  Many security management products
also provide some data integrity functionality--virus control,
primarily--and utilities such as the Norton suite are available as well. 



Now then.  If you have experience with any of these products, or know of 
others which should be included in my report, I'd really appreciate 
hearing about them.  A summary of all responses will be posted.  
Complete confidentiality is guaranteed.  


[Article posted to several relevant groups--sorry for any duplication]

-- 
Jon Bines (jonbines@panix.com) ^   If you're not part of the solution,    ^
NSM Best Practices Rept.       ^   you're part of the precipitate.        ^
203 1st Ave #1 NY NY 10003     ^                                          ^
Phone/Fax 212-254-7064         ^                       -Steven Wright     ^ 
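Added example (not part of the original post, and not code from any vendor named in it): a minimal server-side verifier for the "PIN plus token code" login the post describes for SecurID-style number-generator cards. The post names no algorithm and SecurID's own generator is proprietary, so the token code here is assumed to be the public HMAC-based time-step scheme (RFC 6238 TOTP); the 60-second step, six-digit code and one-step drift window are assumed values. The point it demonstrates is the one the post makes: a lost card (a valid code) is useless without the PIN, a PIN is useless without the card, and, as an added check, a code that has already been used is refused even inside the drift window.

```python
import hashlib
import hmac
import os
import struct

TIME_STEP = 60      # seconds each token code is valid (assumed value)
DIGITS = 6          # length of the displayed code (assumed value)
DRIFT_STEPS = 1     # accept one step either side to tolerate clock skew


def totp_code(secret: bytes, unix_time: int) -> str:
    """Code the token would display at unix_time (RFC 6238 TOTP over HMAC-SHA1)."""
    counter = unix_time // TIME_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenAuthenticator:
    """Server-side store of (PIN hash, token seed) records plus the login check."""

    def __init__(self):
        self._users = {}
        # Dummy record so unknown users take the same code path (no enumeration).
        self._dummy = self._record("0000", os.urandom(20))

    @staticmethod
    def _record(pin: str, seed: bytes) -> dict:
        salt = os.urandom(16)
        return {
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000),
            "seed": seed,
            "last_counter": -1,   # highest counter already accepted; blocks code replay
        }

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self._users[user] = self._record(pin, seed)

    def verify(self, user: str, pin: str, code: str, now: int) -> bool:
        rec = self._users.get(user)
        known = rec is not None
        if not known:
            rec = self._dummy
        # Factor 1: the PIN (something you know).
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], 100_000)
        pin_ok = hmac.compare_digest(pin_hash, rec["pin_hash"])
        # Factor 2: the token code (something you have), within the drift window.
        base = now // TIME_STEP
        matched = -1
        for counter in range(base + DRIFT_STEPS, base - DRIFT_STEPS - 1, -1):
            expected = totp_code(rec["seed"], counter * TIME_STEP)
            if hmac.compare_digest(expected, code) and matched < 0:
                matched = counter
        code_ok = matched > rec["last_counter"]   # in window and not yet used
        # Combine with & rather than `and` so both factors are always evaluated
        # and a failure reveals nothing about which factor was wrong.
        ok = known & pin_ok & code_ok
        if ok:
            rec["last_counter"] = matched
        return ok


if __name__ == "__main__":
    # Constructed demonstration data: a hypothetical user, PIN and token seed.
    seed = b"constructed-token-seed"
    auth = TokenAuthenticator()
    auth.enroll("alice", "1234", seed)
    t = 1_000_000
    card_code = totp_code(seed, t)                         # what the card shows now
    print("lost card, no PIN   :", auth.verify("alice", "9999", card_code, t))
    print("PIN, no card        :", auth.verify("alice", "1234", "000000", t))
    print("PIN + card          :", auth.verify("alice", "1234", card_code, t))
    print("same code replayed  :", auth.verify("alice", "1234", card_code, t + 5))
```

The `last_counter` field is the detail worth keeping: without it, anyone who observes a PIN and code in transit can reuse the pair for the rest of the drift window, which undercuts the "no use to anyone without the PIN" property the post relies on.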
