Isolation Systems: InfoCrypt Enterprise

by Paul Grosse - July 1997

Introduction

Wide Area Networks (WANs) and Value Added Networks (VANs) provide only part of the solution to the systems administrator wishing to link together networks on different sites - they are expensive to install and maintain (cost being a function of distance) and offer little when the time comes to expand or redefine the network - their unguarded length also makes them vulnerable to physical breach. The Internet, on the other hand, is global in scale, already exists and the cost of using it is a function of connection time rather than distance, the only real problem is that it is completely open.

The issues arising from openness - vulnerability of systems connected to; and security and integrity of company traffic over the open network - are addressed by implementing firewalls to protect private networks and by creating an encrypted tunnel of network traffic through the open system. With its high specification and reasonable pricing, Isolation Systems' InfoCrypt series of products addresses the problems of scalability and cost of installation whilst extending a given networks' capabilities by creating a flexible, secure environment in which remote users (either geographically remote sites, or employees on the move or at home) are able to access the secure network - retrieving e-mail and so on - through their normal ISP. Companies that ignore the move away from WANs and VANs toward the Internet are destined to watch their competitors take the lead.

Products

VPN security across an open system is maintained by using strong encryption - packets being encrypted before going out of the private network and then decrypted at the other end. Encrypted packets entering the receiving private network must first satisfy a number of criteria and then be able to be decrypted. Consequently, if the encryption employed is strong enough and the keys selected are protected from disclosure, this type of protection can be very powerful indeed. The InfoCrypt VPN solution implements IPSEC standard VPN technology or interoperability with other VPN networking products.

In the InfoCrypt series, initially, RSA asymmetric encryption is used for authentication (via standard X.509 digital certificates) and exchanging keys - its powerful, although relatively slow encryption (up to 2048 bit keys) being extremely useful for small quantities of data - then the faster secret key DES is used for encrypting the bulk of the data once the connection has been established - using DES, triple pas DES with double or triple length keys. DES encryption and decryption is performed using a dedicated Application Specific Integrated Circuit (ASIC) chip to do all of the hard work thus providing a higher rate of traffic than software only solutions.

The fact that most file formats start off with the same patterns of data constitutes a weakness that enhances the hacker's chances of successfully finding an encryption key. Also, large amounts of space can form identical encrypted blocks that can be spotted easily as an additional aid to unauthorised decryption. Isolation Systems uses Outer Cipher Block Chaining (Outer-CBC) which uses a random spoiler (salting each block) or initialisation vector so that identical blocks of plain text (or similarly structured headers of files) will not encrypt to the same cipher text.

The architecture of the InfoCrypt series is modular in design so that it is able to grow with the requirements of the network.

InfoCrypt Enterprise:

The InfoCrypt Enterprise is the heart of the system - sitting at the gateway between the private and public networks it is both a firewall and a VPN server, able to handle 1024 simultaneous cryptographically separated virtual networks. For encryption, it normally uses an ASIC chip - providing processing rates of 10Mbps encrypted and 45Mbps in the clear - although there are versions available where the ASIC chip has been replaced by software resulting in a black box costing around two thirds of the price but will handle only 10Mbps.

Rather than running on UNIX or NT - both operating systems appearing regularly in the security vulnerability bulletins - InfoCrypt Enterprise runs on a secure, real-time operating system that is designed for the job thus removing potential hooks that hackers would use to break into the system. As a result, the operating system does not require 'hardening' at the time of installation as it would with a number of other firewalls on the market. The security architecture is based upon the principle that 'actions which are not specifically permitted are denied'.

InfoCrypt Enterprise is configurable through a command line console port, encrypted telnet, InfoCrypt Manager which provides a centralised GUI enabling the configuration of multiple encryptors from one point on the network and SNMP - once configured, it does not require day-to-day administration. Unlike other VPNs where keys are entered manually, the Enterprise implements a completely automated key management system that noes not require any intervention after initial configuration. The advantages to automatic key management are: that once keys are set up, nobody gets to see them thus eliminating one weakness; and, as a network grows, the system copes automatically - manual key entry and management becomes an increasing burden with the tendency to compromise security by increasing the life time of keys in order to reduce the management overhead.

Further to automatic key management, choice of levels of encryption (or in the clear) can be selected based on source and destination IP addresses - some routes, such as from a branch office to a customer, can be left in the clear, others encrypted according to the sensitivity of the traffic. Each source/destination subnet pair having its own key so that no unauthorised parties (or people on other subnet pairs within the same network) can view the or tamper with the data.

Full Network Address Translation (NAT) is implemented for all inbound and outbound packets thus concealing the topology of the internal network completely. NAT also allows the utilisation of of unrouted IP addresses within the network for added security and ease of assigning IP addresses to internal hosts - InfoCrypt Enterprise's NAT being implemented according to IETF RFC 1631. InfoCrypt Enterprise uses NAT to make it appear that all outbound requests appear to originate from the InfoCrypt Enterprise itself. All inbound packets are tracked - including SYN and RESET packets, packet sequencing numbers and TCP flags - to ensure that that are valid responses to outbound requests. In this way sniffing and spoofing are kept at bay although it must be appreciated that the internal network is still vulnerable to attacks from untrusted URLs via malicious JAVA, ActiveX and any of the other embedded languages within the justified content of such traffic.

InfoCrypt Manager:

InfoCrypt Manager is the Windows 95 and Windows NT GUI for InfoCrypt Enterprise enabling the Security Officer to add, modify and distribute security profiles across the entire network. The configuration of subnet pairs can be performed from a single machine with users being added or deleted easily, supporting up to 1024 encryptors on a network.

Using the InfoCrypt Manager, the whole system can be monitored in terms of logging of events and alarms. Realising that SNMP is not a secure protocol (there being little point in providing a secure, highly encrypted network only to allow hackers in through the back door of a weak management protocol to reconfigure the system), it is used for monitoring purposes only, allowing the network management group to monitor the status of the encryptors using standard networking tools such as Hewlett-Packard's OpenView. The security administration is handled separately thus allowing the two different jobs to be run by different groups of people if required.

At around a third of the price of the Enterprise and giving a powerful GUI instead of a command line console port, encrypted telnet, or SNMP it is good value for administrators that are not familiar with the other configuration methods.

InfoCrypt Certificate Authority:

Designed to run under Windows 95 and Windows NT, InfoCrypt Certificate Authority is responsible for the certification and management of all InfoCrypt products, supplying positive identification of encryptors and remote users by using industry standard X.509 digital certificates. Using RSA public key encryption, these certificates are practically impossible to forge.

It automatically creates, certifies, renews, revokes and deletes digital certificates based on cryptoperiods and network changes without limit to the number of certificates it can generate.

InfoCrypt Certificate Authority interfaces with all InfoCrypt products and uses an 'intuitive' GUI making the job of security administration easier.

InfoCrypt Desktop:

InfoCrypt Desktop is a Windows 95 or Windows NT software providing desktop to desktop security within a LAN or WAN. As it operates at the network layer, it is completely transparent to the user and will work with any application.

It works essentially the same as the InfoCrypt Enterprise, encrypting and decrypting packets based upon the source and destination addresses, selecting encryption algorithms and key lengths on a link by link basis.

In addition, it supports the InfoCrypt Extreme PCI card to increase encryption / decryption throughput up to LAN speeds and, because this can be used on remote or mobile sites where physical security may not be up to the same standards as those at head office, it supports the InfoCrypt Secure Token.

InfoCrypt Server:

InfoCrypt Server is the complete software version of the InfoCrypt Enterprise, working in exactly the same way but on a Windows NT Server. Like the InfoCrypt Desktop, and for the same reasons, it also supports the InfoCrypt Extreme PCI card and the InfoCrypt Secure Token.

It can coexist with other NT applications and networking products including Microsoft Proxy and Microsoft BackOffice.

InfoCrypt Secure Token and InfoCrypt Secure Token Drive:

InfoCrypt Secure Token is a standard, removable PCMCIA card designed to meet FIPS-140-1 level 2 criteria, storing and performing all private key operations thus keeping the private key secure from direct attack. Being removable, it enables the user to keep the sensitive information away form their workstation and prevent unauthorised access to the network.

Manufactured by Chrysalis-ITS, it complies with a number of military and international specifications relating to mechanical shock, vibration and electrostatic discharge.

Being standard PCMCIA, it can be inserted into any laptop computer supporting PCMCIA - for desktop and laptops that don't support PCMCIA, there is a InfoCrypt Secure Token Drive which simply plugs into a port on the back of the machine.

InfoCrypt Extreme PCI:

InfoCrypt Extreme PCI is a standard PCI bus card that has on it the ASIC chip that is used in the InfoCrypt Enterprise. Compatible with host CPUs including the Intel Pentium range, common BIOSs including AMI, Award and Phoenix and various chip sets including Intel Triton, SIS, VIA and Opti, it is unlikely that there will be many configurations that are likely to use the InfoCrypt products requiring an Extreme PCI card that will turn out not to support it.

Platforms

• InfoCrypt Enterprise: * Topologies: IEEE 802 Ethernet (10 Mbps) - 10 BaseT, 100 BaseT; V.35; RS-232. * Protocols: IP, ARP, ICMP; TCP, UDP; SNMP MIB 1 and MIB 2; HDLC; Frame Relay; Synchronous PPP.
• InfoCrypt Manager: * Software: Microsoft Windows NT 4.0 or Windows 95. * Hardware: Pentium 90; 5 MB of available Hard-disc space; and, 8 MB of RAM. * Protocols: TCP/IP network.
• InfoCrypt Certificate Authority: * Software: Microsoft Windows NT 4.0 or Windows 95. * Hardware: Pentium 90; 5 MB of available Hard-disc space; and, 8 MB of RAM. * Protocols: TCP/IP network.
• InfoCrypt Desktop: * Software: Microsoft Windows NT Workstation version 4.0 or Windows 95. * Hardware: 486/33 MHz or higher, or Pentium or Pentium PRO processor; 5 MB of available Hard-disc space; 16 MB of RAM; CD-ROM drive; and, VGA, SGVA or video graphics adapter compatible with Windows NT Workstation 4.0
• InfoCrypt Server: * Software: Microsoft Windows NT Server version 4.0. * Hardware: 486/33 MHz or higher, or Pentium or Pentium PRO processor; 5 MB of available Hard-disc space; 16 MB of RAM; CD-ROM drive; and, VGA, SGVA or video graphics adapter compatible with Windows NT Server 4.0
• InfoCrypt Secure Token: * Software: InfoCrypt Server or Desktop; Microsoft Windows NT 4.0 (Server or Workstation) or Windows 95 (dependent upon associated InfoCrypt product). * Hardware: 486/33 MHz or higher, or Pentium or Pentium PRO processor; 5 MB of available Hard-disc space; 16 MB of RAM; CD-ROM drive; VGA, SGVA or video graphics adapter compatible with Windows NT Server 4.0; and, PCMCIA card reader release 2.1 or better.
• InfoCrypt Secure Token Drive: For a desktop without a PCMCIA reader: requires COM port.
• InfoCrypt Extreme PCI: Hardware: PCI bus in any PC.

Pricing

InfoCrypt Enterprise for US and Export:
		10Mbps Ethernet/Ethernet	$5,400
		10Mbps Ethernet/Serial, 100Mbps Ethernet/Ethernet & Ethernet/Serial	$6,200
InfoCrypt Enterprise 10Mbps Software Encryption:
		Ethernet/Ethernet	$3,750
		Ethernet/Serial	$4,700
InfoCrypt Manager:			$2,400
InfoCrypt Certificate Authority:			$2,400
InfoCrypt Desktop:			$181
		10 Users	$1,450
		25 Users	$2,700
		50 Users	$3,600
		250 Users	$11,000
		1000 Users	$18,000
InfoCrypt Server:			$1,999
InfoCrypt Secure Token:			$360
InfoCrypt Secure Token Drive:			$360
InfoCrypt Extreme PCI:			$1,650

Opinion

It is clear that the way forward with distributed networks is to make use of the Internet's flexibility, scale and robustness - it was designed with a military intention behind it in that it should still be able to work if a number of nodes are knocked out, something that was tested and proved in the case of the Kobe earthquake. The basic requirements of a network through which data can be passed without fear of modification, knowing that it was sent by the person who should have sent it, are met easily with this system which has evolved over almost two decades until it has got to a stage where Isolation Systems has launched it as a commercial package.

It would be nice to send all data by asymmetric encryption, using X.509 certificates to authenticate users but the processing overhead does not allow this to happen at LAN speeds even with ASIC technology. So, the small quantities of extremely important data are sent using this method whilst the rest of the data is encrypted using the fast and well understood DES technology. The automatic management of keys using cryptoperiods keeps the laborious job of assigning keys well away from human hands which, as we all know, will try to find ways of reducing the burden, often by increasing the length of the cryptoperiods - such action resulting in greater time for hackers to break keys and compromise security.

One of the important factors that anyone wishing to invest in VPN technology will be looking at is the scalability of the system. With the encryption being handled in the Enterprise by an ASIC or software and on a PCI card or software for the Desktop and Server, there are plenty of options to consider - likewise with the Secure Token, being applicable to a number of the products, providing an extra level of security.

Another factor under consideration is that of quality. The Secure Token is manufactured by Chrysalis-ITS. It complies with: military specifications relating to mechanical shock MIL-STD-202F, Method 213B (test condition A); and, vibration MIL-STD-202F, Method 204D (test condition B); and, international standard ISO 7816-1 regarding electrostatic discharge. The rest of the system is made by Sidus Systems Inc which is a manufacturer of high end personal computer systems and workstations which operates two ISO 9002 class manufacturing facilities: one in Toronto Ontario; and the other in Austin, Texas.

Strengths

• Automated generation of encryption keys which are then sent using powerful RSA public key encryption (United States export restrictions permitting). The manual generation of keys leads to corner cutting as a system grows - this eliminates that.
• The Secure Token used to store and perform all of the private key operations means that if the machine that is used to connect to the network is stolen, actual access is not stolen as well (assuming that the PCMCIA card is taken out when the machine is left unattended).
• The hardware is manufactured to stringent quality standards - DIN / ISO / ASA 9002. These standards offer tracability to the manufacturer so if some fault is reported, the production trail can be traced right back to the raw materials if necessary so that appropriate action can be taken to correct the problem and prevent it from happening again in the future. Such quality systems have been used in the car industry for decades and lead to very reliable products.

Weaknesses

• The Server and Manager can co-exist with other Windows NT applications leading to possible vulnerabilities. Whilst the Enterprise runs on its own and is almost immune to attack, the Manager which is used to configure it will run on an operating system that can have other applications running - anything from trusted networking products to games. There are also a number of well publicised vulnerabilities concerning Windows NT and anyone concerned about security who is running Windows NT should keep up to date with the current state of affairs.
• Users have a tendency to put PCMCIA cards with the machines themselves instead of keeping them separate. Such practice (akin to keeping a cheque book and cheque card together) should be stamped out at the beginning otherwise PCMCIA card protection is of no use.
• The centralisation of security in VPNs by the necessary use of the Certificate Authority makes the certificate authority itself the hacker's golden key and therefore a centralised target for attack. Consideration must be given to the physical protection of the network and this centre in particular as well as any vulnerabilities regarding the people who run it.

Conclusions

Making use of the Internet as an extended company network allows remote sites and home workers network access at a reasonable cost - companies that fail to take advantage of this do so at their own risk. This way of working is predicted to take off in the next few years and companies that have had a chance to establish their technology in the way that Isolation Systems has - with the military, government agencies and financial institutions - are well placed to provide the products that are needed to make a secure and trusted environment.

This line of products fits together very well and with the system working transparently, the user has no security to put up with other than that that is already in existence on his / her machine.

With quality being right, the price of this system so reasonable and the system itself being so scalable and flexible, anyone would be unwise not to give it serious consideration.

Company Profile

Founded in 1979 by Patrick Bird, Isolation Systems focused on custom solutions for very security conscious government agencies, financial institutions and the military. In the summer of 1996, it packaged the technology that it had developed into commercial, off-the-shelf products that it has targeted at the Internet.

Located in Toronto, Ontario, and with sales offices throughout the United States, the company now employs around thirty people with the majority of them working in research and development and engineering. Isolation Systems has performed well recently with revenue from its security products producing over 300% growth in the last two years. Isolation Systems' customers include: Bank of Montreal; Computer Sciences Corporation; E-Connect; Foreign Affairs - Government of Canada; IBM Argentina; iSTAR Internet Inc.; Scientific Applications International Corporation; Sea Change Corporation; Sidus Systems Inc.; Technolabs; Toronto Dominion Bank; Toronto Hydro; UUNET Canada; and, Yorkton Securities, with a number of these reselling Isolation Systems' InfoCrypt products to enhance their own services.

In March 1997, Isolation systems announced that Sidus Systems Inc will manufacture the InfoCrypt product range (in facilities complying with ISO 9002 (DIN/ASA 9002)) and distribute it in Canada. In May 1997, Isolation Systems announced a strategic partnership with Chrysalis-ITS Inc which now incorporates its Luna Token technology into the InfoCrypt series as Secure Token - a PCMCIA card with details of private keys - providing remote users with the option of an extra layer of protection.

With currently around four out of every five companies reluctant to use the Internet because of the perceived limitations of security, companies providing tested secure Virtual Private Networks with good specifications at reasonable prices are in a strong position in a sector of the market that will be expanding quickly by the end of the decade. Isolation Systems network security background, the established technology and competitive pricing of its InfoCrypt range indicates that it should go from strength to strength.

In Canada:
Isolation Systems Ltd
2 Eva Road
Suite 220
Toronto
Ontario
M9C 2A8
Canada
Tel: 1-888-ENCRYPT
Tel: +1 (416) 622 7500
Fax: +1 (416) 622 7577

In the US:
Isolation Systems Inc
8300 Boone Boulevard
Suite 500
Vienna
Virginia
22180
USA
Tel: +1 (703) 761 6757
Fax: +1 (703) 848 4586

Isolation Systems Inc
255 Park Avenue
10th Floor
Worcester
Massachusetts
01609
USA
Tel: +1 (703) 797 3082
Fax: +1 (703) 797 3088
Email: sales@isolation.com
WWW: http://www.isolation.com/

Copyright (c) 1997 P. A. Grosse. All Rights Reserved.

Back to the Internet Security Index

Back to the Index