An Evolution in B-to-B Security: Integrating PKI with VPNs for Advanced Internet Communications

Is this the year for Public Key Infrastructure (PKI) or Virtual Private Networks (VPNs) that incorporate PKI technology? There have been discussions in the market for a few years now about the emergence of these two critical security technologies for widespread business communications. While these technologies have been successfully implemented, they have yet to fully realize the high deployment figures previously anticipated. The open architecture of the Internet has created both a powerful network for information exchange and a rich, open highway for hackers and other security threats. IT professionals are faced with the dilemma of trying to harness the open environment of the Internet as a secure backbone for productive and cost-effective business transactions. Enter the technology of PKI and VPNs. The combination of VPNs and PKI creates a powerful communications solution for businesses that need to transact data in a sophisticated b-to-b network environment. However, according to a recent Information Week Research Global Information Security Study – conducted by PricewaterhouseCoopers – 70 percent of U.S. companies say they don’t use any type of two-factor authentication. If this is to be the year of integrating PKI with VPN for productive and secure b-to-b transactions, organizations need to consider critical business and technology issues before taking on the challenge of implementing such a sophisticated secure-communications solution.

Advanced Security Needed for B-to-B

IDC forecasts that the b-to-b e-commerce market will expand from $111 billion in 1999 to $1.3 trillion in 2003. Before organizations can take advantage of the booming b-to-b market, they must secure their applications to conduct and/or expand business over the Internet. B-to-b e-commerce demands a higher degree of trust than business-to-consumer (b-to-c). If confidential information about a corporation fell into the wrong hands, it could have devastating effects on that corporation’s competitive stance and create a high possibility of upsetting the market in general. Financial information, new product plans, source code, new research technology soon to be released, patent material and novel ideas are all examples of very sensitive data that require a high degree of security. From a financial standpoint, these transactions are usually in the millions of dollars – be it monetary dollars, stocks, bonds, or other securities movements or investments. It is this information that necessitates a higher level of security.

As the business world evolves to incorporate increasingly sophisticated b-to-b transactions, more companies are putting a greater piece of their business on the Internet – making the adoption of PKI and VPNs an important and necessary step forward in securing communications over public networks.

PKI and VPNs: The Key to Secure B-to-B

PKI refers to the technology, infrastructure and management practices needed to enable the effective use of public-key encryption and/or digital signatures in distributed applications or in larger scale implementations. PKI has emerged as the dominant security framework or infrastructure supporting the main concerns required for b-to-b e-commerce. Businesses must rely on this flexible and interoperable infrastructure to conduct trusted online business.

PKI is designed to protect information assets through:

• Authentication – validates the identity of parties in communications and transactions.

• Confidentiality – ensures that information cannot be viewed by anyone other than the intended parties.

• Data integrity and tamper detection – provides message authentication.

• Non-repudiation – ensures that a party cannot later deny a transaction it has committed, so that committed transactions remain legally valid and irrevocable.

• Availability – ensures that transactions or communications can be executed reliably upon demand.

VPNs maintain privacy through the use of an encrypted tunneling protocol and security procedures to secure communications over public networks, such as the Internet. Because VPNs make use of the public telecommunications infrastructure, they are a cost-effective solution that enables secure communications for the mobile workforce.

VPNs are a critical element of the PKI infrastructure that b-to-b communications will deploy – extending the advanced security infrastructure provided by PKI to a controlled and protected network environment. VPNs represent the best secure conduit by which PKI can be cost-effectively deployed in b-to-b communications over the Internet. While costly leased and dedicated lines are secure and effectively used with PKI, they are not realistic for widespread use in e-business.

So, What’s the Problem?

Today, the technology is in place to effectively integrate PKI and VPNs. However, the successful implementation of this powerful security solution is limited by the logistics of management and business decisions. One can always make strides to improve the technology to make it faster and more secure. However, it is the disparity that often exists between business objectives and chosen security solutions that seems to derail the next steps in taking the implementation from the pilot stage to full deployment.

The first priority of all organizations is to be successful, productive, and to make money for the stockholders and the organization/corporation. Studies and statistics show that businesses will settle for "good enough" security. Implementing a security solution that slows down business transactions because of a time-consuming installation process is often considered a higher risk than losing to competitors or not being first to market.

The misconception about security technology, in general, is that the market wants security. While security is important, it is only one critical element to the success of businesses in today’s b-to-b environment. If the security strategy and business goals do not align, it becomes painfully difficult for IT security professionals to make critical technology decisions for implementing an effective PKI-enabled VPN. For example, how should the administrator distribute certificates and private keys? Will these keys and certificates be self-generated by the end users, or will the organization’s administrators create and deploy all end-user cryptographic credentials? What form factors for credential storage will be utilized? Will they be smart cards, encrypted credentials on a desktop, or encrypted credentials stored on a server and then downloaded upon successful user authentication? Will the organization be its own Certificate Authority (CA) and follow the Entrust/Microsoft/Netscape models, or will it outsource, following the VeriSign model? These questions and more can be difficult for organizations to understand and answer, never mind implement. Without first fully understanding your business methodology, the resulting solution could be costly, cumbersome to users and insecure.

Defining the Solution

While a VPN solution that utilizes PKI offers the highest level of e-business security, it may not be necessary for every organization or company. Each organization must assess what its business needs are before it undertakes the energy, time and resources to implement a PKI-enabled VPN. Some questions to ask are: what level of security is appropriate? Is your business already using Secure Sockets Layer (SSL) – a simplistic form of PKI – for business transactions? This indicates that security is integral to productivity. But is this the right level? Have you realistically weighed risk versus security? Is your business looking to expand the network? When you introduce new technologies, such as DSL and cable modems, to enable fast connections for remotely working employees, you are introducing new risks to the corporate network infrastructure.

Selecting the Solution

Businesses need to invest some time to properly evaluate the plethora of PKI and VPN offerings, or they will find themselves without a working solution. The following are key security factors to consider in navigating the PKI/VPN landscape.

Avoid Interoperability Issues. Build upon your existing network. Your PKI-enabled VPN solution should pride itself on being built to standards. One important protocol to base a VPN solution on is the IP Security (IPSec) standard. Your VPN solution should be certified as IPSec-compliant. The International Computer Security Association (ICSA) and VPN Consortium (VPNC) are two third-party organizations that certify VPN solutions that you can rely on.

Most vendors are committed to building their products to standard. But, this hasn’t solved the interoperability issue. A common misconception about interoperability is the idea that a lack of standards causes slow deployment and interoperability issues. This is not true. Vendors agree on the spirit of and terminology for PKI and VPN standards. However, these standards leave room for interpretation. It is this interpretation that is creating interoperability issues. There are correct standards in place, and most VPNs and PKI are, in general, being built upon them. This is the foundation. Whether companies choose to follow them or how they interpret these standards is another issue. One way to minimize interoperability issues is to search for a VPN solution that comes from a vendor that is already part of your network infrastructure (i.e., your router, firewall or other security appliance vendors). Vendors that integrate VPN solutions into their product offerings have already rigorously tested and proved out most interoperability issues – which offers a big advantage over purchasing a VPN solution and then trying to incorporate it into an existing infrastructure. This can cause finger-pointing among vendors who have interpreted standards differently, and who are also unwilling to alter their methodology. This can leave you, along with your VPN vendor, the burden of trying to fix these interoperability issues – which adds additional expense and time to the process.

Centrally Manage Your Solution. VPN configuration should not be left to the end user. The PKI-enabled VPN you decide to purchase and integrate should be designed as an administrative tool. It needs to be easily controlled, configured, implemented and managed by the individuals who are your corporate security experts and responsible for network security. Utilizing a VPN solution that your network infrastructure vendors have already incorporated into their products and tested enables the network administrator to build upon a familiar network environment, creating a solution that is easier to manage and, in turn, more transparent to the end user.

It is also important that you make sure your solution supports the Certificate Revocation List (CRL) or an equivalent function, such as OCSP. The CRL is a publicly available list of certificates that have been revoked. This list ensures that revoked certificates are not misused. One issue that still needs to be resolved is the interoperability of CRLs with various certificate authorities, so that they can be shared among different vendor implementations. While total interoperability does not exist, it is imperative that your CRL is supported and interoperates with your CA.

Cost. There has been much discussion about costs per seat of a PKI solution, initial deployment, and ongoing management. One of the biggest issues raised is the cost of certificates from CAs, which can be as high as $100 per user. Couple this with the option of storing these certificate credentials on smart card form factor, and you just added an additional cost of anywhere between $50-$100 depending upon the type of smart card, crypto card or memory size used. Included in this cost would be your choice of a smart card reader, be it serial or PCMCIA. The pricing and packaging varies from PKI vendor to PKI vendor, and it also depends upon whether you decide to deploy your own PKI schema or outsource the service. Cost remains a big hurdle even though the proposed result can show a cost-effective, flexible and scalable solution. However, many are still cringing over the initial expense coupled with unknown management and deployment concerns.

While cost will always be a concern with any new technology, you can minimize any long-term expenses by carefully selecting the vendors you work with. Not all VPN or PKI solutions are created equal. Who is standing behind them? In these situations, you are buying the skill set, the trust and the services of the company. While cost is an important factor in selecting a vendor, you must give equal consideration to other issues, such as vendor reputation, stability, understanding who the vendor’s business partners are, and business model. You also should examine the vendor’s sales model. Does the vendor sell directly to end users or through original equipment manufacturers (OEMs)? Many OEMs, such as router, firewall, server and security appliance vendors, will bundle the VPN solution at no cost. All of these factors should be taken into account in making an informed vendor and solution decision.

Looking Forward

For secure b-to-b transactions, PKI should be viewed as an enabling technology that can be integrated into the network infrastructure as a foundation to build your secure business applications. The concept or technology in general is not that difficult to comprehend. The harder piece is effectively implementing PKI around your VPN. How do you handle deployment of keys, secure distribution of certificates and certificate revocation lists? The technology is available, but the success of the implementation is directly related to developing a cohesive security strategy that corresponds with your business goals.

Bill Pozerycki is the Director of Product Management at SafeNet Inc. (formerly IRE) in Baltimore, a provider of Virtual Private Network (VPN) technology and solutions for secure business communications. He can be reached at

The Untold Cost of Viruses -- Corporate Credibility by Graham Cluley

If you read most of the media reports about the latest virus to hit the headlines, you will probably believe that the worst a virus can do is destroy your data. But, is this really a disaster? After all, most companies make backups of their important data and if hard disks get wiped – although inconvenient – they can be recovered. In this way, viruses can disrupt business (potential high costs in itself), but at least the business can usually be brought back to life – given time.

A much greater danger in my view (and one which is seldom considered by anti-virus vendors and system administrators alike) is the damage a virus can cause your company’s credibility and reputation. If viruses successfully damage this, it may be impossible to recover totally.

There are several types of viruses that have specific influence on how an organization may be perceived, and which are capable of affecting its credibility amongst its peers, the stock market and its customers.

The first type are viruses that can take your spreadsheets and Word documents and make occasional and very subtle changes to them. They may simply shuffle numbers around, or multiply every 15th number by 0.95. Whereas a virus that destroys data files can be quickly spotted, a virus that makes very small changes to the content of a file may go unnoticed for weeks, if not months.

Imagine you were publishing financial information and data about your company, and it had been corrupted in this way. Such data corruption may not be noticed for months – and when it finally is you may need to make an embarrassing retraction that could affect how investors view your organization.

Then, there are viruses that for want of a better term I will call "binary blabbers." These are viruses that can forward confidential information from your computer to your fellow colleagues, competitors and the general public via your e-mail system. The last thing you want if you are plotting the overthrow of your arch enemy competitor, is for a virus to forward your master plan to your intended victim! Who needs industrial espionage when a virus can damage your organization’s confidentiality this way?

Viruses such as Happy99 notice whenever you send an e-mail or make a Usenet posting, and send themselves at the same time. If you search on Dejanews, you will find hundreds of companies who have accidentally spread this virus. How do you know? Because their virus-infected postings are there for anybody to see, with clear details of who sent it and when. It is very hard for companies to deny they have spread a virus in this way. You can imagine the damage this can do to a company’s reputation.

Finally, there are those companies who have simply not kept their anti-virus software up to date, or not followed safe computing practices, and sent customers a virus directly. For instance, in August 1999, Fuji Bank sent a document to investment partners regarding its forthcoming merger with the Industrial Bank of Japan and Dai Ichi Kangyo Bank. However, when investors opened the document Fuji Bank had sent them, a message box popped up informing them they were "big stupid jerks."

If you sent a virus to one of your largest customers would you ever be able to recover your reputation? It can be seen that the costs of recovering your credibility as a company due to a virus can be much greater than simply restoring destroyed data from a backup.

So, what can be done? Clearly up-to-date good anti-virus software is a must, but it isn’t a 100 percent solution. Companies should consider implementing "safe hex" procedures and rules to further reduce their chances of being hit by a virus. The good news is that these rules and procedures can be put in place without giving any money to anti-virus companies.

1. Stop using DOCs. Instead use pure Rich Text Format for your Word documents, because that doesn’t support the macro language. There is a caveat to this advice. Some macro viruses intercept File SaveAs RTF and save a file with a .RTF extension that actually contains a DOC format file! So, it needs to be true Rich Text Format. Tell the people that you deal with that you would rather they sent you RTF or CSV files, rather than DOC or XLS.

2. Change your CMOS bootup sequence so that rather than booting from drive A: if you leave a floppy in your machine, you boot by default from drive C: instead. This should stop all pure boot sector viruses (like Form, AntiEXE, AntiCMOS, Monkey, Parity Boot, etc.) from infecting you. If you do occasionally need to boot from a floppy disk, the CMOS can be quickly switched back.

3. Don’t run/open unsolicited executables/documents/spreadsheets/etc. Adopt a paranoid attitude; if you don’t know something to be virus-free, assume it is not virus-free. Have a strict policy in your organization that downloading executables and documents from the Net is not acceptable, and that anything that runs in your organization has to be virus-checked and approved first.

4. You might benefit from a hoax policy you could deploy amongst your staff. Consider a hoax policy like this: "You shall not forward any virus warnings of any kind to anyone other than [insert name of the department or staff member who looks after anti-virus issues]. It doesn’t matter if the virus warnings have come from an anti-virus vendor or been confirmed by any large computer company or your best friend. All virus warnings should be sent to [insert name], and [insert name] alone. It is [insert name’s] job to send round all virus warnings, and a virus warning which comes from any other source should be ignored."

5. If you don’t need Windows Scripting Host, turn it off. This will permanently protect your computer from attacks, such as those carried out by the Love Bug and the Life Stages worm. Instructions on how to turn it off are detailed at

6. If you use floppy disks, write-protect them before inserting them into other users’ computers. Viruses are incapable of circumventing hardware protection. Some people are surprised to hear that boot sector viruses (which only transmit via floppy) are still so commonly encountered. It is likely the increased use of laptops has meant that floppy disk viruses are far from dead.

7. Keep an eye on Microsoft’s security bulletins. These can warn of new security loopholes and issues with Microsoft’s software. You can subscribe at their Web site at

8. Subscribe to an e-mail alert service that warns you about new, in-the-wild, viruses. Most anti-virus companies provide this kind of service. Sophos offers access to a free mailing list at

9. Block unwanted file types at the e-mail gateway. Recently, there has been an increase in viruses using file types, such as VBS and SHS, to spread. It is unlikely your company ever needs to receive files of these types from outside. In these cases, Sophos recommends blocking all of them at the e-mail gateway – whether they are virus-infected or not. Furthermore, some viruses try to "hide" their true executable nature by using "double extensions." Sophos recommends blocking any file that has "double extensions" from entering the organization.
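Steps 1 and 9 above both come down to checks a mail gateway can make before an attachment reaches a user: reject the file types the article says are rarely needed from outside, reject "double extension" names, and confirm that a file labelled .RTF really is Rich Text Format rather than a Word .DOC saved under an RTF name. The following is an added example written for this page, not code from Sophos or from the author; the blocked-type list is a constructed policy (only the VBS and SHS types named above), the sample attachments are constructed, and the two magic-byte constants are the real signatures of RTF text and of the OLE2 compound-document container that .DOC and .XLS files use.

```python
"""Mail-gateway attachment checks for the 'safe hex' rules (constructed example)."""
import re
from typing import List, Optional, Tuple

# Constructed policy: file types the article says a company rarely needs from outside.
BLOCKED_EXTENSIONS = {"vbs", "shs"}

# Real signatures: RTF text starts with "{\rtf"; Word/Excel binaries are OLE2
# compound documents that start with D0 CF 11 E0 A1 B1 1A E1.
RTF_MAGIC = b"{\\rtf"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# basename followed by two or more short extensions, e.g. "report.txt.vbs"
_MULTI_EXT = re.compile(r"^[^.]+(?:\.[A-Za-z0-9]{1,5}){2,}$")


def extensions(filename: str) -> List[str]:
    """Lower-cased extension parts: 'Report.TXT.vbs' -> ['txt', 'vbs']."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def has_double_extension(filename: str) -> bool:
    """True for names carrying two or more extensions (the article says block them all,
    so a name like 'v1.2.tar' is flagged too). Whitespace is collapsed first, since
    padding is sometimes used to push the real extension out of view."""
    return bool(_MULTI_EXT.match(re.sub(r"\s+", "", filename)))


def content_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Catch an RTF-labelled file that is really a .DOC (step 1's caveat), and more
    generally a text-type extension sitting on an OLE2 binary container."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    if last == "rtf" and not data.lstrip().startswith(RTF_MAGIC):
        return "rtf extension but content is not RTF"
    if last in {"csv", "txt"} and data.startswith(OLE2_MAGIC):
        return f"{last} extension but content is an OLE2 (DOC/XLS) container"
    return None


def evaluate_attachment(filename: str, data: bytes) -> List[str]:
    """Return the policy violations for one attachment; an empty list means it passes."""
    reasons: List[str] = []
    exts = extensions(filename)
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked file type .{exts[-1]}")
    if has_double_extension(filename):
        reasons.append("double extension")
    mismatch = content_mismatch(filename, data)
    if mismatch:
        reasons.append(mismatch)
    return reasons


# Constructed sample attachments; none of this is real mail traffic.
SAMPLES: List[Tuple[str, bytes]] = [
    ("quarterly.rtf", b"{\\rtf1\\ansi Quarterly figures ...}"),
    ("quarterly.rtf", OLE2_MAGIC + b"\x00" * 64),          # .DOC saved as .RTF
    ("report.txt.vbs", b"On Error Resume Next"),            # double extension + VBS
    ("prices.csv", b"sku,price\n1001,9.99\n"),
    ("setup.shs", b"\x00" * 16),
]


def gateway_report(samples=SAMPLES) -> List[Tuple[str, List[str]]]:
    """Evaluate every sample and pair each name with its list of violations."""
    return [(name, evaluate_attachment(name, data)) for name, data in samples]


if __name__ == "__main__":
    for name, reasons in gateway_report():
        verdict = "BLOCK" if reasons else "allow"
        print(f"{verdict:5} {name}: {'; '.join(reasons) or 'ok'}")
```

The RTF check is the interesting one: it looks at the bytes rather than the name, which is exactly what step 1's caveat calls for, since a macro virus that intercepts Save As will produce a file whose name says RTF and whose contents say OLE2. In a real gateway the same structure extends naturally to other container types, but the point here is that extension and content are checked independently and either one can block the file.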

The above steps can dramatically reduce your chances of virus infection. If you are concerned about how viruses could damage the reputation of your company, consider putting them in place. Remember that the best way to deal with viruses is before they strike. Take preventative action now to reduce the risk in the future.

Graham Cluley is Director of Corporate Communications at Sophos Anti-Virus (Abingdon, England).