Network Security: Secure Communication in Virtual Enterprises with Encryption, Digital Signature and Firewall
Dipl.-Ing. Norbert Pohlmann
Chief Marketing Director
Utimaco Safeware AG 09.07.2016
Contents
Security needs for Concurrent Multidisciplinary Engineering
Security Concepts
Encryption (Black-Box-Solution)
Digital Signature
Firewall-System
Combined Solutions
Concurrent Multidisciplinary Engineering
[Figure: Design Centre, CAD/CAM Office, Test Facility and Industry sites, each with a server and workstations, connected over an international network]
Security Needs for Concurrent Multidisciplinary Engineering (1)
confidentiality
know-how protection
competitors try to gain access to the development results
non-repudiation
to ensure that the correct information is received and worked with
responsibility for the result (wrong results may cause tremendous damage)
integrity of data
no manipulation during transmission
no virus infection
Security Needs for Concurrent Multidisciplinary Engineering (2)
access control
strangers should not have access to the computers or networks to be protected
access-right management
only authorised people should have access to the computer
authentication
only communication protocols and services which are permitted should be used
logging
security relevant events can be logged and analysed
events can be logged and thus be used as evidence
Encryption with the help of a Black-Box Solution (Security System with Packet Filter)
[Figure: Design Centre, CAD/CAM Office, Test Facility and Industry sites, each with a server and workstations, connected over an insecure network; a KryptoGuard device sits at the edge of each site, and together they form a secured area administered by a Security Management System (SMS). Services: confidentiality (connection oriented), authentication, access control, logging]
Security Services which are provided with this kind of Black-Box Solution
confidentiality of data (setting up VPNs)
it is impossible to read data in plaintext
authentication
implicit by means of encryption
explicit by means of authentication mechanisms
access control
only logical connections which are permitted can be set up
strangers cannot have access to end systems
access-right management
only communication protocols and services which are permitted can be used
logging
security relevant events can be logged and analysed
Security System with Packet Filtering
advantages
black box solution
transparent security
easy to integrate
no change of application necessary
independent of computer system and operating system
supports all kinds of communications:
session oriented (Telnet etc.)
store and forward (e-mail)
combines easy handling with clearly defined responsibilities
disadvantages
key management
either one organisation (normally the company which pays) has to take over responsibility
or all have to employ the same product (problem presently: no standard or trustworthy infrastructure is available)
no non-repudiation
has to be realised via other mechanisms
no control on application level
Digital Signature and Object Encryption
[Figure: Design Centre, CAD/CAM Office, Test Facility and Industry sites, each with a server and a Security Gateway (SG), exchanging E-Mail, FTAM and EDIFACT objects over an international network; a Trust Center issues the certificates. Services: digital signature, confidentiality (object oriented)]
Signature Function
[Figure: user A unlocks the smart card with a PIN; the card holds the private key of user A. The document in plaintext is passed through a one-way hash function, giving a cryptographic check-sum; the public key algorithm signs this check-sum with the private key, producing the signature of A. Signature of A and certificate of A are attached to the document as security information, and the result can be transmitted as a confidential document]
Certification Authorities
[Figure: a Certification Authority (Trust Center) issues certificates of public keys for all users (User 1 ... User n) and computer systems (WS 1 ... WS n, Server); the certificates are published, e.g. through a directory service]
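The signature flow of the Signature Function slide together with the Trust Center of this slide, as an added example that is not part of the original presentation or of Utimaco's products: SHA-256 stands in for the one-way hash function, textbook RSA generated at runtime (no padding, so not for production use) for the unnamed public key algorithm, a PIN-checked SmartCard class for the card holding user A's private key, and a JSON blob signed by the Trust Center for the certificate. The subject name, PIN and document text are constructed.

```python
"""Signature function plus Trust Center certificate (the two slides above):
one-way hash -> cryptographic check-sum -> public key algorithm with the
private key on a PIN-protected smart card -> signature and certificate
attached as security information. Added illustration, not Utimaco code."""
import hashlib
import json
import secrets
from typing import Dict, NamedTuple, Tuple

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test with a small-prime pre-filter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:  # odd random candidate with the top bit set, until one passes
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

KeyPair = NamedTuple("KeyPair", [("n", int), ("e", int), ("d", int)])

def generate_keypair(bits: int = 1024) -> KeyPair:
    """Textbook RSA key pair; stands in for the slide's public key algorithm."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return KeyPair(p * q, e, pow(e, -1, phi))

def check_sum(data: bytes) -> int:
    """One-way hash function; its digest is the cryptographic check-sum."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_sign(data: bytes, key: KeyPair) -> int:
    return pow(check_sum(data), key.d, key.n)

def rsa_verify(data: bytes, signature: int, n: int, e: int) -> bool:
    return pow(signature, e, n) == check_sum(data)

class SmartCard:
    """Holds its user's private key; signs only after the PIN is verified."""
    def __init__(self, key: KeyPair, pin: str):
        self._key, self._pin = key, pin
        self.public = (key.n, key.e)
    def sign(self, data: bytes, pin: str) -> int:
        if not secrets.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return rsa_sign(data, self._key)

def issue_certificate(ca_key: KeyPair, subject: str, public: Tuple[int, int]) -> Dict:
    """Trust Center: bind a subject name to a public key and sign the binding."""
    body = json.dumps({"subject": subject, "n": public[0], "e": public[1]}, sort_keys=True).encode()
    return {"body": body, "ca_signature": rsa_sign(body, ca_key)}

def sign_document(document: bytes, card: SmartCard, pin: str, cert: Dict) -> Dict:
    """Security information = signature of A + certificate of A."""
    return {"document": document, "signature": card.sign(document, pin), "certificate": cert}

def check_signed_document(signed: Dict, ca_public: Tuple[int, int]) -> Tuple[bool, str]:
    """Recipient: check the certificate against the Trust Center key, then the document."""
    cert = signed["certificate"]
    if not rsa_verify(cert["body"], cert["ca_signature"], *ca_public):
        return False, ""
    ident = json.loads(cert["body"])
    if not rsa_verify(signed["document"], signed["signature"], ident["n"], ident["e"]):
        return False, ""
    return True, ident["subject"]

def demo() -> Tuple[bool, str, bool, bool]:
    """Constructed scenario: a Trust Center, user A's card, one signed CAD document."""
    ca_key = generate_keypair()
    card = SmartCard(generate_keypair(), pin="1234")
    cert = issue_certificate(ca_key, "user A", card.public)
    signed = sign_document(b"CAD model rev 7: wing spar tolerances", card, "1234", cert)
    ca_public = (ca_key.n, ca_key.e)
    tampered = dict(signed, document=signed["document"] + b" (edited in transit)")  # manipulation
    forged = dict(signed, certificate=issue_certificate(generate_keypair(), "user A", card.public))
    ok, who = check_signed_document(signed, ca_public)
    return ok, who, check_signed_document(tampered, ca_public)[0], check_signed_document(forged, ca_public)[0]
```

demo() exercises the two failure cases a recipient relies on: a document manipulated during transmission no longer matches the signed check-sum, and a certificate not issued by the recipient's Trust Center is rejected before the document signature is even looked at.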
Digital Signature and Object Encryption
advantages
integrated into application
legally recognised signature (as a signature under a document)
secures only what needs to be secured (selection possible)
requirements:
secure, trustworthy infrastructure
supplied by Signature Law (in Germany)
disadvantages
no access control
no access-right management
not combinable with session-oriented communication
(analogy: envelope and handwritten signature)
Firewall System
[Figure: Design Centre, CAD/CAM Office, Test Facility and Industry sites, each with a server and workstations, connected over an international network; each site is protected by a Firewall made up of an Application Gateway and a KryptoGuard. Functions: access control (network level, user level), access right management, control on application level, separation of insecure services, logging and audit, preservation of evidence, concealment of the internal network structure]
Risks in public networks:
What are the problems?
High-tech spies steal someone’s know-how and sell it profitably to competitors.
Hackers intrude into the local networks of public authorities and companies and manipulate data or smuggle in wrong information.
Netsurfers paralyze the whole computer system of a company and cause economic damages amounting to millions.
A public network is not a “one-way street”
[Figure: the network to be protected, with its workstations (WS), attached directly to the insecure network]
Objectives of a Firewall System
access control on network level
access control on user level
access-right management
control on application level
separation of insecure services
logging and audit
preservation of evidence
concealment of the internal network structure
Integration of a Firewall System
[Figure: the Firewall system is placed between the insecure network and the network to be protected (workstations WS) as the Common Point of Trust]
Structure of an active Firewall element
[Figure: the Integration module sits between the insecure network and the network to be protected and passes the communication data to the Firewall security modules. An authentication module and an analysis module examine the data; the result of analysis goes to the decision module, which applies the set of rules. Security relevant events are handled by the processing module for security relevant events, written to the logbook and reported as a warning to Security Management]
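The module chain of this slide, as an added example that is not part of the original presentation or of Utimaco's products: an analysis module matching connection attempts against a set of rules, a decision module that defaults to deny, a logbook, and a warning to Security Management once a source has been refused repeatedly. It is also the check the packet-filter slide earlier describes as "only logical connections which are permitted can be set up". The rule format, the warning threshold, the addresses (from the documentation ranges) and the sample connection records are all constructed.

```python
"""Active firewall element: integration -> analysis -> decision (set of rules)
-> logbook and warning. Added illustration, not Utimaco product code; rules,
threshold, addresses and sample connection records are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str                  # source network, CIDR
    dst: str                  # destination network, CIDR
    service: str              # "smtp", "ftp", "telnet", ... or "*" for any
    action: str               # "permit" or "deny"
    needs_user: bool = False  # user-level access control: match only authenticated users

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    user: Optional[str] = None  # filled in by the authentication module, None if anonymous

@dataclass
class FirewallElement:
    rules: List[Rule]
    warn_threshold: int = 3  # constructed: denials from one source before a warning is raised
    logbook: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    denials: Dict[str, int] = field(default_factory=dict)

    def analyse(self, conn: Connection) -> Optional[Rule]:
        """Analysis module: the first rule that matches the connection, or None."""
        for rule in self.rules:
            if (ip_address(conn.src) in ip_network(rule.src)
                    and ip_address(conn.dst) in ip_network(rule.dst)
                    and rule.service in ("*", conn.service)
                    and (conn.user is not None or not rule.needs_user)):
                return rule
        return None

    def decide(self, conn: Connection) -> bool:
        """Decision module: default deny, every outcome logged, repeated denials warned."""
        rule = self.analyse(conn)
        permitted = rule is not None and rule.action == "permit"
        self.logbook.append(f"{'PERMIT' if permitted else 'DENY'} {conn.src} -> {conn.dst} "
                            f"{conn.service} user={conn.user or '-'}")
        if not permitted:
            self.denials[conn.src] = self.denials.get(conn.src, 0) + 1
            if self.denials[conn.src] == self.warn_threshold:  # security relevant event
                self.warnings.append(f"{conn.src}: {self.warn_threshold} denied attempts, "
                                     f"last {conn.service} to {conn.dst}")
        return permitted

def run_demo() -> Tuple[List[bool], FirewallElement]:
    # Constructed networks: 10.1.0.0/16 is the network to be protected,
    # 192.0.2.0/24 a partner site, 203.0.113.0/24 the insecure network.
    fw = FirewallElement(rules=[
        Rule("10.1.0.0/16", "0.0.0.0/0", "smtp", "permit"),  # outbound mail (store and forward)
        Rule("192.0.2.0/24", "10.1.5.0/24", "ftp", "permit", needs_user=True),  # authenticated partners
    ])
    attempts = [
        Connection("10.1.2.3", "203.0.113.10", "smtp"),
        Connection("192.0.2.7", "10.1.5.20", "ftp", user="alice"),
        Connection("192.0.2.7", "10.1.5.20", "ftp"),       # same path, but not authenticated
        Connection("10.1.2.3", "203.0.113.10", "telnet"),  # service not permitted outbound
        Connection("203.0.113.5", "10.1.5.20", "telnet"),
        Connection("203.0.113.5", "10.1.5.21", "telnet"),
        Connection("203.0.113.5", "10.1.5.22", "telnet"),  # third denial -> warning
    ]
    return [fw.decide(c) for c in attempts], fw

if __name__ == "__main__":
    decisions, fw = run_demo()
    print("\n".join(fw.logbook))
    print("\n".join(fw.warnings))
```

Two design points carry over from the slide: a rule that requires an authenticated user simply does not match an anonymous attempt, so the attempt falls through to the default deny instead of being silently accepted, and every decision, permitted or not, is written to the logbook so that the evidence the slides ask for is preserved independently of whether a warning was raised.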
Firewall System
advantages
every organisation is responsible for its own security
no unauthorised access to the computer to be protected
access-right management
preservation of evidence
independent of terminals and operating system
disadvantages
integrity of data and confidentiality have to be realised via other means
no non-repudiation
(analogy: firewall and doorman)
Combinations
[Figure: Design Centre, CAD/CAM Office, Test Facility and Industry sites, each with a server and a Security Gateway (SG), connected over an international network; each site is protected by an Application Gateway with KryptoGuard, and a Trust-Center issues the certificates.
Digital signature and object encryption (SG): digital signature, confidentiality (object oriented)
Encryption black box (KryptoGuard): confidentiality (connection oriented), authentication, access control, logging
Firewall system: access control (network level, user level), access right management, control on application level, separation of insecure services, logging and audit, preservation of evidence, concealment of the internal network structure]
Summary
Solutions for the realisation of secure Concurrent Multidisciplinary Engineering are available
Combination of different concepts fulfils all security needs
Organisations with their own responsibility are able to act independently
When smart cards are used, they can be employed for the digital signature as well as for authentication with the Firewall system
Why Security?
Information society: fundamental changes
An increasing number of work processes are done via IT systems and networks
the network becomes a new target for attackers
Increasing value of information stored on IT systems
The value of the complete documentation of an R&D unit can easily exceed millions of $
Secure and reliable payment and transactions via insecure networks (e.g. Internet)
Lack of appropriate morals
Why Security?
Requirements for security
self-protection against espionage is necessary
legal regulations have to be fulfilled