White Paper Stealth Connect Solution
White Paper
FUJITSU Security Solution
SURIENT SCS (Stealth Connect Solution)
The new Stealth Connect Solution means authorised users are able to log into the data centre over a secure
Virtual Private Network (VPN). For would-be attackers, the data centre is not accessible and so cannot be
attacked.
Contents
Introduction .................................. 1
Objective ..................................... 2
Base technologies ............................. 3
Components of the solution .................... 3
General mode of operation ..................... 4
High availability ............................. 5
Page 1 of 5
http://ts.fujitsu.com/Security
Introduction
Mobility and connectivity are of crucial importance for successful business workflow. Managers often take business trips, and every day exchange
sensitive data over WLANs, integrated UMTS or any network available. This is the reason why data protection is steadily gaining in significance.
Have you ever considered what could happen if your critical business data fell into the wrong hands?
The comprehensive IT security approach, developed by Fujitsu as part of the “Digital Sovereignty” research and development project, goes far
beyond existing models. For data and processes requiring particular protection, it offers levels of security thus far not attained – from end device
and transport channel right up to the data centre.
The developers and engineers at Fujitsu have identified the potential vulnerabilities in end devices, transport channels and data centres, and
devised new technical and organisational measures to close them. The “Digital Sovereignty” project pursues the objective of creating secure
application environments on top of existing, and therefore potentially insecure, infrastructures, and of guaranteeing the highest degree of
security – all without any trade-off in ease of use or performance.
As part of the overall “Digital Sovereignty” project, Fujitsu includes a diversity of individual measures and incorporates them into a coherent
overall concept.
The first modules available:
• Managed Rack Solution (MRS) – physical access protection for server racks with biometric authentication
• Sealed Rack Solution (SRS) – highly secure server rack providing protection against physical access and electronic attacks
• Encrypted Boot Solution (EBS) – automated boot process of servers with encrypted hard drives
• Stealth Connect Solution (SCS) – secure VPN solution for authorised users
• Sealed Application Solution (SAS) – end-to-end secure client with encrypted communication
• Secure Middleware Technology (SeMi) – technology for secure communication between computers
[Figure 1 diagram: threats (Secret Services, Organised Crime, Industrial Espionage) against the path from end device over the HTTPS/SSL transport channel to the Data Centre; “Digital Sovereignty” shown as the basis protecting each stage]
Figure 1: Continuous security with the “Digital Sovereignty” innovation from Fujitsu
The Stealth Connect Solution is explained in more detail below.
Objective
An external attacker looking to access data centre information usually starts by “scanning” the servers using detailed port scans to locate
potential points of attack. When a server (or a service running on it) responds to the queries, the vulnerabilities of this service can be located
and exploited. This is the way attackers normally gain unauthorised access into systems, enabling them to tap into and manipulate information.
On the other hand, authorised users for whom a connection is provided can establish a link as usual – such as to a web service or via a Virtual
Private Network. On the Stealth Data Center, however, the VPN port of the server process is disabled: an attacker receives no reply to a port
scan, and therefore no information on where a point of attack may be located.
The current implementation supports the set-up of VPNs (Virtual Private Networks) from any locations (changing IP addresses). VPNs enable the
set-up of a secure, encrypted link over which any other services of a company can be used.
The use of Open Source and the disclosure of program source code to our customers, for example, enable high levels of transparency and
verifiability of the solution.
Base technologies
Below are the most important base technologies used in the implementation:
• The Debian Linux distribution is used as the secure and hardened base operating system for the Stealth Connect Solution.
• Communication of the Secure Middleware over closed ports is used as the basis for the secure establishing of links on the Stealth Connect
Solution. Secure Middleware is described in a separate white paper.
• The set-up of a VPN is currently implemented. This supports strong encryption (configurable) and Perfect Forward Secrecy.
• The set-up of a VPN link is initiated via protocols nested within each other. Cracking one of the protocols used therefore does not result in
enabling of the VPN. This also applies to the set-up of the VPN itself.
The following methods and tools are currently supported and used for encryption and signature:
• OpenVPN
• GNU Privacy Guard (GnuPG)
• SSH
Components of the solution
The solution is made up of the following components:
• Decentralised Stealth Connect Box, which establishes a specific VPN to the central office from a remote office (for example) for all the PCs in
that office. As an alternative, a Windows software client (Stealth Connect Client) will be available in the future (possibly also for other operating
systems, depending on customer requirement).
• Central Stealth Connect Appliance, which protects the head office network located behind it from attacks, and realises a complete port inhibit
of the VPN server for attacks from the Internet. The Stealth Connect Appliance itself comprises an internal router, an internal relay server and
the actual VPN server.
• Defined procedure for integration into the company network
• Optional integration and security services
[Figure 2 diagram: Head Office with the Stealth Connect Appliance; Internet/Intranet; Office 1 and Office 2 each connected via a Stealth Connect Box; a single Stealth Connect Client]
Figure 2: Components of the solution
General mode of operation
The Stealth Connect Solution protects the establishing of links for continuous communication (session). It thereby prevents an attacker from
gaining any usable access to communication. Beforehand, the attacker is blocked by a packet filter – so no open port is available to attempt an
attack on the VPN. This objective is also achieved when an attacker is located behind the same NAT as a normal user. Attacks using a zero-day
exploit¹ or a man-in-the-middle are also severely hampered.
[Figure 3 diagram: Stealth Connect Appliance containing Router (1), Relay Server (2) and (VPN) Server (3), with Server 1, Backup Server 2, Administration Network and Monitoring Network behind it; Internet/Intranet; NAT with Client 1, Client 2, Client 3 and a Stealth Connect Box. Key: no open ports; 1 port open; temporarily opened IP addresses / ports]
Figure 3: General mode of operation of the Stealth Connect Solution
Main sequence of events:
1) Client 1 sends a request to establish a VPN to the Stealth Connect Appliance. The Stealth Connect Appliance receives this request and actions
it internally. It forwards the information internally to the relay server, which checks the relevant authorisation. The relay server generates a
random port number, P, and sends it to Client 1.
2) The relay server uses the Secure Middleware to send the information and authorisations received from the client, including random port P, to
the VPN server. The authorisations are checked again in this step.
3) Client 1 authenticates itself with the VPN server using port P (temporarily opened for it), and establishes the VPN. The communication
relation for this IP address is then restricted to this specific client (Client 1). Other non-authenticated clients behind the same NAT therefore
cannot establish any further connections. Existing links of authenticated clients are not affected.
Client 2 (such as in an office environment or work group) can also access the VPN server via the Stealth Connect Box, whilst Client 3 has no
access to the Appliance Server. Other clients not located behind the NAT shown receive no information whatsoever (“open ports”) from the VPN
server during a login attempt (by Client 1 for example).
¹ Zero-day exploit is the name given to an exploit used before a patch is available as a countermeasure. Developers therefore have no time (zero days) to improve
the software such that the exploit becomes ineffective.
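The three-step sequence above, as an added simulation that is not Fujitsu's code and not taken from the white paper: the relay server, VPN server and packet filter are plain Python objects, the Secure Middleware hop between relay and VPN server is a direct method call, and the authorised client table, the NAT and attacker addresses and the port pool for P are constructed assumptions. It shows what a port scanner sees while no link is pending and while Client 1 is logging in, why the opened port P cannot be reused by another client behind the same NAT, and that the established session survives the lock-down.

```python
"""Model of the Stealth Connect link set-up (steps 1-3), default-deny throughout."""
import secrets
from dataclasses import dataclass, field

# Constructed sample data (assumptions, not from the white paper).
AUTHORISED = {"client1": "s3cret-one", "client2": "s3cret-two"}  # client -> shared secret
NAT_IP = "198.51.100.7"        # address the clients behind the NAT appear from
ATTACKER_IP = "203.0.113.9"    # a scanner elsewhere on the Internet
PORT_RANGE = (40000, 50000)    # assumed pool from which random port P is drawn


@dataclass
class PacketFilter:
    """Filter in front of the VPN server: a port answers only for the single
    source IP it was opened for; every other packet is dropped silently."""
    rules: dict = field(default_factory=dict)   # port -> allowed source IP

    def allows(self, src_ip: str, port: int) -> bool:
        return self.rules.get(port) == src_ip

    def open_for(self, port: int, src_ip: str) -> None:
        self.rules[port] = src_ip


@dataclass
class VPNServer:
    pf: PacketFilter
    pending: dict = field(default_factory=dict)    # port -> (client_id, src_ip) awaiting step 3
    sessions: dict = field(default_factory=dict)   # client_id -> port of the established VPN

    def expect(self, client_id: str, secret: str, src_ip: str, port: int) -> None:
        """Step 2: the relay hands over client data and port P; authorisation is re-checked."""
        if AUTHORISED.get(client_id) != secret:
            raise PermissionError("relay forwarded an unauthorised client")
        self.pending[port] = (client_id, src_ip)
        self.pf.open_for(port, src_ip)              # P is now temporarily open for this IP only

    def connect(self, client_id: str, secret: str, src_ip: str, port: int) -> bool:
        """Step 3: the client authenticates on P. On success the port is bound to this
        client and no further connection set-ups are accepted on it."""
        if not self.pf.allows(src_ip, port):
            return False                            # dropped by the filter, like a closed port
        if self.pending.get(port) != (client_id, src_ip) or AUTHORISED.get(client_id) != secret:
            return False                            # wrong client for this port, or bad secret
        del self.pending[port]                      # lock-down: no second set-up on P
        self.sessions[client_id] = port             # existing link keeps working
        return True


@dataclass
class RelayServer:
    vpn: VPNServer

    def request(self, client_id: str, secret: str, src_ip: str):
        """Step 1: check authorisation, draw random port P, forward to the VPN server
        (Secure Middleware modelled as a direct call) and return P to the client."""
        if AUTHORISED.get(client_id) != secret:
            return None
        port = PORT_RANGE[0] + secrets.randbelow(PORT_RANGE[1] - PORT_RANGE[0])
        self.vpn.expect(client_id, secret, src_ip, port)
        return port


def port_scan(pf: PacketFilter, src_ip: str, ports) -> list:
    """What a scanner at src_ip learns: the ports that answer at all."""
    return [p for p in ports if pf.allows(src_ip, p)]


def run_scenario() -> dict:
    """Play through the sequence from Figure 3 and collect the observable results."""
    pf = PacketFilter()
    vpn = VPNServer(pf)
    relay = RelayServer(vpn)
    scan_range = range(*PORT_RANGE)
    out = {}

    out["scan_idle"] = port_scan(pf, ATTACKER_IP, scan_range)           # nothing open
    p = relay.request("client1", "s3cret-one", NAT_IP)                   # step 1 + 2
    out["scan_during_login"] = port_scan(pf, ATTACKER_IP, scan_range)   # still nothing
    out["client1_ok"] = vpn.connect("client1", "s3cret-one", NAT_IP, p)  # step 3
    # Client 3 (same NAT, not authorised) tries to reuse the opened port P.
    out["client3_reuse"] = vpn.connect("client3", "guess", NAT_IP, p)
    # Client 2 is authorised but never asked the relay: P is not its port.
    out["client2_reuse"] = vpn.connect("client2", "s3cret-two", NAT_IP, p)
    out["client1_session"] = vpn.sessions.get("client1") == p            # link unaffected
    out["unauthorised_request"] = relay.request("mallory", "x", ATTACKER_IP)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model deliberately makes the filter decision (`PacketFilter.allows`) and the identity decision (`VPNServer.connect`) two separate checks: the filter answers only the NAT address P was opened for, so a scanner elsewhere sees nothing even mid-login, and the VPN server accepts exactly one client identity on that port, which is what stops other hosts behind the same NAT from piggy-backing on the opened port.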
High availability
Critical components such as the Stealth Connect Appliance can be configured with single or multi-level redundancy. If required, the Stealth
Connect Box can easily be replaced with an identical component.
[Figure 4 diagram: Stealth Connect Appliance 1 and Stealth Connect Appliance 2, each containing Router (1), Relay Server (2) and (VPN) Server (3), with Server 1 and Server 2 behind them; Internet/Intranet; NAT with Client 1, Client 2, Client 3 and a Stealth Connect Box. Key: no open ports; 1 port open; temporarily opened IP addresses / ports]
Figure 4: Redundancy with two Stealth Connect Appliances
Main sequence of events when a link is established with redundant Stealth Connect Appliances:
• Client 1 randomly selects one of the Stealth Connect Appliances and attempts to establish the VPN.
• If this is not possible, the process is repeated on the other Stealth Connect Appliance.
Contact:
FUJITSU
Fujitsu Technology Solutions GmbH
Mies-van-der-Rohe-Strasse 8, 80807 Munich, Germany
Phone: +49 (0)1805 372-900*
Email: [email protected]
Website: http://www.fujitsu.com/fts/surient
2016-10-18 CEMEA&I DE
© 2016 Fujitsu Technology Solutions GmbH
Fujitsu and the Fujitsu logo are trade names and/or registered trademarks of Fujitsu Ltd. in Japan and
other countries. All rights reserved, in particular industrial property and similar rights. Subject to changes
pertaining to technical details and availability. No liability is assumed or guarantee provided for how
complete, up-to-date or correct the information and figures specified are. Designations depicted may be
brand names and/or copyrights, the use of which by third parties for their own purposes may infringe the
rights of the bearers.
* (14 cents/min. per call; calls from the mobile network are charged at 42 cents/min.)