White Paper: Stealth Connect Solution
FUJITSU Security Solution SURIENT SCS (Stealth Connect Solution)

The new Stealth Connect Solution means authorised users are able to log into the data centre over a secure Virtual Private Network (VPN). For would-be attackers, the data centre is not accessible and so cannot be attacked.

Contents
Introduction (page 1)
Objective (page 2)
Base technologies (page 3)
Components of the solution (page 3)
General mode of operation (page 4)
High availability (page 5)

http://ts.fujitsu.com/Security

Introduction

Mobility and connectivity are of crucial importance for a successful business workflow. Managers often take business trips and every day exchange sensitive data over WLANs, integrated UMTS or any other network available. This is why data protection is steadily gaining in significance. Have you ever considered what could happen if your critical business data fell into the wrong hands?

The comprehensive IT security approach developed by Fujitsu as part of the "Digital Sovereignty" research and development project goes far beyond existing models. For data and processes requiring particular protection, it offers levels of security not attained thus far, from the end device and the transport channel right up to the data centre. The developers and engineers at Fujitsu have identified the potential vulnerabilities in end devices, transport channels and data centres, and have devised new technical and organisational measures to plug them.

The "Digital Sovereignty" project pursues the objective of creating secure application environments on top of existing, and therefore potentially insecure, infrastructures, and of guaranteeing the highest degree of security, all without any trade-off as regards ease of use and performance. As part of the overall "Digital Sovereignty" project, Fujitsu includes a diversity of individual measures and incorporates them into a coherent overall concept.
The first modules available:
- Managed Rack Solution (MRS): physical access protection for server racks with biometric authentication
- Sealed Rack Solution (SRS): highly secure server rack providing protection against physical access and electronic attacks
- Encrypted Boot Solution (EBS): automated boot process of servers with encrypted hard drives
- Stealth Connect Solution (SCS): secure VPN solution for authorised users
- Sealed Application Solution (SAS): end-to-end secure client with encrypted communication
- Secure Middleware Technology (SeMi): technology for secure communication between computers

[Figure 1: Continuous security with the "Digital Sovereignty" innovation from Fujitsu. The figure shows the threats (secret services, organised crime, industrial espionage) against the path from the client over HTTPS/SSL to the data centre, with "Digital Sovereignty" as the basis of digital sovereignty at the data centre.]

The Stealth Connect Solution is explained in more detail below.

Objective

An external attacker looking to access data centre information usually starts by "scanning" the servers with detailed port scans to locate potential points of attack. When a server (or a service running on it) responds to the queries, the vulnerabilities of this service can be located and exploited. This is the way attackers normally gain unauthorised access to systems, enabling them to tap into and manipulate information. Authorised users, on the other hand, for whom a connection is provided, can establish a link as usual, for example to a web service or via a Virtual Private Network.

On the Stealth Data Center, however, the VPN port of the server process is disabled: an attacker receives no reply to a port scan, and therefore no information on where a point of attack may be located. The current implementation supports the set-up of VPNs (Virtual Private Networks) from any location (changing IP addresses). VPNs enable the set-up of a secure, encrypted link over which any other services of a company can be used.
The use of Open Source and the disclosure of program source code to our customers, for example, enable a high level of transparency and verifiability of the solution.

Base technologies

Below are the most important base technologies used in the implementation:
- The Debian Linux distribution is used as the secure and hardened base operating system for the Stealth Connect Solution.
- Communication of the Secure Middleware over closed ports is used as the basis for the secure establishment of links on the Stealth Connect Solution. Secure Middleware is described in a separate white paper.
- The set-up of a VPN is currently implemented. It supports strong (configurable) encryption and Perfect Forward Secrecy.
- The set-up of a VPN link is initiated via protocols nested within each other. Cracking one of the protocols used therefore does not enable the VPN. This also applies to the set-up of the VPN itself.

The following methods and tools are currently supported and used for encryption and signatures:
- OpenVPN
- GNU Privacy Guard (GnuPG)
- SSH

Components of the solution

The solution is made up of the following components:
- A decentralised Stealth Connect Box, which establishes a specific VPN to the central office from a remote office (for example) for all the PCs in that office. As an alternative, a Windows software client (Stealth Connect Client) will be available in the future (possibly also for other operating systems, depending on customer requirements).
- A central Stealth Connect Appliance, which protects the head office network located behind it from attacks and realises a complete port inhibit of the VPN server for attacks from the Internet. The Stealth Connect Appliance itself comprises an internal router, an internal relay server and the actual VPN server.
- A defined procedure for integration into the company network
- Optional integration and security services

[Figure 2: Components of the solution. The figure shows the Stealth Connect Appliance at the head office, connected over the Internet/intranet to a Stealth Connect Box in Office 1, a Stealth Connect Box in Office 2 and a Stealth Connect Client.]

General mode of operation

The Stealth Connect Solution protects the establishment of links for continuous communication (sessions). It thereby prevents an attacker from gaining any usable access to the communication. Before that point, the attacker is blocked by a packet filter, so no open port is available on which to attempt an attack on the VPN. This objective is also achieved when an attacker is located behind the same NAT as a normal user. Attacks using a zero-day exploit [1] or a man-in-the-middle position are also severely hampered.

[Figure 3: General mode of operation of the Stealth Connect Solution. The figure shows the Stealth Connect Appliance with Router (1), Relay Server (2) and VPN Server (3), together with a backup server and the administration and monitoring networks, connected over the Internet/intranet to a NAT with Client 1 and Client 3 behind it and a Stealth Connect Box serving Client 2. Key: no open ports; 1 port open; temporarily opened IP addresses / ports.]

Main sequence of events:
1) Client 1 sends a request to establish a VPN to the Stealth Connect Appliance. The Stealth Connect Appliance receives this request and actions it internally. It forwards the information internally to the relay server, which checks the relevant authorisation. The relay server generates a random port number, P, and sends it to Client 1.
2) The relay server uses the Secure Middleware to send the information and authorisations received from the client, including the random port P, to the VPN server. The authorisations are checked again in this step.
3) Client 1 authenticates itself with the VPN server using port P (temporarily opened for it) and establishes the VPN.
The communication relation for this IP address is then restricted to this specific client (Client 1). Other non-authenticated clients behind the same NAT can therefore not realise any further connection set-ups. Existing links of authenticated clients are not affected. Client 2 (for example in an office environment or work group) can also access the VPN server via the Stealth Connect Box, whilst Client 3 has no access to the Appliance Server. Other clients not located behind the NAT shown receive no information whatsoever ("open ports") from the VPN server during a login attempt (by Client 1, for example).

[1] Zero-day exploit is the name given to an exploit used before a patch is available as a countermeasure. Developers therefore have no time (zero days) to improve the software such that the exploit becomes ineffective.

High availability

Critical components such as the Stealth Connect Appliance can be configured with single or multi-level redundancy. If required, the Stealth Connect Box can easily be replaced with an identical component.

[Figure 4: Redundancy with two Stealth Connect Appliances. The figure shows Stealth Connect Appliance 1 and Stealth Connect Appliance 2, each with Router (1), Relay Server (2) and (VPN) Server (3), connected over the Internet/intranet to a NAT with Client 1 and Client 3 behind it and a Stealth Connect Box serving Client 2. Key: no open ports; 1 port open; temporarily opened IP addresses / ports.]

Main sequence of events when a link is established with redundant Stealth Connect Appliances: Client 1 randomly selects one of the Stealth Connect Appliances and attempts to establish the VPN. If this is not possible, the process is repeated on the other Stealth Connect Appliance.
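The three-step set-up sequence and the redundant-appliance retry are easiest to reason about as a small state model. The following Python is an added illustration written for this page, not Fujitsu code and not the Secure Middleware itself: the class names (VpnServer, RelayServer, Appliance, establish_vpn), the in-memory authorisation table and the sample addresses are constructed assumptions. It models what a scanner sees (no reply at all unless it is the expected client on the temporarily opened port P), the second authorisation check on the VPN server, the binding of the NAT address to the first authenticated client, and the random choice of appliance with fallback to the other one.

```python
"""Toy model of the Stealth Connect set-up sequence (added example, not Fujitsu code).

Class and function names and the authorisation table are assumptions made for
illustration; the Secure Middleware hand-over is modelled as a direct call.
"""
import random
import secrets

# Constructed authorisation table: client id -> shared secret.
AUTHORISED = {"client-1": "secret-1", "client-2": "secret-2"}


def is_authorised(client_id, secret):
    return AUTHORISED.get(client_id) == secret


class VpnServer:
    """Server 3 in the paper: no port is open until the relay announces one."""

    def __init__(self):
        self.pending = {}   # port P -> (client_id, src_ip) temporarily expected
        self.sessions = {}  # src_ip -> client_id once a VPN is established

    def expect(self, client_id, secret, src_ip, port):
        # Step 2: the relay hands over client data and port P; authorisation is checked again.
        if is_authorised(client_id, secret):
            self.pending[port] = (client_id, src_ip)

    def probe(self, src_ip, port):
        # What a port scanner sees: the packet filter drops everything except the
        # temporarily opened port, and only for the expected source address.
        if port in self.pending and self.pending[port][1] == src_ip:
            return "open"
        return None  # no reply at all, so no information for the scanner

    def connect(self, client_id, secret, src_ip, port):
        # Step 3: the client authenticates on port P and establishes the VPN.
        expected = self.pending.get(port)
        if expected != (client_id, src_ip) or not is_authorised(client_id, secret):
            return False
        del self.pending[port]             # port P closes again
        self.sessions[src_ip] = client_id  # this address is now bound to this client
        return True


class RelayServer:
    """Server 2: checks authorisation and hands out the random port P."""

    def __init__(self, vpn):
        self.vpn = vpn

    def request(self, client_id, secret, src_ip):
        # Step 1: check authorisation; refuse another client behind an address that
        # is already bound to an established session (the same-NAT case).
        if not is_authorised(client_id, secret):
            return None
        bound = self.vpn.sessions.get(src_ip)
        if bound is not None and bound != client_id:
            return None
        port = 1024 + secrets.randbelow(65535 - 1024)
        self.vpn.expect(client_id, secret, src_ip, port)  # step 2, via Secure Middleware
        return port


class Appliance:
    """One Stealth Connect Appliance (router, relay, VPN server); can be taken down."""

    def __init__(self, name, available=True):
        self.name = name
        self.available = available
        self.vpn = VpnServer()
        self.relay = RelayServer(self.vpn)

    def setup(self, client_id, secret, src_ip):
        if not self.available:
            return False
        port = self.relay.request(client_id, secret, src_ip)
        if port is None:
            return False
        return self.vpn.connect(client_id, secret, src_ip, port)


def establish_vpn(client_id, secret, src_ip, appliances):
    """Redundant set-up: try a randomly chosen appliance, then the remaining ones."""
    order = list(appliances)
    random.shuffle(order)
    for appliance in order:
        if appliance.setup(client_id, secret, src_ip):
            return appliance.name
    return None


if __name__ == "__main__":
    down = Appliance("appliance-1", available=False)
    up = Appliance("appliance-2")
    print(establish_vpn("client-1", "secret-1", "203.0.113.10", [down, up]))
```

The model deliberately keeps the relay and the VPN server as separate objects so that the two authorisation checks the paper describes are both visible, and `probe` returns `None` rather than "closed" to mirror the point that an attacker receives no reply at all, not a refusal.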
Contact:
FUJITSU
Fujitsu Technology Solutions GmbH
Mies-van-der-Rohe-Strasse 8, 80807 Munich, Germany
Phone: +49 (0)1805 372-900*
Email: [email protected]
Website: http://www.fujitsu.com/fts/surient
2016-10-18 CEMEA&I DE

© 2016 Fujitsu Technology Solutions GmbH. Fujitsu and the Fujitsu logo are trade names and/or registered trademarks of Fujitsu Ltd. in Japan and other countries. All rights reserved, in particular industrial property and similar rights. Subject to changes pertaining to technical details and availability. No liability is assumed or guarantee provided for how complete, up-to-date or correct the information and figures specified are. Designations depicted may be brand names and/or copyrights, the use of which by third parties for their own purposes may infringe the rights of the bearers.

* 14 cents/min. per call; calls from the mobile network are set at 42 cents/min.