
Groupmax Basic Technology to Support SOHO Environment

Today's rapidly changing enterprise management environment urgently requires stronger competitiveness and the creation of new business. Various information systems have been built to take full advantage of an open network computing environment that can be used at any time, anywhere and by anyone. These systems speed up management by sharing information, change the work environment through satellite offices and home offices (SOHO) and mobile computing, and provide highly value-added services such as Internet banking.
At the same time, the frequency and level of security violations by invalid access, virus infections, and invasions of privacy due to tapping have been increasing, and there is potential for more problems.

Considering this background, this paper lists security violations and possible countermeasures and describes the Groupmax technical approach in the SOHO environment.


Security violations

The SOHO environment or a mobile computing environment is based on the premise of an open network, that is, the Internet or a public network. In this environment, there might be security violations such as invasions from the outside, leakage to the outside, tapping, tampering and snooping.

Invasion and leakage
There is a danger that outside users might invade server machines or that inside users might leak confidential data.

Tapping
There is a hazard that a third person might tap into the data being transmitted in an open network.

Tampering and snooping
Tapped data is liable to be tampered with, or unauthorized persons might use the data for invalid access.

Virus infection
Data you receive from the outside might include a dangerous program or might be virus infected.


Protection against security violations
Invasion and leakage
A system's contact point to the outside should be centralized.

Tapping
All transmitted data should be encrypted to prevent it from being used by unauthorized users even if the data is tapped.

Tampering
All data should be checked to confirm that it hasn't been tampered with during transmission.

Snooping
Users need some form of authentication to know whether they are communicating with the person they intend.

Virus infection
All data from the outside must be filtered using virus-protection software to make sure the data contains no dangerous programs and is not infected.


Technical approach to implement the protection

To protect a system from the above security intrusions, the following explains the methods and system operations using a firewall, Virtual Private Network (VPN), encryption and public key certificate.

METHODS

Firewall (Gauntlet firewall)
Setting up a firewall centrally manages IN/OUT information and access control.
Based on packet filtering, the application gateway facility provides access control that is aware of the data structure and protocol. The network address translation facility (for translating global addresses and internal private addresses) hides the internal addresses from outside users and prevents invasions from the outside.
You can also virus-check the data that pass through the firewall.

Virtual Private Network (VPN) (VPN for Gauntlet) (Secure Socket)
You can secure and maintain a safe communication route in the Internet by encrypting or sealing the protocol.

Encryption (Security library) (Secure Socket)
Encryption is classified into the conventional encryption system and the public key cryptosystem.
The conventional encryption system requires the same key for encryption and decryption. The sender and the receiver must have the same key beforehand.
The public key cryptosystem uses a pair of keys: a public key and a private key. The sender creates a pair of keys and holds the private key; then the sender distributes the public key to the communication partner. The sender encrypts the data using the private key and the receiver decrypts the data using the public key.

Public key certificate (Authenticated server/ Authenticated client) (Security library) (Secure Socket)
A public key certificate is electronic data that certifies the relationship between the public key and the owner of the key.
Combining the receiver's certificate, the sender's certificate and private key information, you can authenticate your communication partner and prevent unauthorized users from tampering with your communications. No certificate can be forged because it has been digitally signed by the certificate authority (CA).

Digital signature (Security library)
To check whether data has been tampered with during transmission, the sender attaches a digital signature and the receiver checks that signature.
The sender calculates a hash value from the data to be sent, encrypts the hash value using a private key, and sends the encrypted hash value along with the data.
The receiver calculates the hash value from the received message, decrypts the encrypted hash value using the sender's public key, and compares the decrypted hash value with the calculated hash value. If the values are the same, the receiver can be sure that the message has not been tampered with.

User authentication (Security library) (Secure Socket)
By exchanging certificates with your communication partner, you can identify the partner. By using the public key included in the certificate and your own private key, you encrypt the authentication information, which differs every time, and exchange it to authenticate the partner.
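
The signing and verification steps described under "Digital signature", and the check of authentication information that differs every time described under "User authentication", as an added example that is not part of the original page or of any Hitachi product. It uses unpadded textbook RSA built from the Python standard library with a constructed, trivially factorable demo key, and it assumes the verifier already trusts the signer's public key (the role a certificate plays); production code would use a padded scheme such as RSA-PSS from a vetted library.

```python
import hashlib
import hmac
import secrets

# Constructed demo key: two publicly known Mersenne primes, so the modulus is
# trivially factorable. Illustration only; never use such a key for real data.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the signer only

def digest(data: bytes) -> int:
    """Hash value of the data as an integer (SHA-256, always below N here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Sender: hash the data, then transform the hash with the private key."""
    return pow(digest(data), d, n)

def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: recover the hash with the public key and compare it with a
    hash computed over the data that actually arrived."""
    if not 0 <= signature < n:
        return False
    recovered = pow(signature, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    expected = digest(data).to_bytes(len(recovered), "big")
    return hmac.compare_digest(recovered, expected)

def authenticate(prover_sign, e: int = E, n: int = N) -> bool:
    """Verifier: issue authentication information that differs every time
    (a random nonce) and accept only a valid signature over that value."""
    nonce = secrets.token_bytes(32)
    return verify(nonce, prover_sign(nonce), e, n)

if __name__ == "__main__":
    msg = b"transfer 100 to account 42"  # constructed sample message
    sig = sign(msg)
    print(verify(msg, sig))                            # True
    print(verify(b"transfer 900 to account 42", sig))  # False: data was altered
    print(authenticate(sign))                          # True: holder of the private key
    replayed = sign(b"nonce from an earlier session")  # constructed replay attempt
    print(authenticate(lambda nonce: replayed))        # False: stale response
```

Because the nonce changes on every run, a signature captured from an earlier exchange fails verification, which is the reason the page requires authentication information that differs every time.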


SYSTEM OPERATION

Trying to promote security protection for each system or each application may establish uneven levels of security, besides increasing your operation costs. Centralizing security operations is vital in reducing operation costs and standardizing security protection levels.

User control (Hitachi Directory Server Version 2)
The directory service technology integrates the information for system operation and retrieves and references that information speedily. Internet Engineering Task Force (IETF) standardized a directory service known as Lightweight Directory Access Protocol (LDAP). You can reduce management costs by using a directory to manage the public key certificate used in your security operations, and the user information such as mail addresses.

Single sign-on
Using certificates and directory services enables you to build a single sign-on environment where users need not enter their passwords each time they use applications.
A single login manager enables you to build a single sign-on environment which includes applications that do not necessarily correspond to a certificate.
By combining IC cards with these facilities, you can build a stronger and more usable user authentication system.



E-mail:WWW-mk@soft.hitachi.co.jp
All Rights Reserved, Copyright (C) 1994, 2000, Hitachi, Ltd.
WRITTEN BY SOFTWARE DIVISION & SOFTWARE DEVELOPMENT DIVISION