Security Prime
Overview
Security Prime Router
User Authentication Tokens: Access Control Cards
Authentication Servers
Static Packet Filters
Dynamic Packet Filters
User Profiles
How Remote Users Establish a Connection
How to Use the Access Control Card
Access Control Card Problems
Customers lease a Security Prime router to be used as a firewall at their site. The Security Prime router is configured and managed by our staff under the direction of the customer's security officer.
Security Prime integrates a combination of static and dynamic firewall packet filters designed to meet each site's specific needs.
In addition, site security officers can specify access profiles for individuals that can be tailored to meet particular requirements. These users might be remote offices, traveling employees, or strategic partners.
These user access profiles define the firewall's behavior as it applies to a given user. This firewall is applied to the router when the user needs to access the site and only after the user has been properly authenticated. This authentication is performed by smart cards using sophisticated cryptographic techniques.
After the user is finished accessing the corporate LAN through the dynamic firewalls in the router, the firewalls are automatically restored to the prior full security configuration. This happens with no manual intervention by the support staff or the corporate LAN security administrator.
Security Prime is managed by the Managed Services Group (formerly the Security Planning and Response Team). Team members are available to address security needs of customers and have been specifically trained to assist sites in establishing security configurations.
The Security Prime router is a GlobeTrotter 62 developed by Nx Networks, Inc., a leading supplier of internetworking hardware.
The router provides support for static packet filtering as well as dynamic filtering firewalls and individual user firewall profiles. These techniques allow sites to tailor access to individual requirements and considerations.
Before a user profile can be invoked, the user must prove that he/she is who he/she claims to be. This process is called authentication and is done with the use of a Security Prime access control card.
The access control cards are produced by the CRYPTOCard Corporation. They use a cryptographic challenge-response system based on the Data Encryption Standard (DES).
DES is a private key system which uses a single key for encrypting and decrypting information. DES transforms 64-bit blocks of information by using a single 128-bit key for encryption and decryption.
A different key is used for each pair of users who exchange private messages. In this instance, a user and the authentication server hold the same key and each user holds a different key from any other user.
The card is a credit-card size calculator-style microcomputer with key pad and liquid crystal display. The card can provide a cryptographic response to a machine-generated challenge. The card is PIN protected to prevent use by an unauthorized party. The cryptographic response secures against eavesdropping and replay attacks over communication links.
Three cards are provided with the service. Each card supports one user. (Additional cards can be obtained.)
Use of access control cards outside the U.S.
These access control cards, used for authentication, are legally exportable as they only encrypt a response to a challenge. Users traveling abroad can bring the access control card with them. The CRYPTOCard Corporation will give an exemption certificate from the U.S. Department of Commerce to any user who requests one.
Each site's Security Prime router communicates with our Security Prime authentication servers.
These servers authenticate individual users and store their respective security profiles. Security Prime routers direct authentication requests to this server. If the authentication is valid, the server returns the security profile for the individual.
The authentication servers are distributed on our secure backbone. These servers are managed by the Managed Services Group and are monitored 24 hours a day by our operations staff.
Packet filters are the primary mechanism which routers use to protect a site's LAN from unwanted traffic from the Internet. Packet filters restrict traffic based on source and destination IP addresses, as well as protocol.
Static filters are installed in the router and are applied uniformly to all packets the router processes. They are useful but inflexible in the face of changing needs and do not provide strong protection.
Proper application of filters can provide substantial protection from intrusions. They can enforce policies such as allowing all telnet connections outbound from a site and all inbound mail connections to the mail host while denying all other traffic.
Because some attributes of packets are arbitrary and not completely specified, static packet filters must frequently allow access for broad ranges of packets, opening large holes to accommodate certain applications and protocols.
Used alone, static filters enforce the same security restrictions on all users of a site and do not allow varying levels of access. Thus, they apply a broad brush to all users.
Dynamic filters are installed in response to a pattern of traffic. Thus, holes in the firewall can be opened or closed in response to particular events.
One example might be outgoing Domain Name Service requests. Static filters would require the router to accept all inbound traffic using the UDP protocol in order to receive the answer. Dynamic filters can cause the router to accept incoming packets only when it expects a response to outgoing requests, thus minimizing the traffic it will accept and the security risk. Similar approaches can be used to protect against the SATAN program which is used to probe a site for vulnerabilities.
Dynamic firewalls have usage timers that allow them to be dropped from the Security Prime router configuration after a period of time.
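The DNS case above, worked through as an added example that is not part of the original document or the router's own code: a small stateful filter that opens a hole only for the answer to a specific outbound query and closes it again on the answer or when its usage timer runs out. The LAN prefix, addresses and timeout are constructed values.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Packet is the 5-tuple view a packet filter needs; all values in this example are constructed.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Proto            string
}

// DynamicFilter records the holes opened for outbound DNS queries. Each hole carries a
// usage timer and is dropped when it expires or once the matching answer has passed.
type DynamicFilter struct {
	LAN     string        // address prefix of the protected LAN, e.g. "10.0.0."
	TTL     time.Duration // how long an unanswered query keeps its hole open
	Now     func() time.Time
	pending map[string]time.Time
}

func NewDynamicFilter(lan string, ttl time.Duration) *DynamicFilter {
	return &DynamicFilter{LAN: lan, TTL: ttl, Now: time.Now, pending: map[string]time.Time{}}
}

func (f *DynamicFilter) inLAN(ip string) bool { return strings.HasPrefix(ip, f.LAN) }

// Decide applies the dynamic rule to one UDP packet: an outbound query to port 53 opens
// a hole keyed on the querying host/port and the server; an inbound answer passes only
// through a live hole. Everything else falls through to the static filters, modeled as deny.
func (f *DynamicFilter) Decide(p Packet) bool {
	if p.Proto != "udp" {
		return false
	}
	switch {
	case f.inLAN(p.SrcIP) && !f.inLAN(p.DstIP) && p.DstPort == 53:
		f.pending[fmt.Sprintf("%s:%d<-%s", p.SrcIP, p.SrcPort, p.DstIP)] = f.Now().Add(f.TTL)
		return true
	case !f.inLAN(p.SrcIP) && f.inLAN(p.DstIP) && p.SrcPort == 53:
		k := fmt.Sprintf("%s:%d<-%s", p.DstIP, p.DstPort, p.SrcIP)
		exp, ok := f.pending[k]
		delete(f.pending, k) // one answer per query; expired or unknown holes are dropped too
		return ok && !f.Now().After(exp)
	}
	return false
}
```

Compare this with the static alternative the text describes, which would have to accept all inbound UDP to let any answer through.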
User profiles are filters that can be invoked in response to the authentication of a user through the Security Prime router by the authentication server.
These profiles, an extension of dynamic filters, can be tailored to allow access to particular services on an individual basis. One profile may be added to allow a user to connect to a POP mailbox and another profile may allow login access.
Different individuals may have access to different profiles. The authentication server is responsible for telling the Security Prime router which profile it should load according to which user profile has authenticated.
When remote users want access, they telnet to the router for authentication. Once authenticated, the user can select a profile to be installed on the router.
The source IP addresses of the individual users are determined at firewall usage and are applied to the dynamically installed firewalls. This allows the individual to use any remote site to connect securely. The use of the cryptographic challenge prohibits replay attacks of the authentication process.
A remote user wishing to connect to the Security Prime customer's corporate LAN must first connect to the Internet (via Remote Access, LAN-Dial, etc.). Next, the remote user telnets directly to the Security Prime router which is acting as the Internet gateway for that LAN.
The remote user is prompted for a userid and then given a crypto-challenge. The crypto-challenge is a string of characters which the user enters into his/her access control card. The access control card runs the challenge through the DES algorithm with a private key and produces a response, which the user enters at the router's prompt.
The router then communicates with the authentication server to verify that the response entered by the user is valid.
After successful authentication, the authentication server informs the router which individual security profile to use (all individual security profiles are stored in the router). The user is given a list of services which he/she can access (depending on their individual security profile) and is prompted for a selection.
Upon selection of accessible services, the individual firewall is installed on the router and the user is able to access the Security Prime customer's corporate LAN.
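The challenge-response exchange described in the steps above, modeled as an added example that is not part of the original document and not CRYPTOCard's or PSINet's code. It assumes the card produces its response by DES-encrypting the 8-character challenge under the user's key and displaying the first four ciphertext bytes as hex; that derivation, the key, the user ID and the profile name are constructed for illustration.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

// Server-side records: each user's card holds the same 8-byte DES key as the server,
// and no two users share a key. The key, user ID and profile name are constructed.
var userKeys = map[string][]byte{"39300067": {0x13, 0x34, 0x57, 0x79, 0x9b, 0xbc, 0xdf, 0xf1}}
var userProfiles = map[string]string{"39300067": "ftp-to-private-lan"}

// CardResponse models the card: DES-encrypt the 8-character challenge under the user's
// key and show the first 4 ciphertext bytes as 8 hex digits (an assumed derivation for
// illustration; the page does not document CRYPTOCard's actual one).
func CardResponse(key []byte, challenge string) (string, error) {
	if len(challenge) != des.BlockSize {
		return "", errors.New("challenge must be exactly 8 characters")
	}
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, []byte(challenge))
	return strings.ToUpper(hex.EncodeToString(out[:4])), nil
}

// Authenticate is the server's check. The expected response is recomputed for this
// challenge only, so a response captured from an earlier session fails against a new
// challenge; on success it returns the profile the router should install.
func Authenticate(user, challenge, response string) (string, bool) {
	key, ok := userKeys[user]
	if !ok {
		return "", false
	}
	want, err := CardResponse(key, challenge)
	if err != nil || subtle.ConstantTimeCompare([]byte(want), []byte(strings.ToUpper(response))) != 1 {
		return "", false
	}
	return userProfiles[user], true
}
```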
Figure 1 depicts the relationship between the user, authentication server, and the Security Prime router. The interactions of a connection are delineated and described in the drawing.
Figure 1: Relationship between user, authentication server, and Security Prime router.
Figure 2 shows a sample user authentication session, depicting what the user will see as output from the access control card and the router and appropriate input from the user. In this example the user profile allows the user to access ftp on the local private network. After the user has successfully completed the authentication session, he/she is able to use ftp on and to the LAN.
Figure 2: Example of a remote user session when connecting to the local network.
Security Prime I/O
>telnet router.company.com
login: 39300067
Password: press Enter
Challenge 58627519
Enter Response: 1FE2A8C3
Connection closed by foreign host
Access Control Card I/O
[ON/OFF] PIN? 1234 [ENT]
READY
[CH/MAC] 58627519 [ENT]
1FE2A8C3
Remote user can now access the local private network
When you first receive the access control card and turn it on, you will be prompted to enter the initial PIN set by the keymaster. The site security officer has knowledge of this initial PIN. Key in the number and press the ENT key.
The card now prompts you to enter a new PIN. The number must be at least four digits in length. Key in the digits, then press ENT.
The card now asks you to verify the choice. Re-key the same PIN and press ENT again. The card is now ready to be used.
If at any time you decide to change the PIN, press the CPIN key. Enter the new PIN and verify it as described above.
Note: Only six attempts are allowed to enter a correct PIN.
If all six attempts are in error, the card will become locked and must be returned to us for reprogramming.
After you successfully enter the PIN, the card displays the Ready prompt.
At this point, press the CH/MAC key and begin entering the challenge code from the authentication server. When finished, press the ENT key.
A code consisting of numbers and possibly some letters appears on the display. This code is the answer to the authentication server's challenge. Sending this code to the authentication server will install your custom profile and allow access into the local site.
Locked Access Control Cards
Damaged Access Control Cards
Access Control Card Loss/Theft
Access Control Card Replacement
Batteries
Locked Access Control Cards
If a user is unable to enter the correct PIN within six attempts, the card becomes locked. This feature erases the DES key along with all other information stored in the access control card.
The access control card must be returned to the keymaster for reprogramming. There is a service charge for each incidence as outlined in the Security Prime service option contract.
Locked cards should be sent to:
PSINet, Inc.
Attn: Keymaster
44983 Knoll Square
Ashburn, VA 20147
Damaged Access Control Cards
There are several physical precautions you must follow to ensure that the access control card is in good working condition.
The display on the card is made of glass and will break if dropped onto a hard surface.
Bending or twisting the card will also damage it, so carrying it in a hip pocket or placing heavy objects upon it should be avoided.
Access Control Card Loss/Theft
If a card is lost or stolen, notify the Managed Services Group immediately via e-mail to spart@psi.com so that the user information on the authentication servers can be changed to maintain security.
Access Control Card Replacement
There is a charge for lost/stolen/damaged access control cards as outlined in the Security Prime service option contract. Requests for replacement cards should be directed to:
PSINet Inc.
Attn: Keymaster
44983 Knoll Square
Ashburn, VA 20147
Batteries
The batteries in the access control card should last up to three years.
In the event that the unit's batteries require replacement, new batteries can be purchased at any retail electronics outlet.
The batteries should be changed one at a time so that the DES keys stored in the card's flash memory are not erased.
If both batteries are removed at the same time, the card will have to be reprogrammed by the keymaster.
The batteries are held in place within the unit by plastic clips. One clip is at the top edge of the card and the other is at the bottom edge of the card. Use your fingernail or some flat and narrow object to engage the groove and pull straight out.
Replace the batteries one at a time. Be sure to maintain correct polarity (plus signs should face toward the back of the unit).