Encryption in Business
Because of legislative requirements and the sensitivity of electronic business information, organizations are increasingly deploying a variety of encryption solutions. While the focus has been on the flow of information between the business perimeter and the outside Internet, businesses also are examining options to better protect data at rest at the core of the infrastructure. Security practitioners continue to integrate virtual private networks (VPNs), secure sockets layer (SSL) and Wi-Fi protected access (WPA) technologies into the infrastructure fabric. All of these use encryption to secure “data in motion.”
This article examines VPN, SSL and WPA technologies, as well as triple data encryption standard (3DES) and the advanced encryption standard (AES). By deploying these technologies, security practitioners can significantly address the challenge of “confidentiality” in the transmission of sensitive information.
California’s Assembly Bill 1950 is an example of legislation that is leading businesses to deploy encryption capabilities from the edge of the network to the inside core. This bill requires businesses to protect information about California residents from unauthorized access, destruction, use, modification or disclosure—encryption is a reasonable way to protect all such information. Any business that comes into sensitive information about California residents will feel the impact of this bill.
Further, wireless communication is transforming the computing infrastructure inside businesses. The number of laptops, PDAs and wireless access points (APs) continues to increase. These systems transmit sensitive information that must be protected.
Businesses also are looking to establish a “network of trust.” Organizations have to be assured that any information transmitted among customers, partners and business associates remains private and protected as it travels between services.
Virtual Private Networks and Secure Sockets Layer
Virtual private networks (VPNs) are a cost-effective way to connect remote sites or branch offices with the corporate infrastructure over the Internet. VPNs are an excellent example of an application of encryption technology. VPNs encrypt all traffic transmitted between their end points. Encryption protocols and algorithms typically supported by VPNs include 3DES, IPSec and AES.
Secure sockets layer (SSL) encrypts information such as credit card numbers or other data when it is transmitted over the Internet. SSL is commonly used to encrypt HTTP traffic. SSL uses a combination of public key cryptography and secret key encryption to provide confidentiality. When you enter a URL beginning with “https://” in a Web browser, you are using SSL to communicate information securely. SSL supports server as well as client authentication, so each end of the connection can prove its identity to the other.
One common use of SSL is to enable business partner access to proprietary information over the Internet. An example is HCR Manor Care’s system to manage legal documents. In many instances, outside law firms are contracted to represent HCR Manor Care’s interests in various types of legal transactions. Rather than allowing these firms to connect directly to its network, HCR Manor Care obtained a certificate from a certificate authority and used it to grant controlled access to an application server in a screened subnet. This application server communicates encrypted case information to outside firms using SSL and with the database server on the internal network via IPSec. Access to sensitive information on the database is controlled, connection to the HCR Manor Care network provides flexibility at a low cost, and the information transmitted to the remote firms retains its confidentiality.
VPN solutions available from vendors today include Web VPN, also known as SSL VPN, which leverages SSL and a Web browser to eliminate the need for a client application. Using the Web browser, an end user at a remote location can connect to the enterprise infrastructure over a secure connection based on SSL. All information is encrypted in the SSL connection that is established between the end points. This provides two potential cost advantages. First, no client-side software, other than a browser that supports SSL, is typically required. This may reduce VPN management costs associated with help desk and client update activities. Second, remote users can connect to information in the corporate data center over any Internet connection. Organizations currently using VPN services provided and managed by a third party, such as one of the interexchange carriers (MCI, AT&T, etc.), may experience a significant return on investment by moving to Web VPN.
As with all emerging technologies, Web VPN has some limitations. For example, there may be a requirement for additional software on the client to support non-Web-enabled applications, thereby increasing total cost of ownership. Organizations looking at Web VPN technology should ensure its compatibility with business requirements and objectives.
From a security perspective, Web VPN provides significant flexibility in controlling remote access to specific data-center services. For example, SSL VPN can restrict a specific user or group of users to the use of a corporate intranet application, while denying access to all other applications in the data center.
The cryptographic algorithms supported by SSL include RC4, the RSA algorithm and the data encryption standard (DES). SSLv3 is the latest version of this protocol.
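The following is an added example, not code from the article or from any organization it describes. It builds the two SSL/TLS endpoint configurations behind the article's statement that SSL supports both server and client authentication, using Python's standard `ssl` module: the server side refuses any client that cannot present a certificate issued by the trusted authority, and the client side verifies the server's certificate and host name. The CA bundle and certificate paths are assumed placeholders; when they are omitted nothing is loaded and the contexts are only inspected. The protocol floor is set to TLS 1.2, which postdates the SSLv3 the article names.

```python
import ssl
from typing import Optional

# Assumed placeholder paths; replace with the real PEM files in a deployment.
PARTNER_CA_BUNDLE = "/etc/pki/partner-ca.pem"      # CA that issued the partner firms' client certs
APP_SERVER_CHAIN = "/etc/pki/app-server-chain.pem"  # this server's certificate and private key


def server_context(cert_chain: Optional[str] = None,
                   ca_file: Optional[str] = None,
                   require_client_cert: bool = True) -> ssl.SSLContext:
    """Context for the application server in the screened subnet.

    With require_client_cert=True the handshake fails unless the remote firm
    presents a certificate signed by the loaded CA (client authentication).
    With require_client_cert=False the link is still encrypted, but any client
    can connect: confidentiality without peer authentication.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3 and TLS 1.0/1.1 are refused
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    if cert_chain:
        ctx.load_cert_chain(cert_chain)
    if ca_file:
        ctx.load_verify_locations(ca_file)
    return ctx


def client_context(ca_file: Optional[str] = None,
                   cert_chain: Optional[str] = None) -> ssl.SSLContext:
    """Context for the outside firm's client: verify the server, offer our own cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                 # server name must match its certificate
    ctx.verify_mode = ssl.CERT_REQUIRED       # server must present a trusted certificate
    if ca_file:
        ctx.load_verify_locations(ca_file)
    if cert_chain:
        ctx.load_cert_chain(cert_chain)       # sent when the server asks for client auth
    return ctx


def requires_peer_certificate(ctx: ssl.SSLContext) -> bool:
    """True when this side will abort the handshake if the peer has no valid certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def is_mutually_authenticated(server: ssl.SSLContext, client: ssl.SSLContext) -> bool:
    """Both ends authenticate only if each side demands the other's certificate."""
    return (requires_peer_certificate(server)
            and requires_peer_certificate(client)
            and client.check_hostname)


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name
```

Pass `server_context(APP_SERVER_CHAIN, PARTNER_CA_BUNDLE)` to `ssl.SSLContext.wrap_socket` on the listening socket to enforce the policy on real connections.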
Wi-Fi Protected Access
The Wi-Fi protected access (WPA) standard was developed by the Wi-Fi Alliance to address security challenges associated with the wired equivalent privacy (WEP) protocol. WPA uses the temporal key integrity protocol (TKIP) to encrypt information and IEEE 802.1x with the extensible authentication protocol (EAP) for authentication.
In June 2004, the IEEE 802.11i standard was ratified. IEEE 802.11i, also being marketed as WPAv2, supports AES for secure transmission over a wireless infrastructure. Security practitioners need to make sure that all wireless communication is encrypted and that the encryption protocol deployed is based on the organization’s security policy.
Although the new wireless encryption standards are improvements over WEP, some organizations may not be ready to deal with the performance issues that often accompany the deployment of AES, for example. In such cases, an interim move to dynamic WEP may be the answer. In a dynamic WEP solution, the WEP key changes at a frequency designated by the security administrator. The re-keying frequency selected should depend on the amount of information moving through the access points and the capabilities of current wireless hacking tools. Although not a perfect defense, this helps to safeguard against intruders by regularly changing the encryption key. It also allows employees to use existing wireless clients without experiencing unacceptable performance degradation due to the implementation of more processor-intensive encryption algorithms.
One example of how 802.1x and dynamic WEP work together to protect information is the introduction of wireless access into corporate conference rooms. Conference rooms are typically unguarded and unlocked. Data jacks in these areas can be gaping holes through an organization’s security perimeter. In addition, most meeting areas do not have sufficient jacks for everyone who needs network access.
HCR Manor Care designed a solution for this problem by installing wireless access points that support 802.1x and dynamic WEP into the conference rooms. A RADIUS server was implemented to authenticate users to the wireless access points before allowing a wireless client onto the network. This is a function of the 802.1x standard. Finally, the network jacks were disabled. The result was a fa