Page 1: Inter-Cell Interworking: Access Control Across the Boundary
Gradient Technologies, Inc.
Open Group Members Meeting, San Diego, CA USA, April 1998
Brian Breton

Page 2: Multiple User Populations
Diagram labels: Internet (Prospective Customers, Rest of the World); Extranet (Remote Employees, Customers, Business Partners); Intranet (Employees)

Page 3: Enterprise Security Perspective
Authentication, Data Integrity, Authorization, Data Privacy, Availability, Scalability, Secure database access, Leverage existing investments

Page 4: The New Corporate Network
Diagram labels: Standard Browser (Netscape and Microsoft); Web and App Servers (UNIX and NT); Data Sources (Mainframes, UNIX and NT, Database: Informix); Internet, Extranet, Intranet, Private Network; Business Partners; Remote Employees

Page 5: Ingredients to Trust
• Pre-existing trust relationships have to be established between enterprises
• Responsibility for user identification MUST be at the local system, not the target
  – potential for multiple authentication mechanisms
• Target system should control access decisions
• Credentials serve as the basis for the target institution to make authorization decisions
• Secure communications channel

Page 6: Trust via Technology
• DCE Inter-Cell
• Public Key
  – Common public key certificate authority
  – Between multiple certificate authorities
• Basic authentication at target site

Page 7: DCE Inter-Cell Trust (Company A lets Company B in)
• Pros
  – B administers its own users
  – Transparent to end-users
• Cons
  – A must trust B to administer its users properly
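The three slides above (Ingredients to Trust, Trust via Technology, DCE Inter-Cell Trust) describe a split of responsibilities: the home cell identifies its own users, the target cell verifies the credential and makes its own access decision. The Python below is an added illustration of that split; it is not code from the presentation and not DCE's actual cross-cell mechanism (DCE uses Kerberos-style cross-realm tickets). The credential format, the HMAC signing under a per-cell key agreed out of band, the cell names and the ACL are all assumptions. It also shows the "A must trust B" caveat: the target qualifies every foreign identity with its cell, so a credential from B can only match entries the target wrote for B, and B cannot claim membership in A's own groups.

```python
"""Cross-boundary access control sketch: home cell identifies, target cell decides.

Added example; not from the Gradient slides and not DCE's real protocol.
Credential layout, HMAC-based signing and the ACL are assumptions.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Pre-existing trust relationship (slide "Ingredients to Trust"): target cell A
# and home cell B agreed on a per-cell key out of band. Constructed sample key.
INTER_CELL_KEYS: Dict[str, bytes] = {
    "cell_b.example": b"constructed-shared-key-between-A-and-B",
}

# Target-side ACL (constructed). Foreign identities are always qualified by
# cell, so B-issued credentials can only match "cell_b.example/..." entries.
ACL: Dict[str, set] = {
    "/orders/read": {"cell_b.example/group:buyers", "cell_a.example/group:staff"},
    "/orders/write": {"cell_a.example/group:staff"},
}


def issue_credential(cell: str, principal: str, groups: List[str], key: bytes,
                     ttl: int = 300, now: Optional[float] = None) -> str:
    """Home cell authenticates its own user (identification stays local) and
    issues a signed, short-lived credential the target can verify."""
    now = time.time() if now is None else now
    body = {"cell": cell, "principal": principal, "groups": groups,
            "exp": int(now) + ttl}
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag  # hex tag contains no '.', so rpartition works


def verify_credential(token: str, now: Optional[float] = None) -> dict:
    """Target cell checks the issuer is a trusted cell, the signature holds and
    the credential is unexpired. Returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    payload, _, tag = token.rpartition(".")
    claims = json.loads(payload)
    key = INTER_CELL_KEYS.get(claims.get("cell"))
    if key is None:
        raise ValueError("untrusted cell: %r" % claims.get("cell"))
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    if claims["exp"] < now:
        raise ValueError("credential expired")
    return claims


def authorize(claims: dict, resource: str) -> bool:
    """Target makes the access decision from verified claims only; every
    identity is prefixed with the issuing cell."""
    ids = {"%s/user:%s" % (claims["cell"], claims["principal"])}
    ids |= {"%s/group:%s" % (claims["cell"], g) for g in claims["groups"]}
    return bool(ids & ACL.get(resource, set()))


def access(token: str, resource: str, now: Optional[float] = None) -> str:
    """Full target-side flow: verify, then authorize. Returns ALLOW or DENY(...)."""
    try:
        claims = verify_credential(token, now)
    except ValueError as e:
        return "DENY (%s)" % e
    return "ALLOW" if authorize(claims, resource) else "DENY (no ACL match)"


if __name__ == "__main__":
    key = INTER_CELL_KEYS["cell_b.example"]
    alice = issue_credential("cell_b.example", "alice", ["buyers"], key)
    print("alice read :", access(alice, "/orders/read"))
    print("alice write:", access(alice, "/orders/write"))
    # B asserts "staff" for mallory, but that is B's staff, not A's.
    mallory = issue_credential("cell_b.example", "mallory", ["staff"], key)
    print("mallory write:", access(mallory, "/orders/write"))
```

The point to notice is in `authorize`: the target never takes a group name at face value, it takes it only as "group X as asserted by cell Y", which is exactly what the "A must trust B" con is limited to.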

Page 8: The Role of Firewalls
Diagram labels: Private Network(s)

Page 9: Problems with Firewalls
• Most attacks are internal, therefore less susceptible to prevention by firewalls
• Firewalls
  – Cannot provide full protection against external attack
  – Are not a security infrastructure, but a method of access prevention
  – Do not inherently provide an out-of-the-box form of fine-grained access control to internal resources

Page 10: Firewalls + Security Infrastructure
Diagram labels: External Networks

Page 11: The Role of SSL
Diagram labels: Web Server
• Authentication via Public Keys and Basic Auth.
• Data Privacy

Page 12: NetCrusader Product Family
Gradient Technologies, Inc.

Page 13: Interoperating Across Security Domains
Diagram labels (around the NetCrusader Security Server):
– Common Authorization Model
– Multiple Authentication Methods: Username/Password, Public-Key Certificate, Two-Factor Authentication
– Multiple User Populations: Customers, Partners, Employees
– Multiple Encryption Methods: DES, RC4, RSA, CAST, others
– Multiple Application Types: Object, Client/Server, Web-based
– Distributed Security Management: NetCrusader Commander
– Heritage

Page 14: NetCrusader Web-based Architecture
Diagram labels:
– Client: Web browser + NetCrusader Client, or Web browser only; Username/Password or Public-Key Certificate; Token Card / Smart Card (optional)
– Web Server (Microsoft/Netscape/Oracle; NT, Solaris, AIX, HP-UX): ISAPI/NSAPI Applications, Protocol Filter (Entrust/HTTP; DCE/HTTP), SSL, NetCrusader Security Adapter
– NetCrusader Security Server; NetCrusader Commander
– NetCrusader Credentials; Access Permissions; Delegation to backend resources

Page 15: NetCrusader Example: External Access to Financial System Using Web C/S Architecture
Diagram labels: Trading Partners and Customers; Browser; SSL; Internet or Private Network; Web Server / Trading Application (NetCrusader); Customer Database and Oracle Database (NetCrusader)
Seamless desktop-to-database security

Page 16: SSL Basic Authentication
• Pros:
  – No additional client software
• Cons:
  – Separate logins to multiple web servers
  – Encrypted passwords transmitted
  – Separate UserID/Password management across web servers
• Good Selection for:
  – Thin client requirement scenarios with no ability to install public key certificates

Page 17: SSL with Public Key Certificates
• Pros:
  – No additional client executables
  – Strong authentication
  – Variable strength data privacy
  – Enables SSO across multiple web servers
• Cons:
  – Must deploy & manage certificates to client
  – Public Key Mgt. tools immature
• Good Selection for:
  – Organizations committed to public key technology
  – Thin client requirement scenarios

Page 18: Entrust Public Key Infrastructure
• Pros:
  – Strong public key based authentication
  – Variable strength data privacy based upon strength of Entrust CAST software installed
    • CAST much faster than SSL
    • Enables SSO across multiple web servers
  – Strong Public Key Management support
• Cons:
  – Must deploy & manage certificates to client
  – Must deploy & manage Entrust and NetC Client s/w
• Good Selection for:
  – Large organizations with control over users' desktops

Page 19: DCE/HTTP
• Pros:
  – Single Sign On across multiple web servers and back end applications
  – No Firewall Disruption:
    • Data tunneled thru HTTP port
  – 56 Bit DES data privacy
    • DES much faster than public key
• Cons:
  – Requires Desktop NetCrusader software
• Good Selection for:
  – Organizations using PC-DCE and/or Kerberos

Page 20: NetCrusader Summary
• Delivers a comprehensive Enterprise Security Infrastructure
  – Integrates best of breed security and RAD technologies
  – Support for multiple authentication mechanisms
  – Single, centralized authorization model
  – Fine-grained access control
  – Ease of security administration
  – Supports common platforms and applications

Page 21: NetCrusader Product Family: Security Solutions for the Enterprise
Gradient Technologies, Inc.
2 Mount Royal Avenue, Marlborough, MA USA 01752
+1.508.624.9600
www.gradient.com
