SSi Service Strategies Inc.


eTrust VPN

VPN Software Solution

eTrust provides a comprehensive VPN software solution, offering privacy for communications between users over public networks and between servers behind your firewall. The product installs on gateway servers as well as on internal application servers and Web servers. Network protection policies are enforced no matter where the remote user is located or how the user reaches the server: by dial-in, local network, or Internet access. The product combines the security of a private network with the low cost and scalability of a public network. Existing applications can leverage this additional security, gaining encryption, authentication, and authorization without modification. If you need to secure communications between business partners, remote offices, and road warriors, if you need to control access to your network servers, or if you need to provide security both inside and outside of your firewall, you need a VPN solution.

How does eTrust VPN work?

Each of your network or application servers is a member of the VPN. This provides protection both inside and outside your firewall. Access to each server is controlled through the security policies you define using the Administrator. Typical solutions are based on firewall technology, which provides a single point of defense at the network perimeter. Unfortunately, dial-in servers, disgruntled employees, and other back doors leave your network vulnerable to attack from inside that perimeter. The product installs on your network servers themselves, which extends protection right up to the server. Security policies are enforced no matter where the remote user is located or how the user is accessing the server: dial-in, local network, or Internet access.

Performance

Evaluating the security policies on each member adds roughly 4% overhead on that member. Also, since encryption is performed in software, network throughput will be affected, depending on processor speed. Typical encryption rates run between 150 Kbps and 2 Mbps. CA intends to incorporate support for additional PCI-based hardware accelerator cards. This will be supported in eTrust VPN 3 and will support up to 10 Mbps, combining the benefits of end-to-end security with fast throughput.

Encryption

eTrust VPN intercepts data differently on each operating system:

- On Windows platforms, the product intercepts the TDI and NDIS layers
- On Streams-based platforms, it intercepts the TCP, IP, and Socket streams modules
- On BSD-based platforms, it intercepts the protocol switch table and the interface table

The product uses public/private keys for the handshake and for the exchange of the DES key. The public/private key pair size is 1024 bits. eTrust VPN encrypts the payload portion of the TCP/IP packet using DES encryption. It is sold as both a domestic and an export release. The domestic release uses DES-56 encryption, and the export and demonstration releases use DES-40 encryption. When two hosts handshake with each other, they negotiate a DES key size. The rule is to encrypt at the highest level that both hosts support.

The product supports the following encryption algorithms. For the snare secure handshake and for authentication, the software uses the RSA public key cryptosystem with a 1024-bit key. Network traffic is encrypted with 3DES (168-bit DES key), DES-56, or DES-40, depending on the version you purchase. Please note that different export restrictions apply for shipping outside the USA and Canada.

Administration

eTrust VPN generates a new public/private key pair for use during a secure handshake with other hosts. The two hosts exchange public keys and use them to exchange a symmetric encryption key. This method of peer-to-peer key exchange eliminates the need for key management, escrows, or other management overhead. After installing the Administrator, you define security policies for logical groups of your servers. Members are the network servers you have grouped together. All members within a group share the same security policies and have a trust relationship with one another.

The product allows you to define the following security policies for your group:

- Unrestricted network services, allowing access to anyone
- Trusted hosts and groups, which have unrestricted network access
- Untrusted hosts and groups, which have no network access
- The method used to authenticate users
- Whether non-snared (unencrypted) network traffic is allowed
- Whether to perform payload-only encryption or to tunnel encrypted traffic
- Whether UDP traffic will be encrypted
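To make the interaction between these policy types concrete, here is an added example (constructed for this page, not eTrust's own code) that models a group policy and evaluates sample connections against it. The rule precedence, the names "snared"/"non-snared" for encrypted/unencrypted traffic, and the assumption that unrestricted services are reachable by clients without the VPN are all assumptions, not documented product behaviour.

```python
from dataclasses import dataclass

@dataclass
class GroupPolicy:              # the policy types listed on this page (constructed model)
    members: set                # servers in the group; they trust each other
    unrestricted_services: set  # ports open to anyone, even non-VPN clients (assumption)
    trusted: set                # hosts or group names with unrestricted access
    untrusted: set              # hosts or group names with no access
    allow_non_snared: bool      # may unencrypted (non-snared) traffic pass?
    encrypt_udp: bool           # must UDP be encrypted as well as TCP?

@dataclass
class Connection:               # one inbound connection as a member sees it
    src: str                    # remote host name
    src_groups: frozenset       # groups the remote host belongs to
    dst_port: int
    proto: str                  # "tcp" or "udp"
    snared: bool                # was the payload encrypted by the VPN layer?

def evaluate(policy: GroupPolicy, conn: Connection) -> tuple:
    """Return (decision, reason). Precedence is an assumption: untrusted wins,
    then unrestricted services, then member/trusted access, then the snare rule."""
    ids = {conn.src} | set(conn.src_groups)
    if ids & policy.untrusted:
        return "deny", "untrusted host or group"
    if conn.dst_port in policy.unrestricted_services:
        return "allow", "unrestricted service"
    if conn.src not in policy.members and not (ids & policy.trusted):
        return "deny", "restricted service"   # would be a Restricted Services audit event
    must_snare = conn.proto == "tcp" or policy.encrypt_udp
    if must_snare and not conn.snared and not policy.allow_non_snared:
        return "deny", "non-snared traffic not allowed"
    return "allow", ("snared" if conn.snared else "non-snared")

POLICY = GroupPolicy(members={"web1", "app1"}, unrestricted_services={80},
                     trusted={"admins"}, untrusted={"contractors", "kiosk7"},
                     allow_non_snared=False, encrypt_udp=False)

SAMPLE = [  # constructed connections, not real traffic
    Connection("web1", frozenset(), 1521, "tcp", True),                    # member, encrypted
    Connection("laptop3", frozenset({"admins"}), 22, "tcp", True),         # trusted group
    Connection("laptop3", frozenset({"admins", "contractors"}), 22, "tcp", True),  # also untrusted
    Connection("anyone", frozenset(), 80, "tcp", False),                   # unrestricted port
    Connection("anyone", frozenset(), 1521, "tcp", True),                  # restricted port
    Connection("app1", frozenset(), 53, "udp", False),                     # UDP not required to be snared
    Connection("app1", frozenset(), 1521, "tcp", False),                   # member but non-snared TCP
]

def decisions():
    return [evaluate(POLICY, c) for c in SAMPLE]
```

Note that membership in any untrusted group denies the connection even when the host is also in a trusted group, so group membership should be audited before a host is added to a trusted group.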

Authentication

eTrust VPN provides transparent data encryption between hosts. A plug-in architecture lets you integrate any authentication method. The product interoperates with other authentication systems using dynamic login screens, public key repositories, and user credentials. Using it together with an integrated authentication system gives you a robust, secure environment.

Auditing

The Administrator logs security events for each VPN member. In addition, each member and client can log every network connection and whether or not it was encrypted. The following security events can be logged on the Administrator:

- Member events, including invitation, acceptance, rejection, rule update, and failures
- Authentication events, including successful and unsuccessful attempts
- Restricted Services events, including connection attempts


Service Strategies Inc.

2392 Mount Vernon Rd

Dunwoody, GA 30338-3092

678-441-0020   800-662-1615

assist@ssimail.com

Copyright © 1998 - 2002 Service Strategies Inc. All rights reserved.
Revised: October 13, 2003.