Employees need access to corporate resources (network drives, servers, etc.) that contain a great deal of sensitive information. Currently this is done by remoting in through unencrypted VNC, but the company would like to move to a VPN solution.
Full of Holes has employees who are always on the road and need a secure way to reach the company's network drives and servers. In today's work environment it is not unusual for employees to log in remotely and do their work as if they were sitting at a local workstation using local network resources. The company currently uses unencrypted VNC to remote in; given the lack of security VNC provides, this puts the company's sensitive information in jeopardy, since the RFB protocol banner, the screen contents and the keystrokes all cross the network in the clear. As an alternative to VNC the company would like to use a Virtual Private Network (VPN) to let employees remote in. A VPN creates a "tunnel" between two endpoints so that all traffic between them is encrypted and authenticated. By implementing a VPN the company can let its clients use the public internet from anywhere in the world and still obtain secure access to the internal network. A VPN also removes the administrative and financial burden of a traditional leased-line wide-area network (WAN) and lets clients be more productive. The following section describes how IPsec and SSL VPNs differ and which best fits the company's needs.
Solution 1 - Internet Protocol Security (IPsec)
Internet Protocol Security (IPsec) operates at the Network Layer of the OSI (Open Systems Interconnection) model and combines encryption with tunneling to secure the data travelling between two endpoints without being tied to any particular application. IPsec does require third-party hardware and software to be installed on the company's network, as well as client software on each remote device (laptops, PDAs) to perform the encryption. Once connected over IPsec, remote clients have access to the internal network and secure access to corporate information as if they were logged in locally. The IPsec hardware and software provide an extra layer of protection for exchanging sensitive information between two employees. By allowing only users with an IPsec client to communicate with the internal network, unauthorized users are kept from reaching the company's information or the internal network. One of the main drawbacks of IPsec is the financial burden of maintaining licenses for the client software, together with the difficulty of installing and configuring that client on every remote machine, especially when an administrator cannot be physically present to do so.
Solution 2 - Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) uses the same tunnel concept as IPsec to connect two computers over an insecure network, but it does not need special client software to be installed on individual PCs. Because SSL is built into every modern browser, no client is needed; the flip side of this dependence on the browser is that an SSL VPN generally works best with web-based applications. An SSL VPN allows finer-grained access control by tunneling to specific applications rather than to the entire corporate network. Additional workarounds may be necessary to let employees reach non-web-based applications, but these add complexity that many organizations may not favor.
Both IPsec and SSL VPNs provide significant security against information breaches and protect sensitive data from eavesdroppers. However, with no client software to install and easy access to the corporate network from anywhere in the world, an SSL VPN is the more desirable solution. Authentication and authorization ensure that only authorized users can reach resources through the SSL VPN, and each user is allowed to access only the resources they are supposed to.
SSL VPNs work differently. They establish connectivity using SSL, which functions at Levels 4-5. They also encapsulate information at Levels 6-7 and communicate at the highest levels in the OSI model. Today, some SSL VPNs are also able to tunnel network level
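The practical difference between the three protocols discussed above is what crosses the wire in the clear, and a migration away from VNC is only complete once no RFB banners are seen on the network any more. The following is an added example, not code from the original page: a small classifier that looks at the first bytes of a connection and tells unencrypted VNC apart from an SSL/TLS VPN handshake and from IPsec IKE. The sample packets are constructed by hand from the public protocol formats (the RFB ProtocolVersion banner, a TLS ClientHello record, an IKEv2 header); the flow tuple shape and the function names are this example's own.

```python
"""Classify the first bytes of a connection as plaintext VNC (RFB), a TLS
handshake (SSL VPN) or IPsec IKE.  Added example; sample packets are
constructed, not captured."""
import struct

IKE_PORTS = (500, 4500)   # well-known IKE / IKE NAT-T ports, used only as a hint


def classify(proto, dst_port, payload):
    """Return 'vnc-plaintext', 'tls-handshake', 'ike' or 'unknown'."""
    if proto == "tcp" and payload.startswith(b"RFB ") and len(payload) >= 12:
        # RFB ProtocolVersion banner (e.g. b"RFB 003.008\n") is sent in the clear,
        # as are the framebuffer updates and key events that follow it.
        return "vnc-plaintext"
    if (proto == "tcp" and len(payload) >= 6
            and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01):
        # TLS record: content type 22 (handshake), major version 3,
        # carrying a handshake message of type 1 (ClientHello).
        return "tls-handshake"
    if proto == "udp" and dst_port in IKE_PORTS:
        body = payload
        if dst_port == 4500 and body[:4] == b"\x00\x00\x00\x00":
            body = body[4:]            # NAT-T: 4-byte non-ESP marker precedes IKE
        if len(body) >= 28:
            (_ispi, _rspi, _next, version, _exch, _flags, _msgid, length) = \
                struct.unpack(">QQBBBBII", body[:28])
            if version in (0x10, 0x20) and length == len(body):
                return "ike"           # 0x10 = IKEv1, 0x20 = IKEv2
    return "unknown"


def audit(flows):
    """Flows that must not exist once VNC is retired.  Each flow is a
    (proto, dst_port, first_bytes) tuple; the offending ones are returned."""
    return [f for f in flows if classify(*f) == "vnc-plaintext"]


# Constructed samples
VNC_BANNER = b"RFB 003.008\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
IKE_SA_INIT = struct.pack(">QQBBBBII",
                          0x1122334455667788, 0,  # initiator SPI, responder SPI (0: new SA)
                          33,                     # next payload: SA
                          0x20,                   # IKEv2
                          34,                     # exchange type: IKE_SA_INIT
                          0x08,                   # flags: initiator
                          0,                      # message ID
                          28)                     # length (header only in this sample)

if __name__ == "__main__":
    for flow in [("tcp", 5900, VNC_BANNER), ("tcp", 443, TLS_CLIENT_HELLO),
                 ("udp", 500, IKE_SA_INIT),
                 ("udp", 4500, b"\x00\x00\x00\x00" + IKE_SA_INIT)]:
        print(flow[0], flow[1], classify(*flow))
    print("violations:", audit([("tcp", 5900, VNC_BANNER)]))
```

Feed it the first packet of each new flow from a capture and anything reported by audit() is a VNC session that bypassed the VPN. Note that a VNC session carried inside the VPN tunnel is invisible to this check, which is exactly the point: on the wire it looks like TLS or ESP.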
Problem 1 Overview
Full of Holes currently has 3 servers whose Secure Sockets Layer (SSL) certificates are close to expiry. In addition, given the company's unstable relationship with its current vendor, VeriSign, it would like to sign a new vendor to issue the SSL certificates for the following web sites: https://store.fullofholes.com, http://mail.fullofholes.com and http://portal.fullofholes.com. The company also does not want any subsidiary of VeriSign to issue the certificates for the 3 servers. SSL, as we learned, is an encryption protocol that provides a secure communication link over a network such as the internet. SSL plays a key role in today's business, as many transactions are done over the internet and much sensitive information is transferred across the web. Securing that information to avoid data breaches is therefore essential for a business to maintain privacy and its reputation. Many websites today provide a secure connection, indicated by a closed lock symbol in the browser or by an SSL provider's logo upon entering a secure zone. It is imperative for Full of Holes to have SSL certificates on its 3 servers to ensure safe communication between the company's servers and its clients. An SSL certificate binds the server's identity to a public key, and the server keeps the matching private key. As we learned in class, the public key is used to encrypt information and the private key is used to decrypt it. The SSL process starts with the client sending a request to the secure socket; the server responds with its SSL certificate, like a handshake gesture. The client then generates the session key seed, encrypts it with the server's public key and sends it over, so that only the holder of the private key can recover it. All further communication between the two nodes is encrypted with the session key, which is why a valid SSL certificate is so important.
Solution 1 - Comodo
Comodo, founded by Melih Abdulhayoglu in 1998, is a privately owned company producing computer security products such as SSL certificates. Melih organized and arranged the first meeting of the Certification Authority Browser Forum (CA/Browser Forum), established to set end-to-end authentication and security business procedures. Comodo provides a wide range of certificate profiles, such as Organization Validation (OV), Domain Validation (DV) and Extended Validation (EV). To ensure that the Comodo Certification Authority (CA) provides the highest level of authentication, it undergoes an annual WebTrust audit by Ernst & Young. Its EV multi-domain certificates follow the CA/Browser Forum EV guidelines and support sessions with up to 256-bit encryption (the symmetric cipher strength is negotiated between browser and server; the certificate itself carries the server's public key and the CA's signature). An EV Multi-Domain certificate can be purchased for $1699.50/yr, which covers 3 domains with EV. EV adds an additional layer of trust by turning the browser address bar green every time a customer enters the secure area of your website. Comodo uses the UTN-USERFIRST
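The overview raises three concrete questions that can be checked mechanically: how soon each certificate expires, whether one certificate covers all three host names, and whether the issuer is VeriSign or a VeriSign brand. The following is an added example, not code from the original page, written against the dictionary form that Python's ssl.SSLSocket.getpeercert() returns. The sample certificate, its dates and the issuer names are constructed for the example; the blocked-issuer list is a simple substring match and is an assumption of this example (VeriSign-owned brands would have to be added to it by hand). The fetch_cert() helper is the live variant and needs network access; the checks themselves run offline.

```python
"""Offline checks on a server certificate (getpeercert() dict shape).
Added example; SAMPLE_CERT is constructed, not a real certificate."""
import socket
import ssl
import time

WANTED_HOSTS = ["store.fullofholes.com", "mail.fullofholes.com",
                "portal.fullofholes.com"]
BLOCKED_ISSUERS = ("verisign",)   # assumption: substring match on issuer RDNs

# Constructed sample: covers only two of the three hosts, issued by VeriSign.
SAMPLE_CERT = {
    "subject": ((("commonName", "store.fullofholes.com"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),
               (("commonName", "VeriSign Class 3 Example CA"),)),
    "notBefore": "Mar 16 00:00:00 2010 GMT",
    "notAfter": "Mar 15 23:59:59 2011 GMT",
    "subjectAltName": (("DNS", "store.fullofholes.com"),
                       ("DNS", "mail.fullofholes.com")),
}


def days_until_expiry(cert, now_epoch=None):
    """Whole days left before notAfter; negative once the certificate has expired."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    expires = ssl.cert_time_to_seconds(cert["notAfter"])   # epoch seconds, UTC
    return int((expires - now_epoch) // 86400)


def covered_names(cert):
    """DNS names the certificate is valid for: the SAN list, else the CN."""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if not names:
        names = {v for rdn in cert["subject"] for k, v in rdn if k == "commonName"}
    return names


def missing_hosts(cert, wanted=WANTED_HOSTS):
    """Hosts from the wanted list that this certificate does not cover."""
    return sorted(h for h in wanted if h not in covered_names(cert))


def issuer_blocked(cert, blocked=BLOCKED_ISSUERS):
    """True if any blocked vendor name appears in the issuer's RDNs."""
    issuer = " ".join(v for rdn in cert["issuer"] for _, v in rdn).lower()
    return any(b in issuer for b in blocked)


def fetch_cert(host, port=443, timeout=5):
    """Live variant: perform a TLS handshake and return the peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("days left     :", days_until_expiry(SAMPLE_CERT))
    print("not covered   :", missing_hosts(SAMPLE_CERT))
    print("blocked issuer:", issuer_blocked(SAMPLE_CERT))
```

Replace SAMPLE_CERT with fetch_cert("store.fullofholes.com") and the same three functions report on the live certificate; run it for each of the three hosts, since a certificate that covers store and mail but not portal is exactly the kind of gap that a multi-domain purchase is meant to close.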
Solution 2 - GlobalSign
GlobalSign, an alternative to VeriSign, provides service all around the world with a simplified variety of SSL certificates. Similar to Comodo, GlobalSign's offering is broken down into 3 classes, Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV), an approach designed to make the decision easier and eliminate the time and frustration of finding the right certificate. GlobalSign is WebTrust-accredited as a Certificate Authority and provides publicly trusted, X.509-compliant SSL certificates, including the newer EV SSL (Extended Validation) certificates, plus S/MIME and code-signing certificates for use on all popular platforms. Its Server-Gated Cryptography (SGC) certificates allow strong SSL encryption of up to 256 bits depending on the web browser, operating system and host server; SGC lets a web server step an old export-restricted 40-bit browser up to a 128-bit encrypted connection. GlobalSign's certificates are issued with a 2048-bit RSA key and a SHA-1 with RSA signature. Note that the signature algorithm protects the integrity of the certificate itself, while the session encryption strength is negotiated separately; SHA-1 as a certificate signature algorithm is now considered weak and browsers have moved to SHA-256, so the company should confirm that whichever vendor it chooses issues SHA-256-signed certificates. Even though most of this is transparent to end users, they know that appropriate security measures are taken to keep their information from falling into the wrong hands.
Having an SSL certificate plays a key role in today's business, especially when a great deal of business is conducted over the internet. By taking appropriate security measures, many of the threats encountered on the internet today can be eliminated to a great degree. Choosing a good SSL certificate that not only provides encrypted communication but also uses the strongest available algorithms to protect privacy is essential to gaining customers' trust in Full of Holes. After comparing the two SSL certificate providers, I would recommend that Full of Holes use the Comodo EV Multi-Domain SSL Certificate. Not only does Comodo's EV Multi-Domain certificate support session encryption of up to 256 bits and cover all three hosts in a single certificate, it also ensures data is well protected from one node to another. Across the many SSL certificate companies, those providing Extended Validation certificates are most likely to offer the same high-assurance protection against information breaches.
Problem 1 Overview
Communication has become an essential part of doing business today. Flexibility in the workplace allows employees to work from off-site locations, including across the world. Keeping in touch with co-workers and clients in real time can simplify communication and save time and money for the various companies. Instant messengers have always been in demand and continue to grow. There are numerous types of instant messenger available, from Yahoo Messenger, MSN Messenger, Gtalk, AIM, Skype and so on to the messengers integrated into social networks (Facebook and Myspace). However, it is important for businesses to consider the key items below when selecting the one that fits their business:
Authentication - allowing only corporate users to log in
Security - secure sign-on, digital signatures and encryption
Anti-Virus - to prevent malware while transmitting files between users
Chat Logs - making sure IM is not being abused by employees
Special features - these can vary from centralized administration to VoIP or even broadcasting a message to an entire group
Administration - controlling tools for authentication and privileges
Currently the employees at Full of Holes are using multiple different IM clients, which is not a secure way to communicate and exposes the company's information.
Solution 1 - IBM Lotus Sametime
IBM Lotus Sametime Instant Messenger has many features that can benefit the company's communication needs with its clients and co-workers. Real-time communication, video and voice conferencing and effective collaboration with others provide great benefits to the company. Configuring SSL on the LDAP connection creates a secure link and proper encryption/decryption of the confidential directory traffic, and the LDAP server authenticates users, ensuring that only authorized users have access to the communication tools. Sametime's message encryption uses RC2 with a 128-bit key; RC2 is a 64-bit block cipher with a variable-size key (designed by Ron Rivest at RSA Data Security rather than by Lotus), and the keys are established with Diffie-Hellman, which allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communication channel. Easy integration with Microsoft Outlook makes contacts and calendar events easy to view and organize. Given today's cell phone technology, Sametime can also be configured for use on many phones, making it easier to communicate with peers at any time. Pricing runs at $38 per registered user or $25,700 per processor for unlimited extranet use.
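The Diffie-Hellman agreement described above is easy to show end to end. The following is an added example, not code from the original page and not Sametime's actual key-establishment code: a finite-field Diffie-Hellman exchange in which each side sends only its public value, followed by derivation of a 128-bit key (the RC2 key size Sametime uses; RC2 itself is not in the Python standard library, so the example stops at the key). The modulus is the 2048-bit MODP group 14 from RFC 3526, transcribed here and sanity-checked with Miller-Rabin; the HKDF-style key derivation, the validate_peer() check and the function names are assumptions of this example.

```python
"""Diffie-Hellman over RFC 3526 group 14 with both sides' messages and a
128-bit derived key.  Added example; not Sametime's own scheme."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit safe prime, generator 2 (transcribed from the RFC).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2          # order of the subgroup generated by G for a safe prime


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used to sanity-check the transcribed modulus and Q."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keypair():
    """Random private exponent (256 bits suffices for a 2048-bit group) and public value."""
    priv = secrets.randbelow(2 ** 256 - 2) + 2
    return priv, pow(G, priv, P)


def validate_peer(public):
    """Reject degenerate or small-subgroup values that would force a predictable secret."""
    return 1 < public < P - 1 and pow(public, Q, P) == 1


def shared_secret(priv, peer_public):
    """The value both sides compute: peer_public ** priv mod P."""
    if not validate_peer(peer_public):
        raise ValueError("invalid peer public value")
    return pow(peer_public, priv, P)


def derive_key(secret, length=16, info=b"sametime-demo"):
    """HKDF(SHA-256) extract-then-expand of the shared secret (assumed KDF, not Sametime's)."""
    ikm = secret.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()
    return okm[:length]


def exchange():
    """Run the protocol: Alice -> Bob: a_pub; Bob -> Alice: b_pub; both derive a key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    k_alice = derive_key(shared_secret(a_priv, b_pub))
    k_bob = derive_key(shared_secret(b_priv, a_pub))
    return k_alice, k_bob


if __name__ == "__main__":
    ka, kb = exchange()
    print("keys match:", ka == kb, "key:", ka.hex())
```

The caveat a practitioner should keep in mind is that a bare exchange like this one is unauthenticated: anyone who can sit between the two parties can run a separate exchange with each of them. That is why Sametime ties the exchange to LDAP-authenticated logins, and why the example rejects public values outside the prime-order subgroup before using them.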
Solution 2 - Microsoft Office Communicator
Microsoft Office Communicator is another popular instant messenger used by many businesses today and offers a variety of features: instant messaging with others in different locations or time zones, Voice over IP (VoIP) and video conferencing, to name a few. Integration with the programs across the Microsoft Office suite, such as Outlook, makes it easy to manage and update one's status based on calendar events. Communication between users is established through the Microsoft Communicator server, which keeps communication secure and allows only authorized users access to the appropriate communication tools. Communicator uses Interactive Connectivity Establishment (ICE) for Network Address Translation (NAT) traversal and Transport Layer Security (TLS) to encrypt communication both inside and outside the corporate network. The TLS cryptographic protocol provides security over a network such as the internet by encrypting the connection at the Transport Layer between the two endpoints of each connection. TLS also provides endpoint authentication and communication confidentiality over the internet, and supports RSA keys of 1024- and 2048-bit strength; 2048-bit should be chosen, since 1024-bit RSA is no longer considered adequate.
After comparing the products and reviewing the benefits of a secure instant messenger for Full of Holes' 200 employees, I think Microsoft Office Communicator would best fit the needs. Communicator provides effective security to keep communication private, and its out-of-the-box functionality, from VoIP and video/audio conferencing to desktop sharing, provides great tools that can be used to cut costs. Office packages with volume licensing are available through Microsoft and can help reduce cost and provide more benefit for the company's needs. The company can also take advantage of features like video conferencing and file transfer between peers.