EnSAFE - End System Suraksha Framework.

by admin last modified 2011-06-29 19:21

A Security Framework to protect end systems. The Centre for Development of Advanced Computing, Hyderabad, with support from the Department of Information Technology, Government of India, developed a transparent security solution titled “EnSAFE”, an End System Suraksha Framework. This solution provides security for all TCP based applications in closed user groups. Its primary objective is to protect end systems from evolving internal security threats. One of the design goals is to let organizations deploy EnSAFE without disturbing existing applications, while adding security features transparently to their operations.


What is EnSAFE?

EnSAFE is an integrated end system based security solution. It provides role based network access control at the end system level, authenticates each end system based on a signature generated from its various hardware and software parameters, and establishes a secure channel for TCP based client-server applications.

 

EnSAFE Architecture:

EnSAFE is designed using a client-server architecture. The Server component is installed on one system in the network, whereas the Client component is installed on every system in the network. This is an Intranet based security solution.

 

Architecture Diagram of EnSAFE is given below:

[Architecture diagram: ensafe3.jpg]

 

 


Salient Features:

  1. End to End Security

  2. Application Transparent

  3. Confidentiality and Integrity for Network Communication

  4. Session wise Key Exchange

  5. Machine Authentication

  6. Role Based Network Access Control

  7. Multi-layered Defense

  8. Plug-in support for Crypto Algorithms

  9. Plug-in support for User Authentication mechanisms

  10. Provides Security for all TCP based applications

  11. Runs on Windows and Linux

  12. Easy to use and administer

  13. Indigenous Technology

Functional Components of EnSAFE:

1.1 Network Access Control System (NACS):

1.2 Machine Authentication System (MAS):

1.3 Transparent Encrypted Communication System (TECS):

1.4 Other services of EnSAFE

1.5 Benefits of EnSAFE

 

 

1.1. Network Access Control System (NACS):

This module helps in controlling access to different network services at the end system level. It protects the end system from Intranet threats. It inspects both incoming and outgoing packets, ensuring that only legitimate traffic is allowed, based on defined policies.

Filtering rules at the end system level can be fine tuned based on the following:
1. Protocols (TCP, UDP and ICMP)
2. Source and destination IP addresses
3. Source and destination ports
4. Roles assigned to the clients

1.1.1 Role based Access control:

NACS provides support for role based access to network services. Role based access control allows the system administrator to define privileges for network services and bind them to roles. Users are then bound to roles. This provides flexibility in user management.
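As an added illustration (not EnSAFE's own code or policy format), the following Python evaluates end-system filtering rules keyed on protocol, source and destination address, destination port and role, with first-match semantics and a default deny. The policy, hosts and role assignments are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "ANY"
    src: str = "0.0.0.0/0"           # CIDR; default matches every source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None: any destination port
    roles: FrozenSet[str] = frozenset()   # empty: rule applies to every role

    def matches(self, pkt: Packet, role: str) -> bool:
        return ((self.proto == "ANY" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.roles or role in self.roles))


def evaluate(rules, pkt: Packet, role: str) -> str:
    """First matching rule wins; anything unmatched is dropped at the end system."""
    for rule in rules:
        if rule.matches(pkt, role):
            return rule.action
    return "deny"


# Constructed policy: admins may SSH to the server subnet, everyone may reach the
# intranet web server, ICMP is allowed, everything else is denied.
POLICY = [
    Rule("allow", "TCP", dst="10.0.1.0/24", dport=22, roles=frozenset({"admin"})),
    Rule("allow", "TCP", dst="10.0.1.10/32", dport=80),
    Rule("allow", "ICMP"),
]
USER_ROLES = {"alice": "admin", "bob": "staff"}   # constructed user-to-role binding


def check(user: str, pkt: Packet) -> str:
    """Resolve the user's role, then apply the end-system policy to the packet."""
    return evaluate(POLICY, pkt, USER_ROLES.get(user, "guest"))
```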

1.1.2 Network Access Control System Log (NACS Log):

The NACS Log records information about the flow of packets into and out of each end system.

 

1.1.3 Activity Log:

The Activity Log maintains two logs, Client Log and the Server Log. The Client Log keeps track of the activities carried out at the Client Console. The Server Log keeps track of the activities carried out at the Administrator Console.

 

1.2 Machine Authentication System (MAS):
This module helps in authenticating an end system based on a signature generated from various hardware and software parameters of the end system. The signature is generated from any one, or a combination, of the following parameters.

1. CPU Parameters
2. OS Parameters
3. RAM Parameters
4. Hard Disk Drive Parameters
5. Network Information

1.2.1 Machine Authentication based on Signature:

Every end system has to register its signature at the Server. Once registered, whenever the end system tries to use a TCP application, its signature is generated on the fly and verified against the value registered at the Server. In case of any deviation from the registered value, the connection is aborted.

1.2.2 Flexibility in choosing parameters for different end systems:

The parameters used for computing the signature can be set separately for each end system through policies.
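An added Python model (not EnSAFE's own code) of the registration and verification flow of 1.2.1 together with the per-system parameter selection of 1.2.2: the Server stores which parameters each end system's signature covers, records the signature at registration and recomputes it when a connection is attempted. The inventory values, and SHA-256 over canonical JSON as the signature function, are constructed assumptions.

```python
import hashlib
import json

# Constructed inventory of one end system; a real agent would read these from the OS.
HOST_A = {
    "cpu": {"vendor": "GenuineIntel", "model": "Core i5", "cores": 4},
    "os": {"name": "Linux", "version": "2.6.38"},
    "ram": {"size_mb": 4096},
    "hdd": {"serial": "WD-CONSTRUCTED-0001"},
    "net": {"mac": "00:11:22:33:44:55"},
}


def compute_signature(inventory: dict, parameters) -> str:
    """Hash the canonical form of only the parameters the policy selects for this system.
    SHA-256 over canonical JSON is an assumption, not EnSAFE's published scheme."""
    selected = {k: inventory[k] for k in sorted(parameters)}
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class Server:
    def __init__(self):
        self.policies = {}      # host id -> parameters covered by its signature
        self.registered = {}    # host id -> signature recorded at registration

    def set_policy(self, host_id: str, parameters) -> None:
        self.policies[host_id] = tuple(parameters)

    def register(self, host_id: str, inventory: dict) -> None:
        self.registered[host_id] = compute_signature(inventory, self.policies[host_id])

    def verify(self, host_id: str, inventory: dict) -> bool:
        """Recompute the signature on the fly and compare with the registered value."""
        fresh = compute_signature(inventory, self.policies[host_id])
        return fresh == self.registered.get(host_id)


def connect(server: Server, host_id: str, inventory: dict) -> str:
    """Outcome of a TCP application session attempt: any deviation aborts it."""
    return "connected" if server.verify(host_id, inventory) else "aborted"
```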

 

1.3 Transparent Encrypted Communication System (TECS):

This module provides security features for data in transit, such as encryption, integrity, cipher suite negotiation and key setup.

 

1.3.1 Session-Wise Negotiation of Cryptographic Algorithm IDs and Keys

Cryptographic algorithm IDs and keys are negotiated for every TCP application session. Currently the solution uses the Blowfish algorithm for application data encryption. The SHA-1 algorithm is used for the integrity check and the Diffie-Hellman key exchange algorithm is used for key setup.
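An added sketch in Python (not EnSAFE's implementation) of the per-session negotiation: the two endpoints agree on a cipher-suite ID from their preference lists, run Diffie-Hellman over a toy group, derive a fresh session key and use it for the integrity tag. The suite IDs, the toy group, SHA-1 key derivation and HMAC-SHA1 as the integrity construction are assumptions; the Blowfish data-encryption step is omitted because it is not in the Python standard library.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (2^127-1 is prime; not a production group).
P = (1 << 127) - 1
G = 2

# Constructed cipher-suite registry; the IDs are not EnSAFE's real identifiers.
SUITES = {0x01: "blowfish-cbc/sha1", 0x02: "aes-cbc/sha256"}


class Endpoint:
    def __init__(self, name: str, supported):
        self.name = name
        self.supported = list(supported)          # preference-ordered suite IDs
        self._priv = secrets.randbelow(P - 2) + 1  # fresh per session
        self.pub = pow(G, self._priv, P)
        self.suite = None
        self.session_key = None

    def negotiate(self, peer_supported):
        """Pick our most preferred suite that the peer also supports."""
        for sid in self.supported:
            if sid in peer_supported:
                self.suite = sid
                return sid
        raise ValueError("no common cipher suite")

    def derive_key(self, peer_pub: int) -> bytes:
        shared = pow(peer_pub, self._priv, P)
        # Reduce the shared secret to a fixed-length session key (assumed KDF).
        self.session_key = hashlib.sha1(shared.to_bytes(16, "big")).digest()
        return self.session_key

    def tag(self, data: bytes) -> bytes:
        return hmac.new(self.session_key, data, hashlib.sha1).digest()

    def verify(self, data: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.tag(data), tag)


def run_session(client_suites, server_suites, message: bytes):
    """One session: negotiate suite, exchange DH public values, tag and verify a message.
    Returns (suite id, tag verified, tag verified after tampering, session key)."""
    client, server = Endpoint("client", client_suites), Endpoint("server", server_suites)
    suite = client.negotiate(server.supported)
    server.negotiate([suite])                      # server confirms the client's choice
    ck, sk = client.derive_key(server.pub), server.derive_key(client.pub)
    assert ck == sk                                # both sides hold the same session key
    t = client.tag(message)
    return suite, server.verify(message, t), server.verify(message + b"x", t), ck
```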


1.3.2 End-to-End Encryption

Confidentiality is supported by encrypting the data in transit.

 

1.3.3 Integrity

Whenever data flows between two clients, this feature ensures that the data is not manipulated by any internal or external intruders.

 

1.3.4 Support for Pluggable Cryptographic Algorithms

User specific cryptographic algorithms can be plugged into EnSAFE, provided these algorithms are designed using the crypto API specifications of EnSAFE.

 

1.4 Other services of EnSAFE

1.4.1 Policy Manager:

The Policy Manager feature aids in adding, modifying, enabling, disabling and deleting the following types of policies.

1. Network Access Control Policies
2. Registration Policies
3. Encryption Policies


1.4.2 Centralized Administration:

Centralized administration allows quick administration of networks with a large number of computers, and is especially targeted at system administrators.

 

1.4.3 Automatic Policy Updation:

This solution supports an automatic policy updating feature which periodically pushes the policies specific to each end system.

 

1.4.4 Application Transparency:

EnSAFE functionality is designed by interfacing with the transport layer functionality, which makes it application transparent.

 

1.4.5 Runs on Windows and Linux:

This solution is implemented for Windows and Linux operating systems and is interoperable between them.

 

Deployment Diagram of EnSAFE is given below:


1.5 Benefits of EnSAFE

1.5.1 Provides Security to End-to-End Systems and their Communications

1.5.2 Provides three level Authentication

1. User Authentication
2. Network Packet Authentication
3. Machine Authentication

1.5.3 Provides Transparent Security to the Application's communication
1. Encrypted communication
2. Integrity of data on move
3. Session wise key exchange

1.5.4 Provides the Central Administration Console for Policy formulation and Enforcement for all the EnSAFE agents.

1.5.5 Provides the centralized controlled distributed firewall to control the unwanted traffic from the End-Systems