Keys to a secret network

Sep 17, 2004

Seclarity's SiNic combines hardware encryption and granular policy management to lock down private LANs

If you want to keep an e-mail message, a file, or a database record private, you encrypt it and you make sure that only authorized users receive the key. Not especially difficult, as long as it involves a single application (such as e-mail), a relatively small amount of data, or only a few users. But how would you bring the same level of security to an entire project or workgroup?

Seclarity’s SiNic makes it nearly as straightforward as installing network interface cards. Boasting such security-conscious users as the National Institutes of Health and the Department of Energy, a SiNic setup consists of only two basic components: a modified 10/100 NIC and a central software management console. Together, they create what is essentially a hardware-based PKI, but only for Windows workstations.

Think of the SiNic as a firewall in every machine. Each is individually programmable, yet fully controlled from a console that provides policy-based security management for users, groups, and machines. Rules and roles are downloaded to each SiNic, so once the user authenticates, the card requires no additional contact with the console station in order to function.

Even better, SiNic’s authentication database can integrate with a local LDAP or RADIUS authentication database, allowing administrators to define a global security policy for every SiNic and then tailor that policy to group, departmental, or even individual needs. Extremely powerful security policies can be designed based on any combination of variables, including location and time.

The system applies rules in a fixed hierarchy: machine rules first, then group rules, then user rules. Services allow inheritance, so a user with no explicit right to a mainframe can still reach it from a computer that does have that right. On the other hand, machine-based policies can also make access highly restrictive: the mainframe could be made reachable only from machines in a secured vault, for example, regardless of who is logged in.

SiNic’s policy granularity extends to encryption. The management console can associate any of the SiNic’s multiple supported encryption methods with different services. For example, Telnet traffic could ride over AES-128 to a specific Unix server without having to use SSH. From the same machine, FTP traffic could ride 3DES to yet another machine. Keep in mind that the protection covers only the path between SiNic-encrypted endpoints: Telnet and FTP still carry credentials in the clear, so this is a substitute for SSH only where the SiNic-encrypted path extends all the way to the server.
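The machine-then-group-then-user hierarchy and the per-service cipher binding described above can be modelled as a small policy resolver. The following is an added illustration, not Seclarity’s own code: the rule format, the tie-breaking (an explicit deny at any level wins, then any allow, including one inherited from the machine, then default deny), the machine, group and user names, and the cipher table are all assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    service: str   # e.g. "telnet", "ftp"
    dest: str      # destination host the rule applies to
    allow: bool    # True = permit, False = explicit deny


# Constructed sample policy (hypothetical names, not taken from the product).
# Rule sets are keyed by machine name, group name and user name respectively.
MACHINE_RULES = {
    "vault-pc-1": [Rule("telnet", "mainframe", True)],   # machine inside the secured vault
    "lobby-pc":   [Rule("telnet", "mainframe", False)],  # machine explicitly barred from the mainframe
    "dev-ws":     [Rule("ftp", "fileserver", True)],
}
GROUP_RULES = {
    "ops":   [Rule("telnet", "mainframe", True)],
    "staff": [Rule("ftp", "fileserver", True)],
}
USER_RULES = {
    "carol": [Rule("ftp", "fileserver", False)],  # personal deny layered over a group allow
}
USER_GROUPS = {"alice": ["staff"], "bob": ["ops", "staff"], "carol": ["staff"]}

# Cipher bound to each (service, destination); "*" is the per-service default.
SERVICE_CIPHERS = {
    ("telnet", "mainframe"): "AES-128",
    ("ftp", "*"): "3DES",
}


def _match(rules, service, dest):
    """Return the first rule for (service, dest) in a rule list, or None."""
    for r in rules:
        if r.service == service and r.dest == dest:
            return r
    return None


def resolve(user, machine, service, dest):
    """Decide whether `user` on `machine` may reach `service` on `dest`.

    Levels are collected in machine -> group -> user order. Combining logic
    (an assumption for this example): an explicit deny at any level is final,
    otherwise the first explicit allow grants access (this is how a user
    inherits a right from the machine), otherwise the default is deny.
    Returns (allowed, level_that_decided).
    """
    levels = [("machine", _match(MACHINE_RULES.get(machine, []), service, dest))]
    for g in USER_GROUPS.get(user, []):
        levels.append((f"group:{g}", _match(GROUP_RULES.get(g, []), service, dest)))
    levels.append(("user", _match(USER_RULES.get(user, []), service, dest)))

    # First pass: any explicit deny wins (machine-based lockdown, personal deny).
    for name, rule in levels:
        if rule is not None and not rule.allow:
            return False, name
    # Second pass: first explicit allow, which may be the machine's (inheritance).
    for name, rule in levels:
        if rule is not None and rule.allow:
            return True, name
    return False, "default"


def cipher_for(service, dest):
    """Pick the cipher the console would bind to this service/destination pair."""
    return SERVICE_CIPHERS.get((service, dest)) or SERVICE_CIPHERS.get((service, "*"))


if __name__ == "__main__":
    for user, machine, service, dest in [
        ("alice", "vault-pc-1", "telnet", "mainframe"),  # inherited from the vault machine
        ("alice", "dev-ws", "telnet", "mainframe"),      # nothing allows it: default deny
        ("bob", "lobby-pc", "telnet", "mainframe"),      # group allows, machine denies
        ("bob", "dev-ws", "telnet", "mainframe"),        # group allows
        ("carol", "dev-ws", "ftp", "fileserver"),        # user deny beats group allow
    ]:
        allowed, why = resolve(user, machine, service, dest)
        verdict = "allow" if allowed else "deny"
        extra = f", cipher {cipher_for(service, dest)}" if allowed else ""
        print(f"{user}@{machine} -> {service}/{dest}: {verdict} ({why}){extra}")
```

The deny-overrides ordering is the conservative choice: it lets a machine rule lock a destination down to the vault even for users whose group would otherwise grant access, while still letting a user with no rule of their own inherit access from the machine they sit at.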

The SiNic is configured like any ordinary NIC. Just install it in every station you wish to bring under the Seclarity security solution. The central console and management station must have not only a SiNic, but a static IP address as well. SiNic supports DHCP addressing on the other workstations in the system, but configuring participating workstations requires knowing their IP addresses, so static addresses are a good idea there too.

For the console, Seclarity requires at least 160MB of free disk space on a Windows 2000 Professional or Windows XP Professional workstation. We installed ours on an HP workstation running a 2.4GHz Intel Pentium 4 with 1GB of RAM and 40GB of hard disk space. During installation, Seclarity deposits not only the management software, but also Microsoft SQL Server, which it uses as the authentication database. Administrators will be well advised to keep this machine patched and to keep the SQL Server instance unreachable from the rest of the network, or suffer dire consequences if the system becomes infected with the likes of Slammer, which spread through unpatched SQL Server 2000 and MSDE installations over UDP port 1434. Finally, to enable communication with all stations in the Seclarity system, the console station automatically generates its own public/private key pair and certificate during installation.

Once you’ve got your console running, it’s time to discover any workstations using SiNics. The system can scan for DHCP-addressed machines on a given subnet using directed broadcasts, even on subnets other than the one where the console resides. The catch is that most routers are configured to drop directed broadcasts, because they are the amplifier in smurf-style DDoS attacks. This is another reason it’s preferable to use static addresses.

You can add users to the SiNic console manually or you can import them from a Primary Domain Controller (NT domains) or Active Directory. At the time of this writing, the system only supported the Active Directory flavor of LDAP and only over the unencrypted port 389 rather than the SSL-enabled LDAPS port 636, so imported credentials and directory data cross the wire in the clear. However, Seclarity has confirmed that LDAP import over SSL will be supported in a future release.

With these capabilities, SiNic-enabled systems could add strong enforcement to any directory-compatible identity management system, but at the moment the product restricts you to Microsoft’s platform. LDAP integration is a “warm” configuration, in that you must import your user database and schedule synchronization; between synchronizations a disabled directory account can still be accepted by the console’s local copy. We’d prefer a “hot” configuration that stores user records in the local database but performs the actual authentication live against the back-end LDAP server.

SiNic not only brings iron-clad security to each workstation, but could also eliminate the need for an Internet firewall for SiNic-equipped hosts; anything without a card (at present, anything that is not a Windows workstation) still needs perimeter protection. And once Seclarity comes out with a wireless card, SiNic could obviate the need for 802.1X/WPA (Wi-Fi Protected Access) rollouts as well. According to the company, both Wi-Fi and gigabit network cards are on the way. Meanwhile, 32-bit PCI 10/100 cards are all that’s available.

Seclarity’s SiNic is an early take on a revolutionary security architecture. While its capabilities are appealing to government, university, and enterprise workgroups that require bulletproof security, the limited hardware and operating system platform support, as well as the console’s hefty price tag, limit its attraction to fairly well-heeled institutions.

The dedicated 10/100 PCI network interface card comes with drivers for Windows 95, Windows 98, Windows ME, Windows NT, and Windows 2000. The platform supports Windows XP, but only using the Windows 2000 driver set. Dedicated XP drivers are a thing of the future. One thing that may daunt some potential customers is that Seclarity’s drivers are neither digitally signed nor Microsoft certified, so Windows 2000 and XP will warn at install time and there is no vendor signature against which to verify the kernel-mode driver binaries, though Seclarity does extensive internal testing.

InfoWorld Scorecard: Seclarity SiNic 1.0

Management (20.0%):       8.0
Value (10.0%):            7.0
Performance (15.0%):      8.0
Interoperability (15.0%): 6.0
Setup (10.0%):            6.0
Security (30.0%):         9.0
Overall Score (100%):     7.7