Computer and Network Security
Overview
As required by the Sarbanes-Oxley Act of 2002, this paper provides a description of computer and network security at Realtime, from the standpoint of how security affects users of the system. The security architecture described in this paper was developed with the following objectives in mind:
- Ironclad protection of systems and data.
- Transparency, with minimal inconvenience for users.
- Sufficient flexibility to interoperate smoothly with all customer requirements and architectures.
The newest server (S7) was built from the ground up to support these goals, and required more than a year of preparation before it was deemed ready to be used online.
Encryption
Three different methods of encryption are supported:
- IPSec (Internet Protocol Security). A security architecture developed by the Internet Engineering Task Force which supports all network services.
- SSL (Secure Sockets Layer). An encryption system designed by Netscape, used primarily for encrypting web pages, and pre-installed in all web browsers.
- SSH (Secure SHell). An encryption system originally developed at Helsinki University and later upgraded by the Internet Engineering Task Force. SSH was originally used for encrypting character data in Unix systems, although it now supports most network services.
Although all three methods of encryption are fully supported by Realtime, each approach has advantages and disadvantages. IPSec is far more complex to install and troubleshoot than the other methods of encryption, and is only recommended for communication between corporate offices equipped with Cisco routers. Realtime only supports IPSec based on Cisco routers which are supported either by Realtime or by a company specializing in network management. All Realtime software has options which allow it to be used without IPSec. SSL is the most convenient method of encryption because it is built into all web browsers. However, it only works for web pages. Things such as file transfers and report printing can be built into web pages, but require additional mouse clicks and training on the part of users. SSH is the most convenient way to gain console access to Realtime (using SecureCRT), and can also be used for other purposes.
Password Policies
When new passwords are created, they are checked against certain rules, such as being 8 characters or more and containing at least one non-alphabetic character. These rules, however, do not guarantee that passwords can't be "cracked", because password guessing software has improved dramatically over the last few years. Periodically, passwords are analyzed by password cracking software, and users with insecure passwords are asked to select new ones. Standard password policies for users who work in a corporate office, or have access to company data, are:
- Passwords must be changed at least once every 6 months.
- The time between password changes must not be less than 3 days.
- Passwords may not be reused. The system automatically maintains a list of the last 10 passwords which were used, and doesn't allow any password to be used if it is already on the list.
- A warning is issued 14 days before a password is due to expire.
- Accounts are locked if they haven't been used for 45 days.
- Accounts are locked if a user tries to log into the system more than 20 times with an incorrect password.
However, there are several factors which influence password policies:
- Customer security policies.
- Existence of authentication methods other than passwords.
- Restrictions regarding what an account can do.
- Systems which can detect and prevent potential brute force password guessing attacks.
Certain kinds of login attempts, which bear the unmistakable signature of malicious intent, will cause a remote computer to be permanently blocked, so that it can't access any Realtime services, including web pages and email. On the other end of the spectrum, computers in restaurants which are known to reside in locked rooms and have static IP addresses, with IP address checking activated, and which can only access specific web pages, are rarely required to change passwords.
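The standard account rules above, as an added Python example that is not Realtime's code: it refuses a password change that breaks the composition, minimum-age or reuse rules, and reports an account as locked, expired or in its warning window at login. The 6-month maximum age is assumed to be 180 days, and keeping a salted hash of the last 10 passwords is an assumed way to implement the reuse list.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

# Limits from the Password Policies section; "6 months" is assumed to be 180 days.
MIN_LENGTH, HISTORY_SIZE, MAX_FAILED_LOGINS = 8, 10, 20
MIN_AGE, MAX_AGE = timedelta(days=3), timedelta(days=180)
WARN_BEFORE, INACTIVITY_LOCK = timedelta(days=14), timedelta(days=45)

@dataclass
class Account:
    salt: str                     # per-account salt for the reuse history
    last_change: date
    last_login: date
    failed_logins: int = 0
    history: list = field(default_factory=list)   # salted hashes, newest last

def fingerprint(password: str, salt: str) -> str:
    # Salted hash kept for reuse checks, so no plaintext history is stored.
    return hashlib.sha256((salt + password).encode()).hexdigest()

def composition_ok(password: str) -> bool:
    """8 or more characters and at least one non-alphabetic character."""
    return len(password) >= MIN_LENGTH and any(not c.isalpha() for c in password)

def change_password(acct: Account, new_password: str, today: date) -> str:
    """Apply a change request; return "ok" or the reason it is refused."""
    if not composition_ok(new_password):
        return "refused: too short or no non-alphabetic character"
    if today - acct.last_change < MIN_AGE:
        return "refused: changed less than 3 days ago"
    fp = fingerprint(new_password, acct.salt)
    if fp in acct.history[-HISTORY_SIZE:]:
        return "refused: one of the last 10 passwords"
    acct.history = (acct.history + [fp])[-HISTORY_SIZE:]
    acct.last_change = today
    return "ok"

def login_status(acct: Account, today: date) -> str:
    """Account state at login time: locked, expired, warning or ok."""
    if acct.failed_logins > MAX_FAILED_LOGINS:
        return "locked: more than 20 failed logins"
    if today - acct.last_login > INACTIVITY_LOCK:
        return "locked: unused for more than 45 days"
    age = today - acct.last_change
    if age > MAX_AGE:
        return "expired: password older than 6 months"
    if age >= MAX_AGE - WARN_BEFORE:
        return f"warning: expires in {(MAX_AGE - age).days} days"
    return "ok"
```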
Network Blocking Policies
Realtime uses a variety of network intrusion detection and prevention techniques - some based on commercial software, and some based on software created by Realtime to deal with specific security issues. A variety of activities are monitored both on the network and the server, and these activities can be classified, in general terms, as:
- Unmistakably hostile
- Suspicious, and
- Normal
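As an added Python example (not Realtime's detection software), the following applies this section's three-way classification and blocking rules to constructed log lines: a connection announcing an outdated SSH protocol is hostile and blocked permanently, a burst of mail to unknown recipients from one source is suspicious, and suspicious traffic from a known customer address is paged to support instead of being blocked. The syslog-like line format, the addresses and the threshold are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed example data, not Realtime's: one customer address range, the SSH
# protocol versions treated as insecure, a bad-recipient threshold, and an
# invented syslog-like line format matched by the two regexes.
CUSTOMER_NETS = [ip_network("192.0.2.0/24")]
INSECURE_SSH_PROTOCOLS = {"1.3", "1.5"}       # SSH protocol 1 variants
INVALID_RCPT_THRESHOLD = 5                      # unknown recipients per source
SSH_RE = re.compile(r"sshd.* from (\S+): client banner SSH-([\d.]+)-")
SMTP_RE = re.compile(r"smtpd.* from (\S+): unknown recipient")

def classify(lines):
    """Return {source_ip: "hostile" | "suspicious" | "normal"}."""
    verdict, bad_rcpts = {}, Counter()
    for line in lines:
        if m := SSH_RE.search(line):
            ip, proto = m.groups()
            # An SSH-1 banner is only seen from someone probing for old servers;
            # a later SSH-2 connection does not clear an earlier hostile verdict.
            verdict[ip] = "hostile" if proto in INSECURE_SSH_PROTOCOLS else verdict.get(ip, "normal")
        elif m := SMTP_RE.search(line):
            ip = m.group(1)
            bad_rcpts[ip] += 1
            verdict.setdefault(ip, "normal")
    # Many unknown recipients from one source looks like address guessing.
    for ip, n in bad_rcpts.items():
        if n >= INVALID_RCPT_THRESHOLD and verdict[ip] != "hostile":
            verdict[ip] = "suspicious"
    return verdict

def action(ip: str, cls: str) -> str:
    """Hostile sources are blocked for good; suspicious traffic from a customer
    address is paged to a support person instead of being auto-blocked."""
    if cls == "hostile":
        return "block permanently"
    if cls == "suspicious":
        is_customer = any(ip_address(ip) in net for net in CUSTOMER_NETS)
        return "page support" if is_customer else "block temporarily"
    return "allow"

SAMPLE_LOG = (  # constructed lines
    ["sshd[311]: connection from 203.0.113.9: client banner SSH-1.5-probe",
     "sshd[312]: connection from 198.51.100.4: client banner SSH-2.0-OpenSSH_4.3"]
    + ["smtpd[77]: mail from 198.51.100.20: unknown recipient"] * 6
    + ["smtpd[78]: mail from 192.0.2.15: unknown recipient"] * 6)

def decisions(lines=SAMPLE_LOG):
    """Map every source seen in the log to the action the policy takes."""
    return {ip: action(ip, cls) for ip, cls in classify(lines).items()}
```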
An example of unmistakably hostile activity would be an attempt to connect to Realtime using an older version of SSH encryption which is known to be insecure. The only explanation of why anyone might want to use the old encryption techniques would be that they were fishing for a vulnerable system, so such activity is classified as hostile. An example of a suspicious activity is network traffic from a single source which is much heavier than usual, for instance the receipt of a large number of emails with invalid email addresses. This probably indicates that a spammer is running a brute-force attempt at guessing email addresses. IP addresses which are the source of hostile activities are automatically blocked, more-or-less permanently. Some kinds of suspicious activities may be automatically blocked (temporarily or permanently), unless they originate from an IP address which is known to belong to a customer. If suspicious activity exists but has not been blocked automatically, a support person is immediately paged, and a decision is made by a human being regarding how to handle the problem.
Email Policies
Spam volume has increased 73% in the last 3 months (see http://informationweek.com/news/showArticle.jhtml?articleID=196602463), with no end in sight. Blacklists are becoming less effective because of the large number of computers (approximately a million) which have been hijacked and turned into spam robots. Filters which scan the content of email (e.g. Bayesian filters) are also becoming ineffective because spammers are hiding their sales pitches in JPEG images, which cannot be interpreted by software. Currently, about 75% of incoming email is rejected based on blacklists. When email is rejected due to a blacklist, the sender is always notified and given the option to go to a web site where he can put himself on a whitelist.
Content-based filtering can also be turned on by individual users, which results in spam being routed to a spam folder on the server instead of the inbox. In addition to the content-based filtering available on the mail server, it is also possible to set up most PC mail programs to do content-based filtering locally. This can sometimes be helpful, because the software can be trained to recognize the specific kinds of spam which most often affect that particular user. However, all kinds of content-based filtering require users to check spam folders for email which might have been routed there by mistake ("false positives"). Other, more drastic strategies have been talked about in various discussion groups, and may get more attention in the industry if the spam problem continues to escalate.
Known Vulnerabilities
Probably the biggest vulnerability for any server on the Internet is a denial-of-service attack which simply overwhelms the system with more traffic than it can handle. This threat is mitigated at Realtime by a very large margin of spare Internet bandwidth, plus redundant Internet connections. Additional protection is provided both by firewalls and by the server, which can detect and, if necessary, block malicious traffic. In the last year, there has been a bug in Internet Explorer which caused it to issue spurious SSL web page requests at a rate of about 900 requests per second. This traffic doesn't get blocked automatically because it originates from a customer's computer. Luckily, the bug appears to have been fixed recently. However, if it should reappear, Realtime's policy will be to manually block the remote computer for 10 seconds (which stops the requests), and then notify the customer. The only other known vulnerability is email viruses. Virus definitions used for email are updated every three hours, and most computers which are infected with viruses also get added to email blacklists.
However, a small number of viruses still get through, and no matter where your email is being hosted, it is important to use up-to-date email client software, and to train users not to open attachments they aren't expecting. (Note: In addition to Microsoft Outlook, excellent email software is available for free from the people who created the Firefox web browser. It can be downloaded from http://www.mozilla.com/en-US/thunderbird/.)
Server Protection
Customers sometimes ask if virus infections on desktop PCs can infect servers at Realtime. The answer is "no" - for several reasons. Servers at Realtime are HP Unix machines which are inherently incapable - both in hardware and in software - of executing the viruses, Trojans, and worms which commonly infect desktop PCs. Although computer viruses on HP Unix are virtually non-existent, it is Realtime's policy to nevertheless assume that viruses for HP Unix might eventually be created, and therefore to take additional measures to protect against them. These measures include several types of intrusion detection and prevention, daily audits of every aspect of the system's operation, immediate paging of support personnel whenever suspicious activity is detected, and the use of a strict software architecture that protects the system from unauthorized installation or modification of programs. Realtime support personnel also periodically run sophisticated attacks on their own servers, in order to provide another dimension of security.
Data Backup
All data stored on disks at Realtime is immediately written to a mirror disk, and then copied overnight to two different kinds of tapes. So within 12-24 hours, every piece of information stored at Realtime has been copied three times, each time to a different kind of storage device.
Client PC Recommendations
IT departments are usually well aware of the security needs of the computers they manage, and Realtime is very flexible about interoperating with a variety of security architectures. Auditors often require that a system be in place to ensure that virus protection, software patches, and firewalls are all in working order. Simply installing Windows XP/SP2 usually solves the problem, because the operating system creates warning messages if any of the three is missing. However, this isn't always possible with POS computers, which might contain software that doesn't run on current versions of Windows. If these computers need to be connected to the Internet, a common solution is to provide "pinhole" access to the Internet, meaning that everything on the Internet is blocked except specific destinations which are needed for conducting business. For communicating with Realtime, there are three sets of addresses which should be allowed through firewalls:
- 208.36.171.0/28 - Internet via XO
- 8.3.131.0/24 - Internet via Level3
- 12.98.202.248/29 - Internet via AT&T
It should also be noted that the Level3 Internet connection is much faster than the others, and should always be the first choice when accessing Realtime.
Proxy Servers
The Microsoft product called ISA Server 2006 (Internet Security and Acceleration Server 2006) is sometimes used as an Internet gateway in environments where it is impractical to control Internet access on a large number of individual PCs. Although ISA Server is called an "acceleration" server, it always slows down performance when SSL encryption is used, and Realtime recommends bypassing it selectively, if possible, in order to achieve better reliability and performance. Instructions on how to do this are available at http://support.public.rt.net/proxy.html.
Sarbanes-Oxley Compliance
Publicly held companies are now required by law (Sarbanes-Oxley Act of 2002) to conform to certain business practices, some of which relate to the handling of software changes, as well as the handling of user IDs. All publicly held Realtime customers must adhere to Sarbanes-Oxley protocols. Sarbanes-Oxley tracking is handled by a web based system which is available at https://ss71.rt.net/rt/proj/proj.010.cgi. Software changes are required to have an audit trail which documents the following steps:
- Request for change.
- Programming of change.
- Approval for putting the change into production.
- Implementation of the change.
In general, the request must originate with the Realtime customer, although in a few cases the request can be originated by Realtime management. Once a change has been programmed, it can be approved for use in the production environment either by the customer or by Realtime management. The actual implementation of the change, which entails moving new or changed software into the production environment, must be done by Realtime management, unless a Realtime programmer has documented the reason for an "emergency" implementation of the program change. This is just a general procedure. There are several technical details which only affect Realtime. An emergency implementation, for example, automatically triggers a text message and an email to Realtime management. User access must also be documented; Realtime personnel will not honor access change requests which are not properly documented. Access changes typically are made when employees are hired or terminated. These changes must be communicated to Realtime through the same system that documents software changes.