SUMMARY OF NETWORK ENCRYPTION PLATFORMS
| REVISION 3, 27 FEBRUARY 1994
|
|Highlights of this Revision
|---------------------------
|
| * Updated description of ANS Interlock product
| * Added description of MorningStar EXPRESS router
| * Contact information moved closer to top of document
|
Disclaimers
-----------
No warranty is expressed or implied as to the accuracy of the
information in this summary. This summary has not been rigorously
researched--please contact the manufacturer(s) for complete
and accurate details.
This is in no way intended to be a complete list. It is a
compilation of responses to a query posted to various Internet
network-security-oriented lists and newsgroups.
Neither I nor netMAINE have any interest in or affiliation
with any of the companies whose products are described below.
Those things being said, I believe and intend this summary to be
an accurate representation of the information I received in reply
to my queries. If you find any errors or omissions, PLEASE
CONTACT ME so I can correct the summary (see contact information
below).
Contact Information
-------------------
Please contact me at one of the addresses below with questions,
new information, or errata.
ELECTRONIC MAIL: netmaine@ansremote.com
VOICE: 207 780.NET1 (780.6381)
POSTAL MAIL: Andy Robinson
netMAINE
PO Box 8258
Portland, ME 04104-8258
Acknowledgements
----------------
This document is based largely on a posting made to the Firewalls
mailing list (Firewalls@GreatCircle.COM). I do not have the
original posting so I cannot credit the author, but I would like
to at least acknowledge the ultimate source of much of the
information in this document.
Breaking Encryption
-------------------
Modern encryption schemes are very difficult to break, but they
can be broken by exhaustive key search (trying every possible key)
or other techniques. The following figures represent the times to
break 40- and 64-bit encryption keys:
40 bit key (maximum allowed for export from U.S.)
* 1 486 PC would take three (3) years.
* 1,300 486 PCs in parallel would take one (1) day.
64 bit key (typical for domestic implementations)
* 1 486 PC would take sixty million (60,000,000) years.
* 20 billion 486 PCs in parallel would take one (1) day.
Source: RSA Data Security
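Worked example, added here and not part of the original summary or of the RSA figures: it derives the per-machine key rate implied by the 40-bit/one-PC figure and checks whether the other three figures follow from it. Assumptions (mine): the quoted times are for exhausting the full key space, all machines run at equal speed, and a year is 365.25 days.

```python
# Added example (not from the original summary): brute-force key search
# time derived from the summary's own 40-bit figure and extrapolated.
# Assumptions (mine, not RSA Data Security's): quoted times are for a
# full key-space exhaust, machines are of equal speed, 365.25-day year.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keys_per_second(key_bits: int, machines: int, years: float) -> float:
    """Per-machine key rate implied by 'machines' exhausting a
    key space of 'key_bits' bits in 'years' years."""
    return 2 ** key_bits / (years * SECONDS_PER_YEAR * machines)


def search_time_years(key_bits: int, rate: float, machines: int) -> float:
    """Years for 'machines', each testing 'rate' keys/s, to exhaust
    a key space of 'key_bits' bits."""
    return 2 ** key_bits / (rate * machines * SECONDS_PER_YEAR)


def scale_factor(from_bits: int, to_bits: int) -> int:
    """Each extra key bit doubles the work; 40 -> 64 bits is 2**24."""
    return 2 ** (to_bits - from_bits)


# Rate of a single 486 implied by the summary: 1 PC, 40 bits, 3 years
# (works out to roughly 11,600 keys per second).
RATE_486 = keys_per_second(40, 1, 3.0)


def summary_consistency() -> dict:
    """Re-derive the summary's other three figures from RATE_486."""
    return {
        "40bit_1300pcs_days": search_time_years(40, RATE_486, 1300) * 365.25,
        "64bit_1pc_years": search_time_years(64, RATE_486, 1),
        "64bit_20e9pcs_days": search_time_years(64, RATE_486, 20_000_000_000)
        * 365.25,
    }


if __name__ == "__main__":
    for name, value in summary_consistency().items():
        print(f"{name}: {value:,.2f}")
    print(f"40->64 bit work factor: {scale_factor(40, 64):,}")
```

Re-deriving from the 3-year figure gives about 50 million years for one PC against 64 bits (3 years times 2^24) rather than the quoted 60 million, so the four figures agree to within rounding.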
Encryption Platforms
--------------------
1. LANGuardian, UUNET Technologies, 703-204-8000, $6000/unit
- Dedicated platform
- "Splices" between external gateway/router and local network
- Selective encryption/decryption based on destination/origin
- Out-of-band (diskette, dialup) key exchanges
- One unit required for each secure endpoint
2. Various, Semaphore Communications (Xerox), 408-980-7767
Call and ask for Cliff Reeser. Semaphore has a variety of products
including:
- Encryption unit--workgroup (NEU-WG, 15 stations: $3995)
- Encryption unit--frame relay (NEU-ST, 1Q94, $6995)
- Encryption unit--router (NEU-RT, 2Q94, $6695)
- Encryption unit--PC (NEU-PC, 4Q94, ?????)
- Network security center (NSC, $7495-16750)
* ALL ENCRYPTION UNITS ARE MANAGED BY THE NSC (you have to buy
at least the software). NSC runs under OS/2 [As far as I'm
concerned this is great--others aren't so pleased by the choice].
The software alone is $7495. The software pre-installed on
a hardware platform (486/66, NSC, 16Mb RAM, NEU-WG, NIC,
SVGA monitor, 540 Mb SCSI HD, SCSI tape drive, OS/2, PC/TCP,
etc.) is $16750.
* NEU-WGs protect small workgroups and are essentially
encrypting concentrators.
* NEU-PCs protect individual workstations and are inserted
between the workstation and the LAN.
* NEU-ST protects frame-relay WAN links and is inserted
between the router and the CSU/DSU.
* NEU-RT protects any WAN link, and is inserted between
the LAN and the router.
* One NEU-ST or NEU-RT is required for each secure endpoint.
* The NSC performs secure key changes for practically any
number of NEUs using RSA public key encryption. These
changes can be performed automatically at specified intervals.
* The NSC also provides monitoring and logging capabilities
and (apparently) rules-based access controls to all network
resources--all with a menu-driven GUI.
* NSCs and NEUs are protected by encrypted "key-like devices"
(called datakeys) and passwords.
| 3. Interlock, Advanced Network and Services (ANS), 703-758-7721,
| LEASED ON PER-YEAR BASIS WITH 7x24 SUPPORT.
|
| Interlock is a comprehensive security platform offering the
| following features:
|
| * Access control based on user or group id, service or protocol,
| source and destination host/network address, time of day,
| and day of week.
|
| * Application gateways for TELNET, FTP, SMTP, X, NNTP, and NTP.
|
| * Strong authentication available for all application gateways
| using Security Dynamics SecurID tokens.
|
| * Extensive logging, monitoring, and auditing capabilities.
|
| * Link or connection-level encryption in hardware, software,
| or both, configurable in the access control rules base (ACRB).
|
| * Fully configured Interlock is leased, with 7x24 support, for
| $30,000 per year (modules can be removed to lower cost). This
| cost includes all software and hardware (system is based on
| RS6000 320H).
|
| * According to Daisy Perry of ANS, ANS is planning to release
| a software-only version of Interlock. Timeframe and
| pricing structure not known at this time.
|
| 4. EXPRESS Router, MorningStar Technologies Inc., (614) 451-1883,
| $1995 (basic version), $2245 (Frame Relay version)
|
| The EXPRESS is a full router, supporting RIP and OSPF on dialup
| and/or dedicated lines up to T1 speeds. The router has a fixed
| configuration with two RS232 WAN ports (up to 64Kbps), one V.35
| synchronous port (up to T1/E1), and one AUI port for connection
| to an Ethernet LAN.
|
| Most important to this summary, the EXPRESS supports DES
| encryption between known-secure hosts or networks.
|
|