Compaq ProLiant 4500, ProLiant 4000, ProLiant 7000, ProLiant 5000, ProLiant 6500: Enterprise Security Framework

WHITE PAPER

August 1997

Prepared By
Internet Solutions Business Unit
Compaq Computer Corporation
CONTENTS

Introduction ..... 3
Security Environment ..... 4
  Security Environment: Importance and Trends ..... 4
  Security Environment: Threats and Pressures ..... 5
  Security Environment: Enterprise Opportunities/Risks ..... 7
  Security Environment: Current Situation ..... 8
Understanding Security ..... 10
Security Market ..... 13
  Security Market: Firewall Expansion ..... 13
  Security Market: Identification and Authentication Importance ..... 14
  Security Market: Balanced Hardware/Software Solutions ..... 15
  Security Market: Proliferation/Limitation of Security Offerings ..... 16
Enterprise Security Framework ..... 18
Conclusion ..... 21

248A/0897ECG
Compaq Enterprise Security Framework

In the highly competitive world of enterprise computing, security has become an intricate and critical element. The Compaq Enterprise Security Framework incorporates the latest technology, a balanced hardware/software solution, and interoperability with current security at multiple platform levels to clarify security solutions. Through use of the Compaq Enterprise Security Framework, you can develop solutions that do not compromise performance yet are still pragmatic and easy to use. In so doing, you can help to determine a practical roadmap for the deployment of enterprise security.
NOTICE

The information in this publication is subject to change without notice.

COMPAQ COMPUTER CORPORATION SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS MATERIAL.

This publication does not constitute an endorsement of the product or products that were tested. The configuration or configurations tested or described may or may not be the only available solution. This test is not a determination of product quality or correctness, nor does it ensure compliance with any federal, state or local requirements. Compaq does not warrant products other than its own strictly as stated in Compaq product warranties.

Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

©1997 Compaq Computer Corporation. All rights reserved. Printed in the U.S.A.
Compaq Enterprise Security Framework
First Edition (August 1997)
Document Number 248A/0897ECG
INTRODUCTION

Computing security is one of the fastest changing and most complicated areas in the information technology industry today. Each day seems to bring another threat to the security of the world's computing resources. Recently, the Social Security Administration took its operations off line because of privacy fears. In addition, Microsoft has had to re-tool its Explorer browser due to security concerns, and companies have reported a threefold increase in virus incidents over the last year. These items follow the spectacular stories of hackers who broke into and modified the content of the CIA's and Justice Department's web sites, and of computing thief Kevin Mitnick, who gained access to thousands of consumers' credit card numbers. These incidents represent only a subset of the wide variety of threats computer users and administrators must defend against. Making this area even more complex is the confusing array of technologies and solutions, including encryption, firewalls, smartcards, and digital certificates, which are offered to solve these problems.

With the overall growth of computing, particularly networked and inter-networked computing, more resources and information are at risk than ever before, with new threats emerging daily. Independent research estimates potential losses from lack of security at between $40 and $80 billion in the year 2000. Enterprises' abilities to protect their resources and capitalize on opportunities will depend on the level of security they enforce.

Computing security breaches as well as the concerns of IT managers are rising, yet the deployment of security solutions lags. Over 75% of organizations responding to a recent poll reported a significant computer breach over the last year; the subset of these organizations which could quantify their losses (249 institutions) reported losses of over $100 million. While most security problems remain basic, such as viruses, password exposure, and physical theft, to date most enterprises have employed only limited or point solutions for security.

IT managers must design a practical roadmap to guide their enterprises through this tangle of information, threats, and solutions. In charting a course, they must incorporate the latest technologies, adapt to new threats, and ensure that their solutions do not compromise performance.

The Compaq Enterprise Security Framework addresses enterprise security in terms of computing platforms, secure computing technology, and the objectives required of a strong enterprise security policy. The framework also describes solution sets for each platform in terms of "levels" of security. Using the easy-to-understand framework and levels, enterprises can plan a security solution roadmap that meets their business requirements. Compaq's Enterprise Security Framework delivers the critical needs of IT managers and makes the process of securing enterprise computing as easy as possible.
SECURITY ENVIRONMENT

Computing security has always been critical to enterprises. However, in today's environment the components of the computing world have changed in ways that make computing security more critical and complex. In the past, computing security focused on protecting assets in a mainframe-oriented system. In the current, inter-networked environment, enterprises view security as crucial for two reasons: first, computing security measures protect against potentially devastating losses; and second, security enables businesses and opportunities to generate new revenue and reduce costs. Facing a growing variety of threats, losses, and intense market pressures, IT managers will propel the demand for practical, sound security solutions in the near future.

Security Environment: Importance and Trends

Several computing environment trends have changed the nature and challenges of computing security (see Figure 1).
[Figure 1: Computing trends affecting security. Panels: Computing Growth (Computing Resources, Security); Networked Computing; Internetworked Systems (Network A, Network B, Network C); Electronic Commerce (Public Network).]

The most obvious computing trend affecting security concerns is the dramatic growth in the installed base of desktops, workstations, laptops, and PDAs in both the consumer and business markets. The simple impact of this growth has been to place more valuable enterprise, personal information, applications, and hardware assets in the hands of numerous people.

The next trend is the importance of networked (client/server) computing, primarily in enterprises and small businesses. As this type of computing has become the dominant architecture, more people have networked access to significant enterprise information and applications than ever before. Some analysts estimate that 50% of the world's computers are networked in some way (LAN, WAN, etc.).

The third trend is the emergence of inter-networked computing. In the last 2-3 years, more enterprises and institutions have connected from their internal networks to the greater networks of other businesses and consumers on the Internet. Inter-connected networks now enable more parties (business partners, customers, and employees) to gain access to crucial systems' resources across public, traditionally unsecured networks.

Finally, the promise of Electronic Commerce is pressing businesses and computing vendors to find ways to securely conduct commercial and private transactions over public networks. In many cases, these transactions involve parties with whom they have no previous affiliation.

Together, these trends have created a significantly different and more difficult computing environment for IT managers to secure. Previously, they could control the enterprise's information residing on mainframes and mid-range systems in a closely monitored and physically secure environment – the glass house. In this setting, businesses deployed private, leased lines for external data transactions with known partners and used e-mail for internal communication only.
In the new environment, a wide variety of enterprise computers either contain or connect to critical business information. In addition, these devices can be portable (laptops, PDAs) and are rarely physically secured. Servers are physically distributed throughout an enterprise, and each server can be connected to hundreds of clients. These servers are also frequently networked to outside parties through the Internet or to remote access modems. Furthermore, businesses are now using the public networks as a platform for conducting commerce and exchanging sensitive information with consumers and business partners.
Security Environment: Threats and Pressures

With these trends, a variety of threats have increased in importance and proliferated across the computing landscape. The following examples provide an idea of the confusing issues with which IT managers must contend (see Figure 2).
- Saboteurs and thieves (either internal or external) can access, steal, and change the content of crucial information.
- Hackers can launch viruses and other attacks that crash important systems.
- Disgruntled employees can either steal or guess passwords to gain access to information and applications they are not authorized to use (e.g. payroll, HR).
- Outsiders can dial in directly to the network or PCs and use this as a launching point for internal network attacks.
- Attackers can use various tactics to crash web servers or change their content; web servers can also be used as access points to the internal network.
- Thieves can steal corporate laptops for their information and hardware value and sell assets to third parties (i.e. competitors).
- Physical security of home PCs is at risk from theft, and data stored on disks is at risk from viral attack.

[Figure 2: Security Threats. Components shown: Mainframe, DB, Application Server, Web-Server, Firewall, Corporate Network, Corporate User, Users, Internet, Intranet/Externet, Modem Bank, Mobile User.]

In addition to their responsibility to protect hardware, software, and information assets from these threats, IT managers also face pressures to deploy advanced security to their networks. These pressures can be roughly grouped into "friendly" and "unfriendly" forces (see Figure 3).

[Figure 3: Security Pressures on Enterprise IT Managers. "Friendly" (Consumers, Customers, Partners; "We want to trust you."): Private Information, Joint Plans, Supplier data/forecasts. "Unfriendly" (Competitors, Government; "If they can't trust you, there will be costs"): Security as competitive advantage, Downstream liability.]

The "friendly" pressures primarily come from customers, consumers, and business partners. Both customers and consumers are concerned with the protection of the private information they share with companies (i.e., medical records, credit card numbers, joint plans). In addition, they are unwilling to participate in E-Commerce with companies until they feel the transactions are completely secure. Business partners' concerns are focused on two areas: first, on achieving a comfortable level of security for companies exchanging information over open "Externets" (meaning the Internet, when it is used for business to business commerce) and secondly, on the question of legal liability, which is brought into focus by the security issue.

Recent court cases suggest that there is an emerging precedent of "downstream liability." This precedent requires companies to employ "reasonable measures" of security or face potential liability for computer attacks launched on other parties from within their network (e.g. a criminal breaks into the inadequate security of Company B and uses this trusted position to hack into Business Partner C's more robust security system).

When enterprises do not adequately secure their networks, "unfriendly" forces such as competitors and government either take advantage of that deficiency or demand retribution. The first of these forces is competitors. Competitors can turn a company's security weaknesses into an advantage in one or both of two ways: initially, through the competitor-organized theft of information or hindrance of internal systems (i.e. attacks which crash strategic company systems such as call centers, web servers, etc.), and secondly, if a competitor accesses or copies private information, they can quickly counter a business' strategies (e.g. beat their competitive bid for work, under-price their product in the market). By the same token, crashing a rival's critical systems can hurt their reputation for customer service or on-time performance. Competitors can also create a competitive advantage through the impact of a publicized breach on the market position and perception of a company. In many security-sensitive industries (e.g. health care, banking), the security of a company's network is a crucial part of the trust formed between business and customer. If this trust is in question, the relationship is compromised and may cease (e.g., if a private bank loses funds or account information electronically through a publicized security breach, they will probably lose clients as well).
The other potential "unfriendly" force is government. Government regulation of computing security is still evolving; however, it is possible that both the state and federal governments may begin to hold enterprises responsible for the privacy of consumer information.
Security Environment: Enterprise Opportunities/Risks

The business reasons for deploying enterprise security can be examined from an opportunity/cost perspective. Though these opportunities/costs have not yet been fully explored, and quantifying them is difficult, some estimates have placed potential worldwide enterprise computing losses at $40 billion by the year 2000. In the denominator of the opportunity/cost perspective are the costs of inadequate computing security. In the numerator are both the revenue-enhancing and cost-reducing opportunities enabled by sound computing security.
The first risk category (see Figure 4) in the denominator is the potential loss of information privacy. When sensitive information is compromised and falls into unfriendly hands, enterprises can face several types of losses:

- They can lose revenue/value when merger and acquisition plans or contract bid information is compromised.
- They can also lose their competitive position when product plans or designs are stolen or pricing strategies are spread to a competitor.
- Additionally, there is the reduced confidence in a company that results from a breach of security such as the early release of an SEC report, the compromising of medical records, or the theft of employee HR information.

Another area of risk well known to IT managers is application availability. A virus or other attack can create significant costs for an enterprise in the areas of operational downtime and repair or recovery. The final area of potential loss is the actual assets under enterprise control. Obviously, there are the losses associated with the value of the hardware (RSA reports that 200,000 laptops were stolen in 1996), but many businesses must also vigorously protect their digital assets. The entire business model of companies whose products largely reside in the digital domain (software companies, banks, etc.) is dependent upon the security of their assets; they must deploy the most advanced measures to protect them.

[Figure 4: Opportunities vs. Costs/Potential Losses. Opportunities: E-Commerce (opportunity to sell existing goods over web, opportunity to enter new business areas); Consumer Intimacy (opportunity to create better relationships with consumers over the web); Partner Efficiencies (opportunity to share supply chain data, opportunity to implement affordable EDI). Costs/Potential Losses: Information Privacy (Revenue/Value, Competitive Position, Reduced Confidence); Application Availability (Operation Downtime, Repair/Recovery Costs); Asset Vulnerability (Physical (computers), Digital (software, funds)).]