Nomad’s solutions were designed to support enterprise deployments and are based on a client/server architecture that includes the Nomad OPN Client software and intelligent services, X509 Version 3 Certificate-based Credentials, and Nomad Credential Server and services.
Upon registration with the Nomad Credential Server users are issued X509 V3 Certificate-based credentials that include the user’s digital signature, resource privileges and a Nomad On-demand Private Network client. The user’s credentials, resource privileges and OPN client can be stored on a computer or laptop, or can roam with the mobile user stored securely on a smart card, token, USB thumb drive or any other form of removable media. Nomad’s roaming credentials enable a user to establish a secure connection without installing anything on a computer that is not his/her designated system.
A Nomad registered user simply inserts his/her USB thumb drive into the USB port of any computer and the Nomad OPN client intelligent services take over. The OPN client automatically establishes a trusted network connection between the remote user and the Nomad Credential Server located in your data center. Once the trusted connection is established, the user’s credentials and resource privileges, also stored on the USB thumb drive, are authenticated by the Credential Server Authentication Services. Nomad always performs user authentication first.
A user simply issues a request to send, receive or access applications and data. The Nomad OPN client intercepts this request, signs the transaction for authentication, and encrypts the transmitted data. The Nomad Server receives the request, performs authentication, a data integrity check, and a test for remote client participation. The remote Nomad ICS receives the request and routes the information to the appropriate application for processing.
The Nomad OPN client software and resource privileges can be updated by the administrator at any time. The user simply initiates an Update with the push of a button. If a user thinks their credentials have been compromised in any way, updated credentials can be easily obtained. The user can change their pass phrase that secures the private signing key or can re-generate new signing and verification keys.
Once registration is complete the user accesses the application just as they normally would. Nomad OPN client intelligent services trap the information, hash the data to validate integrity, sign the data for non-repudiation, encrypt the data for security and send the data. Because the Nomad OPN client intelligent services sit between the application layer and the network layer, users are isolated from this processing and continue with their normal work without any change to their workflow.
Nomad Secure Access supports mutual authentication between the user and the Nomad Credential Server. Unlike other security solutions that only authenticate the user, the Credential Server authenticates the user and the user’s credentials authenticate the Server. This allows the server to validate that it is communicating with a certified user, while the user’s credentials authenticate the server to ensure that the data exchange is with a certified server. This dramatically reduces the risk of a server authenticating with a fraudulent certificate and sensitive data being exchanged.
The Nomad Credential Server is the control center of the Nomad Secure Access process and provides authentication, policy, rules, port management, security, and session services:
Authentication Services
Nomad Credential Server Authentication Services authenticate the user, validating that the user is who they say they are, and validate all signatures and sessions.
Security Services
Nomad Credential Server Security Services automatically establish a private network connection on-demand between an authenticated user and the Credential Server to ensure that transmitted information is encrypted and protected against network sniffing. The Credential Server controls the security of all sessions by establishing and maintaining the encryption of active sessions as initiated on-demand by users to back-end applications. Nomad’s on-demand encryption for transmitted data can be used to augment traditional VPNs to ensure transmitted data is secured no matter where, or from what computer, users access the network and applications.
Policy and Rules Services
Nomad Credential Server Policy and Rules Services control access to resources including applications, databases, email, HTTP, SMTP, POP3, IMAP, FTP, and other protocols.
Upon registration, a user’s resource privileges are registered with the Nomad Credential Service based on his/her role within the organization. This additional layer of control ensures that users, once authenticated to the system, only get access to the resources they are registered for. After the user is authenticated to the network, each user request for access to a resource is also validated. Nomad’s two-step authentication process authenticates that the user is who they say they are based on their credentials, and then authenticates that the requested access is valid based on the user’s resource access privileges. Nomad Credential Server uses an intuitive GUI for creating and administering rules and policies.
Port Management Services
Nomad Credential Server Port Management Services control access to resources, including business applications, email, HTTP, SMTP, POP3, IMAP, FTP, and other protocols.
With Nomad Secure Access, application access can only be achieved via an IP address and port. This ensures that users can gain access to only those applications set up by a security administrator for that user. For example, assume a single server supports applications A and B. Application A listens on port 1000, Application B listens on port 2000. A resource definition for a user is set up to access application A on port 1000.
This level of control ensures that the user can only get to application A and CANNOT get to Application B because the resource definition is not set up for port 2000. Why is this important? VPNs and firewalls typically open up all ports required for access. This means that even when some users need access only to Application A and others only to Application B, a firewall or VPN will be configured to allow all connections to both ports. Nomad Secure Access augments VPN security by adding defense in depth: it locks down each application by its port, so that only authenticated and authorized users can access it, even when a VPN is used.
Session Services
Nomad Credential Server Session Services maximize resources and manage performance. Nomad session services manage the number of sessions that are active on the system at any given time. Multi-threaded processing enables the Credential Server to run multiple processes at the same time without having to create new sessions each time. The Session Services allocate sessions for processing; once processing is complete, the session is placed in an idle state until the next request arrives. Before creating a new session, Session Services check whether an allocated session is already available and, if so, reuse it rather than reallocating resources.
Audit Log
Nomad Credential Server Audit logs an audit trail of who has done what, when, where, and how. Auditing is a critical component of regulatory compliance. In addition, no sensitive information that could be used to compromise the system is placed in any log file. Nomad’s audit functions provide the tracing and tracking required by companies to identify potential weak points in resource access settings and provide the true non-repudiation required for proof of process.
The Nomad Credential Server validates all requests for registration, generates X509 V3 digital certificate-based credentials, signs the credentials, sends the credentials to the requesting participant, and places a copy of the credentials in the Credential Server database.
An X509 V3 digital certificate for the user is created at registration by the Credential Server acting as the credential authority. When the Credential Server receives a request for a certificate from the user, it validates the information against the database and, upon validation, generates an X509 V3 certificate. The user’s resource privilege information, set up by a security administrator, is also registered to the user and distributed with the digital certificate to ensure trusted access.
With Nomad Secure Access, organizations can generate X509 V3 certificates or can import third-party X509 V3 certificates (PEM format) into Nomad. For example, if an organization is using HTTPS, the SSL transport, for secured information sharing and has purchased third-party certificates for users, the certificates can be imported into Nomad where they can be more easily managed by the Nomad administrator. If a certificate for a non-registered user is imported into Nomad, the user simply has to go through the self-registration process and the certificate can continue to be used with the HTTPS application. Nomad X509 certificates also interoperate with other X509 certificate-based applications.
Private keys are issued by the Nomad OPN client intelligent services during user registration and are encrypted to ensure they cannot be compromised. The private signing key never leaves the user and is stored with the user’s credentials either on the hard drive of the computer, a USB thumb drive, a token or a smart card. Nomad credentials are encrypted using a pass-phrase known only to the user. This ensures that even if an unauthorized user obtains the Nomad credentials, they will not be able to access the credential data. The Nomad Credential Server counter-signs the credential information and validates the user before access to the network or application is permitted. Nomad Secure Access is efficient and effective because it validates the sender prior to receiving any data, eliminating the need to access the database when the acceptance is being performed.
Nomad Security’s new standard for public/private key cryptography is built on a solid security foundation. The FIPS 140-2 level 1 OpenSSL Crypto Algorithm Modules, as listed below, have been incorporated into the solution to provide industry-validated security while reducing the time to deliver new functions.
Advanced Encryption Standard (AES) Algorithm: Cert #146
Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): Cert #256
Secure Hash Algorithm (SHS) Validation System: Cert #235
The patent-pending Nomad public/private key process and user self-service registration process alleviate the registration burden on IT. Revocation of users and credentials can be done manually by the Nomad administrator or through integration with corporate HR systems, so that when an employee leaves the corporation, the user’s credentials are immediately revoked. By using Nomad’s Credential Server instead of expensive third-party certificate authorities, deployment costs are dramatically reduced.
Unlike traditional public-key infrastructures, Nomad Secure Access manages users, and all X509 Version 3 Certificates and resource privileges associated with each user, while eliminating the need for a certificate revocation list (CRL). If a user is no longer needed, an administrator simply deletes the user and the user’s associated credentials become invalid. There are similarities between certificates and Nomad credentials, in that both contain verification data and a stamp of approval by an authority. The difference between PKI and the Nomad PK Authentication process lies in how the credentials are accessed, who has responsibility for the credential data, and who can validate the information.
With a PKI implementation, each request for acceptance must access the certificate at the time the acceptance is being performed. Unlike PKI solutions that place the responsibility of accepting or rejecting data on the user or application, Nomad authenticates the user prior to receiving any data to ensure that the user is a registered user, therefore the data received is trusted data. And because Nomad Secure Access does not use a complex PKI certificate process, certificate costs are dramatically reduced while the distribution and revocation of certificates is virtually eliminated.
CRLs are notorious for slowing down the process, and they introduce serious vulnerabilities through the gap between a user leaving a company and the revocation of their certificate, which depends on a daily, weekly or biweekly process of updating the CRL. Until the CRL is updated, the user has access to all systems. Nomad Secure Access manages the user through the Nomad Credential Server, the digital representative. Unlike a central certificate authority, Nomad Secure Access enables organizations to set up multiple Nomad servers to manage a group of users, a division of a company or all users within a company.
Unlike traditional PKI, where everyone has to have access to every participant’s public key to complete a transaction, with Nomad all access to networked systems is made through the Credential Server, which authenticates the user only. Once a user is deleted from the system by the Nomad administrator, that user’s access is immediately terminated, eliminating any lapse between termination and the revocation of access privileges. Even though the terminated user still has their credentials and the Nomad OPN client, they will be denied access immediately because they are no longer trusted and the Credential Server will no longer perform services for that user. Even if a registered Nomad user tries to send data to the deleted user, the Credential Server will disallow the data transaction and no information will be sent.
Nomad Secure Access reduces the risk and complexity of traditional PKI infrastructures by eliminating the lapse between the revocation of a user’s credentials and the loss of access, ensuring that all data trading is secure. Allowing the user to maintain control of his/her credentials enables the user to roam from one location to another without restriction. Access to information, or the exchange of information, is still mediated by the Credential Server, eliminating the requirement for every company or individual to have access to a certificate database.
Nomad Secure Access is protocol independent and supports HTTP, SMTP, POP3, IMAP, FTP, and other protocols.
Protocol independence is provided via a set of proxy servers, also known as gateway components, which are available for immediate use between existing applications and/or products. Nomad’s patent-pending technology enables the interception of communications and provides a solution without application program modifications.
A protocol is defined as “a set of conventions governing the treatment / formatting of data in an electronic communications system”. Some protocol standards include XML, HTTP, FTP, SMTP, SNMP, SOAP and EDI. Nomad is protocol independent because of where it is placed in the system.
Nomad Secure Access fits unobtrusively into an IT infrastructure and does not need time-consuming modifications of applications to work with it. To provide application transparency, Nomad provides a data wrapping service to ensure that only trusted data is sent over the network. It does not matter what the content of the application data is or how it is defined. The Nomad solution “wraps” credential information around the application data to authenticate the user and the data before it is transmitted into the network, as shown in Figure 6. Upon authentication of the user, the Nomad Data Wrapping service removes the wrapper, returning the application data to its original state, and data delivery proceeds as normal. This process enables the Nomad solution to be quickly implemented into any IT infrastructure with your applications and your enterprise.
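The following Python is an added illustration, not Nomad’s code (the page does not describe Nomad’s wire format or key handling); it models the wrap/unwrap flow above together with the two-step check from the Policy and Port Management sections and the deletion-as-revocation behaviour. An HMAC over the wrapper header stands in for the X509 signature, encryption is omitted, and every user, key and address is constructed.

```python
"""Model of wrap -> authenticate -> authorize -> unwrap (illustration only, not Nomad code)."""
import hashlib
import hmac
import json

# Constructed server-side registry: per-user verification secret (stand-in for the
# X509 verification key) and the (ip, port) resource definitions the user may reach.
REGISTRY = {
    "alice": {"key": b"alice-verification-secret", "resources": {("10.0.0.5", 1000)}},
    "bob":   {"key": b"bob-verification-secret", "resources": {("10.0.0.5", 1000), ("10.0.0.5", 2000)}},
}


def wrap(user, key, host, port, payload):
    """Client side: attach credential id, target, payload hash and a signature to the data."""
    header = json.dumps({"user": user, "host": host, "port": port,
                         "sha256": hashlib.sha256(payload).hexdigest()}, sort_keys=True).encode()
    sig = hmac.new(key, header, hashlib.sha256).hexdigest()   # HMAC stands in for the X509 signature
    return {"header": header, "sig": sig, "data": payload}


def unwrap(registry, msg):
    """Server side: authenticate the user first, then authorize the port, then release the data."""
    hdr = json.loads(msg["header"])
    entry = registry.get(hdr["user"])
    if entry is None:                                   # deleted user == immediately revoked
        return ("deny", "unknown or deleted user")
    expected = hmac.new(entry["key"], msg["header"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["sig"]):
        return ("deny", "bad signature")
    if hashlib.sha256(msg["data"]).hexdigest() != hdr["sha256"]:
        return ("deny", "integrity check failed")
    if (hdr["host"], hdr["port"]) not in entry["resources"]:   # port-level resource definition
        return ("deny", "port not in resource definition")
    return ("allow", msg["data"])                       # wrapper removed, original data returned


def revoke(registry, user):
    """Administrator deletes the user; no CRL is needed, the next request is refused."""
    registry.pop(user, None)


if __name__ == "__main__":
    print(unwrap(REGISTRY, wrap("alice", REGISTRY["alice"]["key"], "10.0.0.5", 1000, b"GET /")))
    print(unwrap(REGISTRY, wrap("alice", REGISTRY["alice"]["key"], "10.0.0.5", 2000, b"GET /")))
```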
With Nomad Secure Access, users can securely connect to the enterprise network from anywhere at any time, giving you the peace of mind that when they connect to your resources they are properly authenticated and all communications are secured. Nomad Secure Access is a scalable and cost-effective PK Authentication and Authorization infrastructure that is easy to use and removes the complexity of administration by managing users instead of certificates and by empowering user self-registration. Nomad Secure Access is a simple, yet powerful approach. It avoids costly integration and long drawn-out development projects, providing you with better results. Our clients receive an immediate ROI through incremental implementation, group-by-group or one business unit at a time.