GCN INSIDER: Trends and technologies that affect the way government does IT
When PKI certificates run amok
- By Brad Grimes
- Feb 17, 2005
Executives of security startup Venafi Inc. make a good point: If agencies can't manage the digital certificates that ensure secure communications among servers, they could run into problems troubleshooting system downtime. According to Paul Turner, the Draper, Utah-based company's vice president of marketing, it can take an organization days to determine that the reason two systems stopped communicating was that one was using an outdated public-key infrastructure certificate, or a certificate that didn't adhere to policy.
PKI is increasingly used to authenticate users on a network, but it also secures connections among servers, especially across agencies. Venafi is targeting server-to-server security with its new AutoCert Manager, above, which came out Feb. 7. The software automatically scours a network infrastructure to inventory existing certificates. It then automates a slew of manual processes, such as checking expiration dates and policy compliance. Venafi claims organizations can save more than $350,000 a year per 1,000 certificates. AutoCert Manager itself costs about $150,000.
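The two checks the column describes, expiration dates and policy compliance, are simple to express once the certificate is parsed. The following Go program is an added example written for this page; it is not Venafi's code and does not reproduce AutoCert Manager. It builds a throwaway self-signed certificate (standing in for one found during an inventory scan) and runs it against a hypothetical policy; the thresholds (30-day warning window, 2048-bit RSA minimum), the hostname `app1.example.internal` and the fixed "now" are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Policy is a hypothetical certificate policy; both thresholds are assumptions.
type Policy struct {
	WarnBefore time.Duration // flag certificates that expire within this window
	MinRSABits int           // minimum acceptable RSA modulus size
}

// CheckCertificate inspects one PEM-encoded certificate and returns the policy
// findings for it; an empty slice means the certificate is compliant.
// The current time is passed in so that results are reproducible.
func CheckCertificate(pemData []byte, pol Policy, now time.Time) ([]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var findings []string
	// Expiry: an already-expired certificate is the outage the article describes;
	// one inside the warning window is the case an inventory should surface early.
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, fmt.Sprintf("expired on %s", cert.NotAfter.Format(time.RFC3339)))
	case now.Add(pol.WarnBefore).After(cert.NotAfter):
		findings = append(findings, fmt.Sprintf("expires on %s, within the %s warning window",
			cert.NotAfter.Format(time.RFC3339), pol.WarnBefore))
	}
	if now.Before(cert.NotBefore) {
		findings = append(findings, "not yet valid")
	}
	// Policy: key size and signature algorithm.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < pol.MinRSABits {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits, policy requires at least %d",
			pub.N.BitLen(), pol.MinRSABits))
	}
	if cert.SignatureAlgorithm == x509.SHA1WithRSA || cert.SignatureAlgorithm == x509.MD5WithRSA {
		findings = append(findings, "signed with a deprecated hash algorithm: "+cert.SignatureAlgorithm.String())
	}
	return findings, nil
}

// SelfSignedTestCert creates a constructed certificate with the given key size
// and validity period, playing the role of a certificate discovered on a server.
func SelfSignedTestCert(bits int, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "app1.example.internal"}, // assumed hostname
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Date(2005, 2, 17, 0, 0, 0, 0, time.UTC) // fixed for reproducibility
	pol := Policy{WarnBefore: 30 * 24 * time.Hour, MinRSABits: 2048}
	// A 1024-bit certificate issued a year ago that expires in ten days.
	weak, err := SelfSignedTestCert(1024, now.Add(-365*24*time.Hour), 375*24*time.Hour)
	if err != nil {
		panic(err)
	}
	findings, err := CheckCertificate(weak, pol, now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
}
```

In a real inventory the PEM bytes would come from each server's TLS endpoint or key store rather than from `SelfSignedTestCert`; the check itself does not change.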
Other companies make certificate management solutions, including Entrust Inc. and RSA Security Inc. Turner says Venafi's is unique because it supports almost any certificate authority. It does not currently support all server-to-server communications, though (just Web Secure Sockets Layer and message queuing), but Turner estimates that covers between 70 and 90 percent of infrastructure PKI needs. The company will add support for voice over IP and other secure communications over time.
Add SSL sniffing to your IDS
Secure Sockets Layer encryption is everywhere (including page 27). Because it's built into Web browsers, it's a low-cost way of protecting Internet communications. It's also a convenient way to hide a network attack.
Ordinarily, intrusion detection devices have ignored SSL traffic because it takes too much computing effort to decrypt an SSL stream and sniff out attacks. If malcontents hide their exploits in SSL-encrypted streams, they have a decent chance of infiltrating networks.
Breach Security Inc. of Carlsbad, Calif., which just released its new line of BreachGate Sitegrity application security devices, took some of its core technology and spun it off as BreachView SSL. Agencies can add the software to existing IDS systems to decrypt and analyze SSL without interrupting the SSL session.
Such security is essential to the Sitegrity line because the appliances protect application layer traffic, much of it SSL-encrypted. The Energy, Health and Human Services and Veterans Affairs departments use Breach's products, which have Common Criteria EAL 1 certification. In addition to preventing incoming attacks, Sitegrity analyzes outgoing traffic, before it reaches users, to make sure it hasn't been altered.
Rejoice: Metis lives
What is to become of Metis, the popular modeling tool from Computas Technology Inc., now that Austin, Texas-based Troux Technologies Inc. has snapped it up? A number of government agencies, including the Commerce, Defense, Health and Human Services, and Treasury departments, use Computas' Metis software to help map out their respective enterprise architectures.
Pat Emerson, Troux's vice president of sales, told GCN that Metis would be folded into its suite of enterprise architecture tools when the Troux 5 Platform comes out. According to Gartner Research of Stamford, Conn., the integration should happen in two phases: There will be a common repository metamodel by the end of this quarter and integrated interfaces, repository applications and engines around mid-year.
Analysts are optimistic about the combined product. Metis has always been strong on visualization; Troux has been good at IT asset discovery. 'Computas approached this from an enterprise architecture perspective at a high level and worked down. We developed the foundational capabilities and have been moving up,' Emerson said.
GCN associate writer Joab Jackson contributed this report. E-mail Brad Grimes at firstname.lastname@example.org.