REDMOND, Wash., Feb. 1, 2000 — It may already seem like ancient history, but there was a time not too long ago when network security was really rather simple. That was back in the days of local area networks, when each system was a self-contained entity — entirely walled off from the outside world — and security was largely a question of denying network access to unwanted visitors.
Today, security is infinitely more complex. The advent of wide area networks and the rise of the Internet have transformed the business landscape as companies come to rely more and more on a combination of the Web, intranets and extranets to streamline internal operations and facilitate communications with customers, suppliers, and partners. Companies that have embraced these new technologies are reaping the rewards in the form of innovative business models that include more rapid development time for new products and services, more efficient manufacturing processes, and access to new markets and new opportunities.
The result is nothing short of a revolution. But to participate, organizations must be willing to open up boundaries that were once closed, providing a greatly expanded universe of users with access to internal applications, systems, and data. This requirement creates extremely complex and difficult security challenges.
“Companies are making their networks look more like the Internet every day,” says Shanen Boettcher, Microsoft’s product manager for Windows 2000 security services. “And as they share out more and more of their internal resources to more and more users, network security becomes more important. The challenge is to make the system secure without making it unmanageable.”
“Security is about locking things down; e-commerce is all about opening things up,” adds Nand Mulchandani, co-founder and VP of product management at Oblix, a leading developer of directory-server-based e-commerce solutions in Cupertino, California. “You’ve got to find a way to keep unwanted people out while letting the right people in and providing them with the right information. Finding the right balance is critical.”
Windows 2000, Microsoft’s newest operating system, was created to help organizations strike the proper balance. Windows 2000 leverages the powerful security features of Windows NT — including single sign-on, easy to use administrative tools for security policy and account management, and a security model predicated on tight integration with the Microsoft BackOffice family of application services — and extends them with new features designed specifically to enable the creation of distributed networks that are secure, easy to deploy, easy to manage, and easy to use.
Centralizing Security Management
One of the most important new security features of Windows 2000 is its integration with Active Directory, a standards-based directory service built into Windows 2000 that simplifies management, extends security and improves interoperability. Within Active Directory, companies store information about network elements such as users, machines and applications.
Active Directory integration helps Windows 2000 overcome an especially vexing set of issues for both managers and users of distributed network systems. Up until now, complicated network infrastructures with multiple security models have forced users to log on repeatedly as they move among applications and systems, often with a different profile at each new entry point. For administrators, that means redundant, complex management, increasing the chances that users will be given too little access to the resources they need, hampering business processes, or too much access to the system, creating serious security problems.
Active Directory uses containers and objects to organize network resources in a logical hierarchy, storing all the information about users, groups, machines, and applications in one location and then giving network administrators an easy way to update that information. Users seeking access to network resources now only have to pass through a single checkpoint.
“When the security infrastructure is scattered across systems, it creates huge security and management issues,” says Oblix’s Mulchandani. “Centralizing control of such things as user profiles, roles, and rights is critical to creating a secure system. Previously, companies just couldn’t manage all those things in a centralized way.”
With Active Directory and Windows 2000, network managers can delegate selected administrative privileges to designated users; implement policy-based management that allows them to assign specific security controls to classes of machines, for example, or to Internet or extranet users, applications, or servers; control access to printers, folders, and other resources; and assign different sets of authentication procedures for different groups of users, all from a single location.
For companies like Oblix, this opens up a whole new kind of network management. Starting from the Active Directory features of Windows 2000, Oblix adds solutions that allow businesses to manage information about employees, trading partners, suppliers, and channel organizations in real time over the Web. The result, says Mulchandani, is something he calls centralized control with decentralized management.
“Let’s say you are running a big enterprise with thousands of suppliers and dealers,” he explains. “If you’re putting your business on the Web, you’d normally have to staff up the IT help desk to field calls from the tens of thousands of potential users who need user names and passwords. By leveraging the features of Active Directory, Oblix allows you to decentralize these tasks within the constraints of the policies you have established centrally. Now, the manager at the dealer can create new users, because you’ve delegated him control of a small sub-tree of your bigger system, but you know he can’t give anyone access to anything else.”
Simpler Access and Better Performance
In addition to simplifying security management, Active Directory also serves as the foundation for a wide range of security services that authenticate users as they enter the system, protect the integrity of the data and applications that reside within it, and safeguard data as it moves between systems. Key features include the Security Configuration Manager, a “define once, apply many times” technology that lets administrators put a security configuration into a template and apply it to selected computers in a single operation, and IP Security (IPsec), which authenticates and encrypts network traffic between systems, safeguarding internal networks and providing secure virtual private networking (VPN) over the Internet to a company’s internal network.
Another security service now included in Windows 2000 is the Kerberos Version 5 authentication protocol. An open-standards protocol (RFC 1510) created at MIT, Kerberos provides authentication of principals (“I am who I say I am”), data-origin authentication (“this message really came from me”) and integrity (“the message has not been tampered with since I sent it”) for network communications; the session keys it distributes can also be used to keep the traffic that follows confidential. It is a “shared-secret” protocol: each user and each server holds a secret key known only to itself and the Key Distribution Center (in Windows 2000, the domain controller), and no password ever crosses the network. Kerberos authenticates not only the user to the server but the server to the user, protecting against attackers who set up a server that impersonates a legitimate one.
Kerberos replaces Windows NT LAN Manager (NTLM) as the default protocol for network authentication and access to resources in Windows 2000 (NTLM remains available for Windows NT and Windows 9x clients and for workgroup logons). Besides mutual authentication, it brings an important performance gain: a server validates a client’s ticket with its own key, so it no longer has to relay every logon to a domain controller the way NTLM pass-through authentication does, and connections are established faster under load.
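As an added illustration of the exchanges just described (example code written for this page, not Microsoft’s or MIT’s implementation), the following Python models the three Kerberos phases between a client, a KDC and an application server: AS (logon), TGS (requesting a ticket for a service) and AP (presenting the ticket, with the server answering to prove its own identity). The realm, principal names, password and keys are constructed sample data; the cipher is a toy HMAC-based stand-in for Kerberos’ real encryption types, the string-to-key function is a PBKDF2 stand-in, and the 300-second clock-skew window matches the Windows 2000 default. It shows the points above in running code: no password crosses the wire, the application server validates the ticket with its own key without contacting the KDC, a rogue server that lacks the service key fails the mutual-authentication step, and a replayed (stale) authenticator is rejected.

```python
"""Toy Kerberos V5 model (AS, TGS, AP exchanges, mutual authentication); cipher is an HMAC-based stand-in."""
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds; authenticators outside this window are rejected (replay defence)

def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """PBKDF2 stand-in for Kerberos string-to-key: the principal's password-derived long-term key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag (toy replacement for an enctype)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal; raises ValueError on a wrong key or a tampered/forged blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth: dict, ticket: dict) -> None:
    """Checks made by both the KDC's ticket-granting service and application servers."""
    if auth["cname"] != ticket["cname"] or abs(time.time() - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator does not match ticket or is outside the skew window (replay?)")

class KDC:
    """Key Distribution Center (a domain controller): holds every principal's long-term key."""
    def __init__(self, realm: str, keys: dict):
        self.realm, self.keys = realm, dict(keys)
        self.keys["krbtgt"] = os.urandom(32)  # key under which ticket-granting tickets are sealed
    def as_exchange(self, cname: str):
        """AS-REP: TGS session key sealed under the user's key, plus a TGT. No password on the wire."""
        k_tgs = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": k_tgs})
        return seal(self.keys[cname], {"key": k_tgs}), tgt
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str):
        """TGS-REP: a service ticket sealed under the service's key, plus the session key for it."""
        t = unseal(self.keys["krbtgt"], tgt)
        k_tgs = bytes.fromhex(t["key"])
        check_authenticator(unseal(k_tgs, authenticator), t)
        k_svc = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": k_svc})
        return seal(k_tgs, {"key": k_svc, "sname": sname}), ticket

def service_ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes) -> bytes:
    """Application server side: validates the ticket with its own key and never calls the KDC."""
    t = unseal(service_key, ticket)
    k_svc = bytes.fromhex(t["key"])
    a = unseal(k_svc, authenticator)
    check_authenticator(a, t)
    # AP-REP: the client's timestamp under the session key; only a holder of the real service key
    # could have recovered that key from the ticket, so this authenticates the server to the client.
    return seal(k_svc, {"ts": a["ts"]})

def rogue_ap_exchange(ticket: bytes, authenticator: bytes) -> bytes:
    return os.urandom(96)  # impersonator without the service key: cannot open the ticket, answers with noise

def login(kdc: KDC, cname: str, password: str) -> dict:
    """Client side of the AS exchange; a wrong password cannot open the AS-REP."""
    enc_part, tgt = kdc.as_exchange(cname)
    rep = unseal(string_to_key(password, kdc.realm, cname), enc_part)
    return {"cname": cname, "tgt": tgt, "k_tgs": bytes.fromhex(rep["key"])}

def access(kdc: KDC, creds: dict, sname: str, server, auth_ts: float = None) -> bool:
    """TGS exchange, then AP exchange with mutual authentication; True only if both sides check out."""
    auth = seal(creds["k_tgs"], {"cname": creds["cname"], "ts": time.time()})
    enc_part, ticket = kdc.tgs_exchange(creds["tgt"], auth, sname)
    k_svc = bytes.fromhex(unseal(creds["k_tgs"], enc_part)["key"])
    ts = time.time() if auth_ts is None else auth_ts
    ap_rep = server(ticket, seal(k_svc, {"cname": creds["cname"], "ts": ts}))
    if unseal(k_svc, ap_rep)["ts"] != ts:  # a server without the service key cannot produce this
        raise ValueError("server failed mutual authentication")
    return True

# Constructed sample realm (assumed names, not from the article): one user, one file server.
REALM, FILESERVER_KEY = "CORP.EXAMPLE", os.urandom(32)
SAMPLE_KDC = KDC(REALM, {"alice": string_to_key("correct horse battery", REALM, "alice"),
                         "fileserver": FILESERVER_KEY})

def run_scenarios() -> dict:
    """True where access was granted: only the genuine server should succeed."""
    def attempt(fn):
        try:
            return bool(fn())
        except ValueError:
            return False
    creds = login(SAMPLE_KDC, "alice", "correct horse battery")
    genuine = lambda ticket, auth: service_ap_exchange(FILESERVER_KEY, ticket, auth)
    return {"genuine_server": attempt(lambda: access(SAMPLE_KDC, creds, "fileserver", genuine)),
            "wrong_password": attempt(lambda: login(SAMPLE_KDC, "alice", "hunter2")),
            "rogue_server": attempt(lambda: access(SAMPLE_KDC, creds, "fileserver", rogue_ap_exchange)),
            "stale_authenticator": attempt(lambda: access(SAMPLE_KDC, creds, "fileserver", genuine,
                                                          auth_ts=time.time() - 2 * MAX_SKEW))}
```

Calling `run_scenarios()` returns a dictionary in which only `genuine_server` is `True`. The design point worth noticing is in `service_ap_exchange`: the server touches nothing but its own key and the ticket the client handed it, which is exactly why a Kerberos server does not need a round-trip to the domain controller per connection, and why a server that never received the real key cannot get past `unseal`.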
According to Boettcher, Public Key Infrastructure (PKI) has also been added to Windows 2000, with important implications for security. PKI is a standards-based security architecture that combines public-key cryptography with digital certificates to verify the authenticity and integrity of data and documents and to validate the identity of users who are coming in over the Internet. It gives network administrators a powerful way to protect their communications and business transactions on the Internet.
“PKI is an essential enabling security technology for today’s extended enterprise,” says Boettcher. “It is extremely important for extranets. With PKI, users from heterogeneous clients can come into your system. They just need a standards-based browser. Windows 2000 provides a feature called certificate mapping which gives administrators the ability to map a PKI certificate to a user account in the Active Directory. This provides an important bridge between PKI and the Kerberos protocol used in Windows 2000. This means that administrators can manage internal users and external users, and access control as well as security — centrally and consistently with Windows 2000.”
The Dawn of Interoperability
Besides improving overall security, the integration of standards-based protocols and formats such as Kerberos and PKI certificates provides another important benefit: interoperability. Typically, large enterprises have a wide variety of technologies and systems that must work together efficiently. And in today’s business climate, where partners and suppliers are given access to parts of the network, smooth cross-platform operations are more important than ever.
“Our customers require a unified, cohesive, easily-maintained security infrastructure across their enterprise, regardless of what systems they are running in their environment,” said John Hoskins, Director of Business Development at CyberSafe Corp., a leading provider of enterprise network security solutions. For the enterprise customer using Windows 2000 alongside existing investments, interoperability means seamless end-to-end secured data communications across platforms, resulting in stronger overall enterprise security as well as centralized administration across the board.
“If you’re a large company, there’s a good chance that you have some mainframes, some Unix, and some NT all going at once, with users maintaining separate profiles and administrators maintaining separate access lists,” says Sam Sides, technology director for QuickStart, an Irvine, California, technology company that offers a total, integrated package of e-business services. “By bringing these technologies together into a single package, Windows 2000 lets us take all those disparate systems and create a truly integrated network.”
With the public release of Windows 2000, Sides says QuickStart is beginning to work with clients preparing to upgrade from their current platform to the new operating system. He believes that once companies make the move, the transition to Windows 2000 will provide an important competitive advantage.
“Windows 2000 is more than just an upgrade of your NT environment, so taking advantage of all of its capabilities will require some serious upfront planning,” he says. “But for those companies that make the effort, the result will be a networked environment that enables true e-business operations, offering just the right balance between access and security.”
Shanen Boettcher agrees.
“Security is really just one means to achieve a larger goal,” he says. “The real goal is to end up with a network that you can roll out quickly, that is flexible enough to meet your changing needs, and that you can administer easily from a central location. Windows 2000 is the best platform for achieving all those goals.”