Sentry: A Scalable Solution
Margie Cashwell, Senior Sales Engineer
[email protected]
Sept 2000
Overview
• State of Digital Mobile Telephony
• Examples of Wireless Applications
• PKI Architecture
• Scalability
• Extensibility
• Scalable Solutions
• Sample Architectures
State of Digital Mobile Telephony
• Global System for Mobile Communications (GSM) has over 215 million subscribers
• GSM alone has more subscribers than the Internet has users (210 million)
• Paradigm shift in mobile telephony: 3G
– Sprint is the first cellular provider to offer 3G service in the US
Examples of Wireless Applications
• Top three uses of Internet-enabled mobile phones:
– Travel-related uses
– Online banking
– Email
• Wireless scale = Internet scale x 100 = Enterprise scale x 1,000
PKI Architecture
• Requirements:
– Multi-functional
– Extensible
– Support mass-market network devices embedded in:
• mobile phones
• pagers
• PDAs
• “smart phones”
Extensibility
• Ratio of device size to certificate size
• X.509 certificate format too complex for small devices
• Elliptic curve keys in certificates
• WTLS certificate format
• Ability to support new certificate formats
Proven Scalable Solutions
• 8 million certificates on a single server
• Individual and batch certificate issuance and revocation
• Remote publishing of user certificates
• Locating and retrieving user certificates
• Concurrent signing operations
• Concurrent real-time online certificate status checking
Xcert Sample Architecture
(diagram)
Trust Model with External CAs
(diagram)
WebSentry
(diagram)
Sentry Product Suite
Unique ‘rapid deploy’ PKI platform for Internet and e-commerce applications that scales to a million users and manages security for corporations that use the Internet to conduct business.
Sentry Product Suite
Sentry CA - Issue & manage certificates
WebSentry - PKI enable your servers
Sentry RA - Provide remote enrollment
Xcert Development Kit - PKI enable your apps
Professional Services & Training - Achieving ROI
Support - Reliable customer service
Xcert PKI Overview
• Internet based
• Customizable
• Simple
• Scalable
• Lightweight
• Secure
• Non-proprietary
• PKI enables the application service
– User authorization
– Non-repudiation of transactions (digital signatures)
• Remote user enrollment
– Minimizes enrollment bottlenecks
• Industrial-strength CA
– Issues certificates
– Manages certificates
– Manages Access Control Lists
– Supports PKI-enabled applications
Sentry CA Specifications
• Platforms
– NT & Solaris
• Certificates & CRLs
– X.509 v3 (all standard extensions)
• Application Support
– Web
– Email
– VPN
– ERP
– SSO
– Document security
• Directories
– LDAP, X.500
• Protocols
– HTTP, SSL, LDAP, SMTP, PKCS
• Crypto
– DSA, RSA, ECC
• Crypto Hardware
– All PKCS #11
• High Assurance
– FIPS 140 level 3 hardware
– Real-time revocation
Sentry CA Architecture
Basic Components:
• Directory Server
• Signing Engine
• Administration Server
• Enrollment Server
• Logging Server
Add-on Components:
• Publishing Backend
• Alternate SQL data stores
Sentry CA Features
Certificate lifecycle management:
• Enrollment
– Interfaces
• Vetting
– Notification
– Examination
– Auto vetting
• Extensions
– Profiles
• Storage
– Interfaces
• Suspension & revocation
– Status checking
• Renewal
Sentry CA Features
CA lifecycle management:
• Creating CAs
• Managing CAs
– User maintenance
– CA security & practices
• Exporting CAs
• Importing CAs
• Cloning
• Subordination
• CRLs
• External CAs
External CAs
(diagram)
Sentry CA Features
• System administration
– Work benches
– ACL management (admins, vetters, end users)
– Logging
– Backing up
– Upgrading
• Extending the back-end
– Publishing
– Data stores
Sentry RA
• Industrial-strength enrollment solution
– Accepts certificate requests
– Verifies credentials
– Supports CA signing process
– Revokes certificates
• Streamlined configuration
– Auto notification
– Auto enrollment
– Auto renewal
– Application-specific profiles
• Distributed component / stand-alone server
• Offloads enrollment bottlenecks from the CA
• Flexible scalability
Sentry RA
(diagram)
WebSentry
• High-assurance PKI for web servers
– Plugs into standard web servers
– User authorization
– Controls access to web pages
– Queries Sentry CA for:
• certificate status
• ACL rules
• Zero tolerance security
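As an added illustration (not Xcert's code) of the authorization decision the WebSentry slide describes, the function below grants access to a page only when the client certificate's status comes back as good and an ACL rule names the subject; any other outcome, including a failed status query, denies. The certificate status table and ACL rules are constructed stand-ins for the live queries to Sentry CA.

```python
# Added example, not from the Xcert Sentry product: fail-closed page authorization.
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

@dataclass(frozen=True)
class ClientCert:
    issuer: str   # issuer DN as presented in the client certificate
    serial: int   # certificate serial number, unique per issuer
    subject: str  # subject DN used for ACL matching

# Constructed status table standing in for a real-time status query to the CA.
CERT_STATUS: Dict[Tuple[str, int], str] = {
    ("CN=Demo CA", 1001): "good",
    ("CN=Demo CA", 1002): "revoked",
    ("CN=Demo CA", 1003): "suspended",
    ("CN=Demo CA", 1004): "good",
}
# Constructed ACL rules: URL prefix -> subject DNs allowed ("*" = any valid certificate).
ACL_RULES: Dict[str, Set[str]] = {
    "/finance/": {"CN=alice,O=Example"},
    "/public/": {"*"},
}

def lookup_status(cert: ClientCert) -> str:
    """Stand-in for the CA status query; a certificate the CA does not know is not 'good'."""
    return CERT_STATUS.get((cert.issuer, cert.serial), "unknown")

def acl_allows(subject: str, path: str, rules=ACL_RULES) -> bool:
    """Longest matching URL prefix wins; a path with no rule is denied."""
    matches = [p for p in rules if path.startswith(p)]
    if not matches:
        return False
    allowed = rules[max(matches, key=len)]
    return "*" in allowed or subject in allowed

def authorize(cert, path: str,
              query_status: Callable[[ClientCert], str] = lookup_status,
              rules=ACL_RULES) -> Tuple[bool, str]:
    """Deny unless every check positively succeeds (the slide's 'zero tolerance')."""
    if cert is None:
        return False, "no client certificate presented"
    try:
        status = query_status(cert)
    except Exception as exc:  # CA unreachable or malformed answer: fail closed
        return False, f"status query failed: {exc}"
    if status != "good":
        return False, f"certificate status is {status}"
    if not acl_allows(cert.subject, path, rules):
        return False, "no ACL rule grants access"
    return True, "access granted"
```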
Wrap Up
• Wireless devices will be a large part of the future.
• The best way to bring these devices into the network in a secure fashion is with certificates.
• We expect to see significant PKI and WAP development over the next 18 months.