RealTime IT News

Networld + Interop: Bandwidth, Security the Buzz Words (continued)

Next-Generation Security

Meanwhile, several security companies at N+I announced new support for public-key infrastructure systems in their product lines. The new PKI features are designed to give customers a way to manage digital certificates to authenticate users and devices over the Internet--ideally, providing a manageable framework to better secure sensitive corporate data shared over Internet VPNs.

One reason so many security companies have jumped on the PKI bandwagon is that digital certificates are also required to support the Internet Key Exchange (IKE)--formerly referred to as ISAKMP/Oakley--portion of IPsec, the Internet Engineering Task Force's proposed standard that embeds authentication and encryption capability directly into the IP protocol.

But besides a maturation of the IPsec protocols and underlying PKI technologies--which include X.509 digital certificates and the certificate authority (CA) systems that manage them--the trend has come to the fore as more companies need to secure Internet communications for remote employees and business partners.

"What's driving the [PKI] trend is that VPN deployments are becoming real now," said Jacqueline Ross, vice president of marketing for Check Point Software Technologies. Ross said that whereas 18 months ago, only one-twelfth of Check Point's customers had set up VPNs, today one-fourth are running VPNs--and the number is growing.

Last week Check Point announced details of its next firewall, FireWall-1 4.0, which will support certificate authority systems from Entrust Technologies and VeriSign Inc. With the encryption key management provided by those CAs, customers can now much more easily set up VPNs with FireWall-1, Ross said.

"Wide-scale VPNs are just not manageable without PKI," she said. "You don't need a PKI for authenticating and encrypting traffic between just two sites. But if you've got 1,000 users--and no way to automatically manage digital certificates--you need a key for each user pair, which is 1 million keys."

Last week VeriSign, which provides certificate authority software as well as the Internet's most widely used public certificate authority to verify users' identities, announced VeriSign OnSite for IPSec, a service for corporations to outsource key management in order to provide IPsec-based VPNs.

Companies that announced their products will support the new VeriSign service included 3Com, Ascend, Check Point, Cisco, Shiva, TimeStep, and VPNet Technologies.

Also announcing support for a PKI architecture last week was Red Creek Communications, which will support Netscape's Certificate Server for X.509 digital certificate management in version 3.0 of its software that runs on the company's hardware VPN devices. Future versions of Red Creek's VPN systems will support additional CAs, said product marketing manager Cary Hayward.

Network Associates offers a CA of its own to manage digital certificates, which it gained through its acquisition last year of Pretty Good Privacy (PGP). While the company plans to extend the system to support X.509 digital certificates and link to Entrust and VeriSign CAs by the end of 1998, most PKI products on the market today are very expensive and difficult to integrate into an existing network, said Peter Watkins, vice president and general manager of Network Associates' Net Tools Secure division.

"We are not into religious wars--we'll support anything the industry decides is a standard, like X.509," Watkins said. "But you've got to have a PKI that's easy to deploy and that doesn't disrupt business processes. We see an opportunity to provide a solution at an attractive price that will let you use the same key for several applications."