HannaH from SecureWare Inc.
Robert Owen Thomas (rthomas@pamd.cig.mot.com)
Wed, 30 Aug 1995 14:06:56 -0500
hello, list-folk--
i read this on the firewalls list, and thought it might be of interest
to everyone here. although it is not an intrusion detection tool, per se,
it seems to be an alternative for Kerberos.
i have no information about this product beyond what you read here. i am
sure Mark Reardon (mwr@sware.com) would be more than happy to field your
questions, however.
regards,
--robert
--- Forwarded mail from "Mark W. Reardon" <mwr@sware.com>
From: "Mark W. Reardon" <mwr@sware.com>
Subject: HannaH from SecureWare Inc.
To: firewalls@GreatCircle.COM
Cc: Shannon Bell <shan.bell@sware.com>, "J. D. Forinash" <foxtrot@sware.com>
Date: Wed, 30 Aug 95 13:24:19 EDT
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
MIIBxjCCAXACFFjVVBsGH5SnHa42KUiEyt0AAAAAMA0GCSqGSIb3DQEBAgUAMFkx
CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsT
DlNlY3VyZVdhcmUgUENBMRcwFQYDVQQLEw5FbmdpbmVlcmluZyBDQTAeFw05NTA1
MTExMzUzNDVaFw05ODA1MTAxMzUzNDVaMHMxCzAJBgNVBAYTAlVTMRgwFgYDVQQK
Ew9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsTDlNlY3VyZVdhcmUgUENBMRcwFQYD
VQQLEw5FbmdpbmVlcmluZyBDQTEYMBYGA1UEAxMPTWFyayBXLiBSZWFyZG9uMFkw
CgYEVQgBAQICAgQDSwAwSAJBDdoErtN8vyza47fIQHiy1DCvMBhr9Wc3ByPJ/9Ek
rKojJnyXDYzQh0JX3oOLZ0ITBCnbBM69w0DTs4aSJTQjqEcCAwEAATANBgkqhkiG
9w0BAQIFAANBAJcyeNNIi4blzo1SjWV2sXfRQ9uhNHZ4t89hZLbCjaRYvoXjW1Uv
XYCLO/YG1flFrXp5xOzd04+2OcLsw9RViDk=
Issuer-Certificate:
MIIBkzCCAT0CFEbO5h6/SKxULWrq4aExKoYAAAAAMA0GCSqGSIb3DQEBAgUAMEAx
CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9TZWN1cmVXYXJlIEluYy4xFzAVBgNVBAsT
DlNlY3VyZVdhcmUgUENBMB4XDTk1MDUwODIwMjAxNloXDTk3MDUwNzIwMjAxNlow
WTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UE
CxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMFkwCgYE
VQgBAQICAgADSwAwSAJBAL4Od/KxhOB6HyUbBJC2X6Ic2P0XEcGnddzJ1QEHjSFy
x5qzn098ScMWDEJSiwrsVmQFbNvN01hkke7ZE21aG5sCAwEAATANBgkqhkiG9w0B
AQIFAANBALtOOv3SWxy+/VEvvY6j06wUNQRhqbtX5g8HgOwPgvoqcrRl939lcOcx
X7q8YB5bVVTow4PsFfnorV5gsOBwnf4=
MIC-Info: RSA-MD5,RSA,
AWnjVT+DI9DOx64N+AJZ0ny8heM78tKJfnnNMgywaulO/oA7aE4pNTy7JE2rtLII
YO9jirEJN23WlWIHyQkA5Pg=
Some of the engineers involved in the product discussed below
forwarded this message to me so that I might comment on it.
The product is called HannaH and I am the development manager
for it. Let me give a little information on it and then I will refrain
from becoming a commercial. I would be glad, however, to answer
any questions, either through email or the firewall list
HannaH is an application that loads into any of the five systems
below and positions itself below the network applications. In the
windows environment it does this at the Winsock layer, in UNIX
it actually groups the TCP layer in the OS. Each session created
between two hosts running HannaH have the option of using strong
authentication, data integrity, and encryption.
HannaH uses certificates that are signed by the HannaH Certificate
Authority, to verify the remote end of the connection. It then looks
in its local database to see what connections that Distinguished
Name is allowed to make and what services to apply. If the remote
host doesn't support HannaH, the database may contain an entry
to allow non-secure connections or reject them.
This initial authentication process is performed using a SecureWare
developed protocol call Peer Authentication and Key Management
Protocol. As the name implies, once the systems have authenticated
themselves, there is also a key negotiated. This key negotiation itself
is protected using the RSA Public key algorithm to hide it. The negotiated
key is used for the session to be created and is different for each session,
even between the same two hosts. The specification for the PAKMP are
on our web site for those that want more detail.
The data sessions themselves are encrypted using DES. Integrity is
done using MD5, and a combination is done on each packet to assure
authentication. Since each session has its own key, if a key is compromised
(brute force or otherwise), only that session is compromised.
HannaH is also designed with an Audit Subsystem that can generate alarms
and supports call out functionality. The alarms can also be setup to forward
critical information to a central Management Workstation for collection and
processing. This connection is also protected. The MWS has more filtering
capabilities for examining the records and can also be customized by the
user to print the Alarm records in any desired format.
The Management Workstation is able to manage the Access Control Databases
from a central site and also administers the Audit Filter and Action Database.
This means that the security administrator can from a central site determine
who has access to the services on each node in their network.
The HannaH Certificate Authority (CA) is a Windows 95 application that allows
the administration of the certificates. These functions include generating RSA
key pairs for users, creating the actual certificates containing the DN and
public
key, creating certificate revocation lists, optional escrowing of the keys
issued,
resigning user generated certificates after their authenticity has been
verified,
and creating cross certificates.
A couple of these functions deserve a little more info.
CRLs are lists of certificates that the CA doesn't want to be accepted by
HannaH
hosts anymore. Each HannaH node must have a valid CRL to verify a certificate.
They are automatically grabbed off of a designated node called the CA Server
and
cached. They generally have a replacement date of several days.
The cross certificates are used for verifying a certificate issued by another
CA. This
allows two companies that use HannaH to allow communications between their
domains. All the cross certificate does is provide a method for verifying that
the
certificate was issued by something that knew the key. Then, access is actually
controlled by the ACDB in each node.
Key escrow has become a sensitive issue and we leave it up to each customer to
decide. The CA can escrow keys that it creates using the recreation from parts
paradigm. For those that don't want to escrow, don't use it. If a user doesn't
want anyone else to know their private key, then they can generate their own
key pair and just provide the public key to the CA for certificate creation.
Now that I have put in more detail than I wanted to, let me mention a few high
level
things. Applications on Windows that use the Winsock layer for communications
run unmodified over HannaH. We have tested several browsers and X-server
implementations. No modifications are required in the UNIX environments either
because we did it down in the system below the call layer.
Availability: we are currently looking at Beta sites for the next version. The
original
HannaH was developed as part of a government bid and it used hardware based
encryption. The commercial product using software based encryption is currently
finishing up development with the goal being to be ready for Interop.
We are investigating using HannaH in firewalls and have had talks to that end.
I
really can't comment more than that since those agreements have not been
announced.
- ------------------------------------------------------------------
Mark Reardon | SecureWare, Inc. | Voice: (404)
315-6296 ext. 134
mwr@sware.com | 2957 Clairmont Rd., Suite 200 | V. Mail: (404) 315-6597 ext.
134
| Atlanta, GA 30329-1647 | Fax:
(404) 315-0293
-----END PRIVACY-ENHANCED MESSAGE-----
---End of forwarded mail from "Mark W. Reardon" <mwr@sware.com>
--
o robert owen thomas: unix consultant. cymro ydw i. user scratching post. o
o e-mail: Robert.Thomas@pamd.cig.mot.com --or-- robt@cymru.com o
o vox: 708.435.7076 fax: 708.435.7360 o
o "When I die, I want to go sleeping, like my grandfather... o
o Not screaming, like the passengers in his car." o