hello, list-folk--

i read this on the firewalls list, and thought it might be of interest to everyone here. although it is not an intrusion detection tool, per se, it seems to be an alternative for Kerberos. i have no information about this product beyond what you read here. i am sure Mark Reardon (mwr@sware.com) would be more than happy to field your questions, however.

regards,

--robert

--- Forwarded mail from "Mark W. Reardon" <mwr@sware.com>

From: "Mark W. Reardon" <mwr@sware.com>
Subject: HannaH from SecureWare Inc.
To: firewalls@GreatCircle.COM
Cc: Shannon Bell <shan.bell@sware.com>, "J. D. Forinash" <foxtrot@sware.com>
Date: Wed, 30 Aug 95 13:24:19 EDT

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Some of the engineers involved in the product discussed below forwarded this message to me so that I might comment on it. The product is called HannaH and I am the development manager for it. Let me give a little information on it and then I will refrain from becoming a commercial. I would be glad, however, to answer any questions, either through email or the firewall list.

HannaH is an application that loads into any of the five systems below and positions itself below the network applications. In the Windows environment it does this at the Winsock layer; in UNIX it actually groups the TCP layer in the OS. Each session created between two hosts running HannaH has the option of using strong authentication, data integrity, and encryption. HannaH uses certificates that are signed by the HannaH Certificate Authority to verify the remote end of the connection. It then looks in its local database to see what connections that Distinguished Name is allowed to make and what services to apply. If the remote host doesn't support HannaH, the database may contain an entry to allow non-secure connections or reject them.

This initial authentication process is performed using a SecureWare-developed protocol called Peer Authentication and Key Management Protocol. As the name implies, once the systems have authenticated themselves, there is also a key negotiated. This key negotiation itself is protected using the RSA public key algorithm to hide it. The negotiated key is used for the session to be created and is different for each session, even between the same two hosts. The specification for the PAKMP is on our web site for those that want more detail.

The data sessions themselves are encrypted using DES. Integrity is done using MD5, and a combination is done on each packet to assure authentication.
Since each session has its own key, if a key is compromised (brute force or otherwise), only that session is compromised.

HannaH is also designed with an Audit Subsystem that can generate alarms and supports call-out functionality. The alarms can also be set up to forward critical information to a central Management Workstation for collection and processing. This connection is also protected. The MWS has more filtering capabilities for examining the records and can also be customized by the user to print the Alarm records in any desired format. The Management Workstation is able to manage the Access Control Databases from a central site and also administers the Audit Filter and Action Database. This means that the security administrator can, from a central site, determine who has access to the services on each node in their network.

The HannaH Certificate Authority (CA) is a Windows 95 application that allows the administration of the certificates. These functions include generating RSA key pairs for users, creating the actual certificates containing the DN and public key, creating certificate revocation lists, optional escrowing of the keys issued, re-signing user-generated certificates after their authenticity has been verified, and creating cross certificates.

A couple of these functions deserve a little more info. CRLs are lists of certificates that the CA doesn't want to be accepted by HannaH hosts anymore. Each HannaH node must have a valid CRL to verify a certificate. They are automatically grabbed off of a designated node called the CA Server and cached. They generally have a replacement date of several days.

The cross certificates are used for verifying a certificate issued by another CA. This allows two companies that use HannaH to allow communications between their domains. All the cross certificate does is provide a method for verifying that the certificate was issued by something that knew the key.
Then, access is actually controlled by the ACDB in each node.

Key escrow has become a sensitive issue and we leave it up to each customer to decide. The CA can escrow keys that it creates using the recreation-from-parts paradigm. For those that don't want to escrow, don't use it. If a user doesn't want anyone else to know their private key, then they can generate their own key pair and just provide the public key to the CA for certificate creation.

Now that I have put in more detail than I wanted to, let me mention a few high-level things. Applications on Windows that use the Winsock layer for communications run unmodified over HannaH. We have tested several browsers and X-server implementations. No modifications are required in the UNIX environments either, because we did it down in the system below the call layer.

Availability: we are currently looking at Beta sites for the next version. The original HannaH was developed as part of a government bid and it used hardware-based encryption. The commercial product using software-based encryption is currently finishing up development, with the goal being to be ready for Interop. We are investigating using HannaH in firewalls and have had talks to that end. I really can't comment more than that since those agreements have not been announced.

- ------------------------------------------------------------------
Mark Reardon    | SecureWare, Inc.               | Voice: (404) 315-6296 ext. 134
mwr@sware.com   | 2957 Clairmont Rd., Suite 200  | V. Mail: (404) 315-6597 ext. 134
                | Atlanta, GA 30329-1647         | Fax: (404) 315-0293
-----END PRIVACY-ENHANCED MESSAGE-----

---End of forwarded mail from "Mark W. Reardon" <mwr@sware.com>

--
o robert owen thomas: unix consultant. i am welsh. user scratching post. o
o e-mail: Robert.Thomas@pamd.cig.mot.com --or-- robt@cymru.com           o
o vox: 708.435.7076   fax: 708.435.7360                                  o
o "When I die, I want to go sleeping, like my grandfather...              o
o  Not screaming, like the passengers in his car."                        o
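To make the admission logic described in the post concrete (peer certificate verified against a trusted issuer or a cross certificate, a valid cached CRL required before any certificate is accepted, then the DN looked up in the node's ACDB to pick the services, with a separate ACDB policy for peers that do not speak HannaH), here is an added model of that decision. It is illustrative code written for this page, not SecureWare's, and it assumes the certificate signature itself has already been checked and that one CRL is cached per issuer; all names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    dn: str        # Distinguished Name the ACDB is keyed on
    issuer: str    # own CA, or a CA we hold a cross certificate for
    serial: int

@dataclass(frozen=True)
class CRL:
    replace_by: date     # cached CRL is stale after this date
    revoked: frozenset   # serials the CA no longer wants accepted

@dataclass(frozen=True)
class Node:
    trusted_issuers: frozenset  # own CA plus cross-certified CAs
    crls: dict                  # issuer -> cached CRL (assumption: one per issuer)
    acdb: dict                  # DN -> frozenset of services to apply
    plain_ok: bool              # ACDB entry for peers without HannaH

def admit(node, today, cert=None):
    """Decide how an incoming session is handled. cert is None when the
    remote host does not speak HannaH at all."""
    if cert is None:
        return ("plain", frozenset()) if node.plain_ok else ("reject", "non-HannaH peer not allowed")
    if cert.issuer not in node.trusted_issuers:
        return ("reject", "issuer unknown and no cross certificate")
    crl = node.crls.get(cert.issuer)
    if crl is None or today > crl.replace_by:
        # a node without a valid CRL cannot verify any certificate
        return ("reject", "no valid CRL cached, cannot verify certificate")
    if cert.serial in crl.revoked:
        return ("reject", "certificate revoked")
    services = node.acdb.get(cert.dn)
    if services is None:
        return ("reject", "no ACDB entry for " + cert.dn)
    return ("secure", services)

# Constructed sample data for a single node.
TODAY = date(1995, 8, 30)
NODE = Node(
    trusted_issuers=frozenset({"CN=Own CA", "CN=Partner CA"}),
    crls={"CN=Own CA": CRL(date(1995, 9, 2), frozenset({17})),
          "CN=Partner CA": CRL(date(1995, 8, 28), frozenset())},  # stale
    acdb={"CN=Alice": frozenset({"auth", "integrity", "encrypt"}),
          "CN=Bob": frozenset({"auth", "integrity"})},
    plain_ok=False)
ALICE = Cert("CN=Alice", "CN=Own CA", 5)
BOB_OLD = Cert("CN=Bob", "CN=Own CA", 17)        # serial on the CRL
CAROL = Cert("CN=Carol", "CN=Partner CA", 9)     # partner CRL expired
```

Note that a stale CRL rejects even a good certificate, which is why the post stresses that nodes fetch CRLs automatically from the CA Server.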