The Ryerson Extranet by lff30040


Secured Access on Campus and from Home or Remote Sites

Computing and                                Ryerson University
Communications Services                           August 2000
           Table of Contents

         Introduction ............................................................... 3
         Importance of Security .............................................................. 8
         Ryerson Servers ......................................................................10
         Secured Access Method (SAM) ..................................................12
         Public Key Infrastructure (PKI) ...................................................15
         Ryerson’s PKI Security Components ............................................18
             § Firewalls......................................................................18
             § Public and private keys...................................................19
             § Digital signatures ..........................................................20
             § Certificate Authorities.....................................................21
             § LDAP Authentication ......................................................22
             § Virtual Private Network (VPN)...........................................23
             § Non-Repudiation ..........................................................24
         Conclusion ............................................................................25
         Links ....................................................................................26

Ryerson University                                                                                  2

The Internet, Intranets, and Extranets are re-defining how companies
communicate and do business. As communications internally and externally
increase, so do the associated risks and security requirements. Ryerson has
implemented a combination of security software from Entrust Corporation and
network switching hardware from Nortel Corporation. This white paper
provides an overview of those security considerations and the implementation
of security hardware and software that are specific to Ryerson.


The Internet is a global network of networks connecting millions of computers
worldwide. This connecting is done via a simple standard common addressing
system and communications protocol called TCP/IP (Transmission Control
Protocol/Internet Protocol). More than 100 countries are linked together to
exchange electronic data. Unlike online services, which are centrally
controlled, the Internet is decentralized by design. Remarkably, this anarchy
by design works exceedingly well.

For most of its existence the Internet was primarily a research and academic
network. More recently, commercial enterprises and a vast number of
consumers have come to recognize the Internet's potential. Today people and
businesses around the world can use the Internet to retrieve information,
communicate and conduct business globally, and access a vast array of
services and resources on-line.

For many universities, the Internet has come full circle. Though many of the
developmental efforts for Internet technologies took place on university and
college campuses, only recently have faculty, staff and students reaped the
advantages that were initially hammered out and tested in those same
laboratories and classrooms.

Of course, the Internet’s weakness is also its fundamental strength. Its
openness makes it the ideal platform for global commerce and
communications. However, since it is open, communications are inherently
difficult to secure. Of most concern is the prospect of outside intruders, or
hackers, breaking into corporate computer systems and either stealing secret
data or corrupting valuable data and generally causing a disturbance.

Ryerson University                                                              3

An Intranet is a private computer network based on the communication
standards of the Internet. It is a smaller version of the Internet that only the
members of an organization can see. Intranets work like the Web, with
browsers, Web servers, and Web sites, but they're used internally. An Intranet's
Web sites look and act just like any other Web sites, but the firewall
surrounding an Intranet fends off unauthorized access.

Like the Internet itself, Intranets are used to share information. Secure Intranets
are now the fastest-growing segment of the Internet because they are much less
expensive to build and manage than private networks based on proprietary

Why set up an Intranet? Companies are looking for an open-architecture, cost-
effective solution for distributing information throughout their organization.
Employees want better information faster. The Intranet offers this solution. As
on the Internet the Web browser is the universal interface for the Intranet.
Never before has a company had the ability to set up a network where all the
operations run from one interface that can run on disparate platforms. Now the
UNIX user can communicate with the MAC user who can then communicate
with the Windows user.

Intranets are closed off from the rest of the Internet by firewall software, which
lets employees surf the Web but keep all the data on internal Web servers

Like employees of a large corporation, university faculty, staff and students
have a great deal of administrative and research needs. These needs are
being eased by the introduction of Web-based systems. Access to these
corporate systems form the company’s Intranet. Basically an Intranet is a
private network belonging to an organization, accessible only by the
organization's members, employees, or others with authorization. In essence,
it's like a mini version of the Internet

Ryerson University                                                                   4

In addition, faculty, staff and students are also looking to access the resources
of their corporate Intranet as they take to the road or dial in from home.
Business partners are also joining together to share business and research
information, either for short-term joint projects or for long-term strategic

Providing remote access to these corporate computers via the Internet requires
an Extranet. An Extranet is basically like building a bridge between the public
Internet and private corporate Intranet. Basically, an Extranet is just a fancy
way of saying that a corporation has opened up portions of its Intranet to
authorized users outside the corporation. See exhibit below – Networks
Compared. Typically, Extranet users are given a login ID and password along
with a digital certificate that must be installed on the their computer.

                     Networks Compared

                     Internet          Intranet            Extranet

 Type of             Open              Private           Controlled

 Used                Public           Organization        Business
                                      Members             Partners

 Information                                              Selective
                     General        Proprietary
 Type                                                     Sharing

Extranets are becoming more and more popular as more companies are
discovering their potential. Want your students to use the automated
registration system from home? Wish you could check your grades without
making the trip back to school? Would you like to show your research partners
the preliminary study results without using overnight mail? Wish that you could
access the computer file you forgot to bring home? All this and more are
possible with an Extranet.

Ryerson University                                                                  5
Extranets are transforming enterprise networking. Rather than using proprietary
networks to exchange information, companies can now leverage their
investments in Intranet and Internet technology and use Extranets to exchange
data and share applications with business partners, suppliers, and customers.

Rather than depend on dedicated leased lines, an Internet-based Virtual Private
Network (VPN) uses the open, distributed infrastructure of the Internet to
securely transmit data between corporate sites. Therefore, it makes sense to
find a middle ground where the organization either supplements or replaces
their current investments in modem pools and their private network
infrastructure with a less expensive solution based on Internet technology. In
this manner business can focus on its core competencies with the assurance
that accessibility will never be compromised, and that the most economical
solution is deployed.

Because the Internet is a public network with open transmission of most data,
Internet-based VPNs include measures for encrypting data passed between
sites, which protects the data against eavesdropping and tampering by
unauthorized parties. As an added advantage, a VPN can provide secure
connectivity for mobile workers.

Internet technology has changed not only the way organizations do business,
but also the way they approach network security. The dynamic nature of
today’s corporate networks means that they are no longer defined by physical
boundaries, but instead by enterprise-wide security policies. To be effective,
these policies must include a broad range of security services that govern
access to network resources, while protecting these same resources from both
internal and external threats.

Ryerson University                                                               6
Ryerson University   7
           Importance of Security

Everyone knows that security is vital to every network. What they often don’t
know is that security is more than erecting physical and electronic barriers. The
strongest encryption and most robust firewall are practically worthless without a
security policy that articulates how these tools are to be used.

Why is Security Important?

Today, there are many reasons to secure the corporate Intranet:
1. To allow only authorized users access to corporate systems;
2. To stay ahead of any legal mandates – regulatory agencies are becoming
   stricter on the issues of privacy, security and liability;
3. To lock out cyber hackers and viruses from both external and internal
   sources to sensitive corporate data;
4. To setup electronic commerce applications that will incorporate secure
   applications and transactions;
5. To guarantee that information sent or received has not been tampered.

What are the dangers?

Examples of danger for not incorporating security measures include:
1. Student grades can be altered;
2. Bookstore online transactions can be made void;
3. Faculty research work disappears;
4. Virus attacks infecting all corporate systems bring them to a halt or totally
5. Payroll and benefit systems can be compromised;
6. Email communications gets altered;
7. Potential loss of passwords.

What are some of the costs associated when security is compromised?

The following are possible costs associated with recovery when security is
§ Security personnel overtime costs
   § to determine why prevention didn't work, who's at fault, and what it will
        take to fix the security gap.
§ Tech-support personnel overtime and reassignment
   § time spent figuring out what should be fixed or replaced, how to repair
        the damage, the necessary resources and where they can be obtained
        and which systems require offline cleanup.

Ryerson University                                                                 8
§   Attacked system downtime
    § could include employees left idle and unable to perform their jobs,
        students not able to complete their assignments and researchers can’t
        continue their research.
§   Opportunity costs
    § lost business from down or inoperable systems. For example, loss of
        access to Continuing Education’s web-based registration and
        tuition/payment system could potentially loose a lot of money if people
        could not access the systems.

Fundamental Security Requirements:

                      Fundamental Security Requirements
Access Control        Determines who may have access to information within a
Authentication        Verifies the identity of communicating parties
Privacy               Protects sensitive information from being viewed
Integrity             Guarantees that information is not tampered with or altered
Non-Repudiation       Inability to deny a transaction

Each is a necessary component for a complete solution. Access is usually
managed by a firewall, which regulates data flow into and out of a network.
Authentication binds the identity of an individual to a specific message or
transaction. For commercial or legal use, authentication must be as legally
acceptable as a signature on a contract. Data privacy and integrity ensure that
communications and transactions remain confidential. Legal and commerce
applications often demand privacy, not merely as a preference but as a legal
prerequisite. Data integrity assures that information remains accurate and is
not altered. Non-repudiation prevents reneging on an agreement by denying a
transaction. Public key technology provides mechanisms that address each of
these requirements.

Ryerson University                                                                  9
           Ryerson Servers

Ryerson University recognizes the value and fosters the use of
information technology to serve the educational, clinical, research, and
administrative activities of students, faculty, staff, and administration. In order
to facilitate and foster these activities for the mutual benefit of all members of
the Ryerson community, the University provides many types of access.

Ryerson’s Intranet is comprised of Faculty/Staff only servers and
Faculty/Staff/Student servers.

Some of the faculty/staff/student only servers include:
      Matrix    E-mail server
      Turing Programming Languages Server
      Malthus Statistical Server
      Alex      Ryerson’s Web Server

Some of the faculty/staff only servers include:
      Bob       Administrative Server
      Tod       Student Records / Oracle Government Financial Server
      Carol     Firewall Server
      Marlin Novell Superserver
      Stingray NT Superserver
      Borg      Cognos Server

On-Campus Access

While on campus, Ryerson faculty, staff and students have access to all
authorized servers via a physical network connection to the Ryerson Information
Network (RIN). This RIN is comprised of fiber optic cabling linking all of its 28
buildings on the Ryerson campus to its various servers. Cabling from faculty
and staff offices have special network addresses that allows them access to
faculty/staff servers. Students have access from public computer labs,
specially-wired classrooms or the student residence to their student-only

Ryerson University                                                               10
Home or Mobile Access

More and more users are demanding to be “on-line” around the clock and
from around the world. Secured Extranet access to Ryerson’s Intranet via the
Internet is currently available to faculty and staff. They can access Ryerson’s
Intranet from either home or some other remote location using our Security
Program called Secured Access Method (SAM). See next section “What is
SAM” for more information. Students can dial into Ryerson via an Internet
Service Provider (ISP) and access student only servers.

As more applications are developed to utilize the web browser interface, access
to more systems for Ryerson faculty, staff and students becomes a reality.
Web-based technologies are not only making automated registration easier,
they are providing a scalable way to grow communications networks as more
administrative functions move online. Many campuses are rapidly escalating
their use of Web-based systems to offer wide range of electronic services like E-
mail / Internet access and to supporting administrative applications and faculty
research efforts. Basically, the Internet has introduced new ways for Ryerson to
conduct business.

Future developments include enabling:
§ people to do online donations
§ students to purchase text books online
§ students to pay for courses online
§ staff/faculty to access files from their office computer from remote sites

Also, a future consideration by Ryerson is the “single sign on” procedure. This
option will allow authorized users to locally or remotely sign-on once to the
Ryerson network and be granted access to any system that they are entitled to
across the organization. The single sign-on procedure will help keep user
passwords secure and easy to maintain, as well as reducing the time and
resources needed for users to access different types of systems.

Ryerson University                                                                11
           Secured Access Method (SAM)

What is SAM?

Remote access to Ryerson’s Extranet (i.e. extending the Intranet remotely) is
available through Ryerson’s Secured Access Method (SAM). SAM uses a
combination of security software and hardware to ensure only authorized users
are allowed onto the Ryerson Extranet. SAM utilizes a digital “certificate” that
is installed on your PC together with a login id and password.

SAM provides further security by creating a Virtual Private Network (VPN),
which is like a “secure tunnel” through which all communication between the
user PC and Ryerson must pass. All data transmissions are “encrypted” so that
they cannot be read while travelling across the Internet.

Tunneling is a method of securely transferring data from one network over to
another network. The data to be transferred (or payload) can be the frames (or
packets) of another protocol. Instead of sending a frame as it is produced by
the originating node, the tunneling protocol encrypts the payload and
encapsulates the frame in an additional header. The additional header
provides routing information so that the encapsulated payload can move
properly through the network.

The encapsulated packets are then routed between tunnel endpoints over the
network. The logical path through which the encapsulated packets travel
through the network is called a tunnel. Once the encapsulated frames reach
their destination, the frame is unencapsulated, decrypted and forwarded to its
final destination. Note that tunneling includes this entire process (encryption,
encapsulation, transmission, unencapsulation and decryption of packets). See
exhibit on next page – Sam Extranet Access

What do I need to use SAM?
  Hardware and Software Requirements
  • Pentium 166Mhz or above with at least 32 MB RAM
  • Computer running Windows 95, 98 or Windows NT
  • Your own Windows 95, 98 or Windows NT original CD
  • 10 MB of free hard disk space
  • FTP software to download SAM software OR pickup a SAM CD from
      CCS in room LB66
  • A Secured Access Method (SAM) ID and password
  • Access to an Internet Service Provider (ISP)

Ryerson University                                                            12
How do I get a SAM ID?

You must pick up a SAM ID form and Confidentiality Form from the
Computing and Communications Services (CCS) department. Another option
is to visit the CCS web site at and print off the
SAM ID and Information Policy Protection Acknowledgement forms. Once the
forms has been filled out and authorized by your immediate supervisor, it is to
be returned to CCS for processing. Within a week, you will receive an email
with the following information:

-   your SAM password
-   your SAM digital certificate
-   your SAM install instructions
-   where to get the SAM software

How do I use SAM?

1. Install the SAM software on your computer.
2. Copy your personalized SAM digital certificate file to the appropriate
   location on your computer.
3. Connect to your own Internet Service Provider (ISP)
4. Run the SAM software
5. The first time you run the SAM software, it will ask you to provide it with a
   new password. Make sure your password is minimum 8 characters in
   length and it must contain one capital letter and at least one number.
6. Once connected, you will have secured and encrypted access to any of the
   authorized Ryerson servers.

SAM is not only safe for communicating with Ryerson servers while on campus
but also ideal for home and mobile users who wants to connect to Ryerson.
With the SAM client and digital certificate installed on the home or mobile
user’s computer, the software will initiate the creation of a secure tunnel to
Ryerson in order to send and receive data.

To ensure secured and encrypted data transfers, Ryerson is encouraging the
use of SAM when accessing all Ryerson Systems.

Ryerson University                                                            13
Ryerson University   14
           Public Key Infrastructure (PKI)

As Ryerson makes more and more of its business operations available through
the Internet, it must be completely confident that all of its communications with
its staff, faculty, students and partners are completely private and can be
trusted. Today a number of security technologies are available to help build
and deploy e-Business applications on the Web with complete confidence and
thus open doors to new opportunities.

Ryerson has employed a combination of security software from Entrust
Corporation and VPN tunneling hardware and software from Nortel

Entrust PKI

Public-key infrastructure, or PKI, is a security technology that is available to
address secured transactions over the Internet. PKI technology makes it
possible to securely access highly confidential systems. The primary catalyst for
broad market interest and demand for public key encryption technology has
been fueled by the desire to use the Internet for e-commerce.

Ryerson has adopted Entrust PKI as its security software technology. Entrust
supplies software that enables a corporation to deploy security technology that
scales from departmental to enterprise-wide. Applications include network
privileges, authenticating local or remote users, establishing e-commerce-
based extranets and issuing digital certificates to online customers. Entrust has
been very active in PKI standards and has worked closely with the Internet
Engineering Task Force (IETF) on forthcoming standards.

Much like a passport proves identity in the offline world, PKI delivers ways to
prove identity in the online world. Ultimately, PKI technology gives Ryerson the
opportunity to build and deploy secure e-Business applications on the Web
with complete confidence. PKI makes it possible for Ryerson to lower
infrastructure costs by moving from costly modem pools with dedicated telecom
lines to the Internet. Digital certificates have become the essential building
block to enable broader business relationships in a connected economy.

Ryerson University                                                              15
The deployment of Entrust’s Public Key Infrastructure (PKI) security system at
Ryerson is more than technology. It is best thought of as a framework of
accepted business practices supported by systems and software. Providing
strong privacy, authentication, data integrity and non-repudiation, PKI fulfills
fundamental security requirements. See exhibit on next page – Ryerson Public
Key Infrastructure (PKI)

Advantages of using PKI

Specific advantages of implementing PKI over using simple browser security
    - Enforced password protection of private keys using centrally-defined
        rules, which makes it impossible for someone to sit down at a PC and
        assume the identity of the owner.
    - Mutual authentication by which the browser and server are
        authenticated using certificates with the private keys being properly
        protected at each end.
    - Controlled, centralized definitions of the policies and parameters
        associated with trust.
    - Immediate revocation of user’s credentials and communication to
        associated servers when a user’s rights have been discontinued.
    - Automatic certificate updates without the need for user intervention.

Entrust Background

Entrust Software has received the Common Criteria (CC) seal of approval. The
CC became ISO standard 15408 in 1999, which is aligned with other security
organizations like the European (ITSEC), US (TCSEC –Orange Book) and
Canadian (CTCPEC). The CC provides a common set of requirements for
the security functions of Information Technology products and assurance
measures applied to them during a security evaluation. For more information
on this topic, check the Entrust website at:

The Entrust software modules have been validated against the CC standard.
These validations provide Entrust users with the assurance that the services
delivered by Entrust (encryption / decryption, digital signature
creation/verification, etc) are secure and can be trusted.

Ryerson University                                                              16
Ryerson University   17
           Ryerson’s PKI Security Components
The core technologies when combined, enables ways of securely transacting
communication and business. These components include:
§ Firewalls
§ Public and private keys
§ Digital signatures
§ Certificate Authorities
§ LDAP Authentication (X.500 & X.509 standards)
§ Virtual Private Network (VPN)
§ Non-Repudiation


Generally, firewalls are configured to protect against unauthorized access from
the "outside" world. This, more than anything, helps prevent vandals from
logging into machines on your network. More elaborate firewalls block traffic
from the outside to the inside, but permit users on the inside to communicate
freely with the outside.

Firewalls are also important since they can provide a single "choke point"
where security and audit can be imposed. Firewalls provide an important
logging and auditing function; often they provide summaries to the
administrator about what kinds and amount of traffic passed through it, how
many attempts there were to break into the protected server or the firewall

 Remote User

                     Internet              Firewall           Secured Network


Ryerson University                                                            18
PKI: Public & Private Keys

The magic of PKI occurs through the use of extremely long prime numbers,
called keys. Two keys are involved – a private key, which only you have access
to, and a public key, which can be accessed by anyone. The two keys work
together, so a message scrambled with the private key can only be
unscrambled with the public key and vice versa. The more digits in these keys,
the more secure the process. See exhibit below – Public Key Encryption

Encryption is accomplished by applying a mathematical algorithm to a digital
message in order to scramble “plain text” and render the message useless to
unintended recipients. The algorithm can be customized for each use by
inserting a different sequence of bits as the variable. The variable bit sequence
is known as the key. Once the initial message is encrypted, any entity that
intercepts it will find an indecipherable sequence of bits.

            Public Key Encryption

                                    H i B ob,                   Hi Bob,
            Hi Bob,
            I have read             I have read                 I have read
            your new                your new                    your new
            contract,               contract,                   contract,

             Original     Private   Scrambled       Public        Original
              Data         Key         Data          Key           Data

Ryerson University                                                             19
Digital Signatures

Just as you prove your identity through a handwritten signature offline, you use
a digital signature to prove your identity online. But without seeing a person
sign the document, how can you prove it’s the right person? This is where
public-key cryptography comes in. For instance, a document, is run through a
complicated mathematical computation to generate a single large number,
called a hash. The original document and the hash are inextricably linked. If
either changes, the hash won’t match and the message cannot be decoded.
The process of this type of encoding is known as your digital signature.

To digitally sign a document, a hash is taken of the document and then signed
with a user’s (let’s call him Bob) private key. Data scrambled with Bob’s private
key can only be unscrambled with Bob’s public key. Any entity can verify the
validity of the document by unscrambling the hash with Bob’s public key and
checking that against another hash computed from the received data.

If the hashes match, the data was not tampered with and Bob’s digital
signature is on it. But because I didn’t watch Bob sign the document, I don’t
know that it wasn’t signed by an imposter. This issue is solved because only
Bob has his private key, and so he is the only one who could have signed the
document. See exhibit below – Using a digital signature to validate data

Digital signatures are used to authenticate the identity of the sending party and
to verify that the original document has not been altered. Digital signatures
can also be used to create a non-forgeable form of electronic identification
known as digital certificates. A digital certificate is similar to a passport or
driver’s license because it enables a party’s identity to be verified by a
recognized authority. The certificate typically contains information about the
user, such as name, public key number, expiration date, etc)

  Using a digital signature to validate data integrity

   Hi Bob,                                               Hi Bob,                     hash
   I have read                                           I have read
   your new                                              your new
   contract,                                             contract,     Algorithm
  Hashing                                  Network                                                 validate
  Algorithm                                                                                        data

   One-way       Private Key     Digital                   Digital     Public key   One-way
    hash         encryption    signature                 signature     decryption    hash

Ryerson University                                                                            20
Certificate Authorities

How do I know I have the correct key to verify the signature? This is where the
concept of trust enters the system, creating the need for a certificate authority.
The certificate authority is like an online passport office – a trusted entity that
makes the PKI system work. The private key is securely generated by Bob, and
after verifying Bob’s identity, the certificate authority signs Bob’s public key with
its own private root key. The combination of Bob’s public key and the
signature of the authority completes Bob’s digital certificate. Bob’s digital
certificate is his online passport, validated by the certificate authority’s

For example, when Bob wants to send Alice an email, he could use Alice’s
public key, stored in her certificate, to scramble the message. When Alice
receives the message, she uses her private key to unscramble the message.
Because no one else has Alice’s private key, only she can unscramble the

The role of trusted third party in the PKI is held by entities called certificate
authorities (CAs). By electronically signing a digital certificate, a CA vouches
for the certificate owner’s identity. The main function of a digital certificate is
to validate the public key of an individual or network device. However, digital
certificates can also contain information that defines user privileges, and
therefore they can play a role in managing access control. The portability and
scalability of a digital certificate supports a wide variety of applications. For
example, digital certificates and private encryption keys can be loaded onto
smart cards. Over time, digital certificate-configured smart cards will likely
become the standard for credentials such as passports, driver’s licenses and
credit cards.

Certificate authorities hold a central role in the PKI by acting as the repository
of trust from which digital certificates derive legitimacy. Digital certificates are
created, managed, administrated and revoked by the CA. Much like the
government issues and guarantees the identity of the passport bearer, a CA
acts as the guarantor of the validity of the digital certificate. The CA can be a
corporate network administrator or a recognized public entity.
            Digital Certificate Authentication


        User logs on to the Internet                Ceritificate      Server authorizes user
        and enters ID/Password                      Authority         to specific systems
        on PC with digital certificate
                                                    user’s identity
Ryerson University                                                                             21
LDAP Authentication (Lightweight Directory Access Protocol)

Central to a CA’s system is its use of directories. Directories are similar to
databases, however, directories are primarily used for reading information
rather than transactions or complex queries. In a PKI environment, directories
are used to store and distribute digital certificates, keys, cross-certification lists,
entries for distribution of certificate revocation lists (CRLs) and to retrieve keys.
Such an infrastructure must be able to support these basic functions and most
importantly, support individual customization in order to meet security
requirements while achieving business objectives.

The enabling directory technology for PKI-based systems is Lightweight
Directory Access Protocol (LDAP). LDAP standards were designed specifically
for use in an Internet Protocol (IP) environment. LDAP is interoperable with and
incorporates many of the features of X.500 while offering the advantages of
being compact, easier to implement, and flexible. The latest version of LDAP
utilizes a well-known browser standard known as Secure Sockets Layer (SSL) to
create a secure connection between the client and the LDAP directory.
Drawing upon an SSL connection and the standard API interface with LDAP, a
directory can be customized and used in concert with digital certificates to
define privileges, access and policies.

It's the Lightweight Directory Access Protocol - or LDAP - a networking protocol
that allows end users to more easily navigate the choppy, disparate directories
of the rough distributed computing waters.

At the most basic level, directories will provide a repository for customer
information. If you define your customers in a directory--instead of in every
application that needs to know who your customers are and what network
access rights they have--you can define and maintain customers and different
policies for different applications in a single place.

Ryerson University                                                                   22
Virtual Private Network (VPN)

A virtual private network (VPN) is a secure and encrypted connection between
two points across any network including the Internet. A VPN uses the open,
distributed infrastructure of the Internet to transmit data between various sites.
Because the Internet is a public network with open transmission of most data,
Internet-based VPNs include measures for encrypting data passed between
VPN sites protecting the data against eavesdropping and tampering by
unauthorized parties. Ryerson has chosen the Nortel switch to accomplish this
virtual private network.

VPNs transfer information by encrypting and encapsulating traffic in IP packets
through a tunnel then sends the packets over the Internet. This type of tunneling
is based on the IPSEC protocol. Also, there is an additional level of security
involving encrypting not only the data but also the originating and receiving
network addresses.

In addition, VPNs are not limited to corporate sites and branch offices. As an
added advantage, a VPN can provide secure connectivity for mobile workers.
These workers can connect to their company's VPN by dialing into their local
Internet Service Provider (ISP), which reduces the need for long-distance
charges and outlays for installing and maintaining large banks of modems at
corporate sites.

In VPNs, virtual implies that the network is dynamic, with connections set up
according to the organizational needs. It also means that the network is
formed logically, regardless of the physical structure of the underlying network
(the Internet, in this case). Unlike the leased lines used in traditional corporate
networks, VPNs do not maintain permanent links between the end points that
make up the corporate network. Instead, when a connection between two sites
is needed, it is created; when the connection is no longer needed, it is torn
down, making the bandwidth and other network resources available for other
uses. Thus the connections making up a VPN do not have the same physical
characteristics as the hard-wired connections used on the LAN, for instance.

Instead of using costly leased lines, the VPN offers Ryerson the same
capabilities but at a much lower cost. Phone companies have provided secure
shared resources for voice messages. A virtual private network makes it
possible to have the same secure sharing of public resources for data.

For a tutorial on VPN technology, go to web site: or

Ryerson University                                                               23

Non-repudiation is the ability to prove to a third party that :
      1.That the sender did indeed send the transaction, and
      2.That the recipient received the exact same transaction.

This involves data integrity mechanisms that ensures that the information has
not been tampered with while in storage or during transmission. To provide full
non-repudiation for both parties, the following steps must be taken:

         -    All parties must be identified and authenticated
         -    All parties must be authorized to perform the functions required.
         -    The integrity of the transaction content must be intact throughout the
              entire process
         -    Certain transaction information needs to be confidential for
              authorized users only
         -    All transactions must be fully audited.

Digital signatures are commonly used to ensure data integrity and non-
repudiation. For example, a Ryerson student might conduct several
transactions over the Internet – transferring money from his VISA account to
pay his tuition fees, purchasing a Ryerson Meal Plan and ordering a specific
book from the Bookstore. Each transaction is transparently and digitally signed
by the student, which proves to Ryerson that the student did indeed originate
and approve the transactions.

The effective use of digital signatures imposes certain obligations on the parties
involved. The signers of electronic messages must protect their private key from
compromise. This is the fundamental building block of the PKI. If a signer’s
private key is compromised, he must report it immediately to the CA so that the
CA can revoke his certificate. Certification authorities are obligated to use
due diligence to verify the identity of their subscribers and their relationship to
their public keys. The CA must also promptly suspend or revoke a certificate at
a subscriber’s request.

Ryerson University                                                                24

The combination of Entrust PKI security software and Nortel’s VPN tunneling
switch allows Ryerson to take advantage of the low-cost and ubiquitous nature
of the Internet for remote access to highly sensitive corporate materials.
Enabling access to staff, faculty, students and customers via the Internet offers
a higher level of security rather than costly dial-up services. Also, over time, e-
commerce tools based on PKI will eventually replace paper contracts, personal
signatures and even paper currency.

As Ryerson moves from Intranet to Extranet access for its staff, faculty, students
and customers, the transactions between users and applications must be
secured and trusted. By deploying PKI technology, Ryerson is starting to
achieve this standard. Not only is PKI reducing operational cost but it has
provided Ryerson with a more easily managed, scalable architecture that can
strengthen the security of current and future Ryerson applications.

Extranets are transforming enterprise networking. Rather than using proprietary
networks to exchange information, companies can now leverage their
investments in Intranet and Internet technology and use Extranets to exchange
data and share applications with staff, business partners, suppliers, and

Because Extranets are also about letting third-party users into corporate
networks, they need to be extremely secure, and access needs to be highly
controllable. Access control, authentication, encryption, and non-repudiation -
- all core elements of a secure extranet -- are most effective when tightly
integrated into a single comprehensive security and management platform.

Ryerson University                                                               25

For more information on Extranets and PKI security, please visit the following
web sites:

Ryerson University                                                               26

To top