The need for interconnecting workstations has become evident for companies of every size. VPN technology (Virtual Private Network) enables the secure exchange of data and VoIP phone calls between various sites via the public Internet. This combines the advantages of open and widely-used TCP/IP architectures with the security of formerly used leased lines.
The use of the Internet as a backbone for company-internal communication results in considerable economic gains due to the efficient usage of existing public infrastructure. On the other hand, it comes with severely increased risks regarding the authenticity of communication partners as well as the confidentiality and integrity of the data exchanged. Hence, uncompromising security is a substantial criterion for any VPN solution.
The TURAYA.TrustedVPN solution has been developed with two principal design goals in mind:
TURAYA.TrustedVPN provides a comprehensive state-of-the-art security infrastructure as a ready-to-run and fully automatic solution. The risk of inadequate configuration settings is thereby largely eliminated.
When managing the system, one can focus fully on the higher level of system-wide logical trust relationships between networks and users, rather than on administering individual devices and their parameter settings.
The solution consists of three main components:
The VPN appliances are designed as completely closed systems which are administered solely from remote. For their initial commissioning, a base configuration for their external network connection needs to be created in the TURAYA.TrustedObjects Manager. This data set can then be exported with one click as a signed file onto a USB storage device. Attaching this device once to the individual VPN appliance is the sole operation required locally.
Once the VPN appliance has been connected to the network, it will set up a TrustedChannel to the TURAYA.TrustedObjects Manager, which then takes over full control of this appliance. The TrustedChannel is a mutually authenticated and encrypted link, and the management system additionally confirms the integrity of the VPN appliance by means of a "remote attestation" process before accepting this new link.
According to the configuration requirements of the management system, the TURAYA.TrustedVPN appliances provide IPsec tunnels for peer-to-peer connectivity to other appliances and can optionally accept access requests from mobile users on the basis of their IPsec software clients. All key material used to secure such communication links is always generated within the VPN appliances and certified by the management system.
The management system and the VPN appliances are equipped with an embedded TPM chip (Trusted Platform Module) acting as a security anchor that is fully integrated into the overall system architecture up to and including the application level.
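The remote attestation step described above, in which the management system confirms the appliance's integrity before accepting the TrustedChannel, can be illustrated with a simplified model. This is an added example and not TURAYA's own code: the measurement names, the reference values and the HMAC standing in for the TPM's asymmetric attestation-key signature are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed reference measurements ("golden values") the management system holds
# for the appliance boot chain. The real product's components are not given here.
GOLDEN_LOG = [b"bootloader-v1", b"kernel-v1", b"vpn-stack-v1"]


def extend(pcr, measurement):
    """TPM-style PCR extend: PCR = H(PCR || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def pcr_from_log(log):
    """Replay an event log from the all-zero initial PCR value."""
    pcr = bytes(32)
    for m in log:
        pcr = extend(pcr, m)
    return pcr


def appliance_quote(ak_key, log, nonce):
    """Appliance side: report PCR, event log and a signature over (PCR || nonce).
    HMAC is an assumed stand-in for the TPM attestation-key signature."""
    pcr = pcr_from_log(log)
    sig = hmac.new(ak_key, pcr + nonce, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig, "log": list(log)}


def verify_quote(ak_key, quote, nonce, golden_pcr):
    """Management side: accept the channel only if every check passes."""
    if not hmac.compare_digest(quote["nonce"], nonce):
        return False, "stale or replayed quote"
    expected_sig = hmac.new(ak_key, quote["pcr"] + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False, "bad attestation signature"
    if pcr_from_log(quote["log"]) != quote["pcr"]:
        return False, "event log does not reproduce quoted PCR"
    if not hmac.compare_digest(quote["pcr"], golden_pcr):
        return False, "PCR differs from reference: appliance modified"
    return True, "integrity confirmed; channel accepted"


def attestation_demo(log):
    """Run one challenge/response round with a fresh nonce against the golden log."""
    ak = b"constructed-attestation-key"   # assumed shared verification key
    nonce = os.urandom(16)
    quote = appliance_quote(ak, log, nonce)
    return verify_quote(ak, quote, nonce, pcr_from_log(GOLDEN_LOG))
```

A modified component changes the PCR value, so the appliance is refused even though its signature and event log are self-consistent.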
More specifically, the TPM implementation addresses within the appliances:
As a result, the system as a whole monitors itself continuously and prevents manipulation, whether attempted remotely or locally.