ClearPath MCP Encryption

Post on 25-Feb-2016

DESCRIPTION

ClearPath MCP Encryption. Steve Koss, Distinguished Engineer and Chief Architect. The What and Why of Encryption: Terminology (Symmetric Key Encryption, Public Key Encryption (PKE), Certificates, SSL/TLS combines all three); Why Encrypt (reduces the chance of data exposure). PowerPoint presentation.

TRANSCRIPT


ClearPath MCP Encryption
Steve Koss, Distinguished Engineer and Chief Architect

2012 Unisys Corporation. All rights reserved.

The What and Why of Encryption
- Terminology
  - Symmetric Key Encryption
  - Public Key Encryption (PKE)
  - Certificates
  - SSL/TLS - combines all three
- Why Encrypt
  - Reduces the chance of data exposure
  - Makes Auditors Happy

Data Privacy Capabilities: Overview
- Encryption of data across networks
  - File transfer via FTP/SFTP/NFT/DMV
  - Terminal emulator sessions
  - Transport Layer Security/Secure Sockets
  - IPsec packet layer encryption
- Encryption of data at rest
  - Tape encryption
  - Disk encryption
- Security Center Key Management
- Stealth

Notes: This presentation breaks down the topic of data privacy into several distinct areas. Lots of attention is being put into this area due to the increased focus on compliance and regulations (cleartext sensitive data).
FTP = File Transfer Protocol; SFTP = Secure File Transfer Protocol; NFT = Native File Transfer; DMV = SAN DataMover

Network Security: File Transfer Protocols/Products
- Many different methods to transfer and protect files between MCP and other systems:
  - FTP/FTPS
  - SFTP (SSH), introduced in MCP 14.0
  - Secure File Transfer (NFT)
  - SAN DataMover
- File transfer capabilities on remote systems determine the most suitable product.
- Security is configurable on all but SFTP (no unsecure version).
- To use any of these on ClearPath MCP, MCP cryptography must be available.

Notes: The ClearPath MCP has many file transfer products that allow interchange of files over secure connections. Some of these products allow the user/administrator to specify if the transfer is secure or unsecure. Cryptography (through CCP or Windows firmware) is required to use these with ClearPath MCP.

Network Security: File Transfer Protocol (FTP)
- File Transfer Protocol (RFC 959), supported by most systems
- Transfers can be secured via SSL/TLS
  - IMPLICIT model: two sets of ports (one secure, one insecure)
  - EXPLICIT model: one set of ports (usually 21/20), and there are commands to turn SSL/TLS on/off
  - AUTHMODE controls where SSL/TLS is used: IMPLICIT, EXPLICIT, EXPLICITLOGON, EXPLICITCOMMAND
- New features introduced in MCP 13.1
  - Client Certificates: ability to specify an X.509 certificate for additional validation
  - Can allow acceptance of self-signed server certificates
  - Can secure the data port when the control port is not secured

Notes: The FTP protocol is one of the most popular file transfer protocols on the Internet. Defined by RFC 959 (and subsequent RFCs), it is supported on most systems (even LINUX!). Transfers use two ports: usually TCP port 21 for commands, and TCP port 20 for data. Transfers can be secured using SSL/TLS through a variety of methods.

IMPLICIT SSL defines two sets of ports: one set for unsecure traffic (usually 21/20), and one for secure traffic (990/989). If a transfer is supposed to be secure it connects to the secure command port, otherwise it connects to the insecure command port.

EXPLICIT SSL defines only one set of ports; if secure transfers are requested, there is a separate command which is sent to begin the secure negotiation (AUTH TLS). There is another command to turn off security. The AUTHMODE keyword allows the caller to control how SSL/TLS is used.

New features have been added to the MCP 13.1 release: Client Certificates; support for accepting self-signed certificates; securing just the data port (if the control port is unsecured).

Network Security: Secure File Transfer Protocol (SFTP)
- Secure File Transfer Protocol (SFTP) is part of the SSH protocol suite
- Defined by
- MCP implementation supports version 3 (but does NOT support all of the commands yet)
- Interoperable with implementations which use the openssh() toolkit (most flavors of Linux) and psftp (part of PuTTY).
- Full list at: http://www.support.unisys.com/common/matrices/ViewMatrix.aspx?pla=MCP&nav=MCP&PageID=649

Notes: ClearPath MCP 14.0 includes the framework and infrastructure for the SSH protocol architecture. It supports the SFTP (version 3) standard for transferring files. It is interoperable with openssh() and psftp (part of PuTTY). Support for other clients is undefined at this time. The full list will be maintained on the Unisys website (URL above).

SFTP: Configuration
- Support for SFTP has been integrated into the FTPSUPPORT product and can be accessed from:
  - Batch FTP Client (COPY)
  - Interactive FTP Client (U FTP)
- SFTP configuration is through the FTPSUPPORT configuration file (*SYSTEM/FTP/SUPPORT/CONFIGURATION)
- Keys and trust are configured through SecurityCenter
  - Server public keys (management and trust)
  - Usercode public keys (management)

Notes: The SFTP protocol has been integrated into the FTPSUPPORT library because it shares a lot of functionality with FTP and it provides a consistent interface to the file transfer products. Therefore, SFTP can be accessed through the same methods: the Batch client (through the COPY command) and the Interactive Client (U FTP). SFTP is configured through the FTPSUPPORT configuration file.

The management of public keys (one must be created if running as a server) and trust of other public keys (if running as a client) are performed through the MCP Cryptographic Services Manager module of SecurityCenter. A new node, SSH Keys, has been created to manage both server and client public keys.

SFTP Copy Example #1
Batch Client:
  COPY FILENAME (FTPTYPE=IMAGE) TO DISK(PACK, IPADDRESS=xxx.xxx.xxx.xxx, AUTHMODE=SSH, USERCODE=GUEST/GUEST)
Interactive Client:
  U FTP
  AUTHMODE SSH
  OPEN xxx.xxx.xxx.xxx   (with GUEST/GUEST credentials)
  TYPE IMAGE
  PUT FILENAME

Notes: The first example shows a batch copy statement using the SFTP transfer service, and its interactive equivalent.

Using the batch client, AUTHMODE is set to SSH in the destination volume attribute list. This directs the execution of the COPY statement to the SFTP transfer service. In addition, FTPTYPE is set to IMAGE, which causes a binary copy without any text translation. Finally, a specific usercode and password is given, which causes password authentication to take place.

With the interactive client, you would use the commands shown here to achieve the same result as the batch COPY statement. Notice that AUTHMODE is set to SSH prior to the OPEN statement. This ordering is required to initiate an SFTP transfer with the interactive client.

SFTP Copy Example #2
Batch Client:
  COPY [SFTP] FILENAME (FTPSITE=SSH_CLIENT_SERVICENAME=SSH_USER) TO DISK(IPADDRESS=xxx.xxx.xxx.xxx)
Interactive Client:
  U FTP
  AUTHMODE SSH
  SSH_CLIENT_SERVICENAME SSH_USER
  OPEN xxx.xxx.xxx.xxx
  PUT FILENAME
The remote username defaults to the calling usercode, but can be overridden. FTP will prompt for the remote username during the OPEN.

Notes: In the second example, the batch COPY statement does not mention the AUTHMODE file transfer attribute. Instead, the SFTP transfer service is explicitly named in square brackets, which has the same effect (this is preferred over AUTHMODE).

The SSH_CLIENT_SERVICENAME specification causes public key authentication to take place. SSH_USER (in this example) identifies the key container for the user's public/private key pair. The usercode that initiates the COPY must own the key container.

In the batch example, the remote username defaults to the usercode that initiates the COPY, but this can be overridden by a USERCODE specification in the destination volume attributes.

In the interactive example, FTP will prompt for at least the remote username. If a password is requested, you can enter a blank.

SFTP: Server configuration
To configure the MCP software as an SSH Server:
- Create a public key for the server's identity (default name is SSH_SSHKEY)
- Modify *SYSTEM/FTP/SUPPORT/CONFIGURATION [LIBRARY SECTION]: INITIATE_SSH_SERVER = SSHSUPPORT
- Detailed information can be found in FAQ 5847 on the Product Support Website and in standard MCP 14.0 documentation.
- FAQ 5847 also contains the list of software (Interim Corrections) which must be downloaded.

Notes: In order to configure the MCP software as a server (to offer service on the default TCP port of 22), a few steps are required:

Create a public key for the server's identity (through the MCP Cryptographic Services Manager module of SecurityCenter). The default key name is SSH_SSHKEY, but this can be changed by the NA SSH CONFIGURE SECURE_KEY_CONTAINER command.

Modify the [LIBRARY SECTION] of the FTP configuration file to indicate that incoming SSH sftp connections are to be accepted.

More detailed information about the steps required to set up the MCP environment as an SSH server can be found in FAQ 5847 on the Product Support website (URL later in the presentation). This FAQ also contains the list of software ICs (Interim Corrections) that must be downloaded.

SFTP Enhancements in MCP 15.0
- Server support for Windows SFTP clients.
  - The ClearPath SFTP Server transfers files with the following Windows SFTP clients: WinSCP, Attachmate Reflection FTP Client, FileZilla FTP Client
  - We'll update the compatibility matrix on the support website.
- Server support to append to ClearPath files.
  - SFTP clients can append data to the end of existing ClearPath files.
  - Example using WinSCP: put -append TransactionHistory

Network Security: Secure File Transfer (NFT)
- Secure File Transfer for ClearPath MCP allows data transfer between two MCP hosts
- New feature introduced in MCP 13.1
- Does NOT require BNA network connectivity
- MCP file attributes of the source file are retained across the transfer
- Can also be secured with SSL/TLS (cryptography support required)
- Hazardous files controlled with the RESTRICTUNWRAP system security option
- Transfers initiated with the COPY [FTP] command or the FTP Interactive and Batch clients

Notes: This new product uses the FTP file transfer protocol over TCP/IP. This removes the requirement for a BNA network to transfer files via Native File Transfer.

Previous FTP transfers between two MCP hosts had to use either TEXT or BINARY transfer types. Because of this limitation, MCP file attributes assigned to the source file are lost when the destination file is stored onto the target MCP machine.

This product normally transfers files in clear text, but secure transfer (requiring SSL/TLS and the underlying cryptography system) is available, and will prevent the data from being seen on the wire.

This product supports the same security options as the current file transfer products. RESTRICTUNWRAP is a system security option on the MCP host. If the destination file is considered harmful to the MCP host being copied to, setting RESTRICTUNWRAP can prevent the file from being used without action being taken by a Security Administrator.

Secure File Transfer (NFT): Securing Hazardous Files
Hazardous files (codefiles, for example) are marked restricted unless:
- The RESTRICTUNWRAP system security option at the destination host is reset, or
- The Library RESTRICTED option is reset by the FTP Administrator at the destination host, and the RESTRICTED option is reset in the COPY command and the usercode at the destination host is a security administrator

Notes: The Security Administrator controls the use of hazardous files on the system by setting the RESTRICTUNWRAP system security option. When set, hazardous files are stored on the host with the RESTRICTED attribute set, preventing their use on the host.

Security Administrators can reset the file's RESTRICTED attribute, allowing the hazardous file to be used on the host.

The FTP Administrator at the destination host can allow the file transfer user to reset the hazardous file's RESTRICTED attribute when it is copied.

If the RESTRICTED option is set by the FTP Administrator in the FTP configuration file on the destination host, the file transfer user is prevented from resetting the hazardous file's RESTRICTED option when the file is copied.

If the FTP Administrator resets the RESTRICTED option in the FTP configuration file on the destination host, the file transfer user can reset the hazardous file's RESTRICTED option when the file is copied. This requires that the user is a Security Administrator at the destination host.

Secure File Transfer (NFT): New MCPDATA transfer type
- Transfers use data transfer type MCPDATA
  COPY [FTP] TEST/CASE_1/= (FTPTYPE = MCPDATA) FROM DISK (PACK, IPADDRESS = 124.39.225.14, USERCODE = SYSTEST/105639)
- Copies all files under the TEST/CASE_1 directory on the remote MCP host to the local host
- All attributes, including FILEKIND, are retained at the destination host.
- No BNA network is required.

Notes: A new data transfer type (MCPDATA) should be used to retain the file attributes of the source file when the destination file is stored. An example is shown above.

Secure File Transfer (NFT): Copying of codefiles
  COPY [FTP] (SYSTEST)OBJECT/TESTFILE (FTPTYPE=MCPDATA, FTPSITE=OPT - RESTRICTED) FROM TESTPACK(PACK) TO USERPACK (PACK, HOSTNAME=MCPEAST, USERCODE=ABC/ABC)
- The codefile (SYSTEST)OBJECT/TESTFILE on TESTPACK is copied to USERPACK at the remote MCP host, MCPEAST
- Resetting the RESTRICTED option prevents the codefile from being marked restricted, but only if user ABC is a security administrator at MCPEAST

Notes: Code files are considered to be hazardous using the RESTRICTUNWRAP system security option. When this security option is set, hazardous files are copied with the RESTRICTED attribute set, preventing their use and possibly harming the host. Security Administrators can reset the file's RESTRICTED attribute to make the file usable on the host.

In addition to the RESTRICTUNWRAP security option, the FTP administrator at the destination host can control the use of hazardous files, allowing the file transfer user control of the RESTRICTED attribute setting.

Secure File Transfer (NFT): Network Security
- Data transmission can be secured by Secure Sockets Layer (SSL/TLS)
- Specify the level of security required for the file transfer (using the SSLMODE attribute)
  - EXPLICIT, IMPLICIT: command and data path are secured; different control ports are used.
  - EXPLICITLOGON, EXPLICITCOMMAND: after logon the command path can be optionally unsecured; data path security is independently selected

  COPY [FTP] DATADB (FTPTYPE = MCPDATA) FROM DISK (PACK, IPADDRESS = 124.39.225.14, SSLMODE = IMPLICIT, USERCODE = SYSTEST/105639)

Notes: Secure file transfers are encrypted using the SSL/TLS protocol. If SSLMODE is set to either EXPLICIT or IMPLICIT, both the control and data connection are encrypted.

If SSLMODE is set to EXPLICITCOMMAND, the control connection is encrypted, but encryption of the data path is controlled by the SECURE_DATA_PORT option. If SSLMODE is set to EXPLICITLOGON, the control path is secured during the user validation and converts to clear text once the user is logged on.

Secure File Transfer (NFT): Other Issues
- MCPDATA transfers are incompatible with older levels of FTPSUPPORT
- Non-encrypted transfer speeds are similar with NFT
- Encrypted transfers are slower than non-encrypted transfers
- Non-MCP hosts running FTP can be used as store-and-forward hosts for MCPDATA transfers
- Documented in the TCP/IP Distributed System Services Operations Guide

Notes: MCPDATA transfers are identified by the FTP client sending a TYPE M command to the remote FTP Server. Previous FTP releases do not support the TYPE M command.

If an MCPDATA transfer is initiated on the MCP host to a non-MCP host, a binary transfer is performed and the file contents are stored on the non-MCP host as a WRAPPED file. The WRAPPED file on the non-MCP host can be retrieved at a later time by performing another MCPDATA transfer. The file is stored on the MCP host with its original file attributes. The WRAPPED file can also be copied to the MCP host using a binary transfer. The file is stored on the MCP host as a WRAPPED file and can be converted to its original state using the UNWRAP command on the MCP.

Non-MCP FTP clients can initiate an MCPDATA transfer by sending a TYPE M command to the FTP Server at the MCP host. Set the transfer type in the FTP client to binary. Then use the QUOTE command to send a TYPE M string to the MCP FTP Server to indicate that the MCP host should treat the file as an MCPDATA transfer.

Non-encrypted transfers will be faster than NFT transfers depending upon the number of hops between the two MCP hosts. In the case of large files which do not contain sensitive data, a non-encrypted data transfer can be used while encrypting the command path.

Encrypted data transfers will take more time and processor than a non-encrypted data transfer. The performance of encrypted data transfer will be different in each environment.

Network Security: SAN DataMover (DMV)
- SAN DataMover provides an efficient way to move large amounts of disk data (local Windows environment required):
  - Between MCP and the local Windows environment
  - Between MCP and a remote Windows, Linux or UNIX environment (by way of a local Windows environment)
- Offloads data transfer to the Windows environment (freeing ClearPath MCP MIPS)
- Security Features (introduced in MCP 13.0)
  - SSL Support: secure communication between Windows and MCP SAN DataMover components (requires MCP Cryptographic Services)
  - FTPS & SFTP Support: secure remote file transfer
  - Both require MCP Cryptographic Services and configuration to enable and configure secure transfers.

Notes: SAN DataMover is used to offload file transfers to a local Windows environment to use its processing power rather than the ClearPath MCP. Users can transfer files from MCP to the local Windows environment or use this local Windows environment to transfer files to external systems (MCP, Windows or Linux/UNIX).

Security can be configured into areas of the transfer. SSL/TLS can be enabled on the transfer between MCP and the local Windows environment. SSL/TLS or SFTP can be configured for remote file transfers. Enabling any security of SAN DataMover requires the cryptography environment and runtime keys.

Network Security: Securing Terminal Emulator Sessions
- Protect data terminal emulator sessions to MCP servers
- Many options available:
  - WebEnabler for ClearPath MCP supports a 2-tier model: direct SSL connections from WebEnabler to ClearPath MCP
  - Secure TELNET: MCP Telnet can offer secure and/or unsecure sessions. Controlled via system security option (SECURECOMM)
  - Attachmate INFOConnect and MCP Telnet can also use a custom encryption protocol
- SSH terminals are not supported at this time.

Notes: Many customers require secure terminal emulator sessions from their corporate workstations to the ClearPath MCP environment. Many options are available for security administrators to customize their security environments.

The WebEnabler for ClearPath MCP product has been enhanced to support direct SSL connections between WebEnabler and the ClearPath MCP environment.

Attachmate InfoConnect and MCP Telnet also can use a custom encryption protocol to secure terminal traffic.

ClearPath MCP Secure Transport, encryption-capable hardware, and SecurityCenter are required to provide SSL/TLS functionality.

Telnet and a starter set of WebEnabler licenses are included in the operating environment.

Network Security: Securing Print Data
- Secure data between MCP and Print Server
- Use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to protect data
- MCPPRT Server (introduced in MCP 13.1)
  - Just specify SSL in the IOHandler parameter
  - See PrintS Guide (8600 1039514)
- EOM (Depcon) Server (introduced in MCP 13.1)
  - Specify SSL in PC and MCP configuration files
  - See EOM documentation

IP Security (IPsec)
- Security for the IPv6 network
- Can authenticate and/or encrypt each IP packet in a data stream
- Uses policies to define security at the MCP-to-network boundary. IP packets can be:
  - Forbidden from being transmitted unencrypted (DISCARD)
  - Allowed to be transmitted unencrypted (BYPASS)
  - Authenticated or encrypted prior to transmission (PROTECT)
- Subject to US Government export control
- Packaged in the operating environment encryption option
- Supports 3DES and AES algorithms for packet encryption
- IPv6 ONLY (no IPv4 support)

Notes: IP Security (IPsec) can protect data for IPv6 networks at the network layer (applications are not aware that the IPv6 packets are being secured). IPsec uses policies (defined through SecurityCenter) to define the processing at the MCP-to-network boundary. Policies define whether traffic is forbidden from being transmitted unencrypted (DISCARD), allowed to be transmitted unencrypted (BYPASS), or authenticated and/or encrypted prior to transmission (PROTECT). The ClearPath MCP environment supports point-to-point policies using for authentication and the 3DES_CBC and AES_CBC algorithms for packet encryption. Only transport mode is supported (no tunnel mode support).

It is subject to US Government export control and is packaged in the operating environment encryption option. There is no support for IPsec for IPv4 networks.

Tape / DVD Encryption Enhancements
- Provides enhanced security for encrypted tapes/CDs/DVDs
  - AESGCM encryption, the standard algorithm for tape encryption as specified by the IEEE
  - ESSIV scheme is used with CBC-mode to ensure each tape and each file on a tape are encrypted using a random Initialization Vector (IV)
  - Additional data integrity checking added to encrypted data
- Enhancements are known as Version 2 Media Encryption
  - Format of Version 2 encrypted media is different from the original, Version 1, tape encryption format

Tape / DVD Encryption Enhancements: Examples
  COPY F/= TO BACKUPTAPE(SERIALNO=110812, ENCRYPT=AESGCM)
Specifying ENCRYPT=AESGCM by definition creates a Version 2 Encrypted Tape.
  COPY F/= TO BACKUPCD(CD, ENCRYPT=AES256, ENCRYPTVERSION=V2)
Specifying ENCRYPTVERSION=V2 forces the use of ESSIV when doing AES with CBC-mode encryption.
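The ESSIV point above (a per-file IV for CBC-mode) as an added Go example; this is not code from the presentation or from Library Maintenance. It uses the standard ESSIV construction, IV = AES(SHA-256(key), file index), with a constructed key and file content; whether Library Maintenance derives the IV from a file index exactly this way is an assumption, and the fixed-IV case is a hypothetical baseline, not a description of the Version 1 format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed 256-bit media key for the example; not a real Library Maintenance key set.
var mediaKey = bytes.Repeat([]byte{0x5a}, 32)

// essivIV derives the IV for file number fileIndex the ESSIV way: the index is
// encrypted under a key that is the hash of the media key. Each file therefore
// gets a different IV that cannot be predicted without the key, and nothing
// extra has to be stored on the media to reproduce it at read time.
func essivIV(key []byte, fileIndex uint64) []byte {
	ivKey := sha256.Sum256(key)
	block, err := aes.NewCipher(ivKey[:])
	if err != nil {
		panic(err)
	}
	plain := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(plain[8:], fileIndex)
	iv := make([]byte, aes.BlockSize)
	block.Encrypt(iv, plain)
	return iv
}

// pkcs7Pad and pkcs7Unpad bring data to a whole number of AES blocks for CBC.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("data is not block aligned")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errors.New("bad padding")
	}
	return data[:len(data)-n], nil
}

// cbcEncrypt is AES-256-CBC under the caller's IV. With one IV reused for every
// file, files with identical content produce identical ciphertext; with ESSIV
// they do not, because the first block is XORed with a different IV.
func cbcEncrypt(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(data)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// cbcDecrypt reverses cbcEncrypt. CBC alone gives no integrity check; that is
// what the AESGCM option of Version 2 media encryption adds.
func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

// sameCiphertext reports whether two files with identical content encrypt to
// identical ciphertext under the two given IVs.
func sameCiphertext(ivA, ivB, file []byte) bool {
	return bytes.Equal(cbcEncrypt(mediaKey, ivA, file), cbcEncrypt(mediaKey, ivB, file))
}

func main() {
	file := []byte("PAYROLL RECORD 0001")   // constructed sample file content
	fixedIV := make([]byte, aes.BlockSize) // hypothetical baseline: one IV for every file
	fmt.Println("fixed IV, equal files give equal ciphertext:", sameCiphertext(fixedIV, fixedIV, file))
	fmt.Println("ESSIV, equal files give equal ciphertext:",
		sameCiphertext(essivIV(mediaKey, 1), essivIV(mediaKey, 2), file))
	// The reader re-derives the IV from the file index; no IV is stored on the media.
	ct := cbcEncrypt(mediaKey, essivIV(mediaKey, 2), file)
	pt, err := cbcDecrypt(mediaKey, essivIV(mediaKey, 2), ct)
	fmt.Println(string(pt), err)
}
```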

Tape / DVD Encryption Enhancements: Migration and Compatibility
- Version 1 is used by default, but Version 2 is recommended
- A tape/CD/DVD created using Version 2 Media Encryption cannot be read on a system that only supports Version 1 tape encryption
- Systems that support Version 2 Media Encryption can read and write both Version 1 and Version 2 tapes/CDs/DVDs
- Library Maintenance will not support encryption using Version 1 in software released after October 2015, but decryption of media created using Version 1 will continue to be supported
- Only Library Maintenance supports the new Media Encryption Version 2 enhancements; TapeStack and DMUTILITY do not

Tape / DVD Encryption Enhancements: Operator Controls
- The existing LMENCRYPT SYSOP can now be set to AESGCM
  - Thus all tape/CD/DVD copies would be encrypted using AESGCM unless overridden in the COPY statement itself, and would be in Media Encryption Version 2 format
- A new LMDEFENCRYPT SYSOP can be set to V1 or V2
  - LMDEFENCRYPT defaults to V1
  - LMDEFENCRYPT set to V2 and LMENCRYPT set to AES256 causes ESSIV to be used along with AES256 in CBC-mode and creates the encrypted media in Version 2 format
  - LMDEFENCRYPT set to V1 and LMENCRYPT set to AES256 uses AES256 in CBC-mode and creates the media in Version 1 format

Disk Encryption Options
- Encryption-capable SANs
  - EMC VMAX: newer versions
  - EMC VNX: newer versions
  - Must be done at setup time. Can't change a disk to be encrypted
- BitLocker
  - FS1760 internal disk
  - Can be turned on and off
- DMSII field level obfuscation
  - Not true encryption
  - Can't search, sort, index, or replicate data with Databridge
- What disk encryption is really for: data protection at time of disk disposal or theft

Management & Configuration

Security Administration: SecurityCenter
- Preferred security administration tool
- PC-based GUI and wizards
- Enables security administrators to define, manage, and test/assess MCP security.
- Replaces command line/batch tools such as MAKEUSER and SYSTEM/GUARDFILE.
- Microsoft Management Console snap-ins:
  - Security Policy Management
  - File Access Management
  - Cryptographic Services Management
  - Kerberos Configuration Management
  - User Account Management
  - Locum SafeSurvey
  - Locum SecureAudit
  - Locum RealTime Config

Notes: The management and configuration of the ClearPath MCP environment is a very critical area. The SecurityCenter product was developed to bring together the very diverse interfaces that were used to configure pieces of the ClearPath MCP environment into one GUI (with wizards) to assist customers to configure the security of their system. SecurityCenter manages the same data as the legacy methods (e.g. MAKEUSER, GUARDFILE) but presents it in a cleaner way with on-line context-sensitive help. SecurityCenter is divided into 8 major modules:
- Security Policy: defining policies which help manage the security of the system (System Policy, User Policy, Transaction Server User, TCP/IP Filtering, and IPsec Policies)
- File Management: Guardfiles (including wizards)
- Cryptography Services: managing the cryptographic keys and certificates necessary for secure operation of the ClearPath MCP.
- Kerberos Configuration: helps enable and manage the Kerberos protocol on the ClearPath MCP.
- User Account: manage user accounts, remote users, transaction server users, Java Realms. It also has real-time alerts when certain events occur.
- Locum SafeSurvey: system assessment.
- Locum SecureAudit: log analysis and forensics.
- Locum RealTime Config: configure real-time security monitoring

SecurityCenter: Cryptographic Services Manager
- Used by security administrators to perform key management (create / import / export / renew)
  - SSL keys and certificates (used by WebTS, FTP, Sockets programs, User Programs)
  - Tape encryption keys (introduced in MCP 13.1)
  - IPsec keys (symmetric)
  - SSH Keys (introduced in MCP 14.0)
- Also used for Certificate Management (SSL clients)
  - Certificate Stores
  - JAVA Certificate Stores

Notes: The Cryptographic Services Manager is used by security administrators to perform key management functions on the ClearPath MCP system.

For SSL keys and certificates (used by WebTS, FTP, Sockets and User Programs (McpCryptoAPI)), it allows the security administrator to generate up to 2048-bit RSA key pairs. It also allows them to request a certificate and install that resultant certificate with the key. It also allows the security administrator to import and export these keys between systems.

For Library Maintenance keys, it allows the creation of new keysets for the system and exporting and importing of other keysets (to be able to read other tapes on this system and to read tapes created by this system on other systems).

For IPsec, it allows the creation of symmetric keys for policies (SHA-1, TDES, or AES256).

For SSH, it allows the creation of public/private key pairs for authentication and also the trust of public keys from remote systems (new in MCP 14.0).

The Cryptographic Services Manager also allows the security administrator to manage the certificate stores used for establishment of trust (for example, with SSL clients). It also allows the management of certificate stores for JAVA.

SecurityCenter: Tape Encryption - Compromised Key Sets
- MCP-based software tape encryption can now mark a set of tape encryption keys as invalid for writing, and generate a replacement keyset
- This may be done because:
  - A key of the set is thought to be compromised
  - The keyset's lifetime (according to corporate policy) has been reached
- Compromised keysets can still be used for decryption (retained indefinitely)
- Only one active keyset per system / MCP mark release.

Notes: Originally, a set of tape encryption keys at a host was fixed for the life of a software release. Now, new sets can be created as needed.

This allows a site to stop using a set of keys and to begin using a new set for reasons such as:A key has been compromised (for example, acquired by an unauthorized party; lost)Site wants to limit the time or number of media for which key sets can be used

Only one key set is active for encryption at a time.

Sets marked compromised or inactive are retained, for decrypting media encrypted with those key sets.

31SecurityCenterTape Encryption - Managing Key SetsTo manage sets: Under MCP Cryptographic Services, Trusted Keys, select node: Tape Encryption Keys Sets uniquely identified byHost nameRelease levelSet number

2012 Unisys Corporation. All rights reserved.#Animations:Tape Encryption Keys arrow appears automatically, 3 seconds in.Mouse click : Host name and arrowsNext mouse click: Release level and arrowsNext mouse click: Set number and arrowsNext mouse click: Advance to next slideTo manage key sets, run Security Center. Under the MCP Cryptographic Services node, select Tape Encryption Keys. Current key sets appear in the right-hand pane.Each key set is identified by:The name of the host at which it was createdThe MCP level under which it was createdThe key set numberKey set number is unique for a given host name and MCP levelKey set number begins at 1, and is incremented as each new key set is created for that system and MCP level.

32SecurityCenterTape Encryption - Managing Key SetsIcon shows state of set:Green=ActiveRed=Inactive/CompromisedOnly the Active set for the local host is used to encryptAll sets are used for decryption. If a tape was encrypted with a key of that set, it will be automatically decrypted

Local host key sets and icons:
Only one key set, the local host's single active (green) set, is used for encryption.
The local host may have any number of inactive (red) key sets. They must be retained in order to decrypt media that were encrypted with those sets, but inactive sets are NOT used to encrypt further media.
Sets for other hosts:
All sets for other hosts are marked active (green). Sets for other hosts cannot be used to encrypt on this host; they are used only to decrypt media encrypted on the other host.

Security Center: Tape Encryption - Managing Key Sets
Create a set:
Right-click the Tape Encryption Keys node
Select Create New Keyset
The current (highest-numbered) active key set for the local host is disabled (icon turns red)
A new active (green) key set for the local host appears, with the next-higher set number
Mark set compromised:
Right-click the active (green) set for the local host. Select Mark as Compromised
The selected key set for the local host is disabled (icon turns red) but is retained, so media already written under it can still be read
A new key set for the local host appears, with the next-higher set number, marked active (green)

Only the local host's active set can be marked compromised. A set for another host cannot be marked compromised at this host.

Marking a set compromised does not change media already written under it: those tapes still decrypt with the compromised key, so anyone holding that key set can read them. If the exposure matters, re-write the affected tapes under the new active set.

Security Center: Tape Encryption - Best Practices
When a new keyset is generated, you must back up the keyset (via Export) and transport it to any systems that will need to decrypt tapes created on this host
Ensure that keys are stored securely
Ensure that keys are transported between systems securely

A key set is created at one host and is unique. It cannot be recreated at the local host or at another host.

Each key set must be backed up. If a key is lost, media encrypted with it cannot be decrypted. Unisys cannot recreate a lost key or decrypt media created with a lost key.

An encryption key must be present at any host which must decrypt media created with that key. To transfer a key set to another host:
1. Using Security Center, Export the key set at the creating host. This creates a file with the suffix .kcd.
2. Securely transport the .kcd file to the other host(s), using recordable media (and/or encryption) or data transmission over a secure channel.
3. Using Security Center, Import the .kcd file at the remote host.
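To make the key-set rules on these slides concrete, here is an added Python model written for this page; it is not Unisys code and not the Security Center implementation. One TapeKeyStore per host enforces that only the local host's single active set encrypts, that every retained set (inactive, compromised or imported from another host) decrypts, that creating a set or marking one compromised disables the current set and allocates the next-higher number, and that Export/Import is what carries a set to the host that must read the tapes. The .kcd payload layout, the stream cipher (HMAC-SHA256 in counter mode as a stand-in for the real tape cipher), the host names HOSTA/HOSTB and the tape contents are all assumptions or constructed samples.

```python
import hashlib, hmac, json, os, struct
from dataclasses import dataclass


@dataclass
class KeySet:
    host: str          # generating host; only that host ever encrypts with the set
    number: int        # next-higher number each time a host creates a set
    key: bytes
    state: str = "active"   # "active" (green), "inactive" or "compromised" (red)


def _keystream(key, nonce, length):
    # Stand-in stream cipher (HMAC-SHA256 as a PRF in counter mode), not the real tape cipher.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


class TapeKeyStore:
    def __init__(self, host):
        self.host, self.sets = host, {}   # sets: (host, number) -> KeySet; every retained set can decrypt

    def local_sets(self):
        return [ks for ks in self.sets.values() if ks.host == self.host]

    def create_keyset(self):
        # "Create New Keyset": the current local set is disabled and the next-higher number becomes active.
        for ks in self.local_sets():
            ks.state = "inactive" if ks.state == "active" else ks.state
        ks = KeySet(self.host, max((k.number for k in self.local_sets()), default=0) + 1, os.urandom(32))
        self.sets[(self.host, ks.number)] = ks
        return ks

    def mark_compromised(self, number):
        # Only the local host's active set may be marked; it is retained so media written under it still read.
        ks = self.sets.get((self.host, number))
        if ks is None or ks.state != "active":
            raise ValueError("only the local host's active set can be marked compromised")
        ks.state = "compromised"
        return self.create_keyset()

    def encrypt_tape(self, data):
        ks = next((k for k in self.local_sets() if k.state == "active"), None)   # only the local active set encrypts
        if ks is None:
            raise RuntimeError(f"{self.host} has no active local key set; create one first")
        host, nonce = self.host.encode(), os.urandom(16)
        header = bytes([len(host)]) + host + struct.pack(">I", ks.number) + nonce  # records which set was used
        body = bytes(a ^ b for a, b in zip(data, _keystream(ks.key, nonce, len(data))))
        return header + body + hmac.new(ks.key, header + body, hashlib.sha256).digest()  # encrypt-then-MAC

    def decrypt_tape(self, blob):
        hlen = blob[0]
        host, (number,) = blob[1:1 + hlen].decode(), struct.unpack(">I", blob[1 + hlen:5 + hlen])
        nonce, header, body, tag = blob[5 + hlen:21 + hlen], blob[:21 + hlen], blob[21 + hlen:-32], blob[-32:]
        ks = self.sets.get((host, number))   # local or imported, whatever its state
        if ks is None:
            raise KeyError(f"key set {host}/{number} is not present on {self.host}; import it first")
        if not hmac.compare_digest(tag, hmac.new(ks.key, header + body, hashlib.sha256).digest()):
            raise ValueError("tape authentication failed")
        return bytes(a ^ b for a, b in zip(body, _keystream(ks.key, nonce, len(body))))

    def export_keyset(self, number):
        # Hypothetical .kcd payload; the slides do not describe the real file format.
        ks = self.sets[(self.host, number)]
        return json.dumps({"host": ks.host, "number": ks.number, "key": ks.key.hex()}).encode()

    def import_keyset(self, kcd):
        d = json.loads(kcd)
        self.sets[(d["host"], d["number"])] = ks = KeySet(d["host"], d["number"], bytes.fromhex(d["key"]))
        return ks


def _fails(fn):
    try:
        fn()
    except (RuntimeError, KeyError, ValueError):
        return True
    return False


def demo():
    a = TapeKeyStore("HOSTA")
    a.create_keyset()                                    # set 1 active
    tape1 = a.encrypt_tape(b"payroll 2012")              # constructed sample, written under set 1
    a.create_keyset()                                    # set 1 inactive, set 2 active
    tape2 = a.encrypt_tape(b"nightly backup")            # written under set 2
    a.mark_compromised(2)                                # set 2 compromised, set 3 active
    b = TapeKeyStore("HOSTB")
    blocked = _fails(lambda: b.decrypt_tape(tape1))      # HOSTB holds no HOSTA set yet
    b.import_keyset(a.export_keyset(1))                  # transport of the .kcd is assumed to be secure
    return {
        "states": [ks.state for ks in a.local_sets()],
        "tape1_on_a": a.decrypt_tape(tape1),
        "tape2_on_a": a.decrypt_tape(tape2),             # a compromised set still decrypts old media
        "b_blocked_before_import": blocked,
        "tape1_on_b": b.decrypt_tape(tape1),
        "b_cannot_encrypt": _fails(lambda: b.encrypt_tape(b"x")),
        "b_cannot_compromise_a": _fails(lambda: b.mark_compromised(1)),
    }
```

Running demo() walks the lifecycle: after one create, one further create and one compromise, HOSTA holds sets 1 (inactive), 2 (compromised) and 3 (active); both old tapes still read on HOSTA, HOSTB can read tape 1 only once set 1 has been imported, and HOSTB can neither encrypt with the imported set nor mark it compromised. The tape header carries the set number so decryption can select the right retained set, which is what lets the real product "automatically" decrypt media written under an older set.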

Stealth Solution Suite
You Can't Hack What You Can't See
Changing the Security Paradigm

Imagine a world where your sensitive data is invisible to hackers, and is only visible to users you select.

Unisys Stealth Solution Suite
An NSA certified enterprise-wide security innovation, incrementally and non-disruptively implemented, that makes data communication end points invisible on a network and therefore removes them as a target for hackers.

Stealth can reduce costs through consolidation and virtualization of a network and adds unprecedented protection to enterprise information.

(Diagram: Stealth-protected end points communicating across a LAN/Internet.)

Stealth Solution Key Elements
Stealth consists of four important elements:
1. Cryptographic Service Module: provides FIPS 140-2 certified AES-256 encryption.
2. Information Dispersal Algorithm & Data Reconstitution: Stealth-formatted messages can only be reassembled by Stealth.
3. Virtual Communities of Interest (COI): hides users, data and servers from non-COI members.
4. Executes very low in the protocol stack: protects the device from attack. No changes required to applications.
(Diagram: the Stealth driver shown against the seven-layer stack, Physical, Link, Network, Transport, Session, Presentation, Application, next to the NIC.)

Enterprise-wide Consistent Security Approach
Unisys Stealth Solution Suite
(Diagram: four deployment patterns. Stealth Solution for Cloud: a cloud data center with tenant A and tenant B virtual web, application and database servers, reached over the Internet. Stealth Secure Remote Access: an external network reached over LAN/WAN/wireless. Stealth Regional Isolation: a regional site connected to the corporate site over the Internet. Stealth Data Center Segmentation: an unprotected email server alongside a protected application server and a protected database server.)

Stealth protects data communication for teleworkers across the Internet, positioned as superior to a traditional VPN, using the Stealth driver loaded on a laptop or an SSVT. Stealth cloaks the servers running sensitive applications or storing private information; these servers are not visible to anyone without the required Stealth crypto keys. Stealth secures information exchanged over public or private networks from many geographic locations. In a cloud, Stealth hides virtual workloads from unauthorized access in single- or multi-tenant environments.

Data Center Segmentation
Compartmentalize the data center using Communities of Interest (COI) instead of physical infrastructure
Mitigate Threats:
Theft or misuse of IP
Compliance penalties
Minimizes scope of attacks
Benefits:
Fosters availability while ensuring confidentiality and data integrity
Enhances application security by enforcing least privilege
Uses existing infrastructure
Security is not port based
Facilitates regulatory compliance
Cost savings potential 20%-50%
Reduce data center complexity; reduce VLANs and physical segmentation
Re-segment the data center using Active Directory
Simplified management

(Diagram: an enterprise network with an unprotected email server, a protected application server, a protected database server and a protected server (physical or VM).)
Value: Protect high-impact systems from intrusions on the intranet

Regional Isolation
Regional Isolation prevents unauthorized access to information in the local region and on the corporate intranet
Mitigate Threats:
Data communication eavesdropping by regional telecommunication providers and governments
Intrusions to the corporate intranet
Intrusions to the local site from within the region itself
Benefits:
Assures only authorized access to the corporate intranet
Protects regional assets from rogue endpoints
Segregates regional assets based on need to know
Segregates corporate assets based on need to know
(Diagram: a Stealth-cloaked geographic region behind a Stealth gateway, connected over enterprise MPLS to the enterprise network in a trusted country.)
Value: Protect corporate data assets in a global topology

Stealth in the Cloud
Stealth in the public or private cloud secures and isolates communication between virtual resources in a multi-tenant environment
Mitigates Threats:
Theft or misuse of IP within a tenant and between tenants
Workload vulnerability to unauthorized access from inside or outside the cloud
Benefits:
Protection follows the workload, regardless of where it is physically executing
Provides secure resource sharing within Communities of Interest
Isolates workloads between different COIs
Integrated with Unisys Secure Private Cloud Solution for seamless deployment
(Diagram: Stealth Solution for Cloud; a cloud data center with tenant A and tenant B virtual web, application and database servers, reached over the Internet.)
Value: Bring Stealth security to the Cloud

Stealth Solution for Secure Virtual Terminal (SSVT)
SSVT secures and controls transmission over the Internet from anywhere, locking the communications channel to targeted endpoints.
SSVT is deployed via a locked-down SecureUSB-based device running Stealth network security software. This virus-free, trusted environment is verified at each boot.
SSVT requires no change to your web-enabled applications
SSVT enables workers to securely access:
Their own desktop located in the enterprise, via an RDP session
Microsoft Remote Desktop Services or other VDI
Web-enabled applications

Stealth Organizational Value
Business benefits and priorities: Security, Cost Reduction, Agility
Commercial organizations and Public Sector / Federal:
Clients that want to increase security for their crown-jewel applications and servers.
Clients that need to protect corporate assets from regional facilities that may reside in hostile territories.
Clients that want the simplicity of deployment and cost structure of public or flat networks but cannot sacrifice security; equally ideal for clients with multi-tier networks that need to contain costs while increasing security.
Clients that want to simplify data / resource access management.

Stealth Extreme Security
Glossary:
DIACAP: DoD Information Assurance Certification and Accreditation Process
MAC: Mission Assurance Category (Level 1 is highest)
DISA: Defense Information Systems Agency
EUCOM: European Command
SOCOM: Special Operations Command
JFCOM: Joint Forces Command
JIL: Joint Intelligence Laboratory
CWID: Coalition Warrior Interoperability Demonstration
JUICE: Joint User Interoperability Communications Exercise
CECOM: Communications Electronics Command (US Army)
GTRI: Georgia Tech Research Institute
DJC2: Deployable Joint Command and Control
NIST: National Institute of Standards and Technology
NIAP: National Information Assurance Partnership
(Timeline figure, 2005-2012; entries as shown: Crypto-Module; JFCOM JIL Testbed; IO Range; CWID 05, USAF; CWID 05 Network Risk Assessment, AF Comm Agency; Combined Endeavour, EUCOM; CWID 08, DISA; CWID 09, DISA; JUICE 09, CECOM; CWID 10, SOCOM; CWID 10 DIACAP MAC-1 Certification, JFCOM / SOCOM; GTRI; DJC2 PMO; SPAWAR; private lab SSVT validation, failed to compromise; large integrator IV&V, tests and fails to break Stealth; National Center for Counter-terrorism and Cybercrime, SOCOM; export license, Dept of Commerce; FIPS 140-2 certification, NIST; NSA EAL4+ certification, NIAP; R&D prototype; Emerald Warrior 12, SIPRNet IATT, 2012.)

Stealth Hot Product at InterOp 2012


Where is Stealth Deployed?

Hertz, NZ uses Stealth to facilitate PCI DSS compliance

The US Coast Guard uses SSVT for secure telecommuting

An Australian Military agency uses Stealth in a secure VDI Solution

A large Midwestern healthcare agency is piloting Stealth to protect servers with sensitive data
We do use our own product! Unisys uses Stealth to secure and protect our high-value application and database servers, and for secure remote telecommuting
Many commercial and government pilots in progress

Unisys not only sells Stealth to clients, we use it internally too.

Stealth at Unisys
Data Center Segmentation: At Unisys, Stealth has been deployed to secure some of our critical multi-tier applications. With the web server, application logic and database on separate COIs, users cannot ping or even discover the existence of the application and database servers, so those tiers cannot be reached or tampered with directly. Users can only access the web server.

Secure Remote Access: More than 200 Unisys employees use Stealth on their laptops (with dual-factor authentication) to securely access the corporate network when working from home or when travelling. Unisys is deploying Stealth incrementally alongside our existing commercial VPN solution.

Regional Isolation: Currently in test!

Stealth in the Cloud: Unisys runs Stealth in our outsourcing cloud environment to serve our cloud clients.

Value-based Pricing Model
Client pays relative to the differentiated value they receive from Stealth
Examples: Secure Remote Access; Data Center Segmentation; Regional Isolation

Unisys Stealth Solution Value
Unprecedented Security and Value
Protection of private corporate data
Facilitates regulatory compliance
Significant cost reduction
Easy, quick deployment
Incremental implementation
Identity-based management
No application changes
Highest security performance


Why Unisys Security?
We have a 6,000-person strong global field force (> 1,700 cleared)
100 million people use Unisys secure IDs
More than 8.1 million service events managed per year
World's largest RFID network (U.S. Army)
Our security solutions can be found worldwide in 600+ airports, 1,500 government agencies, and in use by 200+ airlines
To know more, visit us at www.unisys.com/stealth and view:
YouTube: Stealth Solution
YouTube: Overview of How Stealth Works
Strong Performer: The Forrester Wave Managed Security Services, 2010
Positive: Gartner's MarketScope on Data Center Outsourcing rated Unisys as Positive, 2010.

Thank You