Vol. 11, No. 6, Page 17
Security Bulletin, Vol. 10, No. 3, January, 1988, pp. 5-7).
Jerry Fitzgerald Jerry Fitzgerald & Associates, USA
TECHNICAL EVALUATION
HORATIUS ACCESS CONTROL SYSTEM
Developer: Originally Dowty Information Ltd, Newbury, UK. Now Jaguar Communications, address below.
Vendor: Jaguar Communications Ltd, The Limes, 32-34 Upper Marlborough Road, St Albans, Herts. AL1 3UU, UK tel: 0727-41311.
Availability: Any remotely accessed computer using synchronous communications.
Warranty, Support: Jaguar offers a twelve month warranty, and various support options. A 4 hour response is typical, with a 2 hour response possible near the City of London.
Cost: On application to Jaguar.
Horatius is an access control system which has been on sale for a few years now.
This technical evaluation intends to look at what Horatius offers in its present form.
Borrowing a Horatius system for a few days is rather bulky, and I do not possess a host computer with multiple input lines, so this article is the outcome of a visit to Jaguar Communications Ltd in St. Albans which now has sole rights on Horatius. For the record Horatius was originally designed and sold by Dowty Information Ltd.
Horatius resides between the host computer system and the communication network, and acts as an intelligent gateway.
Whenever a user tries to access the host computer, Horatius intercepts the first communication and queries the user. Up to 200 users are permitted with the basic system, which can be expanded to 1500 users. A maximum of 53 modem lines can be supported. Horatius has four different modes of querying (validating) an incoming call.
In dial-back mode, the user must first enter his ID and password. If these validate correctly, Horatius terminates the phone call and dials the user back on a prearranged telephone number. If any error is found, the user is denied access. Horatius ensures that the dial-back telephone call is always made on a different line to the incoming call. In blunt terms if you are considering the purchase of a dial-back system that does not incorporate this feature don’t buy it. It can easily be bypassed.
In challenge mode, the user first enters his ID, and is sent a random number by Horatius to which he must provide the correct response. This response can only be calculated by a special calculator (manufactured by Sharp, modified by Jaguar), which requires the user ID, a PIN number, and the random number as input to a program running in the calculator. Horatius challenge mode uses the Message Authentication algorithm defined by ISO standard 8731, Part 2, to calculate the response.
Each random number challenge is unique and cannot be determined by reference to previous challenges. Note that the correct response requires not only the random number, but also a PIN number to gain access to the challenge authentication process.
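The challenge mode exchange described above, as an added Python example that is not part of the original article and is not Jaguar's code. HMAC-SHA256 stands in for the ISO 8731-2 algorithm, and the per-user key, the 8-digit number format and all names (Token, Gateway, compute_response) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def compute_response(key: bytes, user_id: str, challenge: str) -> str:
    # Stand-in MAC (HMAC-SHA256, an assumption; the article names ISO 8731-2),
    # reduced to 8 decimal digits so it could be keyed in by hand.
    mac = hmac.new(key, f"{user_id}|{challenge}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Token:
    """Hand-held calculator: holds a key (assumed) and is unlocked by a PIN."""
    def __init__(self, user_id: str, key: bytes, pin: str):
        self.user_id, self._key, self._pin = user_id, key, pin

    def respond(self, pin: str, challenge: str) -> str:
        # Without the PIN the token refuses to run the calculation at all.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN: token stays locked")
        return compute_response(self._key, self.user_id, challenge)


class Gateway:
    """Front-end unit: issues one-time challenges and checks the responses."""
    def __init__(self, keys: dict):
        self._keys = keys      # user ID -> key shared with that user's token
        self._pending = {}     # user ID -> challenge still awaiting a response

    def challenge(self, user_id: str) -> str:
        # Drawn from a CSPRNG, so it cannot be derived from earlier challenges.
        self._pending[user_id] = f"{secrets.randbelow(10**8):08d}"
        return self._pending[user_id]

    def verify(self, user_id: str, response: str) -> bool:
        # pop() makes each challenge single-use: a replayed response fails.
        challenge = self._pending.pop(user_id, None)
        key = self._keys.get(user_id)
        if challenge is None or key is None:
            return False
        expected = compute_response(key, user_id, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    gw, tok = Gateway({"user01": key}), Token("user01", key, "4921")
    r = tok.respond("4921", gw.challenge("user01"))
    print(gw.verify("user01", r), gw.verify("user01", r))  # second call is a replay
```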
The calculator is claimed to be tamper resistant against taking the case apart, and attacking the program held on internal battery backed CMOS memory. No details of the tamper resistance have been released, so I cannot comment on its worthiness. The PIN number used to gain access to the calculator is factory set, and can only be altered by Jaguar. This is unwieldy, as password (PIN)
changes should always be capable of quick introduction when a compromise is suspected.
Every modem attached to a Horatius system can be set up in any one of four modes by the system manager. These are the two modes described above, direct mode (Horatius requires a password within a specified time window), or a short-term password mode where knowledge of a password permits access for a specified period of time.
Dial-back mode authenticates the telephone number (and hence the location). Challenge mode authenticates the user. A password is required by both modes. It should be appreciated that these two modes are very distinct requirements, and Horatius lets the system manager choose which is most appropriate for each user. It’s a shame that they cannot be used simultaneously.
Throughout the Horatius system, passwords have a minimum length of 4, and a maximum length of 16 alphanumeric characters. Only 3 attempts are allowed to enter a correct password. All passwords are set by the system manager. Unfortunately Horatius passwords are case sensitive. I have written previous technical evaluations arguing against case sensitive passwords. Case sensitivity increases the possibility of forgetting the exact combination of upper and lower case letters, and thus increases the possibility that the password cannot be remembered. Passwords that are not memorable tend to get written down. This increases the risk of unauthorized password disclosure.
I believe that direct mode and the short-term password mode should only be used for testing purposes. If used extensively they rather negate the point of having a Horatius access control system.
Horatius is correctly positioned at the front end of the host computer. This makes it independent of the host computer, and does not limit Horatius to any particular type of host computer. Horatius does not require software on the host computer to be altered in any way, which is a vital advantage for sites with large complex suites of software in use, who wish to retrospectively install access control.
The main processor used within Horatius is a Motorola 6809, and all the control software is written in 6809 assembler. Jaguar hopes to convert this to ‘C’ during the next stages of Horatius development. This software resides in PROM within the Horatius unit. Although a disk drive can be attached to a Horatius system, it can only be used to take copies of the user database, and cannot be used to load the system software.
Communication with Horatius is asynchronous only (unless protocol converters are used). None of the many different communications protocols are supported. This is probably a constraint on Horatius sales, but I understand the problem facing the developers. There are so many different protocols in existence, just which ones do you offer? The majority of Hayes compatible modems can be used with Horatius, and dial-back numbers of up to 20 digits are supported. Jaguar assures me that 20 digits can sometimes be required by international calls when extension codes are added to the basic telephone number.
There is nothing beyond a cabinet and a lock to prevent in-house personnel at the host computer site tampering with Horatius. This is not too disastrous, as working on the host computer site, they could probably bypass Horatius if they really wanted to. However it emphasizes that the security manager must set up Horatius in secure surroundings. This is reinforced by the fact that relevant security information is often visible on the terminal used by the security manager. Passwords may be invisible, but the argument for Horatius to be used only within a secure environment still applies.
Information about each user can be dumped to a floppy disk drive attached to Horatius. This is extremely useful for backup purposes, and information can be restored
from disk after any hardware malfunction. However information on the disk (including all
Horatius passwords) is not encrypted, and the disks must therefore be securely stored by the system manager. The disks are written in a non standard format (claimed to be readable only by Horatius), but I believe that the caveat about keeping each disk physically secure still applies.
The system manager has to set up the Horatius system, and configure it for each individual user. Having seen the menu driven package used by the system manager I feel sure that this is within the scope of any competent person. The menu prompts are easy to understand, and most aspects of the Horatius system are configurable. Setting up each user probably takes about 90 seconds. One very useful feature is that a user can be allocated to different host types, as a single Horatius system can provide access control facilities for up to four different host computers simultaneously. Up to 8 unique time windows can be defined, with each user allowed access during a stated combination of these windows.
During routine operation, Horatius transmits information about each call, and many other events, to a printer port. This can either be printed for later inspection, or a computer can be used to capture the data. It is possible to lose logging information written to the printer port, as Horatius continues operation whether or not a printer or data logging computer is attached.
Jaguar sells a Network Management and Analysis Package which captures logging data from the Horatius system, stores it on disk, and provides many different ways of analysing the data. When I saw Horatius demonstrated, there were problems in demonstrating the data collection part of the analysis package, but I believe that these were genuine “demonstration gremlins”.
The analysis package overcomes one of the major hurdles of inspecting a system log, that the amount of data can be so large that the log gets neatly filed away and never inspected. Jaguar estimates that a fully populated Horatius system (or any similar access control system for that matter) can generate up to 40 Megabytes of logging data per month. Hand analysis of this amount of data is a formidable task.
Searches can be made on any combination of user name, time period(s) or type of entry in the log. The analysis package searches the log fairly quickly, and can be used to provide billing information. I particularly liked the facility within the analysis package that lets data found by the search operations be displayed in graphical (histogram) form.
So long as Horatius is installed in a secure location, and floppy disk backups of the user data are kept physically secure, Horatius offers a high degree of protection when users remotely access a host computer. The dial-back option can guarantee that a user is making the call from a specified telephone number. The challenge mode can ensure that a user has possession of a token, and knows the relevant passwords.
I first came across Horatius over two years ago, and recommended it. The facilities that are now available to analyse the log have significantly added to its capabilities.
Keith Jackson
PUBLICATIONS
COMPUTERS & SECURITY JOURNAL
Elsevier Advanced Technology, the publisher of CFSB, also publishes the major international journal Computers & Security. Eight issues are produced each year.
Each issue contains refereed articles, special features, summaries of articles
COMPUTER FRAUD & SECURITY BULLETIN
©1989 Elsevier Science Publishers Ltd., England./89/$0.00 + 2.20 No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)