An ultra-secure network that actually works

by Andy Oram

Two weeks ago I strayed into the territory of secure networks with a gripe I posted about the GOVNET proposal that was floated by the Advisor for Cyberspace Security and the General Services Administration. I wasn't saying that a secure private network of that size is impossible to build (which some security experts are saying); I was mainly poking fun at what I saw as imprecise thinking in the GOVNET Request for Information. But a reader turned me on to a secure network that has been operational for six years—and one that's profitable and growing.



This successful network is called ANX. It started up to serve the automotive industry, and now connects 80% of that industry's largest companies to a huge collection of suppliers. It is also spreading to other industries. In this weblog I'll list the security characteristics that make ANX work, and draw some conclusions about what might or might not work if the government tried to build its own network.



Security in ANX





ANX is a secure private network that uses standard, open Internet protocols but carries all traffic over private lines leased from various carriers. Through IPSEC and end-to-end encryption, ANX provides secure service to its customers like that of a typical VPN. Where it's different from a typical VPN is that the routers that make up the network check every packet to make sure it comes from an IP address on the private network. Thus, nobody but customers can get into the network. Triple DES encryption protects a customer's data from the potential malicious behavior of another customer.




ANX consists of a core of ATM lines and large routers along with access points at the edge. These access points are Certified Service Providers (CSPs) and include AT&T, Worldcom, Equant, Bell Canada, Ameritech, and Ideal Technology Solutions. As the term suggests, CSPs are essentially ISPs. They sign up customers and manage connectivity like ISPs, but they have to be rigorously certified by ANXeBusiness Corp., the company that runs ANX. CSPs must also adhere to stringent service level agreements that apply end-to-end between users. In fact, Quality of Service on ANX would probably make an interesting article of its own. Among the tasks of the CSP is intrusion detection.




Development began on ANX in 1995 and the network has been in production since 1998. Security is very good; they have never had a known breach. Let's look at what they actually deliver, and what is left up to the customer.




First, the routers (typical firewall routers from Cisco, Checkpoint, etc.) at each customer end-point are configured to stop all traffic from the Internet. ANXeBusiness Corp. buys blocks of public IP addresses, but assigns them to internal or customer systems. You will never see one of these addresses on the Internet, and ANX customers will never see anything else on their ANX interfaces. Even if somebody tried to route a packet from the Internet through an ANX router to the private ANX network, the packet would get dropped.




The only way around this security is for a customer to attach a system to both the Internet and ANX—which often happens because many workstations are on an Internet-connected LAN—and for some intruder to break into a legitimate user account on an ANX-connected system. To the best of their knowledge, nobody has done this, but it clearly depends on security at the end-user.
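
The packet filtering described in this section, and the dual-homing exception to it, as an added example (not code from ANX or from the original weblog). The address blocks are constructed documentation ranges standing in for ANX's allocations, and the function names and the destination-address check are assumptions.

```python
import ipaddress

# Constructed stand-ins for the blocks assigned to the private network
# (RFC 5737 documentation ranges; the real allocations are not on the page).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def on_private_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)

def filter_packet(iface, src, dst):
    """Return 'forward' or 'drop' for a packet arriving on iface ('anx' or 'internet')."""
    if iface == "anx":
        # Private side: both ends must hold addresses from the assigned blocks.
        return "forward" if on_private_net(src) and on_private_net(dst) else "drop"
    # Internet side: assigned addresses never appear there, so a source claiming
    # one is spoofed, and a packet aimed at one must not be routed inward.
    if on_private_net(src) or on_private_net(dst):
        return "drop"
    return "forward"

def dual_homed(hosts):
    """Names of hosts holding one address on the private network and one off it."""
    flagged = []
    for name, addrs in hosts.items():
        if {on_private_net(a) for a in addrs} == {True, False}:
            flagged.append(name)
    return sorted(flagged)

# Constructed sample traffic: (arrival interface, source, destination).
PACKETS = [
    ("anx", "192.0.2.10", "198.51.100.7"),       # customer to customer
    ("anx", "203.0.113.5", "198.51.100.7"),      # outside source on the private side
    ("internet", "203.0.113.5", "192.0.2.10"),   # Internet host aiming at a private address
    ("internet", "192.0.2.10", "203.0.113.9"),   # private address seen on the Internet
    ("internet", "203.0.113.5", "203.0.113.9"),  # ordinary Internet traffic
]
# Constructed inventory: host name -> addresses on its interfaces.
HOSTS = {
    "edi-gateway": ["192.0.2.10"],
    "cad-workstation": ["198.51.100.7", "203.0.113.44"],  # also on an Internet-connected LAN
    "mail-relay": ["203.0.113.80"],
}

def run_demo():
    return [filter_packet(*p) for p in PACKETS], dual_homed(HOSTS)

if __name__ == "__main__":
    verdicts, risky = run_demo()
    print(verdicts, risky)
```

The filter drops every packet that crosses the boundary, yet the dual-homed workstation still shows up in the inventory check: that host is the path the network itself cannot close.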




ANXeBusiness Corp. offers "best practices" to its customers, but it cannot take responsibility for customer security failures, such as omitting to authenticate a user. "We have something you might think of as a common carrier exemption," says CTO Erik Naugle.




User authentication is a key aspect of security, and it involves policies and procedures—not just the machine activity of checking keys. ANX does not deal with end-user registration or authentication; it offers only the checks in IPSEC. "We know that Ford Motor Company really is Ford Motor Company, but we don't have user authentication," says Naugle. Rather, it is expected that customer applications will authenticate users. This is a universal task in such traditional applications as database query programs, so customers should be equipped to register and validate users.




Still, if customers choose to run garden-variety applications like email over ANX and use insecure software, viruses or other abuses can spread. Right now, most customers don't face this danger because they use a small range of applications such as EDI or CAD/CAM exchanges. But Naugle said there is an evolution toward using ANX for email.




ANX is centrally managed, unlike the Internet, but it is not a monolith. The CSPs that deal directly with customers are privately managed, and in fact I was informed by Naugle and Industry Relations Manager Gregg Halberstadt that a lively competition exists among them. Prices for connecting to a CSP are comparable to business-quality connections on the Internet. A monthly fee for ANX is added on top of this, though. That pays for the certification and management activities performed from the center. According to Naugle, "The return on investment for companies using ANX comes almost immediately, because [so far as connecting to other ANX customers] they can replace the mess of many access points with a single, reliable connection to our network."




ANX scales. They now serve almost 1000 companies, and they've expanded beyond their original base in the U.S. automotive industry. ANX is now serving the aerospace industry and financial services, and they are finding particular interest among health care providers, who have particularly sensitive data and who are required by the federal Health Insurance Portability and Accountability Act to secure that data.



What we can learn in regard to a government network





An examination of what ANX tries to do, and what they shy away from, can provide some guidelines to proponents of GOVNET. This section is my personal analysis and does not contain any input from ANX.




First, the software you run and who you allow to run it is just as important as what network it travels. You can't just set up a private network and assume that everything will come up roses. Each application is responsible for security. If you allow buggy applications to run, you'll have security breaches. That applies to software that manages systems and networks, too. GOVNET is not going to be secure unless applications are specially developed or hardened for it—no ActiveX, automatic macro execution, etc.




A private network like ANX does not provide user authentication. So promise to make each application authenticate remote users. Even after you achieve that, you still have to set up a system to grant identities to users, and administrators must understand how to make sure that only trusted people get identities. These tasks are part of what I call "cyber-hygiene," and it's required on both the Internet and on any large private network.




ANXeBusiness Corp. does not threaten users with fire and brimstone if they choose to connect their LANs to the Internet. First of all, it recognizes that some communications between customers cannot be secured, so it accepts that they'll use insecure channels for those communications. GOVNET should recognize this too. It cannot provide a secure application for every activity that comes to the user's mind (instant messaging, Web browsing) and even if it could, people would want to reach sites that aren't on GOVNET. They won't want to transfer a vendor proposal from an Internet-connected system to a GOVNET-connected system by swapping disks.




The ANX solution is more realistic, and so far it's worked well. People will use the Internet and they will use the private network, all from the same computer system. The barrier is not unsurmountable to an intruder, but it creates a big double hump they have to leap without being detected.




ANXeBusiness Corp. recognizes what it is responsible for (encryption, preventing unauthorized network use) and what it cannot control. It regulates its CSPs rigorously to uphold its part of the bargain; meanwhile, the customer must be responsible for its part. GOVNET does not include any distinction between the provider and the end-user. If the proponents of GOVNET really believe they can be responsible for everything—no intrusions, no breakdowns, no viruses—they have to be prepared to train every staffer who uses an application on GOVNET. In an organization the size of the federal government that's a daunting task, even if nobody ever gets fired. (Actually, some positions experience turnover every four years.)




So that's my list of suggestions for improving government security. It's an expensive and long-term proposition, and by no means is it a perfect one. I learned it from ANX. And while ANX is a very impressive service that can't be duplicated on the Internet, its success has a lot to teach Internet users. End-to-end encryption is good; IPSEC is good; intrusion detection is good. You can improve security a lot by adopting good ANX practices even if you don't want or need ANX's private lines.




Is ANX a model for other commercial and government communications systems?