Security

Enscand, Inc. takes security very seriously. Today's competitive corporate environment, coupled with the immature, often insecure nature of modern computing makes security important for almost any business. Below is a description of Enscand, Inc.'s baseline security provisions. Client requirements exceeding the following description can generally be accomodated upon request. This description is intended to provide clients and potential clients a general idea of the level of security employed. Some details must obviously be ommitted here for security's sake. In addition, it should be noted that the information contained on this page does not itself represent a security breach. All information on this page is either academic-only, or already obtainable by any sophisticated hacker. "Security-by-obscurity" is not relied upon as a primary security strategy.

Internet Security

Internet mail, web, and application services are provided on an Intel x86 Sun Solaris platform. Failover service is provided by a Intel SuSE Linux platform. The server is located behind a hardware firewall with only http (80), https (443), ssh (22), and smtp (25) ports open to the Internet side of the firewall. All sensitive web content is served with the secure (https) Apache web server, using SSL and digital certificates for encryption and server authentication. Any client login information is encrypted, and all login pages are themselves served via https. Many websites redirect login requests via a 3rd-party secure authentication domain (e.g. OpenID, Google, Facebook), making it difficult for users to tell whether their information is indeed protected with SSL encryption. OpenSSH is used for secure command-line remote administration using SSH2 strong cryptography. No telnet or insecure FTP access is allowed, nor are any other internet (WAN) services which employ clear-text password transmissions.

Sensitive email communications are provided by using a PGP client plug-in for Outlook to encrypt message content. DH/DSS keys are used for the encryption. Keys can be downloaded here and should be verified personally via electronic thumbprint before using. Postfix Solaris mail server is used as the SMTP mail transfer agent.

Office Security

All computer systems are access-controlled via password authentication supported by the resident OS's. Primary networking is provided via 10 Mbps, 100 Mbps, and 1 Gbps ethernet. Additional network access is gained via a 802.11b Wi-Fi router. Access is restricted with both 128-bit WEP encryption as well as MAC control, and the entire Wi-Fi network is kept on an "untrusted" subnet by the Enscand Watchguard Firebox firewall.

Solaris®, Linux and Windows® file systems are regularly scanned with antivirus software, and auto-updated with signed security patches provide by Sun/Oracle, SuSE and Microsoft. Passwords are only stored in encrypted files. Systems are backed up nightly to 4mm DDS magnetic tape media or failover file servers. Only Linux and Solaris servers are allowed to run unsupervised (24/7/365). Windows® workstations are shut down or put into standby when not in use.

Virtual Private Networking is implemented on a per-application basis, exclusively using SSH2 tunneling. This uses strong cryptography for user password authentication, as well as encryption of every data packet transmitted. Compared with PPTP, this implementation is much more secure.

Physical security at the Enscand, Inc. office in Seattle is provided via a custom intrusion detection and alarm system. The custom system was choosen to accomodate flexible security needs for the home office. In addition, while all security systems have weaknesses, many of the common off-the-shelf systems available have weaknesses that are well-known to experienced criminals. While more expensive, the custom system allows for easier upgrading as future needs change. The system was also implemented as a demonstration of technical areas of expertise. Entry alarms, motion detection, video surveillance and recording, and remote monitoring/notification are all supported by the system. Backup data is locked in a hardened, fire-proof physical safe.

It should be noted, however, than any system is breachable.