Technical Library
12 Jul 2001
Managed Services Group Support FAQs

General
Access Control Cards
Packet Filtering
Additional Questions

What do you do to ensure my site is secure?
We will work with the Site Security Officer(s) to formulate a security policy tailored especially for the organization's specific needs. The policy will include IP packet filtering. Possibilities include static packet filtering as well as dynamic packet filtering, which provides individual security profiles. Dynamic filtering supplies remote access to resources which would normally be inaccessible to outside users. Access is granted after the user is authenticated through the SecureConnect authentication server and the user's access control card. Additionally, MSG will perform a security audit of the customer's site, bringing any vulnerabilities found to their attention. MSG will also provide additional information regarding security announcements from organizations such as CERT to the Site Security Officer(s). All router traffic and authentication server attempts (whether successful or failed) are logged, and reports will be generated for each site.

How are user profiles invoked?
User profiles are filter rules used to allow single connections from authenticated remote users. The remote user telnets to the authentication port on the router, which presents the DES challenge. The user responds with the authentication string. After the router has confirmed the authentication, it loads new filter rules which allow predetermined types of inbound connections.

How many services can I allow users to access?
Users can be configured to allow access to any number of services.

What reports will you send to me?
MSG will email daily, weekly, or monthly reports of router traffic and authentication server attempts to the Site Security Officer or a designee. These reports will be archived for future reference.

How does the access control card work?
The access control card requires the user to enter a PIN (Personal Identification Number) to begin a session. Once the correct PIN has been entered, the user enters the string of characters the authentication server has issued as a crypto-challenge. The access control card then encrypts the input string with a private DES key and algorithm, and calculates and displays the result. The user then enters the result to the authentication server.

When should I change the PIN on my access control card?
You will be required to change your PIN when you first receive your access control cards. After that, the PIN should be changed if the access control card is assigned to a new user. The PIN prevents the access control card from being used by anyone but the person it is assigned to.

What should I choose as a PIN?
It is important that you do not choose a PIN that is easily guessed or obtainable by another party. For instance, you should not choose your phone number, birthday, social security number, house number, etc. Also, your PIN should not be shared with others or written down.

How do I change the PIN on my access control card?
After turning on the card and entering the current PIN, the PIN can be changed by pressing the 'CPIN' key on the lower-left of the card. Once the 'CPIN' key is pressed, the card will prompt for the new PIN and request you to enter it a second time for verification.

My access control card is locked. What do I do?
Once the access control card becomes locked, it must be re-initialized with the private DES key by us. The card must be returned to us for reprogramming, and the customer will incur a service charge as stated in the SecureConnect service option contract.
Send the card to the following address:

What do I do if my access control card is lost or stolen?
MSG must be notified as quickly as possible if a card is lost or stolen so the user information on the authentication servers can be changed to maintain security. MSG can be notified at spart@psi.com.
There is a charge for lost/stolen/damaged cards as outlined in the SecureConnect service option contract. Requests for replacement cards should be directed to:

What are packet filters and how do they work?
Packet filters are installed on a customer's gateway router to specify which packets the router should pass and which packets the router should refuse to pass. Filters can be written based on the source and destination address and port numbers. This allows decisions based not only on the machines involved but on the protocols as well. As an example, it is possible to allow telnet connections to only one host on a customer LAN but allow mail connections to any host.

Why are dynamic filters better than static filters?
Static filters are inflexible: providing access to remote users requires either intensive administration or ever-present holes in the firewall. Dynamic filters can be used to open small holes in the firewall after user authentication.

Where can I direct questions not answered here?
SecureConnect customers can direct additional questions to: spart@psi.com
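
The challenge-response and dynamic-filter flow described in the answers above, modelled in Python as an added example (it is not PSI's or SecureConnect's code). HMAC-SHA256 stands in for the card's DES computation, and the Router class, user name, key, addresses and the one-connection lifetime of a dynamic rule are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

TELNET, SMTP = 23, 25
# Static rules (dst network, dst port): mail to any LAN host, telnet to one.
STATIC_RULES = [("192.0.2.0/24", SMTP), ("192.0.2.10/32", TELNET)]
# Constructed per-user profile and card key (sample values, not real data).
PROFILES = {"alice": [("192.0.2.20/32", TELNET)]}
CARD_KEYS = {"alice": b"constructed-sample-key"}


def card_response(key: bytes, challenge: str) -> str:
    """Value the card would display; HMAC-SHA256 stands in for DES here."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def _match(dst_ip: str, port: int, net: str, rule_port: int) -> bool:
    return port == rule_port and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net)


class Router:
    def __init__(self):
        self.dynamic = []  # (src_ip, dst_net, port) holes opened after auth
        self.pending = {}  # user -> outstanding challenge
        self.log = []      # every attempt is recorded, successful or failed

    def challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_hex(4)
        return self.pending[user]

    def authenticate(self, user: str, src_ip: str, response: str) -> bool:
        challenge = self.pending.pop(user, None)  # each challenge is single-use
        key = CARD_KEYS.get(user)
        ok = bool(challenge and key) and hmac.compare_digest(
            card_response(key, challenge).encode(), response.encode())
        self.log.append((user, src_ip, "ok" if ok else "failed"))
        if ok:  # load the profile, scoped to the authenticated source address
            self.dynamic += [(src_ip, n, p) for n, p in PROFILES.get(user, [])]
        return ok

    def permits(self, src_ip: str, dst_ip: str, port: int) -> bool:
        if any(_match(dst_ip, port, n, p) for n, p in STATIC_RULES):
            return True
        for rule in self.dynamic:
            if rule[0] == src_ip and _match(dst_ip, port, rule[1], rule[2]):
                self.dynamic.remove(rule)  # assumed: hole closes after one connection
                return True
        return False
```

The static rules stay open to every source, while the telnet hole to 192.0.2.20 exists only for the authenticated source address and only until it is used.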