12.1. What level of security does ENX provide?
12.2. How does ENX provide network security?
12.3. Does the ENX network provide any application security?
12.4. What is an "ENX tunnel" or "ENX connection"?
12.5. Do I still need a network firewall if I use ENX?
12.6. How does ENX prevent DoS attacks?
12.7. What is "IPSec"?
12.8. What is a "CA"?
12.9. What is a "Certificate"?
12.10. What is a "PKI"?
12.11. What is "Traffic Separation"?
12.12. How can I get in touch with ENX experts for this FAQ chapter?
12.1. What level of security does ENX provide?
Security within ENX mainly refers to the integrity, authentication and confidentiality of data exchanged between ENX users. The ENX certified service providers have to ensure the infrastructure security within their networks in order to minimise the risk of denial-of-service and other attacks in the ENX network. The ENX Association has established process security by means of the certification of ENX service providers and registration procedures for ENX users.
12.2. How does ENX provide network security?
ENX provides network security by means of security gateways. These security gateways are based on the IP extension IPSec (IP Security) and therefore provide mechanisms for "door to door" security.
See FAQ 12.7. What is "IPSec"?
12.3. Does the ENX network provide any application security?
ENX provides "door to door" security mechanisms. Any additional server-to-server encryption mechanism may be implemented individually for certain applications or by certain users.
12.4. What is an "ENX tunnel" or "ENX connection"?
An ENX tunnel (or ENX connection) is the individual ENX VPN tunnel established between the ENX accesses of two individual users.
12.5. Do I still need a network firewall if I use ENX?
A definite "yes".
You still need to protect both your internal network and the ENX network from abuse.
12.6. How does ENX prevent DoS attacks?
Denial-of-service attacks are possible within the ENX network, as they are in all other networks.
But due to two ENX-specific reasons this does not happen:
- The ENX network is a closed user group.
Only companies which have registered with the ENX Association are entitled to get an ENX access at all, and the ENX network is not connected to the public internet.
- The ENX concept is based on 1:1 communications.
All communications between any two business partners are encrypted in their own separate IPSec tunnel. Before such a tunnel is established by the certified service provider(s), both business partners have to bilaterally agree on this setup. Therefore, the ENX access of any given user can only be reached by his selected communication partners.
Due to the ENX concept of encrypted 1:1 communications, and as a matter of principle, "distributed" denial-of-service attacks (via "botnets") are impossible within the ENX network.
In the unlikely event of a denial-of-service attack it is very easy to take effective countermeasures by simply shutting down the respective tunnel. Furthermore, the originator of the attack can be easily identified.
This situation is one of ENX's many unique advantages over the public internet.
Definition: A denial-of-service attack is an attack on a server with the aim of rendering one or more of its services unavailable. Usually this is achieved by flooding the server with more requests than it can handle.
12.7. What is "IPSec"?
The IP extension "Internet Protocol Security" (IPSec) is a robust standard that covers authentication and encryption of data traffic over IP-based networks such as ENX or the public Internet in order to create so-called "Virtual Private Networks" (VPN).
VPN technology employing IPSec encrypts all outgoing data and decrypts all incoming data, so that a public network like the internet can be used as a transport medium.
Source and more information about IPSec:
FAQ 7.5. How do I establish a tunnel?
FAQ 12.4. What is an "ENX tunnel" or "ENX connection"?
12.8. What is a "CA"?
In cryptography, a certificate authority (CA) is an entity that issues digital identity certificates for use by other parties. It is an example of a trusted third party. CAs are a characteristic of many PKI schemes.
A CA is usually a company that, for a fee, will issue a public key certificate. This certificate is the CA's confirmation that the public key contained in the certificate belongs to the person (or organisation) named in the certificate. A CA's obligation in such schemes is to verify and confirm an applicant's identity. That way users can trust that certificates issued by that specific CA belong to the people identified through them, along with the data they contain (most usually, a public key), and not to an impostor. The idea is that once the user trusts the CA and can verify the CA's signature, he can also verify that a certain public key does indeed belong to whoever is identified in the certificate.
Source and more information:
12.9. What is a "Certificate"?
In cryptography, a public key certificate (or identity certificate) is a certificate that uses a digital signature to bind a public key to an identity: information such as the name of a person or an organisation, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
12.10. What is a "PKI"?
ENX is based on a Public Key Infrastructure (PKI):
PKI arrangements enable users to authenticate each other and to use the information in identity certificates (i.e., each other's public keys) to encrypt and decrypt messages sent and received.
A PKI generally consists of client software, server software (such as a certificate authority), hardware, as well as sets of pre-defined operational procedures. A user may digitally sign messages using his private key, and another user can check that signature using the public key contained in the signer's certificate, issued by a certificate authority within the PKI.
This enables two ENX users to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance.
See FAQ 12.8. What is a "CA"?
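The CA, certificate and PKI answers above (12.8 to 12.10) describe one mechanism; the following added example, which is not code from the ENX FAQ or from any ENX software, shows it end to end in Go with only the standard library: a CA issues a certificate binding a user's public key to a name, the user signs a message with the private key, and the receiver verifies the certificate against the trusted CA before checking the signature. The participant names, serial numbers and the choice of Ed25519 keys are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert generates a key pair and a certificate binding the new public key to name.
// With caCert == nil it is a self-signed CA root; otherwise the CA's key signs it.
func issueCert(name string, serial int64, caCert *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: caCert == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	parent, signer := caCert, caKey // the issuing CA vouches for the subject's key
	if caCert == nil {              // no CA given: self-signed root that can sign certs
		parent, signer, tmpl.KeyUsage = tmpl, priv, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// signMessage: the sender signs with its own private key.
func signMessage(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

// verifySignedMessage: the receiver checks that the sender's certificate chains to the
// CA it trusts, then verifies the signature with the public key taken from that certificate.
func verifySignedMessage(trustedCA, sender *x509.Certificate, msg, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sender.Verify(opts); err != nil {
		return false // not issued by a trusted CA: reject as a possible impostor
	}
	pub, ok := sender.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}
```

A certificate issued by a different, untrusted CA for the same name fails the chain check even though its own signature is valid, which is the impostor case the CA answer describes.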
12.11. What is "Traffic Separation"?
Traffic separation prevents end users from eavesdropping on the traffic of other end users.
It also separates services and other service provider traffic, giving the network operator full control of who communicates with whom, thereby guaranteeing that only authenticated users use network resources.