20CN Network Security Group first-generation forum

Topic: An article about VPN!
Author: 罗马剑客 (unregistered)

1. Product Version

Vendor Name: Data Fellows

Product Name and Version: F-Secure VPN+ 3.0

Date of Publication: May 29th 1998

2. Executive Overview

F-Secure VPN+ secures mission critical networking between remote offices, business partners, telecommuters and traveling salespersons. This centrally managed enterprise security solution is composed of the following components fulfilling each and every networking need:

Business VPN+
Partner VPN+
Remote Office VPN+
Traveling VPN+
Service VPN+

As a European product, F-Secure VPN+ is not restricted by the US export regulations, and is available with strong encryption worldwide.

3. Product Information

F-Secure VPN+ advantages:

Full key length encryption guarantees uncompromised security worldwide.
Router and firewall independent solution.
The F-Secure VPN+ product family covers all aspects of modern corporate communication.
F-Secure VPN is easy to set up, configure and maintain.
Complete transparency guarantees unobtrusiveness to the end user.

The F-Secure VPN+ networking solution.

Business VPN+

Business VPN+ is a cost-effective security solution for intranet connections between corporate sites. It encrypts in-corporate communication with powerful F-Secure VPN+ gateways regardless of the network technology.

Partner VPN+

Partner VPN+ provides strong authentication and filtering for extranet connections between an organization and its partners, subcontractors, or distributors. It keeps unwanted users out and facilitates secure communication no matter where the data goes.

Remote Office VPN+

Remote Office VPN+ supports telecommuting as a method of working. It offers a scalable and cost-effective solution to securely use the Internet for communications for the Small Office and Home Office.

Traveling VPN+

Traveling VPN+ secures the extension of the corporate network to employees on the road. Typical remote networking applications, such as e-mail, can be secured transparently.

Service VPN+

Service VPN+ is suitable for organizations offering systems management services. It ensures that only the authorized systems manager can access the remote system. Service VPN+ also enables Internet Service Providers to offer VPN based services or hybrid customer networks with VPN links. Its powerful management features help the operator in maintaining the customer network.

3.1 Security Configuration

F-Secure VPN+ is centrally managed with F-Secure Policy Administrator. This Java application is capable of creating IPSec security policy databases and distributing them.


F-Secure Policy Administrator application.

3.2 F-Secure VPN+ Features and Functionalities

Provides compliance with the IETF standard IPSec protocol.
Additional Policy Management tools to help build scalable architectures and transparent operation and effective VPN management for any workstation, server and security gateway.
Support for Simple Network Management Protocol (SNMP): 3Q1998.

F-Secure VPN+ products:

F-Secure VPN+ Client
F-Secure VPN+ Server
F-Secure VPN+ Gateway

Authentication algorithms:

HMAC-MD5-96
HMAC-SHA1-96

Encryption algorithms:

3DES (168 bit)
DES (56 bit)
Blowfish (40-446 bit)
CAST128 (40-128 bit)

Key exchange choices:

ISAKMP/Oakley, pre-shared keys
X.509 certificates with DSS signatures
RSA signatures
RSA encryption

Available for:

Windows 95
Windows 98
Windows NT
Solaris Sparc
Solaris x86

4. Product Security Architecture

F-Secure VPN+ security architecture consists of two separate software components:

An IPSec software component supporting the ISAKMP/Oakley key exchange for VPN+ servers, clients and security gateways.
A Policy Management console that can be used from a remote policy management workstation to set a global policy or individual policy decision on each IPSec client, server or security gateway.

The F-Secure VPN+'s IPSec software component fully conforms to the Internet Engineering Task Force's (IETF's) IPSec standards.

4.1 F-Secure VPN+ network architecture

F-Secure VPN+ products (client, server and gateway) can route, filter, encrypt and authenticate IPSec and plain-text communication.

An F-Secure VPN+ security gateway can route, filter, encrypt and authenticate IPSec and plain-text communication and host multiple local area networks on a single gateway machine with multiple network interfaces. The F-Secure VPN+ client and server versions support a single network interface configuration.


Secure client-to-server communication (host-to-host encryption).



Secure client-to-gateway communication: this is the case of the traveling salesperson securely accessing the company network through the Internet.



Secure gateway-to-gateway communication: this is the case of securely connecting remote LANs together.

4.2 Security Management

The Policy Management console is a 100% Pure Java application allowing the management tasks to be performed from any workstation. The administrator can create different security policies for hosts or deploy a single policy over a large domain of hosts. The policy can be distributed over a network to the workstations, servers and security gateways in a LAN. The security policy defines the contents of the IPSec security policy database on each machine. This security policy database is used as the basis to allow or deny connections between F-Secure VPN+ hosts. Security policy databases are signed with DSS.

5. Product Default Operations

F-Secure VPN+ Setup requires administrator privileges to install the network encryption drivers on Windows NT 4.0; on Solaris, root privileges are required to install the network device drivers.

The default encryption and authentication methods can be set by the administrator for all hosts in the policy database that is distributed to each host. The administrator can also configure whether to accept or deny non encrypted and authenticated data to and from the hosts. For default operation several policy templates are supplied to help the administrator set up his/her network.

By default F-Secure VPN+ logs all rejected network connections.

F-Secure VPN+ key management relies on the ISAKMP/Oakley standard to provide fully automatic, policy based key management using X.509 certificates for VPN+ client, server and security gateway. By default, each host only needs to set up a host key pair for authentication and install the company CA public key certificate for certificate path verification. No other keys are needed. This results in F-Secure VPN+ being independent of any specific X.509 public key infrastructure.

6. Product Testing Methodology

The cryptographic library used was developed by experienced developers in the tradition of other F-Secure encryption products. The algorithm implementations are known to correspond to the reference implementations.

The IPSec traffic security protocols ESP and AH and the Internet Key Exchange protocol have been interoperability tested with other vendors' products, making F-Secure VPN+ products highly interoperable with different IPSec vendors.

Implementation of the non-cryptographic software modules will be done as an ordinary software project. The modules are first tested individually by the developers and integration testing is performed separately in the Data Fellows testing laboratory. Many of the modules will be only slightly adapted from F-Secure SSH, providing a reliable code base for regression testing.

7. Product Performance Attributes

F-Secure VPN+ products are much faster than most LANs transmitting Ethernet traffic, which means that network performance is not affected greatly. The estimated effective throughput of the F-Secure VPN+ devices is 3-8 Mbit/s on a normal 166 MHz to 200 MHz Pentium machine.

8. Product operational assumptions

F-Secure VPN+ is a software solution, working on Windows NT 4.0 and Solaris Sparc. Later also on Windows 95, Windows 98, Windows 95 and Solaris x86.

The product does not depend on or require any special network topologies or network components to work with.

9. Product Operational/Management Requirements and Interface

The F-Secure VPN+ products do not contain any special operational requirements or interfaces. The operation is governed by a security policy that is being managed centrally and deployed to all policy domains in a corporation.

Whenever a new F-Secure VPN+ installation is performed, the software requires keys and certificates to be generated for the host to be able to communicate with other F-Secure VPN+ devices. The administration is host certificate administration together with periodic security policy updates that reflect the changes in the corporate security policy.

F-Secure VPN+ products are centrally managed with the F-Secure Policy Administrator. This Java application is capable of creating IPSec security policy databases and distributing them.

10. Product Customer Support

Data Fellows and its authorized Business Partners offer various support plans and options to cater for different customer needs and requirements. The standard F-Secure Support Plans available are the following:

Gold Support

unlimited, free support through email and fax
complimentary maintenance updates ("dot releases") during the subscription period
complimentary access to Data Fellows product and technical support information on the Web

Platinum Support

unlimited, free support through email, fax and phone
complimentary updates and upgrades of all releases
betas and pre-releases of forthcoming releases
priority access to senior technical support and product development personnel
complimentary access to Data Fellows product and technical support information on the Web
reduced rates for on-site support

Premium Support

all the benefits of Platinum Support
extended phone support hours with seasoned technical support personnel
personal F-Secure Support ID code for priority access

11. Product Interoperability Considerations

F-Secure VPN+ is highly interoperable with other key vendors' IPSec based products that use ISAKMP/Oakley (The Internet Key Exchange) as their key negotiation protocol. F-Secure VPN+ supports the latest IETF IPSec and ISAKMP/Oakley standards for Internet Protocol Security.

12. Vendor Information

Data Fellows is one of the world's leading developers of data security products. It has offices in San Jose, California, and Espoo, Finland, as well as distributors in over 70 countries all around the world. Its products have been translated to over 30 languages.


The Company develops, markets and supports anti-virus, data security and cryptography software products for personal computers and corporate networks. Brands include F-PROT™ anti-virus products and F-Secure™ anti-virus and data security products and the CounterSign™ security architecture.


The products of Data Fellows have already won numerous international tests and competitions, including the 1996 European Information Technology Prize; Data Communications Magazine's Hot Product of the Year 1997; SVM Magazine, May 1997, Best Anti-Virus; and SECURE Computing's Editor's Choice. In 1998 the Company received the President of Finland's Export Award. This award is granted annually to the most outstanding export companies in the country.


Data Fellows' target market is business-to-business, medium and high-end corporate, governmental, and educational market. Its prospective customers typically are organizations that have implemented enterprise wide networks, and value highly network independent management and administration tools that the Company's products incorporate. Today Data Fellows has tens of thousands of customers in more than 100 countries. Reference customers include NASA Headquarters, US Air Force, Lawrence Livermore, 5 out of 10 largest banks in the world, IBM, Microsoft, Hewlett-Packard, DEC, Unisys, Siemens-Nixdorf, EDS, Cisco, Nokia Group, Telecom Finland, UUNet Technologies, Boeing, Bell Atlantic, MCI, Telecom Italy.


The Company's annual growth in net sales has been over 80% since it was founded in 1988. Turnover has reached FIM17.9 million, FIM40.9 million and FIM73 million in the 1995, 1996 and 1997 fiscal years, respectively. Net profit margin has exceeded 30 per cent during the last four fiscal years, resulting in profits of FIM4.2 million, FIM12.8 million and FIM22 million in the 1995, 1996 and 1997 fiscal years, respectively. The projected annual growth rate for the next three years should exceed 100 per cent. The Company is privately held.

13. Contact Information:

USA

Contact Business Hours: 8 AM to 6 PM PST
Contact telephone number: (408) 938-6700
Contact FAX number: (408) 938-6701
Contact Email address: US-sales@DataFellows.com
Contact Web URL: http://www.DataFellows.com/
Contact postal address: 675 N. First Street, 8th floor, San Jose, CA 95112, USA

Europe

Contact Business Hours: 8 AM to 6 PM EET
Contact telephone number: +358 9 859 900
Contact FAX number: +358 9 8599 0599
Contact Email address: f-secure-sales@DataFellows.com
Contact Web URL: http://www.Europe.DataFellows.com/
Contact postal address: Pyyntitie 7, PL 24, FIN-02231 Espoo, Finland

Data Fellows Inc. reserves the right to modify specifications cited in this document without prior notice.

Copyright © 1998. All rights reserved.
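
The policy behaviour described in sections 4.2 and 5 above (a per-host security policy database that allows or denies connections, an administrator choice on whether plaintext is accepted, and logging of rejected connections) can be modelled as a first-match lookup with default deny. This is an added example, not part of the original post and not F-Secure code; the rule format, the `evaluate` function, the addresses and the reject log are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str                      # source network (CIDR)
    dst: str                      # destination network (CIDR)
    action: str                   # "protect", "bypass" or "discard"
    enc: Optional[str] = None     # required cipher when action == "protect"
    auth: Optional[str] = None    # required integrity algorithm

# Constructed policy for one gateway: first match wins, no match means reject.
POLICY = [
    Rule("10.1.0.0/16", "10.2.0.0/16", "protect", "3DES", "HMAC-SHA1-96"),
    Rule("10.1.0.0/16", "192.0.2.53/32", "bypass"),   # plaintext explicitly allowed
    Rule("0.0.0.0/0", "10.1.5.0/24", "discard"),      # never reachable
]

REJECT_LOG = []   # stands in for the rejected-connection log

def _match(rule: Rule, src: str, dst: str) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst))

def evaluate(src: str, dst: str, sa: Optional[Tuple[str, str]] = None) -> str:
    """Return "accept" or "reject" for a packet; sa is the (cipher, auth)
    pair it arrived under, or None for plaintext."""
    for rule in POLICY:
        if not _match(rule, src, dst):
            continue
        # Strict check: the protection actually used must equal what policy demands.
        if rule.action == "bypass" and sa is None:
            return "accept"
        if rule.action == "protect" and sa == (rule.enc, rule.auth):
            return "accept"
        reason = f"{rule.action} rule not satisfied (sa={sa})"
        break
    else:
        reason = "no matching rule (default deny)"
    REJECT_LOG.append((src, dst, reason))   # every rejection is recorded
    return "reject"
```

The cases worth noting are plaintext on a protected path and a weaker algorithm pair than the policy requires: both are rejected and logged rather than silently downgraded.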
