Securing the SECOM Intranet

By Greg Clark
Vice President Engineering
Dascom, Inc.


SECOM Co. Ltd., Japan's largest provider of corporate security services, maintains an Intranet of some 10,000 computer systems. These systems comprise everything from desktop workstations to high-end MIS servers. Consequently, SECOM is confronted with the daunting task of managing and controlling the information and resources within this massive network.

SECOM adopted a high-performance, secure Intranet replacement strategy based on DASCOM's IntraVerse technology, which uses DCE from The Open Group.

SECOM's Intranet is partitioned into four distinct functional areas which, for business organizational reasons, are directly aligned to MIS management domains. These are:

  1. SECOM Information Systems,
  2. Group Headquarters,
  3. Information Systems Research, and
  4. SECOM Internal Network.

The original architecture proved problematic in the following areas:



In light of the above problems, SECOM adopted an Intranet replacement strategy based on the following requirements:

The replacement Intranet architecture was introduced in two phases. In phase one, the existing public and internal Web servers were secured using DASCOM's DCE-based IntraVerse Web server as a secure front-end to provide centralized, fine-grain access control over each of the Web spaces. Four distinct IntraVerse Web servers were installed as security front-ends to the existing Web servers in each of the four administrative domains.

This approach had the advantage of enabling the Webmasters of each secure domain to maintain their existing document space with an instant fine-grain access control mechanism.

Clients wishing to gain access to restricted portions of the newly-secured document space now do so via the IntraVerse WebSEAT DCE-based security client (available for download from each of the Web servers). The WebSEAT software provides a mechanism for commercial off-the-shelf browsers to gain secure access to restricted document spaces.

In phase two, the conventional firewalls are replaced with DCE-based IntraVerse NetSEAL distributed firewalls. NetSEAL software enables network administrators of a secure domain to maintain a high level of secure access to existing, legacy Internet services (FTP, Telnet, News, etc.).

In addition, the WebSEATs deployed in phase one are replaced by NetSEAT software to provide mutual authentication between clients and servers for every Internet service across the organization.

In summary, the DCE-based IntraVerse product set enabled SECOM to migrate their network infrastructure to a complete security architecture incorporating existing legacy TCP/IP-based services and more modern Intranet resource servers with built-in security. The IntraVerse software also enabled a mapping of SECOM's security policy to the DCE access control framework, something not possible with existing firewall technologies.

