
Tracker Security

At the heart of the Tracker Platform is its ability to provide inbound and outbound secure remote access.


More Information
  • Control access to remote devices
  • IP or dial up connectivity
  • Inbuilt packet filtering firewall
  • VPN tunneling and encryption
  • Secure menus, CLI/ANI answering
  • Two factor authentication
  • Some Tracker models are security approved by the UK and US Government


No device that resides on a corporate network can afford to be without some form of security. Edge devices such as routers, firewalls, VPN servers and Intrusion Detection Systems provide hardened protection from brute force and denial of service attacks, and restrict the number of inbound remote connections to the corporate network.

However, it is no longer possible to operate with a closed-door approach to the Internet. The rise in teleworking and the need to communicate with disparate systems have meant that companies have had to punch holes in the fortified walls that surround their corporate networks. With more and more hackers using social engineering to gain access to usernames, passwords and other security codes, system administrators must be ever more careful to ensure that systems within their corporate network are locked down tight.

It is on a company's internal corporate network that the Tracker can help to keep the network secure. The Tracker may be adding security to devices that have either limited or no security. It might provide the gateway to access the admin interface of IP equipment located on a different subnet. Although not strictly a security issue, it should be noted that the Tracker may also be used to put devices onto the IP network that have no native IP interface.


The Tracker has the following security functionality:

Auditing
The auditing functionality gives system administrators the capability to check who has been logging on to the Tracker, when they logged in and what their activities were. Alarms can be sent automatically when users log on, and a system administrator could, if they choose, log in themselves and disconnect a user.

Dial-up (Out-Of-Band) Access
Where no IP network is available, remote access over standard telephone lines via a modem is the best alternative; for some purposes, it may even be the simplest solution. However, it also represents the easiest way to bypass any IP security and gain a foothold on an IP network. Consequently, in addition to a standard username and password, the Tracker features:

Restricted Answering
Utilising the Caller ID or ANI service, the modem within the Tracker will only answer the call if it is from a pre-programmed number.

PPP
The Tracker is capable of connecting a user to the IP network using PPP, the industry standard networking protocol.

Two Factor Authentication
This is the most secure option available and requires a Tracker 2720 modem at the calling end. The 2720 can be used as a normal modem. It is pre-programmed with a secret and a unique identity number (ID).

When it is used to call a Tracker that has been configured to use two factor authentication, the called Tracker will issue an encrypted challenge using its secret. Only an encrypted response using the same secret will authenticate; this is the first stage. The second stage involves the receiving Tracker checking that the ID of the calling 2720 appears in its Access list. If it does, the caller is granted access to the system. If the ID does not appear in the Access list, or is found in the Deny list, access will be refused. This authentication process is completely transparent to the user and makes the system easy to integrate into an existing IT infrastructure.
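The two stages described above can be sketched as follows. This is an added example, not Tracker firmware or vendor code: the page does not name the algorithm, so HMAC-SHA256 over a random challenge stands in for the "encrypted challenge", and the class name, the ID format, the single-use challenge tracking and the binding of the ID into the response are all assumptions.

```python
import hashlib
import hmac
import secrets


def answer_challenge(secret: bytes, unit_id: str, challenge: bytes) -> bytes:
    """Calling side: prove knowledge of the shared secret for the claimed ID."""
    return hmac.new(secret, challenge + unit_id.encode(), hashlib.sha256).digest()


class CalledUnit:
    """Answering side: stage 1 checks the secret, stage 2 checks the ID lists."""

    def __init__(self, secret: bytes, access_list, deny_list):
        self._secret = secret
        self.access_list = set(access_list)
        self.deny_list = set(deny_list)
        self._pending = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh and unpredictable per call
        self._pending.add(challenge)
        return challenge

    def authenticate(self, unit_id: str, challenge: bytes, response: bytes) -> str:
        # A challenge is valid once only, so a recorded exchange cannot be replayed.
        if challenge not in self._pending:
            return "refused: unknown or reused challenge"
        self._pending.discard(challenge)
        # Stage 1: the response must come from a holder of the same secret.
        expected = answer_challenge(self._secret, unit_id, challenge)
        if not hmac.compare_digest(expected, response):  # constant-time compare
            return "refused: bad response"
        # Stage 2: the Deny list wins over the Access list; unlisted IDs are refused.
        if unit_id in self.deny_list:
            return "refused: ID on Deny list"
        if unit_id not in self.access_list:
            return "refused: ID not on Access list"
        return "granted"


def demo() -> dict:
    """Run four constructed dial-in attempts and return the outcome of each."""
    secret = b"constructed-demo-secret"  # sample value, not a real key
    called = CalledUnit(secret, {"ID-1001", "ID-1002"}, {"ID-1002"})
    results = {}
    for label, uid, key in [("listed", "ID-1001", secret),
                            ("denied", "ID-1002", secret),
                            ("unlisted", "ID-9999", secret),
                            ("wrong secret", "ID-1001", b"guess")]:
        ch = called.issue_challenge()
        results[label] = called.authenticate(uid, ch, answer_challenge(key, uid, ch))
    return results
```

Only the first attempt in `demo()` is granted; a caller holding the right secret is still refused at stage two if its ID is on the Deny list or missing from the Access list.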

The Tracker 2700, 2720 and 2730 products have received Information Assurance Accreditation from the US Government's Defense Information System Network (DISN) Security Accreditation Working Group.

IP Access
There are two options available for IP access: in-band and side-band.

In-band
In-band access is a straightforward connection to the IP address of the Tracker. In addition to the standard username and password, the Tracker includes a packet filtering firewall. This can be used in addition to the corporate firewall to ensure that access can only be gained by users with a specific IP address to specific ports.

Side-Band
Side-band access creates an encrypted tunnel to the Tracker, through which all the keystrokes and any other data pass. This makes it impossible for packet sniffers to determine what data is being passed between the Tracker and the Client.

The Tracker will support the standard SSL protocol for telnet and FTP access. This will enable a client such as a system administrator/engineer to use their PC to establish a completely secure connection to the Tracker. This connection could be routed out of one corporate network, over the Internet and onto a second corporate network. The only requirements on the second corporate network would be to allow the SSL tunnel through the corporate firewall.

The Tracker also supports VPN connections using the strong 128-bit Microsoft Point-to-Point Encryption (MPPE) to create a secure tunnel. This is suited to situations that demand a more permanent connection to the Tracker.

To our knowledge, there have been no successful hacking attempts on a Tracker that is out in the field. We continue to update the Tracker so that our customers feel confident in allowing the Tracker onto their corporate networks.