FirstClass® Communications Platform Security FirstClass is an inherently secure design. The information provided below describes some of the inherent security features of the product and details the strategies and standards FirstClass® utilizes to provide a secure environment.
FirstClass combines a robust message store and access control system with an encrypted client-server connection to ensure that messages are secure. FirstClass employs a stream-cipher to implement secure log-ins and data communications. The encryption scheme uses a 3-way handshake with keys exchanged by the server and client at link startup, to ensure that the encryption is different each time. Everything from user activity, address books, messaging and chats are encrypted over the link. The public keys are stored in the directory, and for internal FirstClass users, the process of sending a secure message is transparent.
Encryption at this level provides secure transmission for not only passwords, but for every message, calendar item, and address book entry. Notification and authentication are provided using MD5 for excellent account security. Packet level encryption is inherent to FirstClass and as such, works regardless of whether the system is communicating using TCP/IP, IPX, AppleTalk, ISDN, or even by modem.
In addition, FirstClass also offers packet-level encryption. Essentially, this means that every portion of every message transmitted between the client and the server is significantly more difficult to successfully intercept. Almost all network applications, from file sharing to printing to sending messages, expose content directly to anyone utilizing a simple packet analyzer program. Packet level encryption ensures secure message transfer regardless of connection type.
In addition to the encryption of content traveling between the client and server, FirstClass® provides 5 layers of security.
Layer 1: UserID and Password The user ID and password is first level of security. All users must have a valid UserID and password to log on to the server. Password restrictions can be customized to ensure that user’s accounts are not easily accessible. In addition, most conventional email systems accomplish user log-in by making use of the user’s mail address, which is public information. Within the FirstClass environment however, UserIDs and email addresses are unrelated to each other, unrelated to the user’s password, and also unrelated to the name.of the actual user. Using this private information makes it far more difficult to break into a FirstClass User’s mail account than conventional email systems.
Password Security within FirstClass® Unified Communications: Users have two sets of user ID’s and passwords – one for access to the FirstClass server via the PC or web (Internet Services), and one for access through the phone (FirstClass Voice Services). Accounts can be created and deleted on an individual basis or via Batch Administration commands for larger groups of users. When provisioned with a new account, users are assigned a unique username and password, subject to the strengths of the FirstClass security features outlined here. New users can be notified of their new username and temporary password via two separate emails (for security purposes), and instructed to change the temporary password to a different alphanumeric password, subject to FirstClass’ password rules.
For PC or web access, Administrator(s) can set the password restrictions for all users on the system. If the Administrator does not set any password restrictions, FirstClass sets default restrictions according to User Group settings. More specifically, the Administrator can set: • Password Expiry period • Allow or disallow recent passwords • Password minimum character length • Password use of alphanumeric characters • Password encryption (Password length is masked – Password field will completely fills with ‘*’ instead of the actual password, regardless of password’s actual length) • 1 minute Timed Lock-Out after 3 failed attempts at login.
Layer 2: User Privileges The second layer encompasses the user's privileges within FirstClass. With over 30 different user privileges, the administrator can control everything from the user’s ability to create private mail to the ability to publish a home page.
Layer 3: Directory Security The third level of security is the Directory. Administrators can configure a different view of the Directory for each user group. If a conference name is not in the Directory, the user cannot send mail to the conference. If a person's name is hidden from view, the user cannot send email, view the personal calendar, or see the person's web page. The contents of a directory controls the users ability to access any conference or any other user.
Layer 4: Conference Subscriptions Conference subscriptions are the fourth security layer. If a user is placed on a subscription list to a particular conference, that conference folder will appear on his/her desktop. The user is then able to interact within that conference based on his/her access permissions. If a conference is not on a user's Desktop, or accessible in a sub-layer of a conference that appears on the user’s desktop, the contents cannot be accessed. Unlike most mail systems, FirstClass offers a complete user and group access control system, and provides this at both the system and the conference level. It is possible to maintain the utmost control over access to specific information, conferences, and folders by allowing the administrator to assign discrete levels of access permissions for individual users, or groups, based on their requirements. An individual’s access is secured through their unique User ID and password, which, as discussed above, is difficult to compromise.
Layer 5: Access Permissions The final level of security is the ability to set access permissions. The conference controller can customize access permissions for each participant or user group. Access permissions can also be applied to Calendars. Access permissions encompass 16 levels of permissions that can be assigned to individual users or groups. In addition to the Five Layers discussed above, security may additionally be broken down into three components: • Content security (making sure that data on the server is secure) • Network security (making sure that the data flowing between the client and server is secure) • Attack security (making sure that the system is protected against viruses and denial of service attacks) FirstClass® addresses each of these components.
Content Security: FirstClass stores all user data in a secure Collaborative Store. This data is managed by the server, and provides a complete history and audit trail of data movement. This ensures that users and administrators know exactly who is creating, sending and accessing content. Every message and file stored is encapsulated, so raw files are never written to the Post Office. This avoids any possibility of viruses running on the server machine. The Collaborative Store may also be mirrored to another backup Post Office to ensure that user content is secure against hardware failure or disaster.
Network Security: The connection between the FirstClass Server and the FirstClass client is made using a secure network connection. FirstClass uses an advanced streaming cipher to provide protection against network sniffers. As described above, all data is encrypted, as compared with some systems, which encrypt only the body of the message. In addition, FirstClass has an additional level of encryption for passwords, ensuring that passwords are double-encrypted.
Security risks from outside the local area network are generally associated with a remote access solution such as remote IPX or TCP/IP routers, ARA and terminal servers. These can easily expose a network to outside and potentially damaging access. FirstClass is an excellent network firewall. It allows connections directly to the server machine via both direct modem and remote TCP/IP protocols. There is no method for such a connection to bypass the server machine, access the network or access anything other than the FirstClass server, as controlled by the users’ permissions.
In the event that a user has gained knowledge of the Administrator’s password (perhaps through observing the login process or other physical means) there is still no facility to have access to the server machine’s file structure or the network.
One of the reasons for this is that FirstClass connections employ entirely proprietary protocols that are designed to run on top of inherently secure operating systems. Windows NT and the Macintosh O/S (both used as FirstClass Servers) are not susceptible to intrusive O/S level access.
With FirstClass, users are completely locked into an environment that cannot be accessed or bypassed from within that environment. If a user, in an attempt to break in, were to attempt to bypass FirstClass by somehow disabling FirstClass (which is not something the system is susceptible to), the user would be instantly disconnected when the server ceased working. FirstClass, because it handles all of the communication protocols internally, is the only element handling the connection and no connection will exist when it ceases to function.
The FirstClass Post Office files all reside on locked volumes, so the files themselves cannot be accessed from the network, except when logged in as a FirstClass user. This, as discussed above, strictly controls the level of file access. This contrasts with several well-known email products that require that their mail users have read AND write access to their post office files that must reside on an accessible volume on the file server. This allows completely free ability to edit, corrupt or even delete selected files. The standard method suggested to protect against this eventuality is to frequently back up the files in question so that restoration is more easily accomplished. While providing some protection against data loss, this in no way prevents intruders from gaining access to the information contained within the mail system.
Attack Security: FirstClass is highly resistant to attack security, for two reasons. First, on the server, all data (including files, messages and attachments) are encapsulated, which ensures that any viruses will pass harmlessly through the server. Second, since the FirstClass client has no user data stored locally, any virus that does run on a client machine will have no ability to access client data (such as messages and address book entries), and thus will be unable to reproduce itself.
A History of Supporting Secure Communications For over a decade the designers of FirstClass have emphasized security as the most important aspect of a messaging system, avoiding the security problems found in systems that emphasize features over security. Open Text maintains close ties to security-monitoring standards and is committed to addressing any security concerns as quickly as possible.
Additional information on MD5 can be found at: http://www.faqs.org/rfcs/rfc1321.html
Version 8 Security Enhancements Enhanced security: The FirstClass 8.0 server introduces a number of important security improvements. These include server support for S/MIME configuration and enhancements to the FCP encryption scheme. In addition, administrators are now able to improve overall system security by forcing the use of encrypted connections and by disallowing the use of saved passwords.
Password change disable: This feature enables administrators to prevent users from changing their passwords. This is typically required when enabling the new External Authentication option in FirstClass Directory Services.
New FCP Encryption using CAST-128: FirstClass has always included the ability to encrypt the connection between the client and server, using an advanced proprietary encryption method. As part of our continued goal of delivering the most secure experience possible to our customers, we have enhanced this facility by adding an additional standards-based encryption option. This is based on CAST-128, a public-standard encryption algorithm, fully described in RFC-2144 of the Internet Engineering Task Force (IETF). Full details may be found at http://www.ietf.org/rfc/rfc2144.txt. We believe that this is an excellent choice, being both cryptographically strong and high performance.
Secure Connection Option: FirstClass has always provided the ability to use a secure, encrypted connection between the client and server, but this choice has been made by the end user. To better meet the needs of security-conscious organizations FirstClass 8.0 enables the administrator to configure the server to automatically turn on encryption for all client connections.
Enforce Minimum Client Version: FirstClass 8 enables the administrator to (optionally) enforce a minimum client version for connecting to the server.
Upload Restrictions: In FirstClass 8.0, the former "Download Restrictions" feature has been expanded to include restriction on file uploads as well. These restrictions combined enable administrators to prevent the uploading or downloading of certain file types. Restricting the download of common computer virus file types can help prevent virus infection of users' computers, even if they attempt to open the email attachment. By restricting the uploading of such file types, administrators can prevent viruses from entering the system and spreading to others.back to top // End Statement // 04/14/2015