Wind River Security


Wind River IPsec and IKE
Wind River IPsec and IKE are Wind River's implementation of IPsec and IKE as specified by the IETF. They provide authentication, data integrity, and encryption of any network traffic at the IP layer. IPsec and IKE support both IPv4 and IPv6 and provide a management API as well as a flexible hardware interface for encryption acceleration.

IPsec and IKE provide extensive statistics gathering and logging, giving developers access to a vast array of information on security sessions that are created or attempted. This can be used to monitor for potential network problems, as well as determine potential network threats and attacks.

IPsec supports the standard Authentication Header (AH) and Encapsulating Security Payload (ESP) functions, as defined by the IETF. Both tunnel and transport mode are supported, with an application interface that allows users to support other tunneling protocols. IKE main mode and quick mode are supported, allowing dynamic negotiation of security associations. The Oakley protocol is used for key exchange between negotiating peers.

Wind River IPsec and IKE can utilize a broad suite of encryption and hashing algorithms, allowing the developer to make the necessary trade-offs between strength of the security algorithm and system performance.

Wind River Firewall and Wind River NAT
Wind River's solution for implementing a firewall within a device is based on Wind River NAT and Wind River Firewall. Wind River NAT is a full-featured implementation of the industry-standard Network Address Translation protocol for use in routers, firewalls, DSL and cable modems, and residential gateways. A device running Wind River NAT can connect an entire department or a small office to the Internet using only a single global IP address. Address mapping effectively conceals the size and topology of the private network from the outside, providing a basic level of security.

Wind River NAT supports the two most widely used NAT modes. Basic NAT performs one-to-one mapping of private IP addresses to a preallocated block of external IP addresses. The more commonly used Network Address Port Translation (NAPT) maps port numbers in addition to IP addresses. NAPT allows multiple private addresses (up to 64,000 address/port combinations) to be multiplexed on a single public address, providing the full benefit of address conservation and security.

NAT provides basic security by blocking all incoming connection requests that don't map to recognized address translations. Wind River NAT is configurable through use of Wind River SNMP, CLI, or Web interfaces. Wind River NAT can be used in conjunction with Wind River's IPsec and IKE software, and is also fully integrated with the Wind River Firewall.
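The NAPT behaviour described above, as an added illustration that is not Wind River code: a small simulator that multiplexes private address/port pairs onto one public address, translates inbound traffic only when it matches a live mapping, and drops everything else. Addresses, ports and the pool size are constructed values.

```python
"""NAPT (Network Address Port Translation) simulation.

Constructed example, not Wind River's implementation. It models how a NAPT
gateway rewrites outbound sources to (public_ip, allocated_port) and admits
inbound packets only when they match an existing translation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Napt:
    public_ip: str
    port_lo: int = 1024      # first public port in the translation pool
    port_hi: int = 65535     # last public port in the pool
    # public port -> (private endpoint, remote endpoint)
    inbound: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    # (private endpoint, remote endpoint) -> public port
    outbound: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)

    def _free_port(self) -> int:
        # Pool exhaustion is the practical limit on concurrent mappings.
        for port in range(self.port_lo, self.port_hi + 1):
            if port not in self.inbound:
                return port
        raise RuntimeError("NAPT port pool exhausted")

    def egress(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Outbound packet: allocate (or reuse) a public port, return the new source."""
        key = (src, dst)
        if key not in self.outbound:
            port = self._free_port()
            self.outbound[key] = port
            self.inbound[port] = (src, dst)
        return (self.public_ip, self.outbound[key])

    def ingress(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Inbound packet: translate to the private endpoint if a mapping exists.

        Returns None (drop) for packets to our public IP that match no live
        translation, or that come from a remote other than the one that was
        contacted. This is the 'basic security' that NAT provides.
        """
        entry = self.inbound.get(dst[1])
        if dst[0] != self.public_ip or entry is None or entry[1] != src:
            return None
        return entry[0]
```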

The Wind River Firewall provides a powerful filtering engine that allows device manufacturers to optimize their software, enabling advanced features that protect the user's valuable data. This filtering engine is ideally suited to a wide range of products, including SOHO routers, broadband access devices, and small to medium-sized enterprise devices.

Wind River Security Libraries
Wind River Security Libraries is a collection of functions that are used or available for use by other components, including the Common Crypto Interface (CCI), which is a library of crypto algorithms (encryption and hashing). CCI is used by other components needing access to crypto functions. The Crypto Provider Interface (CPI) provides a mechanism for developers to add other crypto libraries or interface to hardware-based crypto functions.

Wind River Security Libraries also includes an implementation of X.509 digital certificates. Digital certificates can be used by a variety of other components, including Wind River IPsec and IKE, Wind River Wireless Security, Wind River Web Server, and Wind River Web Services.

Wind River SSH
Wind River SSH (Secure Shell) is a client-server protocol that creates a secure terminal connection between an SSH client and an SSH server. This allows embedded systems to communicate at the application level over a connection that is encrypted and provides data integrity and replay protection. This eliminates eavesdropping, connection hijacking, IP spoofing, and other network-level attacks. Additionally, SSH provides several secure tunneling capabilities that may be used to create Virtual Private Networks (VPNs). A variety of authentication methods are also supported.

Wind River SSL
Wind River Secure Socket Layer (SSL) is a client-server technology used to secure any higher-layer protocol that uses sockets, such as securing HTTP connections (HTTPS) for e-commerce. Security is provided through privacy, using data encryption; authentication, using digital certificates; and message integrity, using message digests.

Wind River RADIUS Client
Wind River RADIUS Client is a full-featured implementation of the industry-standard Remote Authentication Dial-In User Service (RADIUS) protocol. This implementation supports a complete set of functions for authentication, accounting, and security, and it has been verified against several commercial RADIUS servers, ensuring compatibility for a wide range of applications. Wind River RADIUS Client includes standard MIB support integrated with Wind River SNMP, and it is integrated with the Wind River Wireless Security component to enable authentication of the supplicant.

Wind River RADIUS Client allows the network to determine if the user is allowed access (authentication). Authentication is also used to determine that a message has not been altered in transit or fabricated. Authorization determines which network resources the user may access, and the accounting functions provide a record of the usage.

Wind River Wireless Security
Wind River Wireless Security is a suite of security protocols employed in a wide range of wireless devices. The suite includes both supplicant and authenticator for the 802.1X, Wi-Fi Protected Access (WPA), and 802.11i protocols.

The Wireless Security authenticator is integrated with the Wind River RADIUS Client, Wind River Learning Bridge, and Wind River Wireless Ethernet Driver, providing all the core functionality for typical authenticator products, such as wireless access points. Although integrated and validated with the Wind River Wireless Ethernet Driver, the Wind River Wireless Security implementation can be used with any wireless chipset with an appropriate driver that includes WPA/802.11i low-level support.

Both supplicant and authenticator can be used in the same product, providing for greater flexibility and a wide range of application support. Multiple EAP (Extensible Authentication Protocols) types are supported. The security implementation includes pre-shared keys, TKIP (Temporal Key Integrity Protocol), and Michael Countermeasures. A range of encryption and hashing algorithms are available to give developers flexibility in trading off security level versus performance. Integration with Wind River SNMP is included to interface with the 802.1X MIB.

Wind River WPASUP (Wireless Supplicant)
Available for Wind River Linux, WPASUP handles all 802.1X messages and interfaces with the Wind River Network Stack and a wireless driver. It runs in Linux user space. It is integrated with WPA and WPA2 and works with several EAP methods, as mandated by the Wi-Fi Alliance.
