February 16, 2002
Andrei A. Porodko is a member of the 3rd Eye development team.
If you have a comment about the content
of this article, please feel free to vent in the
OS/2 eZine discussion forums.
There is also a Printer Friendly version of this page.
|
|
An Introduction to Security Part 2
After my previous article was published, I received several
e-mails from OS/2 users in which they pointed me to the existence of
one other product for transparent data encryption. This
product is AEFS.
We will return to it for a more detailed
examination of such programs a bit later.
Our current task is to finish up some theoretical questions.
Data inside communication lines (networks)
The most common
methods for data protection inside wires are cryptographic
methods. They protect data against disclosure and partially from
distortion. You might ask - what about destruction and complete
distortion protection? The fact of the matter is that we are
crossing here the invisible edge between data security and data
transportation. I'm sure, we should treat some data transfer
protocols characteristics, such as data correction, reliable
delivery, quality of service, as a part of the whole picture of
the information security but I won't stop on these particular
characteristics. There are enough good books devoted to this
side of information technologies. I just want to remark that
during the system design process we shouldn't forget that
communication protocols play their own role in data protection.
All networks are based on one of several protocols. Which
protocols do we have in OS/2? Almost all of them exist at the present
time. Let's list the most important supported protocols and appraise
them from the point of view of our topic.
Note. All modern network protocols supply reliable delivery and
error correction.
- Netbios is an unrouted protocol for small networks. It doesn't
provide any methods for data security (except cipher passwords.)
LAN Server and Warp Server don't provide any safety for data flow
when they use the native Netbios protocol. So we can only use Netbios
if we don't have any critical data sent inside the network or we
are protected against physical (including electromagnetic fields)
access to our cable system.
- IPX/SPX. This protocol set was included in OS/2 for Novell
Netware compatibility. In most cases an OS/2 station is only a
client workstation in an IPX/SPX based network. Novell Netware
has special abilities for data flow encryption, but because this
security level is provided by Netware servers' facilities, we
skip it. There is lots of good informaion on this in the literature.
- TCP/IP and Netbios over TCP. First of all it is necessary to
say that Netbios over TCP has the same security advantages and
disadvantages that TCP/IP does because it uses TCP/IP as a rider
uses a horse.
Protection in TCP/IP networks is supplied in a traditional
way with modern cryptographic algorithms. They guarantee that
data will be secure and that we have a deal with the particular
person we want. The most widely used algorithm is RSA (cryptography
with asymmetric keys). But RSA itself is a rather resource-intensive
method. So, industry implementations use different
combinations of RSA and other, more lightweight algorithms.
Let's consider how it looks in practice. Data in the TCP/IP
networks could be defended on several different levels:
- encrypt information within protocol bounds (for example secure
http protocol - https);
-
encrypt the whole data flow (tunneling);
-
encrypt separate messages (e-mail for instance).
Secure Sockets Layer (SSL)
The first way is also known as Secure Sockets Layer (SSL) protocol.
Practically all Internet protocols have their SSL doubles. This
approach allows you to protect standard data flow between client and
server. The most typical specimen is HTTPS, which is used by an Internet
browser and HTTP server to establish a special encrypted channel. In
OS/2 all current browsers (Netscape, Mozilla etc., except Links)
support the HTTPS protocol. What about servers, they are:
- Apache/SSL (two independent ports avn.nicoil.ru and
silk.apana.org.au), which are kept up to date by their
porters;
-
IBM Internet Connection Secure Server (ICSS), support for the OS/2
version was abandoned several years ago, this is a commercial
product, the last version is 4.2.X;
-
IBM Web Traffic Express (http/proxy server), support for OS/2
version was abandoned several years ago, this is a commercial
product too, last version is 1.1.2;
-
Lotus Go HTTP Server, it is possible sometimes to find new
builds of this server on http://testcase.boulder.ibm.com, the
last version known to me is 4.6.2.8;
-
Lotus Notes Domino, its HTTP part also supports the SSL protocol,
this is a commercial product and it is still in development.
There are SSL realisations for other Internet protocols in Unix,
but for OS/2 I only know of parts of Lotus
Notes Domino (SSL variants of POP3, SMTP, NNTP etc.). If you
know about any implementation of POP3S, SMTPS etc. in OS/2 let
me know, please.
For OS/2 developers this link might be useful
www.openssl.org. It is the open-ssl library and its OS/2 port is at
avn.nikoil.ru
Tunnelling
Under tunnelling we create a channel
(for all network traffic) between two points, this channel
is absolutely transparent for users on both ends of this
channel. If for the previous method we had to have a special
client with SSL support, here it is not necessary to have any
special software as both ends are equal. The classical example
of tunnelling is a Virtual Private Network (VPN). VPN is used when
you need to connect two offices' local networks through
an unprotected network, such as a leased line or the Internet. In this
case it doesn't matter which topology these connecting networks
have, which addresses they use. VPN also could be used inside
one company for protected connection creation between two
machines.
VPN is common technology. There are hardware
implementations in network routers and switches produced by
Intel, Cisco, 3Com etc. There are a lot of different software
products for VPN (and PPTP - is its variety) for Unix, Windows
and also for OS/2. VPN support is built into the OS/2 TCP/IP stack
beginning from version 4.1. F/X Communications continues
developing series of products under the common name InJoy
(www.fx.dk). A free PPTP client for OS/2 is available from
home.wanadoo.nl/~rwklein/pptp.htm. If you need more
information about virtual networks you can try to find "A
Comprehensive Guide to Virtual Private Networks" IBM's document
(p/n SG245201 on www.redbooks.ibm.com.)
There is also an intermediate solution, which resides between
tunnelling and protocol based ciphering. This solution allows you to
tunnel only particular TCP ports without concern for what
protocol it is for. I know two Unix products which have been
ported to OS/2, they are SSH (available from
Hobbes) and STunnel (available from
avn.nikoil.ru.) Such an approach requires special add-ons on
the client's side.
socksd with Tunnelling
As a conclusion for this part I'd like to introduce a new product
which accumulates all the best parts of OS/2 TCP/IP - it is
socksd with a tunnel plugin. This new program allows you to
establish secured connections between two networks via
unprotected lines for certain TCP/IP ports, but thanks to
built-in socks support in the OS/2 TCP/IP stack, the client doesn't
have to have any additional software to use this connection.
This program is coming soon. For additional information ask
Nickk.
When should we use a VPN, and when do we use tunnelling for a certain port?
If you want to connect two networks and you have an
Internet connection leased especially for this purpose, the pure
VPN solution is better. If you already have the Internet
connection and just want to connect two networks via Internet
with a secured channel as an additional service, I think it is
better to use tunnelling for certain ports, that will allow you
to keep the rest of the TCP/IP ports free for ordinary Internet
operations.
E-mail Message Encryption
We considered how to protect
continuous data flow in the network. But sometimes we need to
defend separate messages we are sending. As a rule these
messages are e-mail. The only reliable and available, in my
humble opinion, tool to do that is Pretty Good Privacy
(PGP). PGP is shipped often in source code, so everybody can
build their own tool. Luckily for us, it's not necessary, there
is an OS/2 native version and a corresponding set of tools
available from the Hobbes
file archive. The current (as far as I know)
version for OS/2 is 5.0. This program allows you to encrypt and sign
files with a digital signature, which you can then send over the
internet or some other way. I can't say that it is very
convenient to switch between e-mail client and pgp constantly,
so some e-mail client programs understand and support PGP. For
example - PMMail (note, it requires you to have the PGP package
installed for proper functioning and key management.) Lotus
Notes mail client also can encrypt and sign messages, it uses
Notes' embedded cipher algorithms.
Note. We haven't touched on the important problem of security key
management. I suppose we will find time to do that later.
As you can see, the subject of data security is very wide and boundless.
Only this brief description took a lot of our time. Next I'm
going to consider computer and computer data protection against
external attacks, i.e. how to limit access to the certain
computer from Internet.
To be continued...
Based on materials kindly given by Stepan Kazakov (AKA Zuko).
|