OS/2 eZine - The Best OS/2 Reading Anywhere!

February 16, 2002

Buy the CD 'This Space for Rent' by Pete Grubbs

An Introduction to Security Part 2

After my previous article was published, I received several e-mails from OS/2 users in which they pointed me to the existence of one other product for transparent data encryption. This product is AEFS (http://pcpc.xs4all.nl/files/pub/os2/OS2SYS/AEFS021.ZIP). We will return to it for a more detailed examination of such programs a bit later.

Our current task is to finish up some theoretical questions.

Data inside communication lines (networks)

The most common methods for data protection inside wires are cryptographic methods. They protect data against disclosure and partially from distortion. You might ask - what about destruction and complete distortion protection? The fact of the matter is that we are crossing here the invisible edge between data security and data transportation. I'm sure, we should treat some data transfer protocols characteristics, such as data correction, reliable delivery, quality of service, as a part of the whole picture of the information security but I won't stop on these particular characteristics. There are enough good books devoted to this side of information technologies. I just want to remark that during the system design process we shouldn't forget that communication protocols play their own role in data protection.

All networks are based on one of several protocols. Which protocols do we have in OS/2? Almost all of them exist at the present time. Let's list the most important supported protocols and appraise them from the point of view of our topic.

Note. All modern network protocols supply reliable delivery and error correction.

Netbios is an unrouted protocol for small networks. It doesn't provide any methods for data security (except cipher passwords.) LAN Server and Warp Server don't provide any safety for data flow when they use the native Netbios protocol. So we can only use Netbios if we don't have any critical data sent inside the network or we are protected against physical (including electromagnetic fields) access to our cable system.
IPX/SPX. This protocol set was included in OS/2 for Novell Netware compatibility. In most cases an OS/2 station is only a client workstation in an IPX/SPX based network. Novell Netware has special abilities for data flow encryption, but because this security level is provided by Netware servers' facilities, we skip it. There is lots of good informaion on this in the literature.
TCP/IP and Netbios over TCP. First of all it is necessary to say that Netbios over TCP has the same security advantages and disadvantages that TCP/IP does because it uses TCP/IP as a rider uses a horse.

Protection in TCP/IP networks is supplied in a traditional way with modern cryptographic algorithms. They guarantee that data will be secure and that we have a deal with the particular person we want. The most widely used algorithm is RSA (cryptography with asymmetric keys). But RSA itself is a rather resource-intensive method. So, industry implementations use different combinations of RSA and other, more lightweight algorithms. Let's consider how it looks in practice. Data in the TCP/IP networks could be defended on several different levels:

encrypt information within protocol bounds (for example secure http protocol - https);
encrypt the whole data flow (tunneling);
encrypt separate messages (e-mail for instance).

Secure Sockets Layer (SSL)

The first way is also known as Secure Sockets Layer (SSL) protocol. Practically all Internet protocols have their SSL doubles. This approach allows you to protect standard data flow between client and server. The most typical specimen is HTTPS, which is used by an Internet browser and HTTP server to establish a special encrypted channel. In OS/2 all current browsers (Netscape, Mozilla etc., except Links) support the HTTPS protocol. What about servers, they are:

Apache/SSL (two independent ports http://avn.nicoil.ru and http://silk.apana.org.au), which are kept up to date by their porters;
IBM Internet Connection Secure Server (ICSS), support for the OS/2 version was abandoned several years ago, this is a commercial product, the last version is 4.2.X;
IBM Web Traffic Express (http/proxy server), support for OS/2 version was abandoned several years ago, this is a commercial product too, last version is 1.1.2;
Lotus Go HTTP Server, it is possible sometimes to find new builds of this server on http://testcase.boulder.ibm.com, the last version known to me is 4.6.2.8;
Lotus Notes Domino, its HTTP part also supports the SSL protocol, this is a commercial product and it is still in development.

There are SSL realisations for other Internet protocols in Unix, but for OS/2 I only know of parts of Lotus Notes Domino (SSL variants of POP3, SMTP, NNTP etc.). If you know about any implementation of POP3S, SMTPS etc. in OS/2 let me know, please.

For OS/2 developers this link might be useful http://www.openssl.org. It is the open-ssl library and its OS/2 port is at http://avn.nikoil.ru

Tunnelling

Under tunnelling we create a channel (for all network traffic) between two points, this channel is absolutely transparent for users on both ends of this channel. If for the previous method we had to have a special client with SSL support, here it is not necessary to have any special software as both ends are equal. The classical example of tunnelling is a Virtual Private Network (VPN). VPN is used when you need to connect two offices' local networks through an unprotected network, such as a leased line or the Internet. In this case it doesn't matter which topology these connecting networks have, which addresses they use. VPN also could be used inside one company for protected connection creation between two machines.

VPN is common technology. There are hardware implementations in network routers and switches produced by Intel, Cisco, 3Com etc. There are a lot of different software products for VPN (and PPTP - is its variety) for Unix, Windows and also for OS/2. VPN support is built into the OS/2 TCP/IP stack beginning from version 4.1. F/X Communications continues developing series of products under the common name InJoy (http://www.fx.dk). A free PPTP client for OS/2 is available from http://home.wanadoo.nl/~rwklein/pptp.htm. If you need more information about virtual networks you can try to find "A Comprehensive Guide to Virtual Private Networks" IBM's document (p/n SG245201 on http://www.redbooks.ibm.com.)

There is also an intermediate solution, which resides between tunnelling and protocol based ciphering. This solution allows you to tunnel only particular TCP ports without concern for what protocol it is for. I know two Unix products which have been ported to OS/2, they are SSH (available from Hobbes (http://hobbes.nmsu.edu)) and STunnel (available from http://avn.nikoil.ru.) Such an approach requires special add-ons on the client's side.

socksd with Tunnelling

As a conclusion for this part I'd like to introduce a new product which accumulates all the best parts of OS/2 TCP/IP - it is socksd with a tunnel plugin. This new program allows you to establish secured connections between two networks via unprotected lines for certain TCP/IP ports, but thanks to built-in socks support in the OS/2 TCP/IP stack, the client doesn't have to have any additional software to use this connection. This program is coming soon. For additional information ask Nickk (mailto:nickk@mail.ru).

When should we use a VPN, and when do we use tunnelling for a certain port? If you want to connect two networks and you have an Internet connection leased especially for this purpose, the pure VPN solution is better. If you already have the Internet connection and just want to connect two networks via Internet with a secured channel as an additional service, I think it is better to use tunnelling for certain ports, that will allow you to keep the rest of the TCP/IP ports free for ordinary Internet operations.

E-mail Message Encryption

We considered how to protect continuous data flow in the network. But sometimes we need to defend separate messages we are sending. As a rule these messages are e-mail. The only reliable and available, in my humble opinion, tool to do that is Pretty Good Privacy (PGP). PGP is shipped often in source code, so everybody can build their own tool. Luckily for us, it's not necessary, there is an OS/2 native version and a corresponding set of tools available from the Hobbes (http://hobbes.nmsu.edu/cgi-bin/h-search?key=PGP) file archive. The current (as far as I know) version for OS/2 is 5.0. This program allows you to encrypt and sign files with a digital signature, which you can then send over the internet or some other way. I can't say that it is very convenient to switch between e-mail client and pgp constantly, so some e-mail client programs understand and support PGP. For example - PMMail (note, it requires you to have the PGP package installed for proper functioning and key management.) Lotus Notes mail client also can encrypt and sign messages, it uses Notes' embedded cipher algorithms.

Note. We haven't touched on the important problem of security key management. I suppose we will find time to do that later.

As you can see, the subject of data security is very wide and boundless. Only this brief description took a lot of our time. Next I'm going to consider computer and computer data protection against external attacks, i.e. how to limit access to the certain computer from Internet.

To be continued...

Based on materials kindly given by Stepan Kazakov (AKA Zuko).

Andrei A. Porodko (mailto:andy@cbs-edu.chel.su) is a member of the 3rd Eye development team.

This article is courtesy of www.os2ezine.com. You can view it online at http://www.os2ezine.com/20020216/page_13.html.