Mediator Security Features-final


8/7/2019 Mediator Security Features-final

Mediator Security Capabilities
Product Information Note
Richards-Zeta Building Intelligence, Inc.
June 2003


    Overview

This Product Information Note contains a high-level description of the security capabilities of the Richards-Zeta Mediator 2500. These capabilities are based on the version of the Linux operating system that runs on the Mediator.

The Mediator is an embedded system designed to perform a specialized function: running the Mediator Framework application in a Richards-Zeta system. The Linux operating system that runs on the Mediator has been optimized for that purpose. Because Linux is scalable, it allows some components normally included on a general-purpose system to be omitted. Some have been omitted because they are insecure, and in some cases these have been replaced with secure components that perform the same functions. In addition, some components have been omitted because they are not necessary, allowing Linux to require as little of the Mediator's resources as possible.

Note: Some of the features described in this document are not included in the standard Mediator system configuration, but can be specified by the customer. Configuring some of the features requires advanced technical expertise. Some customers whose staffs include personnel extensively experienced in Linux installation and configuration may be able to handle tasks of this level of difficulty. Most will require the assistance of Professional Services.

    Packet Filtering Firewall

A firewall is a device that connects an internal TCP/IP network to the Internet and provides security by controlling the type of messages it will allow to enter the internal network. The Mediator provides firewalling by implementing the Netfilter packet-filtering subsystem built into the Linux operating system. A packet-filtering firewall examines all of the IP data packets that arrive from outside and determines their disposition according to user-configured rules.

In addition, Netfilter provides stateful inspection. It can associate all of the data packets of an existing connection, based on user-configured rules, and deny or reject packets not belonging to that connection. The states on which rules can be specified include:

- New (a packet is attempting to establish a new connection)
- Related (a packet is related to the existing connection, and is passing in the original direction)
- Invalid (the packet does not match any existing connections)
- Established (the packet is part of an existing connection)
- Related+Reply (the packet is not part of an existing connection, but is related to one)
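To show how the states above drive rule evaluation, here is a toy connection tracker and rule chain added as an example; it is not Richards-Zeta code and all hosts, ports and packets in it are constructed. It mirrors an iptables INPUT chain that accepts ESTABLISHED and RELATED traffic, accepts NEW connections only to port 22, and drops everything else.

```python
"""Toy stateful packet filter, added here as an example; it is not Richards-Zeta code.
It classifies packets into the conntrack-style states listed above and then walks an
ordered rule list like an iptables INPUT chain whose policy is DROP. All hosts, ports
and packets are constructed for illustration."""

NEW, ESTABLISHED, RELATED, INVALID = "NEW", "ESTABLISHED", "RELATED", "INVALID"

class Tracker:
    def __init__(self):
        self.conns = set()     # 4-tuples (src, dst, sport, dport) of accepted connections
        self.expected = set()  # (src, dst, dport) of flows a known connection announced

    def expect(self, src, dst, dport):   # e.g. an FTP data channel announced by the control channel
        self.expected.add((src, dst, dport))

    def classify(self, src, dst, sport, dport, flags):
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if fwd in self.conns or rev in self.conns:
            return ESTABLISHED   # either direction of a connection already accepted
        if (src, dst, dport) in self.expected:
            return RELATED       # new flow, but one an existing connection announced
        if "SYN" in flags and "ACK" not in flags:
            return NEW           # a genuine attempt to open a connection
        return INVALID           # e.g. a stray ACK for a connection never seen

    def filter(self, pkt, rules):
        """rules: ordered (state or None, dport or None, verdict); first match wins."""
        src, dst, sport, dport, flags = pkt
        state = self.classify(src, dst, sport, dport, flags)
        for rule_state, rule_port, verdict in rules:
            if rule_state in (None, state) and rule_port in (None, dport):
                if verdict == "ACCEPT" and state in (NEW, RELATED):
                    self.conns.add((src, dst, sport, dport))   # start tracking it
                    self.expected.discard((src, dst, dport))
                return verdict, state
        return "DROP", state     # nothing matched: the chain policy applies

# Same intent as:  -P INPUT DROP
#   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#   -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
RULES = [(ESTABLISHED, None, "ACCEPT"), (RELATED, None, "ACCEPT"), (NEW, 22, "ACCEPT")]

def demo():
    """Run four constructed packets through the chain; return (verdict, state) per packet."""
    t = Tracker()
    packets = [("10.0.0.5", "10.0.0.1", 40000, 22, {"SYN"}),   # SSH connection attempt
               ("10.0.0.5", "10.0.0.1", 40000, 22, {"ACK"}),   # next packet of that session
               ("10.0.0.5", "10.0.0.1", 40001, 23, {"SYN"}),   # telnet attempt
               ("10.0.0.9", "10.0.0.1", 5555, 80, {"ACK"})]    # ACK with no connection
    return [t.filter(p, RULES) for p in packets]
```

Note that the ordering matters: if the NEW rule for port 22 were listed first with no port restriction, the telnet attempt would also be accepted, which is the point the note makes about user-configured rules.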

    Secure Shell (SSH)

The Secure Shell (SSH) protocol defines programs that allow users to securely log onto another computer over a network, execute commands remotely, and move files between machines. It provides strong authentication and secure communications over insecure networks such as the Internet.

The Mediator uses the OpenSSH implementation of the SSH protocol specification. OpenSSH is an open-source package included in the Linux operating system installed on the Mediator. OpenSSH provides a secure replacement for the standard remote session and file transfer tools (telnet, rlogin, rsh, and rcp), and supports interactive login sessions, remote execution of commands, forwarded TCP/IP connections, and forwarded X11 connections.


SSH provides a virtual private connection at the application layer, including both an interactive login protocol as well as a facility for the secure transfer of files. SSH encrypts the username and password in a remote login session, and supports remote host authentication, reducing the threat of client impersonation through IP address spoofing or DNS manipulation. In addition, SSH supports several secret-key encryption protocols, including DES, Triple DES, IDEA, RSA, and Blowfish, to help ensure the privacy of the entire communication.

Note: The OpenSSH packages require prior installation of the OpenSSL package. OpenSSL installs several important cryptographic libraries that help OpenSSH provide encrypted communications.

    SSL (Secure Socket Layer)

Secure Socket Layer (SSL) is an open protocol originally published by Netscape to allow encrypted transmission of data between Web browsers and Web servers. SSL is based on private key encryption technology and provides data encryption, server authentication, message integrity, and client authentication for TCP/IP connections.

Programs implementing TCP/IP (the Transmission Control Protocol/Internet Protocol) control the transport and routing of data over the Internet. Applications based on other protocols use the services provided by TCP/IP. For example, web servers that implement the HyperText Transport Protocol (HTTP) use TCP/IP to support the display of web pages.

TCP/IP is structured in interacting software layers. The SSL protocol layer runs between the TCP/IP transport layer and programs based on higher-level protocols such as HTTP, which run in the application layer. It allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection.

SSL is frequently used in communications between Web browsers and Web servers. URLs that begin with https indicate an SSL connection. SSL provides privacy, authentication, and message integrity. In an SSL connection, each side must have a Digital Certificate, which each side's software sends to the other. Each side then encrypts what it sends using information from both its own and the other side's Certificate, ensuring that only the intended recipient can decrypt it, that the other side can be sure the data came from the place it claims to have come from, and that the message has not been tampered with.

SSL requires digital certificates to facilitate the public key exchange that is required to enable an SSL connection. A digital certificate is an attachment to an electronic message used to verify that senders are who they claim to be, and to provide the receiver with the means to encode a reply.

A company or individual who wants to use SSL to send encrypted messages requests and receives a digital certificate from a trusted issuing source, such as a Certificate Authority (CA). The user configures a list of certificate issuers that the user's Web browser can recognize. The encrypted digital certificate contains the user's public key and a variety of other identification information, including the user's name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. The certificate issuer makes its public key readily available through sources including print and the Internet.

The recipient of an encrypted message uses the public key to decode the digital certificate attached to the message, verifies it as issued by a recognized issuer, and then decodes the sender's public key and identification information from the certificate. Using this information, the recipient can send an encrypted reply.


    IPSec (Internet Protocol Security)

The Mediator uses FreeS/WAN, an open-source implementation of the IPSec protocol suite for Linux. The IPSec protocols provide security in network-to-network connections: access control, data integrity, authentication, and confidentiality, allowing secure private communication across insecure public networks such as the Internet. IPSec provides encryption and authentication services at the packet level. Because IPSec works further down in the layers of the TCP/IP protocol structure than other security protocols, such as SSH and SSL, it does not require programs at the higher application layer to be able to handle encryption and authentication.

IPSec includes three protocols:

- AH (Authentication Header), which provides a packet-level authentication service
- ESP (Encapsulating Security Payload), which provides encryption plus authentication
- IKE (Internet Key Exchange), which negotiates connection parameters, including keys, for the other two

The FreeS/WAN implementation has three main parts:

- KLIPS (kernel IPsec), which implements AH, ESP, and packet handling within the kernel
- Pluto (an IKE daemon), which implements IKE, negotiating connections with other systems
- Various scripts that provide an administrator's interface

IPSec is one of the technologies most widely used in the implementation of Virtual Private Networks (VPNs). VPNs typically are IP-based networks (usually the Internet) that use encryption and tunneling to create a network that is as reliable and secure as a private network, such as a LAN or WAN, but as economical and extensive as the Internet.

A VPN allows multiple sites to communicate securely over an insecure network such as the Internet by encrypting all communication between the sites. Implementing a technique called tunneling, IPSec encapsulates a packet by wrapping another packet around it and encrypting the resulting packet-within-a-packet. This encrypted data stream forms a secure tunnel across an otherwise insecure network.

IPSec uses strong cryptography to provide both authentication and encryption services. Authentication ensures that data packets received are actually sent by the expected party and have not been altered in transit. Encryption prevents unauthorized persons from reading the contents of data packets.

These services allow you to build secure tunnels through insecure networks. Everything passing through the insecure net is encrypted by the Mediator using IPSec and decrypted by the IPSec-enabled device at the other end. The result is a VPN - a network that is effectively private even though it may include nodes at several different sites connected by the insecure Internet.
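The site-to-site tunnel described above, written out as a FreeS/WAN ipsec.conf fragment. This is a constructed example added here, not the Mediator's shipped configuration; the addresses, host names and RSA key strings are placeholders, and it assumes FreeS/WAN's ipsec.conf syntax (left/right pairs, rsasig authentication, auto=start).

```text
# /etc/ipsec.conf  (constructed example in FreeS/WAN syntax; not the Mediator's shipped file.
# Addresses, host names and the RSA key strings are placeholders.)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

# Net-to-net tunnel: the LAN behind the Mediator <-> the LAN behind a remote office gateway
conn mediator-to-office
        # "left" is the Mediator's side
        left=192.0.2.10
        leftsubnet=10.1.0.0/24
        leftnexthop=%defaultroute
        leftid=@mediator.example.com
        leftrsasigkey=0sAQ...LEFT-PUBLIC-KEY-PLACEHOLDER
        # "right" is the remote IPsec gateway
        right=198.51.100.20
        rightsubnet=10.2.0.0/24
        rightnexthop=%defaultroute
        rightid=@office.example.com
        rightrsasigkey=0sAQ...RIGHT-PUBLIC-KEY-PLACEHOLDER
        # IKE (Pluto) authenticates the peers with RSA signatures rather than a shared secret
        authby=rsasig
        # bring the tunnel up when ipsec starts; KLIPS then encrypts everything bound for 10.2.0.0/24
        auto=start
```

The same conn block, with left and right swapped in meaning, is installed on the remote gateway; each side only needs the other's public key, never its private one.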

    Data Logging

Linux includes extensive logging capabilities. While logging cannot prevent security breaches from happening, it can tell you when unauthorized persons have attempted to gain access to the system, and whether or not they were successful. Linux provides logging at the network, host, and user levels.


Among other functions, it keeps logs of the following:

- All system and kernel messages.
- Each network connection, its originating IP address, length, and other data about attempts to enter the system.
- Remote users' file requests.
- Repeated authentication failures.

These and other events are recorded. In addition, Linux can be configured with intrusion detection tools that take user-specified actions such as setting off an alarm when unauthorized entry is attempted.
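As an added example of the kind of check such a tool performs (this is not Richards-Zeta code), the following reads sshd entries in syslog format, counts failed logins per originating address, and notes whether a login from that address later succeeded, which is exactly the "attempted, and were they successful" question the note raises. The log lines are constructed, not a real capture.

```python
"""Detector for repeated authentication failures, added as an example (not Richards-Zeta
code). It reads sshd lines in the syslog format the note describes and reports, per source
address, how many logins failed and whether a login from that address later succeeded."""
import re
from collections import defaultdict

# Constructed sample of what the system log records for sshd; not a real capture.
SAMPLE_LOG = """\
Jun 20 10:01:02 mediator sshd[1234]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 20 10:01:05 mediator sshd[1236]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Jun 20 10:01:09 mediator sshd[1238]: Failed password for root from 203.0.113.7 port 40124 ssh2
Jun 20 10:01:30 mediator sshd[1240]: Accepted password for root from 203.0.113.7 port 40130 ssh2
Jun 20 10:02:10 mediator sshd[1250]: Accepted publickey for operator from 198.51.100.4 port 50001 ssh2
Jun 20 10:03:44 mediator sshd[1261]: Failed password for operator from 198.51.100.4 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")

def summarize(log_text, threshold=3):
    """Return {ip: {"failures": n, "users": set(...), "success_after_failures": bool}}
    for every source address with at least `threshold` failed logins."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # some other sshd or system message
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif entry["failures"]:
            entry["success_after_failures"] = True   # failures, then a success: worth a look
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}
```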

    Omitting Insecure Components

The full Linux operating system includes components that are not secure. In many cases, the security of the Mediator has been enhanced by simply omitting non-essential services or by replacing them with secure operating system components that perform the same or similar functions. For example, as was noted above, insecure remote session and file transfer services including telnet, rlogin, rsh, and rcp have been omitted and OpenSSH secure replacements have been installed instead.

    Future Enhancements

The following paragraphs describe a number of security features that are not currently included in the standard system but are planned for future releases or may be added upon customer request. Linux currently supports these features. Implementation requires downloading, installation, and configuration.

    Access Control Lists (ACLs)

ACLs allow an authorized user, such as an administrator or group leader, to extend file and directory access permissions beyond those possible using the basic Linux permission assignments. They allow more flexibility in granting read-write-execute permissions without the compromises to system security that might be incurred using only the basic tools.

    Password Shadowing

Linux normally stores user passwords in a file that is universally readable. Even though the passwords are encrypted, they potentially can be accessed by unauthorized persons and decrypted, thereby compromising the security of the system. Password Shadowing puts placeholders in the default password file and stores the actual encrypted passwords in a file that is only readable by the root user. Using Password Shadowing ensures password security as long as the integrity of the root account is protected from compromise.
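A small audit for the condition just described, added as an example rather than taken from the note: it parses /etc/passwd-format text, flags any account whose encrypted password is still in the world-readable file or whose password field is empty, and checks that a shadow file's mode gives "other" no access. The passwd contents are constructed and the hash value is not a real one.

```python
"""Audit for password shadowing, added as an example (not Richards-Zeta code). It parses
/etc/passwd-format text and flags accounts whose hash is still in the world-readable file,
or whose password field is empty, and checks that a shadow file's mode keeps others out."""
import stat

# Constructed /etc/passwd contents: one shadowed account, one daemon account, one whose
# hash was never moved to /etc/shadow, and one with no password at all. Not a real file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
operator:$1$saltsalt$ConstructedHashNotReal0123456:1001:1001:Operator:/home/operator:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/bash
"""

PLACEHOLDERS = {"x", "*", "!", "!!"}   # values meaning "look in /etc/shadow" or "locked"

def unshadowed_accounts(passwd_text):
    """Return (account, problem) pairs for entries whose password field is unsafe."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:               # name:pw:uid:gid:gecos:home:shell
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw = fields[0], fields[1]
        if pw == "":
            findings.append((name, "empty password field: no password required"))
        elif pw not in PLACEHOLDERS:
            findings.append((name, "password hash stored in world-readable passwd"))
    return findings

def shadow_mode_ok(mode):
    """True if a shadow file mode (e.g. os.stat(path).st_mode) grants nothing to 'other'."""
    return stat.S_IMODE(mode) & stat.S_IRWXO == 0
```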

    Pluggable Authentication Modules (PAMs)

PAMs allow the system administrator to set an authentication policy without having to recompile authentication programs. Using PAMs allows control of how particular authentication modules are plugged into a program by editing that program's PAM configuration file.


Implementing PAMs provides the following benefits:

- PAMs can provide a common authentication scheme that can be used with a wide variety of applications.
- PAMs can be implemented with various applications without having to recompile the applications to specifically support PAM.
- PAMs allow great flexibility and control over authentication for the administrator and application developer.
- Application developers do not need to develop their program to use a particular authentication scheme. Instead, they can focus purely on the details of their program.

PAMs include four different types of modules for controlling access to a particular service:

- An auth module provides the actual authentication, such as asking for and checking a password, and sets credentials, such as group membership.
- An account module checks to make sure that access is allowed for the user (the account has not expired, the user is allowed to log in at this time of day, etc.).
- A password module is used to set passwords.
- A session module is used after a user has been authenticated. A session module performs additional tasks needed to allow access (for example, mounting the user's home directory or making their mailbox available).

These modules may be stacked, or placed upon one another, so that multiple modules are used. The order of a module stack is very important in the authentication process, because it makes it very easy for an administrator to require that several conditions exist before allowing user authentication to occur.
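A constructed PAM configuration, added here as an example and not the Mediator's own file, showing all four module types stacked for the login service. It assumes Linux-PAM and the standard module names pam_nologin, pam_unix, pam_time, pam_cracklib and pam_mkhomedir; the time-of-day and home-directory checks correspond to the account and session examples in the list above.

```text
# /etc/pam.d/login -- constructed example of a stacked PAM configuration (not the
# Mediator's shipped file).  Within each type the lines run top to bottom; every
# "required" line must succeed, and a failing "requisite" line stops the stack at once.

# auth: prove identity and set credentials
auth      requisite   pam_nologin.so                   # refuse non-root users while /etc/nologin exists
auth      required    pam_unix.so                      # check the password against /etc/shadow

# account: is this account allowed in right now?
account   required    pam_unix.so                      # account and password expiry from /etc/shadow
account   required    pam_time.so                      # time-of-day rules from /etc/security/time.conf
# matching /etc/security/time.conf line (services;ttys;users;times):
#   login;*;operator;Wk0800-1800

# password: rules applied when the user changes a password
password  requisite   pam_cracklib.so retry=3          # reject weak choices before they are stored
password  required    pam_unix.so use_authtok shadow   # store the new hash in /etc/shadow

# session: set up the environment once authentication has passed
session   required    pam_mkhomedir.so skel=/etc/skel  # create the home directory on first login
session   required    pam_unix.so                      # open and close the session (logged)
```

Swapping the two account lines changes nothing here because both are "required", but replacing a "required" with "sufficient" would let a single passing module short-circuit the rest, which is why the note stresses stack order.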

    xinetd (Extended Internet Service Daemon)

xinetd (Extended Internet Service Daemon) is a secure replacement for inetd, the standard Linux internet server process. xinetd acts as a super-server that runs continuously and monitors all of the ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service. xinetd can be used to provide access only to particular hosts, to deny access to particular hosts, to provide access to a service only at certain times, to limit the rate of incoming connections and/or the load created by connections, etc.
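The controls listed above, written out for one xinetd-managed service. This is a constructed example added here, not the Mediator's configuration; it assumes the standard xinetd attributes only_from, no_access, access_times, cps, instances and per_source, and uses rsync as the managed service with placeholder addresses.

```text
# /etc/xinetd.d/rsync -- constructed example of xinetd access controls
# (not the Mediator's shipped configuration; addresses are placeholders).
service rsync
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        # allow only the management LAN plus one remote host ...
        only_from       = 10.1.0.0/24 192.0.2.50
        # ... but refuse this one host even though it is on that LAN
        no_access       = 10.1.0.200
        # refuse connections outside working hours
        access_times    = 07:00-19:00
        # at most 10 connections per second; above that, stop accepting for 60 seconds
        cps             = 10 60
        # at most 5 concurrent servers for this service, and at most 2 from any one source
        instances       = 5
        per_source      = 2
        # record refused attempts with the remote host so the logging described earlier sees them
        log_type        = SYSLOG authpriv info
        log_on_failure  += HOST USERID
}
```

When a source appears in both only_from and no_access, xinetd applies the more specific match, so the single host above is refused while the rest of its subnet is admitted.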