Safety in Cyberspace: Planning Effective Web-to-Host Access Security
There is a revolution happening in the enterprise … a revolution in data access. Sharing core enterprise data with employees, alliance partners and customers is becoming a prerequisite for successful business activities in the new electronic economy. The traditional boundaries of enterprise computing are expanding beyond internal and external Web sites to include wide area intranets, extranets and the Web. As management, LOB users, business partners and customers demand Web access into vital enterprise systems, security is fast becoming the number one concern facing IT professionals.
Because so much enterprise information resides on mainframe host systems, one very attractive way to extend data access is through "Web-to-host" technologies. These alternatives to traditional green screen access can provide significant cost of ownership advantages. [See "Thin-Client vs. Fat-Client in the Host Connectivity World," December 1998 ESJ.] They also raise security concerns. Web-to-host access opens up business-critical enterprise data and applications to new communities of internal and external users, and may move sensitive, private information over the public Internet.
Given the tremendous business potential of Web technologies, however, the question is not whether to use these technologies, but how to use them with the right security controls. This calls for Web-to-host solutions that address both the opportunities and the challenges of Internet computing – solutions that allow you to quickly convey information to trusted individuals and still secure every host connection.
A Web-to-host security solution must fulfill security fundamentals. It must provide privacy, user authentication and connection integrity. Depending on architecture, it must provide authorization at a gateway server, at the host, or both. And it must be built on appropriate components, such as strong cryptography. For a good recent overview on these topics, read "Your Security Umbrella: Integrating Encryption, Authentication and Access Control," in the April 1999 issue of ESJ (page 54).
Another very important consideration is that Web-to-host security also needs to fit into your security policy management, strategic technology direction and current infrastructure.
Leveraging Legacy Security
To create a cost- and time-effective Web-to-host security solution, you need to leverage your legacy investment in security just as you leverage legacy applications and systems as a backend for new Web information access demands. For direct mainframe access, the preferred management and control point is still trusty RACF, ACF or TopSecret – supplemented by granular data access controls embedded in legacy application logic, DB2, CICS and other systems. For other legacy hosts, using the native management and access controls may also be your best choice, unless you are building a completely new Web application integrating multiple backend sources.
The problem is that none of these legacy access control methods are very well-suited to the extended Web-oriented access environment, at least without some changes and additional protection. They have relied heavily on cleartext login ids and passwords for user authentication. High-security environments have used token devices based on time synchronization and challenge-response technology for strong two-factor user authentication. Finally, traditional firewalls attempted to define a rigid perimeter boundary, with very limited access across it. Extending access on the Web requires some changes.
Public Key Infrastructure (PKI), strong user authentication with smart cards and X.509 certificates, and unified or synchronized enterprise directories using Lightweight Directory Access Protocol (LDAP) for managing authentication have great future potential. But few organizations can wait for all these technologies to mature, be integrated with legacy environments for access control or be fully deployed. Most enterprises need to start extending Web access to host systems and applications now.
Choosing Technology Needs to Fit the Purpose
Current security technologies vary widely in maturity, adoption and vendor support. In most cases, you will need to use multiple technologies and consider tradeoffs based on manageability, scale, intended users, risk and cost issues.
One issue you need to consider is how separated security should be from user interaction and applications. It is desirable to hide underlying security from user interaction and application dependencies. But limited user interaction and standardized application awareness can add significant security benefits, particularly for user (vs. device) authentication and granular application control.
For example, the VPN concept includes a variety of technologies for general purpose protection of bulk network traffic in transit over non-trusted networks. In most cases, VPNs operate at a network layer that isolates them from users and applications. The IP Sec family of standards is emerging as the preferred VPN platform, and has attracted major vendor support. It will become ubiquitous for those environments where it fits well, such as for remote office connections and tightly integrated supply-chains.
But, it is not clear when or whether it will become commonplace for individual remote access protection. IP Sec and other VPN technologies have limitations for individual authentication and end-to-end connections. It also is not well-suited to granular, application-dependent control.
An example from the specific purpose end of the spectrum is the Secure Electronic Transaction (SET) specification. While not yet widely supported, in part because of its application dependencies and need for better integration with legacy financial transaction infrastructure, it can provide excellent protection of financial transactions over their entire life cycle, covering all of the parties to the transaction. It does this function far better than any general purpose security technology operating at lower layers.
SSL and TLS Standards
For Web-to-host applications, the leading security service is the Secure Socket Layer (SSL) protocol and its latest evolution in the IETF, Transport Layer Security (TLS). SSL v3 is the de facto standard for HTTP-based security and is the established basis for security interoperability on the Web. TLS extends SSL v3 slightly, and incorporates it into the Internet’s open standards process. TLS has been chosen by IBM, Microsoft and others on the IETF for session-oriented protocols (notably TN3270 and TN5250). Web-to-host solutions include multi-tier and direct-connect architectures, which may use HTTP translation or native host session datastreams to a Web thin client. All the leading vendors either provide SSL or TLS support with their Web-to-host products or rely on Web server and browser SSL support.
SSL/TLS, combined with legacy host access control, provide an immediate solution to the most pressing Web-to-host security problems. Users can authenticate via logon in the traditional way, under host control, but the userid and password can be protected by encryption from the client all the way to the host or to the host-access gateway. SSL/TLS also provides for integration of strong authentication based on PKI with client-side digital certificates. SSL/TLS is a good complement to any VPN technologies that may be deployed on some network segments that lie underneath.
It particularly complements IPSec for those who are planning a PKI-based infrastructure. But it does not depend on deployment of a VPN or PKI to provide effective encryption and user authentication for Web-to-host systems.
In some cases, particularly for broader consumer access, you may want to move primary user authentication and access control for a new Web application off the host. If you need multiple backend data sources on multiple platforms for a newly integrated application, a Web application server or other middleware may provide the best control point. In this environment, host access and database middleware connectors provide legacy data access using traditional security controls, while SSL protects Web server/browser connections for selective user authentication and encryption.
Depending on the distributed architecture and requirements of such applications, you may also need more network-oriented mutual authentication and encryption between the host and the middle tier.
IBM and other vendors are beginning to integrate SSL/TLS and PKI directly on the host – providing useful additions to legacy security methods. For this type of application, it makes sense to use an LDAP directory as the central, reusable repository of user authentication information. LDAP directory access can also be protected using SSL/TLS protocol, among other methods. Authorization and access controls will usually be linked closely to the specific application.
The user interface for most applications will still involve a user ID and password. Several vendors offer useful products in this area. For less-sensitive applications, use of Web cookie-based authentication can provide adequate identification. This approach has the benefits of minimal user interaction and high scalability. Where host access is involved, however, carefully review such applications for risks to host security. For high value, high-sensitivity transactions with a limited user population, consider early deployment of PKI and smart cards or a two-factor token system.
Firewall Security Strategies
One of the key requirements for Web-to-host access is manageable firewall traversal. This requires managing the inherent limitations of a perimeter defense security model, and should be combined with sound user authentication and control of access to resources. SSL/TLS proxy servers located behind the firewall can provide effective security and scalability, when combined with intrusion detection software and logging. They should provide flexible port configuration capabilities to permit avoiding well-known ports (e.g., Telnet on port 23) which are frequently probed by attackers.
As in many security choices, there are trade-offs. Some advocate using a single well-known port (e.g., HTTP) for all traffic, regardless of protocol, to minimize holes in the firewall.
Others counter that this circumvents some security policies and screening techniques. They argue that with newer, more easily configured firewalls, and sophisticated intrusion detection software, additional monitored holes in the firewall may be a better and safer choice.
This choice assumes that you have centralized configuration control of client access requests. Several vendors offer this capability, but in some broad deployment situations it will not be possible to control client configurations centrally. Port configuration capabilities should be flexible enough to handle any of these scenarios.
Other Security Deployment Considerations
Scalability must be considered for any large-scale deployment. Among the many issues are use of multiple proxies or gateways with cryptographic coprocessors for computation-intensive work, and potential additional load on the host. Management tools should include log and trace facilities. A direct connect architecture can help avoid potential bottlenecks inherent in some multi-tier approaches. A direct connection Web-to-host client should include tightly integrated security, just as a browser does.
And easy, automated Web deployment tools can make a very large difference for any client components. Most IT shops will require multi-platform support. A platform independent implementation, such as in Java, can smooth the way to successful rollout and provide scalability across platforms from a Pentium to a high-end OS/390.
The Bottom Line
Every IT professional knows the significance of security. It’s a problem that’s never completely solved and one that underlies every deployment decision. By taking the time to review requirements for current and future security policy and infrastructure, you can make sound architecture and technology choices.
Smart planning will go a long way toward taking the worry out of real-time, Web-based host access and allowing you to take advantage of the benefits Web-to-host can provide – lower cost of ownership than traditional host access for new user groups and a new way to gain a competitive advantage through leveraging your legacy applications and data serving to business partners and customers.
About the Author: Bruce Thompson is a Strategic Marketing Manager at WRQ Inc. (Seattle).