ePKI enabled legacy application

Posted on 2003-02-20
Medium Priority
Last Modified: 2010-04-11
(1) By non-web protocol, what do you mean?  What specific protocols are you excluding?  HTTP?
        If web enabled application, we can use ssl. I want to secure some tcp services running
on remote machine.
(2) Does the proxy have prior knowledge of the protocol being used between the client and server?
(3) Do you have any control over the client/server applications?  Can you modify the client code before introducing your proxy?
       I have to write the client code.
(4) Calling your application a proxy implies (to me) that the client and server are to be unaware of the proxy's existance.  Is this true?
       my proxy is not transaparent proxy.
(5) Finally, is your project an attempt to demonstrate a 'man-in-the-middle' attack?
      yes, I have to provide a middleware to secure the remote machine.
suppose we have one application server(security unaware) which is running on
port X. application client(security unaware which means message transfered
in plain text) should make request to the server machine on port X.

Apllication                   Application    
client        -------------->   Server (port x)

Host A                    Host B

we are planning to put a proxy server or service between the application
client and application server.
The proxy is not transparent proxy. The client should make inital request
to the proxy service instead of directly connecting to the
application server.I have to write the client application also to enable
the same. ie.

1. The user should use my client program to use the service from
remote machine.
2.  My client program will make inital request to proxy service instead
of application server.
3. The proxy will do the client authentication and provide encrypted
channel between client and proxy.
4. After completing the above process, the proxy will accept the
encrypted packets from the client, decrypt it and then send to the
applicaiton server.
5. The communication channel between proxy and application server may be in
plain text(since within intranet).
6. The proxy service can be run on different machine or may be
in the same machine(in which application server running) with different

Client                Proxy                    Application
Program  --------->     Service(Port Y)---------->    Server(Port x)

Host A                    Host B

     In short, my project is a middleware which should secure
the services(security unaware) running on remote machine.

please give some useful pointer to proceed in optimum way.

Thank you

Question by:tamilselvi
  • 2

Accepted Solution

Jason_Deckard earned 80 total points
ID: 7993160

There seems to be a belief that SSL cannot be used if the information at the application layer is not thought of as a "web protocol", and this is incorrect.  You can use SSL to secure the connection between the proxy and the client, because SSL is indifferent to the application (and presentation) layer data being sent.  Unless it is a restriction placed on your project by the instructor, SSLv3 or TLSv1 could be used.  In fact, I recommend using SSL or TLS in this situation.

You have absolute control over the client and proxy (you're writing both), so it seems you are simply taking any server application and providing a mechanism for data confidentiality, entity authentication, and data integrity.  You can achieve this with SSL (or TLS) if your proxy always requests a client side certificate during the SSL/TLS handshake, and if your proxy compares the distinguished name (DN) of the client certificate against a list of acceptable names.  A client should not be given access simply because it provides a valid certificate, it should provide a valid certificate of an entity the proxy trusts.  If the client provides a valid certificate, but the DN is unknown to the proxy, the proxy should terminate the session with the client.

This may be outside the scope of your project, but consider what methods you would use to prevent an attacker from connecting directly to the server (instead of the client).

I hope this is enough to get you started on your project, and good luck :)

Jason Deckard


Expert Comment

ID: 7993183
Correction:  I asked you to consider methods for preventing an attacker from connecting directly to the server (instead of the client).  That should read "consider what methods you would use to prevent an attacker from connecting directly to the server (instead of connecting to the proxy)."  I think 'firewall' is an obvious answer, but be prepared for the question during the review of your project.

Expert Comment

ID: 9816059
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: Jason_Deckard{7993160}

Please leave any comments here within the next seven days.

EE Page Editor

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question