Solved

ePKI enabled legacy application

Posted on 2003-02-20
Last Modified: 2010-04-11
Sir,
(1) By non-web protocol, what do you mean?  What specific protocols are you excluding?  HTTP?
        If it is a web-enabled application, we can use SSL. I want to secure some TCP services running on a remote machine.
(2) Does the proxy have prior knowledge of the protocol being used between the client and server?
       Obvious.
(3) Do you have any control over the client/server applications?  Can you modify the client code before introducing your proxy?
       I have to write the client code.
(4) Calling your application a proxy implies (to me) that the client and server are to be unaware of the proxy's existence.  Is this true?
       My proxy is not a transparent proxy.
(5) Finally, is your project an attempt to demonstrate a 'man-in-the-middle' attack?
      Yes, I have to provide a middleware to secure the remote machine.

Suppose we have one application server (security unaware) which is running on
port X. The application client (security unaware, which means messages are transferred
in plain text) should make requests to the server machine on port X.

Application                   Application
client        -------------->   Server (port X)

Host A                          Host B


We are planning to put a proxy server or service between the application
client and the application server.
The proxy is not a transparent proxy. The client should make its initial request
to the proxy service instead of directly connecting to the
application server. I have to write the client application also to enable
the same, i.e.:

1. The user should use my client program to use the service from the
remote machine.
2. My client program will make the initial request to the proxy service instead
of the application server.
3. The proxy will do the client authentication and provide an encrypted
channel between client and proxy.
4. After completing the above process, the proxy will accept the
encrypted packets from the client, decrypt them and then send them to the
application server.
5. The communication channel between proxy and application server may be in
plain text (since it is within the intranet).
6. The proxy service can be run on a different machine or may be
on the same machine (on which the application server is running) with a different
port.


Client                Proxy                    Application
Program  --------->     Service(Port Y)---------->    Server(Port x)

Host A                    Host B
 

     In short, my project is a middleware which should secure
the services(security unaware) running on remote machine.

please give some useful pointer to proceed in optimum way.

Thank you
selvi

Question by:tamilselvi
LVL 2

Accepted Solution

by: Jason_Deckard earned 80 total points
ID: 7993160
Selvi,

There seems to be a belief that SSL cannot be used if the information at the application layer is not thought of as a "web protocol", and this is incorrect.  You can use SSL to secure the connection between the proxy and the client, because SSL is indifferent to the application (and presentation) layer data being sent.  Unless it is a restriction placed on your project by the instructor, SSLv3 or TLSv1 could be used.  In fact, I recommend using SSL or TLS in this situation.

You have absolute control over the client and proxy (you're writing both), so it seems you are simply taking any server application and providing a mechanism for data confidentiality, entity authentication, and data integrity.  You can achieve this with SSL (or TLS) if your proxy always requests a client side certificate during the SSL/TLS handshake, and if your proxy compares the distinguished name (DN) of the client certificate against a list of acceptable names.  A client should not be given access simply because it provides a valid certificate; it should provide a valid certificate of an entity the proxy trusts.  If the client provides a valid certificate, but the DN is unknown to the proxy, the proxy should terminate the session with the client.

This may be outside the scope of your project, but consider what methods you would use to prevent an attacker from connecting directly to the server (instead of the client).

I hope this is enough to get you started on your project, and good luck :)

Cheers,
Jason Deckard

0
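
The check described in the accepted answer, sketched as an added example (not part of the original thread): a Python proxy that always requires a client certificate, rejects any subject DN that is not on an allowlist, and relays the decrypted stream to the plaintext server. The allowlist entry, file names and port numbers are constructed placeholders, and the TLS 1.2 floor is an assumption of this sketch.

```python
import contextlib, socket, ssl, threading

# Constructed allowlist: subject DNs as ordered (attribute, value) pairs.
ALLOWED_DNS = {(("organizationName", "Example Corp"), ("commonName", "client-a"))}

def subject_dn(peercert):
    """Flatten getpeercert()['subject'] (a tuple of RDNs) into one tuple."""
    return tuple(pair for rdn in peercert.get("subject", ()) for pair in rdn)

def is_authorized(peercert, allowed=ALLOWED_DNS):
    # A certificate that chains to the CA is not enough: its DN must be listed.
    return bool(peercert) and subject_dn(peercert) in allowed

def make_context(cert, key, client_ca):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert, key)         # the proxy's own certificate and key
    ctx.load_verify_locations(client_ca)   # CA that issues client certificates
    ctx.verify_mode = ssl.CERT_REQUIRED    # always demand a client certificate
    return ctx

def pump(src, dst):
    """Copy bytes one way until EOF or error, then close the destination."""
    with dst, contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)

def handle(raw, ctx, backend_addr):
    try:
        conn = ctx.wrap_socket(raw, server_side=True)  # handshake + chain check
    except (ssl.SSLError, OSError):
        raw.close()                        # no certificate or untrusted issuer
        return
    if not is_authorized(conn.getpeercert()):
        conn.close()                       # valid certificate, unknown DN
        return
    backend = socket.create_connection(backend_addr)   # plaintext leg (port X)
    threading.Thread(target=pump, args=(backend, conn), daemon=True).start()
    pump(conn, backend)

if __name__ == "__main__":
    # Hypothetical file names and ports: port Y is 8443 and port X is 9000 here.
    ctx = make_context("proxy.crt", "proxy.key", "client-ca.crt")
    with socket.create_server(("0.0.0.0", 8443)) as srv:
        while True:
            raw, _ = srv.accept()
            threading.Thread(target=handle, args=(raw, ctx, ("127.0.0.1", 9000)), daemon=True).start()
```

The TLS handshake runs inside the per-connection thread, so a slow or stalled client cannot block the accept loop.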
 
LVL 2

Expert Comment

by:Jason_Deckard
ID: 7993183
Correction:  I asked you to consider methods for preventing an attacker from connecting directly to the server (instead of the client).  That should read "consider what methods you would use to prevent an attacker from connecting directly to the server (instead of connecting to the proxy)."  I think 'firewall' is an obvious answer, but be prepared for the question during the review of your project.
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9816059
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: Jason_Deckard{7993160}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

zenlion420
EE Page Editor
0
