
Mediator Security Capabilities

Product Information Note

MEDIATOR SECURITY FEATURES

Richards-Zeta Building Intelligence, Inc. 1


June 2003

Overview
This Product Information Note contains a high-level description of the security capabilities of
the Richards-Zeta Mediator 2500. These capabilities are based on the version of the Linux operating
system that runs on the Mediator.
The Mediator is an embedded system designed to perform a specialized function: running the
Mediator Framework application in a Richards-Zeta system. The Linux operating system that runs
on the Mediator has been optimized for that purpose. Because Linux is scalable, it allows some
components normally included on a general-purpose system to be omitted. Some have been omitted
because they are insecure, and in some cases these have been replaced with secure components that
perform the same functions. In addition, some components have been omitted because they are not
necessary, allowing Linux to require as little of the Mediator’s resources as possible.

Note: Some of the features described in this document are not included in the standard Mediator system
configuration, but can be specified by the customer.

Configuring some of the features requires advanced technical expertise. Some customers whose staffs include
personnel extensively experienced in Linux installation and configuration may be able to handle tasks of this
level of difficulty. Most will require the assistance of Professional Services.

Packet Filtering Firewall


A firewall is a device that connects an internal TCP/IP network to the Internet and provides
security by controlling the type of messages it will allow to enter the internal network. The Mediator
provides firewalling by implementing the Netfilter packet-filtering subsystem built into the Linux
operating system. A packet-filtering firewall examines all of the IP data packets that arrive from
outside and determines their disposition according to user-configured rules.
In addition, Netfilter provides stateful inspection. It can associate all of the data packets of an
existing connection, based on user-configured rules, and deny or reject packets not belonging to that
connection. The states on which rules can be specified include:
• New (a packet is attempting to establish a new connection)
• Related (a packet is related to the existing connection, and is passing in the original direction)
• Invalid (the packet does not match any existing connections)
• Established (the packet is part of an existing connection)
• Related+Reply (the packet is not part of an existing connection, but is related to one).
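
The following added example (not part of the original note, and not Netfilter's own code) models the stateful decision described above: a small connection table classifies each inbound packet, and rules are applied by state. It is a simplified model that omits the Related states; the addresses, port numbers and the names `ConnTracker` and `filter_inbound` are assumptions made for illustration.

```python
from collections import namedtuple

# Simplified model for illustration; Netfilter's real connection tracking also
# follows TCP state, timeouts and RELATED flows, which are left out here.
Packet = namedtuple("Packet", "src sport dst dport flags")

class ConnTracker:
    def __init__(self):
        self.table = set()  # (src, sport, dst, dport) of every allowed connection

    def classify(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "ESTABLISHED"          # either direction of a known connection
        if pkt.flags == {"SYN"}:
            return "NEW"                  # only a bare SYN may open a connection
        return "INVALID"                  # matches nothing we are tracking

    def note_outbound(self, pkt):
        """Record a connection opened from the protected host."""
        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

def filter_inbound(tracker, pkt, open_ports):
    """Return (state, verdict) for a packet arriving from outside."""
    state = tracker.classify(pkt)
    if state == "ESTABLISHED":
        return state, "ACCEPT"
    if state == "NEW" and pkt.dport in open_ports:
        tracker.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return state, "ACCEPT"
    return state, "DROP"

def demo():
    # Constructed packets; addresses are documentation ranges, HOST is hypothetical.
    HOST, t = "192.0.2.10", ConnTracker()
    t.note_outbound(Packet(HOST, 50000, "198.51.100.20", 443, {"SYN"}))
    inbound = [
        Packet("198.51.100.7", 40000, HOST, 22, {"SYN"}),           # new SSH session
        Packet("198.51.100.7", 40000, HOST, 22, {"ACK"}),           # same session
        Packet("198.51.100.7", 40001, HOST, 23, {"SYN"}),           # telnet: closed
        Packet("203.0.113.5", 5555, HOST, 22, {"ACK"}),             # no such session
        Packet("198.51.100.20", 443, HOST, 50000, {"SYN", "ACK"}),  # reply to outbound
    ]
    return [filter_inbound(t, p, open_ports={22}) for p in inbound]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The fourth packet shows what a stateless filter cannot do: it targets an open port, yet it is dropped because it belongs to no tracked connection.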

Secure Shell (SSH)

The Secure Shell (SSH) protocol defines programs that allow users to securely log onto another computer over a
network, execute commands remotely, and move files between machines. It provides strong authentication and secure
communications over insecure networks such as the Internet.

The Mediator uses the OpenSSH implementation of the SSH protocol specification. OpenSSH is an open-source
package included in the Linux Operating System installed on the Mediator. OpenSSH provides a secure replacement for
the standard remote session and file transfer tools that support interactive login sessions, remote execution of
commands, forwarded TCP/IP connections, and forwarded X11 connections, including telnet, rlogin, rsh, and rcp.


SSH provides a virtual private connection at the application layer, including both an interactive login protocol as well as
a facility for the secure transfer of files. SSH encrypts the username and password in a remote login session, and
supports remote host authentication, reducing the threat of client impersonation through IP address spoofing or DNS
manipulation. In addition, SSH supports several secret-key encryption protocols, including DES, Triple DES, IDEA,
RSA, and Blowfish, to help ensure the privacy of the entire communication.

Note: The OpenSSH packages require prior installation of the OpenSSL package. OpenSSL installs several
important cryptographic libraries that help OpenSSH provide encrypted communications.

SSL (Secure Socket Layer)

Secure Socket Layer (SSL) is an open protocol originally published by Netscape to allow encrypted transmission of data
between Web browsers and Web servers. SSL is based on private key encryption technology and provides data
encryption, server authentication, message integrity, and client authentication for TCP/IP connections.

Programs implementing TCP/IP (the Transmission Control Protocol/Internet Protocol) control the transport and routing
of data over the Internet. Applications based on other protocols use the services provided by TCP/IP. For example, web
servers that implement the HyperText Transport Protocol (HTTP) use TCP/IP to support the display of web pages.

TCP/IP is structured in interacting software layers. The SSL protocol layer runs between the TCP/IP transport layer and
programs based on higher-level protocols such as HTTP, which run in the application layer. It allows an SSL-enabled
server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both
machines to establish an encrypted connection.

SSL is frequently used in communications between Web browsers and Web servers. URLs that begin with “https”
indicate an SSL connection. SSL provides privacy, authentication, and message integrity. In an SSL connection, each
side must have a Digital Certificate, which each side’s software sends to the other. Each side then encrypts what it sends
using information from both its own and the other side’s Certificate, ensuring that only the intended recipient can decrypt
it, and that the other side can be sure the data came from the place it claims to have come from, and that the message has
not been tampered with.

SSL requires digital certificates to facilitate the public key exchange that is required to enable an SSL connection. A
digital certificate is an attachment to an electronic message used to verify that senders are who they claim to be, and to
provide the receiver with the means to encode a reply.

A company or individual who wants to use SSL to send encrypted messages requests and receives a digital certificate
from a trusted issuing source, such as a Certificate Authority (CA). The user configures a list of certificate issuers that
the user’s Web browser can recognize. The encrypted digital certificate contains the user’s public key and a variety of
other identification information, including the user’s name, a serial number, expiration dates, a copy of the certificate
holder’s public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-
issuing authority so that a recipient can verify that the certificate is real. The certificate issuer makes its public key
readily available through sources including print and the Internet.

The recipient of an encrypted message uses the public key to decode the digital certificate attached to the message,
verifies it as issued by a recognized issuer, and then decodes the sender’s public key and identification information from
the certificate. Using this information, the recipient can send an encrypted reply.


IPSec (Internet Protocol Security)

The Mediator uses FreeS/WAN, an open-source implementation of the IPSec protocol suite for Linux. The IPSec
protocols provide security in network-to-network connections. They provide access control, data integrity, authentication,
and confidentiality, allowing secure private communication across insecure public networks such as the Internet. IPSec
provides encryption and authentication services at the packet level. Because IPSec works further down in the layers of
the TCP/IP protocol structure than other security protocols, such as SSH and SSL, it does not require programs at the
higher application layer to be able to handle encryption and authentication.

IPSec includes three protocols:

• AH (Authentication Header), which provides a packet-level authentication service

• ESP (Encapsulating Security Payload), which provides encryption plus authentication

• IKE (Internet Key Exchange), which negotiates connection parameters, including keys, for the other two

The FreeS/WAN implementation has three main parts:

• KLIPS (kernel IPsec), which implements AH, ESP, and packet handling within the kernel

• Pluto (an IKE daemon), which implements IKE, negotiating connections with other systems

• Various scripts that provide an administrator’s interface

IPSec is one of the technologies most widely used in the implementation of Virtual Private Networks (VPNs). VPNs
typically are IP-based networks (usually the Internet) that use encryption and tunneling to create a network that is as
reliable and secure as a private network, such as a LAN or WAN, but as economical and extensive as the Internet.

A VPN allows multiple sites to communicate securely over an insecure network such as the Internet by encrypting all
communication between the sites. Implementing a technique called tunneling, IPSec encapsulates a packet by wrapping
another packet around it and encrypting the resulting packet-within-a-packet. This encrypted data stream forms a secure
tunnel across an otherwise insecure network.

IPSec uses strong cryptography to provide both authentication and encryption services. Authentication ensures that
data packets received are actually sent by the expected party and have not been altered in transit. Encryption prevents
unauthorized persons from reading the contents of data packets.

These services allow you to build secure tunnels through insecure networks. Everything passing through the insecure
net is encrypted by the Mediator using IPSec and decrypted by the IPSec-enabled device at the other end. The result is a
VPN - a network that is effectively private even though it may include nodes at several different sites connected by the
insecure Internet.

Data Logging
Linux includes extensive logging capabilities. While logging cannot prevent security breaches
from happening, it can tell you when unauthorized persons have attempted to gain access to the
system, and whether or not they were successful. Linux provides logging at the network, host, and
user levels.


Among other functions, it keeps logs of the following:


• All system and kernel messages.
• Each network connection, its originating IP address, length, and other data about attempts to enter the system.
• Remote users’ file requests.
• Repeated authentication failures.
Linux logs other events as well. In addition, Linux can be configured with intrusion detection tools that take
user-specified actions, such as setting off an alarm when unauthorized entry is attempted.
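
As an added example (not part of the original note), the script below shows one way the "repeated authentication failures" recorded in the logs can be turned into an alert: it scans sshd log lines and reports any source address with several failures inside a short window. The log lines are constructed, and the threshold, window, hostname and function name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in classic syslog/sshd format (not taken from a real system).
SAMPLE_LOG = """\
Jun  3 02:14:01 mediator sshd[811]: Failed password for root from 203.0.113.9 port 4021 ssh2
Jun  3 02:14:09 mediator sshd[811]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Jun  3 02:14:30 mediator sshd[812]: Failed password for root from 203.0.113.9 port 4023 ssh2
Jun  3 08:00:12 mediator sshd[901]: Failed password for operator from 198.51.100.4 port 3391 ssh2
Jun  3 08:00:40 mediator sshd[901]: Accepted password for operator from 198.51.100.4 port 3391 ssh2
Jun  3 09:00:00 mediator sshd[950]: Failed password for root from 192.0.2.77 port 1500 ssh2
Jun  3 11:30:00 mediator sshd[951]: Failed password for root from 192.0.2.77 port 1501 ssh2
Jun  3 15:45:00 mediator sshd[952]: Failed password for root from 192.0.2.77 port 1502 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def repeated_failures(log_text, threshold=3, window=timedelta(minutes=5), year=2003):
    """Map source IP -> usernames tried, for sources with `threshold` failures
    inside one sliding `window`. Syslog omits the year, so it is supplied."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            by_source[m.group(3)].append((ts, m.group(2)))
    alerts = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                     # slide the window forward
            if end - start + 1 >= threshold:
                alerts[src] = sorted({user for _, user in events[start:end + 1]})
                break
    return alerts

if __name__ == "__main__":
    print(repeated_failures(SAMPLE_LOG))
```

The three failures from 192.0.2.77 are spread over hours and stay below the default window, which is why a time window matters as much as the count.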

Omitting Insecure Components


The full Linux operating system includes components that are not secure. In many cases, the
security of the Mediator has been enhanced by simply omitting non-essential services or by replacing
them with secure operating system components that perform the same or similar functions. For
example, as was noted above, insecure remote session and file transfer services including telnet,
rlogin, rsh, and rcp have been omitted and OpenSSH secure replacements have been installed instead.

Future Enhancements
The following paragraphs describe a number of security features that are not currently included
in the standard system but are planned for future releases or may be added upon customer request.
Linux currently supports these features. Implementation requires downloading, installation, and
configuration.

Access Control Lists (ACLs)


ACLs allow an authorized user, such as an administrator or group leader, to extend file and
directory access permissions beyond those possible using the basic Linux permission assignments. They
allow more flexibility in granting read-write-execute permissions without compromises to system
security that might be incurred using only the basic tools.

Password Shadowing
Linux normally stores user passwords in a file that is universally readable. Even though the
passwords are encrypted, they potentially can be accessed by unauthorized persons and decrypted,
thereby compromising the security of the system. Password Shadowing puts placeholders in the
default password file and stores the actual encrypted passwords in a file that is only readable by the
root user. Using Password Shadowing ensures password security as long as the integrity of the root
account is protected from compromise.
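
The audit below is an added example, not part of the original note. It checks the two properties this section depends on: every entry in the password file holds a placeholder rather than a hash, and the shadow file is accessible only to root. The sample entries are constructed, and the paths in `audit_system` are the usual Linux defaults, assumed here.

```python
import os
import stat

PLACEHOLDERS = {"x", "*", "!", "!!"}  # "x" = hash lives in shadow; others = locked

# Constructed passwd content; the "operator" hash is a made-up placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
operator:CONSTRUCTEDHASH1:500:500:Operator:/home/operator:/bin/sh
guest::501:501:Guest:/home/guest:/bin/sh
daemon:*:2:2:daemon:/sbin:/bin/false
"""

def audit_passwd(passwd_text):
    """Return {account: problem} for entries that bypass shadowing."""
    findings = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        name, pw = fields[0], fields[1]
        if pw == "":
            findings[name] = "empty password field"
        elif pw not in PLACEHOLDERS:
            findings[name] = "hash stored in world-readable passwd file"
    return findings

def shadow_mode_findings(mode):
    """Check the shadow file's st_mode against 'readable only by root'."""
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("accessible to all users")
    if mode & stat.S_IRWXG:
        findings.append("accessible to group")
    return findings

def audit_system(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run both checks against a live system (paths are the usual defaults)."""
    with open(passwd_path) as fh:
        accounts = audit_passwd(fh.read())
    st = os.stat(shadow_path)
    perms = shadow_mode_findings(st.st_mode)
    if st.st_uid != 0:
        perms.append("not owned by root")
    return accounts, perms

if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD))
```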

Pluggable Authentication Modules (PAMs)


PAMs allow the system administrator to set an authentication policy without having to
recompile authentication programs. Using PAMs allows control of how particular authentication
modules are plugged into a program by editing that program’s PAM configuration file.


Implementing PAMs provides the following benefits:


• PAMs can provide a common authentication scheme that can be used with a wide variety of applications.
• PAMs can be implemented with various applications without having to recompile the applications to specifically
support PAM.
• PAMs allow great flexibility and control over authentication for the administrator and application developer.
Application developers do not need to develop their program to use a particular authentication scheme. Instead,
they can focus purely on the details of their program.
PAMs include four different types of modules for controlling access to a particular service:
• An auth module provides the actual authentication, such as asking for and checking a password, and sets
credentials, such as group membership.
• An account module checks to make sure that access is allowed for the user (the account has not expired, the
user is allowed to log in at this time of day, etc.).
• A password module is used to set passwords.
• A session module is used after a user has been authenticated. A session module performs additional tasks
needed to allow access (for example, mounting the user’s home directory or making their mailbox available).
These modules may be stacked, or placed upon one another, so that multiple modules are used.
The order of a module stack is very important in the authentication process, because it makes it very
easy for an administrator to require that several conditions exist before allowing user authentication
to occur.

xinetd (Extended Internet Service Daemon)


xinetd (Extended Internet Service Daemon) is a secure replacement for inetd, the standard
Linux internet server process. xinetd acts as a super-server that runs continuously and monitors all
of the ports for the services it manages. When a connection request arrives for one of its managed
services, xinetd starts up the appropriate server for that service. xinetd can be used to provide
access only to particular hosts, to deny access to particular hosts, to only provide access to a service
at certain times, to limit the rate of incoming connections and/or the load created by connections,
etc.
