The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896



Bitkoo’s SecureWithin™ - How does it work?

Contributed by Bitkoo
Author:  Doron Grinstein

 

Introduction:

SecureWithin™ enables organizations to securely expose firewall-protected internal network resources to Internet clients without requiring those clients to use VPN software or hardware. This matters most for web services, web applications, FTP and similar services. Clients in this context may be humans using applications such as web browsers or email clients, or machines consuming web services or other network protocols to obtain services from other machines. Network resources range from SOAP-based web services to intranet-hosted web applications or Exchange servers and everything in between that relies on TCP/IP.

Historically, to bring internal applications to Internet clients, organizations deployed replicated instances of their internal systems in a DMZ accessible from the Internet and then had to grapple with synchronizing data between the internal and external instances. These duplicate instances often included database servers, application servers, directory servers and so on. This approach, while still in use by many organizations, is extremely costly, not only in redundant hardware and software licenses but also in the IT labor needed to configure, maintain and patch all of the duplicated services and to write the data synchronization code correctly and securely. The hardware, licensing and labor cost of exposing a single web application or web service to the Internet this way often runs from the high tens of thousands to hundreds of thousands of dollars, and in some cases more.

SecureWithin™ is a product that leverages your existing investment and simplifies deploying your internal systems to the Internet securely. With SecureWithin™, security is not compromised, time to Internet is minutes rather than months, and costs stay low.

SecureWithin™ was designed with the following core requirements:

1.      Provide uncompromising security

2.      No network changes or firewall re-configuration (no “poking holes”)

3.      High performance and scalability

4.      Optionally, no new hardware and no client-side software

5.      Ridiculously easy to use

6.      Priced at a small fraction of any alternative approaches to deliver maximum value

7.      Work with any platform - Windows, Linux, Unix, Apple or any other TCP/IP based platform

The product consists of software and optional hardware appliances. In lieu of a hardware appliance, customers can install the software on their existing hardware or, alternatively, use Bitkoo's hosted service.

Regardless of deployment option (appliance, virtual appliance (software only) or hosted service), the SecureWithin™ software is deployed on both the internal network and on the public Internet (either by the customer or hosted by Bitkoo).

The core software comprises two collaborating gateways: an internal gateway on the LAN and an external gateway on the Internet. Before collaborating with the external gateway for the first time, and periodically thereafter on a configurable interval, the internal gateway contacts the Bitkoo metadata service to retrieve data that includes, among other things, the internal endpoints/services to expose, their security requirements, optional data transformations and the external gateways on which to make the services available. Customers define this metadata on Bitkoo's secure website.

Any metadata changes made by customers are logged in a detailed audit trail. Customers must authenticate using a user ID assigned by Bitkoo and a strong password chosen by the customer. In addition, calls made to the Bitkoo metadata service by gateway devices are authenticated using an X.509 certificate residing on the calling device. Because this metadata determines which internal endpoints become reachable from the Internet, the website credentials and the device certificates are high-value secrets and should be protected accordingly.

Once the internal gateway has received its applicable metadata, it knows which internal endpoints to make available to outside clients, what security rules apply to them and on which external gateways to expose them to Internet clients. It calls the external gateway(s) using HTTPS (SSL) over port 443. Outbound traffic on this protocol and port is typically permitted by most organizations' firewall configurations, so the connection flows without changes. If an organization does not allow SSL traffic for some reason, SecureWithin™ can carry communications to the metadata service and the external gateway over port 80 with the HTTP payload encrypted (the payload is protected, but HTTP headers and request metadata are then visible to intermediaries).

A set of persistent connections is established from the internal gateway to the external gateway. The external gateway listens on TCP/IP ports defined by the customer. When defining how endpoints appear to external clients, the customer may specify the exact port number, service name and host name. To Internet clients, the exposed endpoint on the external gateway looks exactly like the internal endpoint it fronts or, if a transformation was specified, looks completely different.

The external gateway receives its configuration data by contacting (on a configurable periodic basis) the Bitkoo metadata service. It too authenticates itself to the metadata service using X.509 certificates.

Internally, as calls arrive from Internet clients at the external gateway, they are queued in memory and pulled by the internal gateway over the persistent SSL connection it established earlier. The internal gateway evaluates each request against a set of security rules to ensure that the request is valid, non-malicious and legitimate. Note that because this evaluation happens on the internal gateway, a rejected request has already been pulled across the tunnel; it is discarded there and never reaches the endpoint. If a request passes the security validation step, it is optionally logged. Logging can be configured to record the entire request/response, just the request or the response, key elements of the request, only the origin and timestamp, etc.

Invalid requests are logged as well, with identical repeated requests logged intelligently so as to avoid exhausting the storage device. Algorithms are in place to defend against denial of service attacks and intrusion attempts: the software blocks subsequent requests from suspect clients. In addition, it alerts Bitkoo personnel and designated customer personnel of attacks in real time via multiple configurable channels (email, web services or SMS messages).

When a request is determined to be valid, the internal gateway calls the LAN-based endpoint using the appropriate credentials. The original request is optionally transformed. The optional transformation is defined as part of the customer-defined metadata.

Upon a response from the endpoint, depending on the type of endpoint and how the metadata was defined, the response is sent back to the external gateway over the already established channel; the external gateway correlates the response to the correct caller and returns it to the client. A transformation step can optionally occur at this stage as well and, as described before, transformations are defined in the customer-definable metadata.
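The request/response flow described above, as an added in-process model (this is example code written for this page, not Bitkoo's software). The channel between the two gateways is represented by direct method calls; in a real deployment `pull()` and `push_response()` would be the internal gateway's outbound HTTPS requests over its persistent connection. Endpoint names, client addresses and handlers are constructed for illustration. The point it demonstrates is the correlation table: the external gateway mints a request id for each queued call and uses it, not arrival order, to hand each response back to the right client.

```python
"""Added example (not Bitkoo's code): two-gateway reverse tunnel with
request/response correlation. Names and addresses are constructed."""
import queue
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelRequest:
    request_id: str      # correlation id minted by the external gateway
    client_addr: str     # the client waiting for the answer
    endpoint: str        # customer-defined external name of the service
    payload: bytes


class ExternalGateway:
    """Internet-facing half. It never opens a connection inward: it queues
    client requests and hands them to whoever pulls over the existing channel."""

    def __init__(self):
        self._pending = queue.Queue()   # requests not yet pulled by the internal gateway
        self._owner = {}                # request_id -> client_addr (correlation table)
        self._responses = {}            # request_id -> response bytes, until delivered

    def accept(self, client_addr, endpoint, payload):
        req = TunnelRequest(uuid.uuid4().hex, client_addr, endpoint, payload)
        self._owner[req.request_id] = client_addr
        self._pending.put(req)
        return req.request_id

    def pull(self, max_items=16):
        """Drain up to max_items queued requests for the internal gateway."""
        batch = []
        while len(batch) < max_items:
            try:
                batch.append(self._pending.get_nowait())
            except queue.Empty:
                break
        return batch

    def push_response(self, request_id, response):
        if request_id not in self._owner:
            raise KeyError("response for unknown or already-answered request")
        self._responses[request_id] = response

    def deliver(self, client_addr, request_id):
        """Hand the response to the client that made the request, or None if it
        is not ready yet. The owner check stops one client collecting another's reply."""
        if self._owner.get(request_id) != client_addr:
            raise PermissionError("request id does not belong to this client")
        response = self._responses.pop(request_id, None)
        if response is not None:
            del self._owner[request_id]
        return response


class InternalGateway:
    """LAN half. Connects outward, pulls work, calls the real endpoint and
    pushes the answer back tagged with the same request_id."""

    def __init__(self, external, endpoints):
        self.external = external
        self.endpoints = endpoints      # external name -> callable(payload) -> bytes

    def service_once(self):
        batch = self.external.pull()
        # Serve the batch in reverse on purpose: the correlation table, not the
        # arrival order, decides which client receives which response.
        for req in reversed(batch):
            handler = self.endpoints.get(req.endpoint)
            response = handler(req.payload) if handler else b"no such endpoint"
            self.external.push_response(req.request_id, response)
        return len(batch)


if __name__ == "__main__":
    ext = ExternalGateway()
    lan = InternalGateway(ext, {"hours": lambda _: b"Mon-Fri 09:00-17:00",
                                "echo": lambda p: p.upper()})
    a = ext.accept("203.0.113.5", "hours", b"")
    b = ext.accept("198.51.100.9", "echo", b"ping")
    lan.service_once()
    print(ext.deliver("203.0.113.5", a), ext.deliver("198.51.100.9", b))
```

The model keeps the security-relevant property of the design visible: nothing in `InternalGateway` ever listens, and every response is keyed to the client that asked for it, so a mix-up in the external gateway's table would be a cross-client data leak rather than a mere ordering bug.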

In summary, the SecureWithin™ architecture extends the internal network to the Internet (or other networks) by marshalling all requests and responses through the existing firewall on well-known, already-permitted outbound ports, without reconfiguring or poking holes in the firewall. The practical consequence is that the external gateway and the rules configured for it, rather than the firewall, become the point at which Internet traffic is admitted, so their configuration carries the security weight. The gateways' request handling is designed for both security and high throughput.

This was a 30,000-foot view of the SecureWithin™ architecture. The sections below provide more detailed information about various aspects of the product.

High performance

Different endpoints behave differently depending on the protocol being used and other factors. SecureWithin™ uses numerous algorithms to optimize the performance, availability and throughput of its exposed endpoints. For example, in applications where a persistent connection must be maintained between a client and a service, such as streaming audio or video, SecureWithin™ tunnels the client and server via SSL after the initial connection has been established from within the internal network to the external gateway.

Security

The SecureWithin™ software allows organizations to expose services and applications (endpoints) to the Internet. Endpoints may have built-in security that customers wish to leverage, for example an intranet web application using Windows® authentication against Active Directory, or a set of web services protected by Netegrity's SiteMinder® or TransactionMinder®. Organizations that need to reuse existing internal security mechanisms without duplicating their security infrastructure to the Internet (i.e. deploying Active Directory or another LDAP directory in a DMZ server farm) can breathe a sigh of relief: when users (human or machine) on the Internet call SecureWithin™-exposed endpoints, they must present the applicable credentials, which are passed through to the internal endpoint, and authentication and authorization remain controlled by the internal application. In other cases, organizations may have insecure endpoints, or may decide that an extra degree of protection on top of their internal controls is warranted. For these requirements SecureWithin™ offers the following options:

1.      Client user id and password

2.      Client X.509 certificate

3.      Two-factor authentication using third-party devices such as RSA SecurID®

4.      Custom authentication tokens for clients with non-standard authentication mechanisms

5.      Biometric scan device integration for fingerprint, retina scan and other biometric devices

6.      Kerberos

7.      Windows NTLM

8.      Siteminder tokens

These authentication methods may be combined, required or made optional in order to allow or deny access to particular endpoints. For example, suppose an organization has two endpoints: one that provides the business's hours of operation (low sensitivity) and a second that provides employees' social security numbers (high sensitivity). An administrator can specify that for the first endpoint Windows authentication is sufficient, but that for the second a caller must be a specific Windows user and must also possess an issued X.509 certificate corresponding to a certain public key. This illustrates a single use case; the product can support countless others to fit the exact demands of the situation. Reporting lets auditors and other authorized personnel see which endpoints require which degree of security.

Security rules also govern what constitutes a valid request and what is suspect and hence blocked. For any protocol, an authorized administrative user may specify the valid range of data for every field, parameter, cookie, etc. By enforcing these declared sizes and ranges, SecureWithin™ can distinguish a valid request from a buffer overflow attempt or other hacking/suspect activity.

Rules control various aspects of requests such as:

  • How many requests a client can send within a given time period
  • After how many failed authentications to block a client
  • The minimum and maximum total size of a request
  • What schema a request must comply with
  • The minimum and maximum size of individual data elements within a request
  • What values are allowed within individual elements of a request
  • What specific IP addresses or ranges of IP addresses are allowed to call certain endpoints
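The per-endpoint policy combination from the hours/social-security-number example above, together with the request rules just listed, as an added example (example code written for this page, not Bitkoo's rule engine). The endpoint names, network ranges, user names and the certificate fingerprint are all constructed; the clock is injectable so the rate-limit window can be stepped deterministically.

```python
"""Added example (not Bitkoo's code): a per-endpoint rule engine of the kind the
paper describes. Endpoint names, networks, user names and the certificate
fingerprint below are constructed for illustration."""
import ipaddress
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    client_ip: str
    endpoint: str
    body: bytes = b""
    fields: dict = field(default_factory=dict)   # parsed parameters, cookies, form fields
    windows_user: Optional[str] = None           # principal named by the presented credentials
    auth_ok: bool = False                        # True if those credentials verified (Kerberos, NTLM, ...)
    cert_fingerprint: Optional[str] = None       # fingerprint of the client X.509 cert, if any


@dataclass
class EndpointPolicy:
    allowed_networks: tuple = ()                 # CIDR strings; empty means any source address
    max_requests: int = 100                      # per client IP per window
    window_seconds: float = 60.0
    max_failed_auth: int = 3                     # consecutive failures before the client is blocked
    min_body: int = 0
    max_body: int = 64 * 1024
    field_limits: dict = field(default_factory=dict)    # field -> (min_len, max_len); min > 0 makes it mandatory
    allowed_values: dict = field(default_factory=dict)  # field -> set of permitted values
    required_user: Optional[str] = None          # None: any authenticated Windows user will do
    required_cert: Optional[str] = None          # None: no client certificate required


class RuleEngine:
    def __init__(self, policies, clock=time.monotonic):
        self.policies = policies                 # endpoint name -> EndpointPolicy
        self.clock = clock                       # injectable so tests can step time deterministically
        self._seen = defaultdict(deque)          # client_ip -> timestamps of recent requests
        self._failures = defaultdict(int)        # client_ip -> consecutive authentication failures
        self._blocked = set()

    def evaluate(self, req: Request):
        """Return (allowed, reason). Cheap per-client checks run first, so a
        blocked or rate-limited client never reaches schema or credential checks."""
        policy = self.policies.get(req.endpoint)
        if policy is None:
            return False, "unknown endpoint"
        if req.client_ip in self._blocked:
            return False, "client blocked after repeated authentication failures"
        ip = ipaddress.ip_address(req.client_ip)
        if policy.allowed_networks and not any(
                ip in ipaddress.ip_network(n) for n in policy.allowed_networks):
            return False, "source address not allowed for this endpoint"
        now = self.clock()
        recent = self._seen[req.client_ip]
        while recent and now - recent[0] > policy.window_seconds:
            recent.popleft()
        if len(recent) >= policy.max_requests:
            return False, "rate limit exceeded"
        recent.append(now)                       # rejected requests still count toward the limit
        if not policy.min_body <= len(req.body) <= policy.max_body:
            return False, "request size outside policy"
        for name, (lo, hi) in policy.field_limits.items():
            if not lo <= len(req.fields.get(name, "")) <= hi:
                return False, f"field {name!r} length outside [{lo}, {hi}]"
        for name, permitted in policy.allowed_values.items():
            if name in req.fields and req.fields[name] not in permitted:
                return False, f"field {name!r} has a value outside the allowed set"
        if not req.auth_ok:
            self._failures[req.client_ip] += 1
            if self._failures[req.client_ip] >= policy.max_failed_auth:
                self._blocked.add(req.client_ip)
            return False, "authentication failed"
        self._failures[req.client_ip] = 0
        if policy.required_user and req.windows_user != policy.required_user:
            return False, "endpoint restricted to a specific Windows user"
        if policy.required_cert and req.cert_fingerprint != policy.required_cert:
            return False, "endpoint requires a specific client certificate"
        return True, "ok"


# Constructed policies mirroring the paper's two-endpoint example.
HR_CERT = "sha256:" + "ab" * 32                  # placeholder fingerprint, not a real certificate
POLICIES = {
    "hours": EndpointPolicy(max_requests=5, field_limits={"location": (1, 32)}),
    "employee-ssn": EndpointPolicy(allowed_networks=("203.0.113.0/24",), max_body=4096,
                                   field_limits={"employee_id": (6, 6)},
                                   allowed_values={"format": {"json", "xml"}},
                                   required_user="CORP\\hr-admin", required_cert=HR_CERT),
}

if __name__ == "__main__":
    engine = RuleEngine(POLICIES)
    print(engine.evaluate(Request("198.51.100.7", "hours", fields={"location": "LA"},
                                  windows_user="CORP\\jdoe", auth_ok=True)))
    print(engine.evaluate(Request("198.51.100.7", "employee-ssn", fields={"employee_id": "123456"},
                                  windows_user="CORP\\jdoe", auth_ok=True)))
```

Two design choices worth noting: a request rejected for size or schema still consumes rate-limit budget, so a client hammering the gateway with malformed input is throttled like any other; and the failed-authentication counter is reset only by a successful authentication, so a slow guess-and-retry sequence still trips the lockout.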

Any endpoint

Bitkoo's SecureWithin™ can securely expose:

  1. Web Services hosted on any platform (SOAP and REST)
  2. Web Applications hosted on any platform (HTTP/HTTPS); web applications may include streaming audio and video, AJAX technology, Flash content, etc.
  3. Windows WCF Services (formerly known as Indigo)
  4. .NET Remoting (over any channel)
  5. DCOM
  6. Java RMI
  7. FTP, SFTP
  8. Telnet
  9. SMTP
  10. Exchange Server
  11. Active Directory
  12. SunOne LDAP directory
  13. CORBA based services
  14. SQL Database Server
  15. Oracle Database Server
  16. Sybase Database Server
  17. MySQL Database Server
  18. Any TCP/IP port and protocol
  19. Any UDP port and protocol

For raw TCP/UDP protocols such as directory, database or Telnet access, the gateway rules above are the only control that sits in front of the endpoint's own authentication (and Telnet carries credentials in plaintext), so source-address restrictions and gateway-level authentication should be treated as mandatory rather than optional for such endpoints.


Visit the author's web site: http://www.bitkoo.com
