Skyfire Application Security Gateway

As part of the terminal access system (TAS), Skyfire is an application security gateway based on the secure socket layer (SSL) protocol. It integrates communication technologies, pin technologies and modern authentication technologies, chiefly tunneling (the tunnel protocol) and security technologies.
 
 
1. Tunnel Protocol
  
The tunnel protocol is a key technology for building virtual private networks (VPNs). At the interface between the source local area network (LAN) and the public network, the tunnel protocol encapsulates data as the payload of a data format that can be transmitted across the public network. At the interface between the destination LAN and the public network, the tunnel protocol decapsulates the data and extracts the payload. The logical path that the encapsulated packets take across the Internet is called a "tunnel".
Skyfire adopts the tunnel protocol to set up a highly secure VPN. The tunnel protocol enables fine-grained access control: at the network layer, packets are permitted or rejected according to their source and destination IP addresses only. The tunnel protocol offers many control measures and can be used together with lower-layer protocols such as IPv4, IPsec, the point-to-point tunneling protocol (PPTP) and the layer 2 tunneling protocol (L2TP). A proxy server can be used to hide the network address structure. The tunnel protocol can offer a "plug-in" module for authentication, encryption and key management, so that users can freely adopt the technologies they need. It can also filter data flows according to rules, including Java applets and ActiveX controls. For these reasons, the tunnel protocol suits the client-server connection mode and is applicable to extranet VPNs and remote access VPNs.
 
2. Security Technologies
  
VPNs always communicate with other networks over the insecure Internet. Because the traffic may carry confidential enterprise data, the security of a VPN is of vital importance. Security technologies for VPNs normally include encryption, authentication, and key exchange and management. Authentication technologies are mainly used to prevent forgery and tampering of data. A "digest" ("abstract") technique is commonly used for authentication: a hash function maps a long message to a short digest, and by the properties of the hash function it is practically impossible to find two messages with the same digest. The digest technique can therefore be used for data integrity authentication and user authentication in VPNs. Encryption technologies adopted for VPNs include the data encryption standard (DES) and triple DES (3DES). For key exchange and management, key distribution and management are very important. Two methods are commonly used for key distribution: manual configuration, and dynamic distribution by a key exchange protocol. Manual configuration is only applicable to simple networks, because keys can hardly be updated that way. A key exchange protocol generates keys dynamically in software and is applicable to complex networks; it allows keys to be updated quickly and greatly improves VPN security.
 
Skyfire offers application layer-based access control. It provides data encryption, integrity checking and authentication mechanisms. The Skyfire client requires no software installation and is easy to configure and manage. Skyfire is suitable for secure access by remote users.
 
The SSL protocol is a security protocol used by Web applications. It specifies the security mechanism for data exchange between application protocols (for example HTTP, Telnet and FTP) and the TCP/IP protocol, and provides TCP/IP connections with data encryption, server authentication and optional client authentication.
 
  
The SSL protocol comprises the SSL record protocol, the handshake protocol, the key exchange (change cipher spec) protocol and the alarm (alert) protocol. Together these provide authentication, encryption and tamper-resistance for application access connections. The SSL handshake protocol is mainly used for mutual authentication between the server and the client; it also negotiates the encryption algorithm and the message authentication code (MAC) algorithm and generates the encryption keys used by the SSL record protocol.
The SSL record protocol provides basic security services to higher-layer protocols. It works as follows: each application message is divided into manageable data blocks, the data is compressed, and a MAC is generated; the blocks and the MAC are encrypted, a new header is added, and the whole is transmitted over the transmission control protocol (TCP). The receiving end decrypts the received data, verifies the MAC, decompresses and reassembles the data, and finally hands it to the higher-layer application. The SSL key exchange protocol consists of a single message; it copies the pending state into the current state, updating the key set used for the current connection. The SSL alarm protocol transmits SSL-related information to the peer; alarms are classified into three levels: warnings, major alarms and critical alarms.
 
Workflow of the handshake protocol
1) The SSL client sets up a TCP connection and sends the ClientHello message to initiate a handshake;
 
2) The SSL server responds with a ServerHello message;
 
3) After these two steps, the protocol version, session identifier, compression method and encryption algorithm for the current communication are determined;
 
4) If the client requests authentication, the server sends its certificate to prove its identity, together with the ServerKeyExchange message. If the server requests authentication, it sends a CertificateRequest message to the client;
 
5) The server sends the ServerHelloDone message, indicating that the Hello phase of the handshake negotiation is complete;
 
6) Upon receiving the CertificateRequest message from the server, the client responds with its Certificate message and also sends the ClientKeyExchange message;
 
7) The client sends the ChangeCipherSpec and Finished messages;
 
8) The server sends the ChangeCipherSpec and Finished messages.
 
The SSL handshake is now complete. The two communicating parties have agreed on the session key and start sending application-layer data.
 
As an application-layer protocol, SSL adopts the public key mechanism and X.509 digital certificates to protect the integrity and confidentiality of transmitted information. SSL security has three components: authentication (on both sides of the connection: either the server is authenticated, or both the server and the client); encryption (communication is encrypted, so only the two encrypting parties can exchange information and identify each other); and integrity checking (message contents are checked so that tampering is detected).
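The handshake steps and the "server only, or server and client" authentication choice described above, exercised end to end as an added example (not part of the original page and not Skyfire's code) using Go's standard crypto/tls: a gateway and a remote user run one TLS 1.2 handshake over loopback with throwaway self-signed certificates, so that server authentication (step 4), optional client authentication (steps 4 and 6) and the rejection of a server whose certificate the client has no trust anchor for can all be observed. The names gateway.example and user.example are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed Ed25519 certificate for name (constructed test material, not a real CA).
func selfSigned(name string) tls.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

var gateway, user = selfSigned("gateway.example"), selfSigned("user.example") // server and remote-client certificates (constructed)
// Handshake runs one TLS 1.2 handshake over loopback TCP and returns the negotiated version. trusted is the client's only trust
// anchor (pass user instead of gateway and step 4 fails); clientAuth makes the server send CertificateRequest and verify the
// client certificate (steps 4 and 6). A TLS 1.2 server sends Finished only after that check, so a client-side error covers both sides.
func Handshake(trusted tls.Certificate, clientAuth tls.ClientAuthType) (uint16, error) {
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(user.Leaf)
	rootCAs.AddCert(trusted.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{gateway}, ClientCAs: clientCAs, ClientAuth: clientAuth, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: rootCAs, ServerName: "gateway.example", Certificates: []tls.Certificate{user}}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() { // server side: ServerHello, Certificate, [CertificateRequest], ServerHelloDone, ..., Finished (MaxVersion pins TLS 1.2)
		if c, err := ln.Accept(); err == nil {
			tls.Server(c, srvCfg).Handshake()
			c.Close()
		}
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // client side: ClientHello, ..., ClientKeyExchange, ChangeCipherSpec, Finished
	if err != nil {
		return 0, err // e.g. "x509: certificate signed by unknown authority" when trusted is not the gateway certificate
	}
	defer client.Close()
	return client.ConnectionState().Version, nil
}
```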
 
3. Technical Features of Skyfire
 
Skyfire works between the application layer, based on the hypertext transfer protocol (HTTP), and the TCP layer. It is suitable for secure access by remote, distributed mobile users.
 
 
Direct Topology of Skyfire
 
● Security
 
• Supports a wide range of authentication modes, including UKey, X.509, the authentication system of the National Cipher Management Committee Office, LDAP, RADIUS, Windows NT Domain, Active Directory, UNIX NIS, and two-factor authentication (including ActivCard and ActivPack);
 
• Integrated management, supporting Web and client/server application programs and server authorization;
 
• A TCP port is used to receive all communication traffic, which guarantees network security;
 
• The administrator can configure physical random-ID information for remote equipment requesting access;
 
● Application support
 
• Web protocols: HTML/DHTML, HTTP/HTTPS and VB description language;
 
• File protocols: Windows/CIFS and UNIX/NFS;
• Client/server application programs: Windows applications and UNIX software from IBM/Sun;
• Standard e-mail protocols: SMTP, POP and IMAP;
• Remote control via VNC: the administrator can remotely control and manage remote equipment;
• Compatible with most technologies and products;
 
● Manageability
 
• Simple and quick configuration
    No installation, configuration or setup of application software is needed;
    No change to network resource configurations is needed;
    No change to the network address structure is needed;
    No problems with network structure or compatibility with the customer's operating system;
 
• Status monitoring
    Supports the simple network management protocol (SNMP);
 
• Audit reports
    Supports audit reports on user events, application programs, time and incidents;
• Recording for remote support and adjustment;
 
● High reliability
 
• Supports load balancing across up to 16 devices

Copyright 2009 by E.Mation Technologies