DCOM Explained
by Rosemary Rock-Evans, Digital Press, ISBN: 1555582168, Pub Date: 09/01/98
To decide which mechanisms we should use to protect ourselves, we need to take a first step and decide which services or functions we need. There are six main functions used to protect the distributed application from the risks I have described.
Two further services also exist: the guaranteed delivery service described earlier in the chapter on MSMQ, and the error reporting services we looked at in an earlier chapter on Communication services. I will add a short note on these to show how they are relevant to the security area.
Authentication-This mechanism ensures that the process or user requesting access to a system is the process or user it claims to be. Authentication is thus a test of proof of identity, a particularly difficult service to implement in distributed applications, especially if they also operate across the Internet. The principals in a transaction must be able to prove who they are, whether they are outside or inside the organization. Ideally, authentication should be bilateral: the client should know who the server is, and the server must know who the client is.
Theoretically, the user should be authenticated each time a new message is sent from that same user, but in practice, once the process has been authenticated, most authentication services issue the user or process with a code or ticket that can be used for the duration of processing. The ticket is attached to the messages within the conversation so that authentication does not have to be repeated over and over again. This ticket has a lifetime, to avoid other users attaching themselves to the network on the same ticket.
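As an added illustration (not code from the book), a minimal ticket service in Python: the server seals the principal's name and an expiry time with an HMAC when it issues the ticket, and every later message's ticket is checked for both a genuine seal and an unexpired lifetime. The key, the lifetime and the claim names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret and lifetime; both are assumptions for the demo.
TICKET_KEY = b"constructed-demo-ticket-key"
TICKET_LIFETIME = 300.0          # seconds a ticket stays valid after issue
TAG_LEN = hashlib.sha256().digest_size


def issue_ticket(principal: str, now: Optional[float] = None) -> str:
    """Issue a ticket to a principal that has just been authenticated.
    The claims (who, and until when) are sealed with an HMAC so the holder
    cannot change the name or extend the lifetime."""
    now = time.time() if now is None else now
    body = json.dumps({"principal": principal, "expires": now + TICKET_LIFETIME},
                      sort_keys=True).encode()
    tag = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def check_ticket(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Check the ticket attached to an incoming message. Returns the principal
    name when the seal is genuine and the lifetime has not run out, else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except ValueError:
        return None                                # not even well-formed
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(TICKET_KEY, body, hashlib.sha256).digest()):
        return None                                # forged or altered ticket
    claims = json.loads(body)
    if now >= claims["expires"]:
        return None                                # lifetime exhausted; re-authenticate
    return claims["principal"]


def altered_copy(ticket: str, principal: str) -> str:
    """A copy of a ticket whose principal has been changed but whose original
    seal is kept: what a ticket altered in transit looks like to check_ticket."""
    raw = base64.urlsafe_b64decode(ticket.encode())
    claims = json.loads(raw[:-TAG_LEN])
    claims["principal"] = principal
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body + raw[-TAG_LEN:]).decode()
```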
Authorization-A service which ensures that the user or process, once it has proved it is authentic, is allowed to request the specific service or resource it has asked for. Thus, authorization establishes whether an authenticated principal is entitled to use a service (application) or to access defined information.
Privacy-This service aims to protect the confidentiality of data en route or on file. In practice this is achieved by encryption. Encryption is a way of encoding data that makes it unintelligible to any casual browser of the system using normal tools. The data is encrypted and decrypted by special-purpose secure routines. Encryption methods include:
Integrity checking-Where a message has to be divided into blocks for transmission, or even when only one block is sent, a check is needed to ensure the information has not been changed in transmission. It is important to understand that network software does not necessarily do this for you (it depends on the network software). Since distributed applications are designed to run across many network protocols, the developer has to assume the worst: that at least one of the network software products being used won't do integrity checking.
Nonrepudiation-Works at the level of an individual message, once the principal has been authorized and authenticated. Nonrepudiation provides a means of authenticating each message, protecting against the forging of a message or the denial of transmission or receipt of a message. This capability is especially important for electronic commerce. It ensures, for example, that a user cannot deny the transmission of a commercial transaction (an order, for example) or the receipt of goods.
Audit-Whereas the other functions in this list are preventive measures designed to stop abuse before it actually happens, audit is aimed at detecting any abuse that has slipped through the net. Audit is thus a monitoring activity. The subfunctions of audit include the collection of all transmission data (not just alarms), the storage of that data, functions to help in its analysis, and functions to help in archiving it.
Guaranteed delivery and error reporting-We saw that, in general, a middleware product can either report the nondelivery of a message, using error reporting, or provide services which actually help to guarantee delivery. What I did not explain is why these services are needed at all. Most network software provides a best-effort delivery service. TCP/IP and the IP protocol are not designed, for example, to guarantee quality of service. The network will do its best to deliver the packet, but if the packet is lost en route, it is lost. There is a reason for this in a product like TCP/IP.
TCP/IP divides the message the sender gives it into packets, which then follow logical rather than physical paths through the network. The service is connectionless; in other words, the network ignores which pairs of end systems have entered into the communication. Each machine forwards the packet using information in the packet's header until it reaches its final destination. No acknowledgments of receipt are sent to the sender when a packet is received. It is relatively easy to intercept packets as they pass through a machine en route to their destination and remove them, alter their address (all it needs is a change to the header), alter their contents, and so on. Network software therefore does not provide any protection against the sorts of risks we saw were associated with data en route; hence the need for services in the middleware.
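An added Python example (not from the book) of the integrity check the middleware must supply when a message is divided into blocks, covering both the integrity checking function described above and the en-route risks just listed: each block's MAC covers its header as well as its payload, so the receiver detects changed contents, a re-addressed or re-sequenced block, and blocks removed en route. The shared key and the header layout are assumptions for the demo.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed shared key; in practice it is agreed between the two principals
# during authentication. Key and header layout are assumptions for the demo.
INTEGRITY_KEY = b"constructed-demo-integrity-key"
BLOCK_SIZE = 16


def _seal(header: bytes, payload: bytes) -> str:
    """MAC over header and payload, length-prefixed so the boundary is unambiguous."""
    data = len(header).to_bytes(2, "big") + header + payload
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).hexdigest()


def make_blocks(message: bytes, sender: str, receiver: str, msg_id: int) -> List[Dict]:
    """Divide a message into blocks, each with a header (sender, receiver,
    message id, sequence number, block count) and a MAC over header and payload.
    Because the header is covered too, re-addressing or re-ordering a block is
    detected as readily as changing its contents."""
    chunks = [message[i:i + BLOCK_SIZE] for i in range(0, len(message), BLOCK_SIZE)] or [b""]
    blocks = []
    for seq, payload in enumerate(chunks):
        header = f"{sender}|{receiver}|{msg_id}|{seq}|{len(chunks)}".encode()
        blocks.append({"header": header, "payload": payload, "tag": _seal(header, payload)})
    return blocks


def reassemble(blocks: List[Dict], me: str) -> Tuple[Optional[bytes], str]:
    """Check every received block and rebuild the message.
    Returns (message, "ok"), or (None, reason) when a check fails."""
    if not blocks:
        return None, "nothing received"
    pieces: Dict[int, bytes] = {}
    ids, count = set(), 0
    for b in blocks:
        if not hmac.compare_digest(b["tag"], _seal(b["header"], b["payload"])):
            return None, "altered block"           # header or contents changed en route
        _sender, receiver, msg_id, seq, total = b["header"].decode().split("|")
        if receiver != me:
            return None, "block addressed to someone else"
        ids.add(msg_id)
        count = int(total)
        pieces[int(seq)] = b["payload"]
    if len(ids) != 1:
        return None, "blocks from different messages"
    if sorted(pieces) != list(range(count)):
        return None, "blocks missing"              # lost or removed en route
    return b"".join(pieces[i] for i in range(count)), "ok"
```

Blocks arriving out of order still reassemble, because the sequence number is part of the sealed header rather than inferred from arrival order.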
Functions and risks
Which functions protect against which risks? The table below suggests which services are used to protect against which risks.
As you can see, authentication and authorization services are always used together to protect against unauthorized access to services or data on a machine, whereas encryption and integrity checking are the primary services for ensuring the message is transported across the network without interference, coupled with the error reporting and guaranteed delivery services we have already described.
Remember that the applications and data I include in this table could be not only business applications but also systems software and vendor-provided software. So, for example, we could have protection for Web servers (an application) and for the pages on the Web server (data), probably defined at the page level.