Our CEO, Klaus Brandstätter, explains in detail how the HOB Web Secure Proxy functions and how it differs from the architecture of the Apache Web Server. While the Apache Web Server (httpd) was designed to only manage short-living half-duplex Web transactions, the HOB WebSecureProxy is capable of handling long-living full-duplex VPN connections.
1. The Apache Web Server
The Apache Web Server was originally created in 1995. It was based on and derived from the earlier NCSA server, written by the National Center for Supercomputing Applications (which also developed the Mosaic browser, predecessor to most of today's browsers, with a direct line to Netscape and Mozilla, and considerable influence over others, including MSIE). The first production server under the Apache name was version 1.0.0, released in December 1995.
The Apache Web Server is developed in the C programming language.
The Apache Web Server (httpd) consists of different modules which are loaded at start time. These modules are DLLs (dynamic-link libraries) or shared objects (.so). Since httpd version 2.0, most of these modules need certain load points defined through the precompiler macro AP_MODULE_DECLARE_DATA.
The original World-Wide-Web worked as follows:
The client (the browser) creates a TCP connection to the Web server and sends an HTTP request. In the HTTP request, the URL (Uniform Resource Locator) contains the path and file name on the disk of the Web server. The Web server simply reads the file from disk, puts an HTTP header in front of the content, and sends all of this back to the client. In this form, HTTP is half-duplex: the client sends a request and the server sends the response. The Apache Web Server was built from the ground up for these short-lived half-duplex requests.
The memory management of the Apache Web Server is based on pools. Components of the Apache Web Server (modules) get memory from one of the pools, but there is no explicit "free" call to give an individual allocation back. Instead, at certain points the memory of a complete pool is freed at once. The pool with the shortest lifetime is the one associated with the request; a request lives from the time the server has received the HTTP header from the client until the time the server has completely sent the response to the client. During the lifetime of a single request, memory is not freed.
For the Apache Web Server, there are several choices of Multi-Processing Module (MPM). Unix systems did not have threads for a long time; only within the last few years have threads become available in Unix systems. So the original Apache Web Server used (forked) processes for processing parallel HTTP requests, and for the lifetime of an HTTP request the same process was used. This was common practice in Unix, and the Apache MPM prefork works this way. As fork() never existed on Windows, the Apache Web Server used threads on Windows.
Newer Apache MPMs also support threads on Unix.
When the Apache Web Server (httpd) processes long-running Web transactions, a process or thread stays in use for each of these long-running transactions (connections). This means that the operating system (Unix / Linux / Windows) has to handle a large number of processes or threads, which causes considerable overhead.
When multiple processes are used by the Apache Web Server (httpd), these processes need to communicate with each other, so-called inter-process communication (IPC). Shared memory and mutexes are used. In the older Unix systems, shared memory was always backed by a disk file, so when bytes in the shared memory were changed, slow disk accesses were required.
The kernel also needs to get involved in inter-process communication, and context switches are necessary. This results in an additional performance penalty that would be avoided if a single process were used.
Overall, using multiple processes for an advanced server means quite some overhead.
For server applications, the memory subsystem is an important design point. Copying data also means high CPU usage. With Apache httpd 2.0, the concept of filters and bucket brigades was introduced. By using bucket brigades, copying of memory can be avoided in many places.
The complete Apache Web Server (httpd) version 2.4.x, with all the modules distributed by the Apache Software Foundation (ASF), consists of something between 500 and 600 thousand lines of code.
Newer requirements, which implement a Rich Client over the public Internet, require full-duplex communication. For this full-duplex communication, WebSockets were created and implemented. But this full-duplex communication does not fit the concepts of the Apache Web Server, especially not its memory management and its process and thread handling.
When the Apache Web Server is used with SSL (HTTPS), mostly mod_ssl is used. mod_ssl includes OpenSSL.
HOB has developed mod_hob_ssl for the Apache Web Server. mod_hob_ssl includes the highly secure HOB-SSL. mod_hob_ssl can be used in Linux Apache Web Servers, starting from version 2.0. mod_hob_ssl replaces mod_ssl. mod_hob_ssl is closed-source, not open-source.
2. The HOB WebSecureProxy (WSP)
Development of the HOB WebSecureProxy (WSP) started in the year 2000. The first versions of the WSP were used for 3270 (IBM mainframes) and RDP (Microsoft Remote Desktop Protocol for WTS = Windows Terminal Servers).
Before HOB developed the WSP, HOB had developed HOBCOM, an IBM mainframe application, starting in 1982. HOBCOM was made for Rich Clients, meaning full-duplex communication over SNA (IBM Systems Network Architecture). HOBCOM was already made to manage terminals and printers, also providing HOBTEXT, word processing on the IBM mainframe. HOBCOM was able to handle hundreds or even thousands of devices connected in parallel.
HOB learnt techniques for handling multiple clients from the IBM transaction managers CICS (Customer Information Control System) or IMS (Information Management System). CICS and IMS are still widely in use.
So HOB uses the concept of a transaction manager in HOBCOM and also in the newer WSP (WebSecureProxy). CICS and IMS are also made for half-duplex communication, so HOB changed parts of the concept for full-duplex communication.
The WSP is mostly built around non-blocking APIs. In the WSP, there is a variable number of networking threads. These networking threads handle sockets for listening, TCP sessions or UDP. One networking thread handles n sockets, for example 60. So, when a client has no associated server over TCP, one networking thread handles around 60 clients when n is 60. When the WSP session with the client also has a TCP connection with a server, each session occupies two sockets, so one networking thread handles around 30 clients (when n is 60).
The APIs in Unix would permit these networking threads to handle more sockets, but then the networking threads could become a bottleneck (since a thread can run only on a single CPU core), and for the user the solution would become less responsive.
When there is a networking event, or any other event, for a certain WSP session with a client, a work thread (some call it a worker) is scheduled and processes what needs to be done. Once those instructions are finished, the work thread is released and waits for events from other WSP sessions with clients.
As the work threads always use a CPU core and never wait on blocking APIs, the number of work threads configured for the WSP should match the number of CPU cores in the server.
When all work threads are busy and there is more work to do, the work goes into a backlog and is processed as soon as one of the work threads becomes free.
Usage of the memory subsystem is an important design point for big applications. In the WSP, there are buffers of a certain fixed size which are used as networking buffers and also for intermediate data. These buffers are called work areas. Work areas are acquired from the C library (malloc()) but are not freed after use (which is mostly short). Instead, the WSP recycles them, so when a work area is needed, the caller mostly gets a recycled work area of fixed size. WSP sessions use these work areas, and when the work is done (the processing of a single event), a small garbage collector, running in the context of a single WSP session, returns the work areas that are no longer used for recycling.
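The work-area scheme described above, as an added example in C that is not HOB's code: fixed-size buffers are malloc()ed once, kept on a free list, and handed back by a per-session sweep after an event. The size, the names and the counters are assumptions; the scrub on recycling is the check a reviewer would ask for, because a buffer that carried one session's decrypted data must not reach the next session with that data still in it.

```c
/* Added example (not HOB's code): fixed-size work areas, recycled through a
 * free list, with a per-session sweep that returns them.  Names invented. */
#include <stdlib.h>
#include <string.h>

#define WORK_AREA_SIZE 4096      /* assumed fixed size; the text gives none */

struct work_area {
    struct work_area *next;      /* link in the free list or a session's list */
    int in_use;
    unsigned char data[WORK_AREA_SIZE];
};

/* Global recycling pool plus counters so the behaviour can be observed. */
static struct work_area *free_list = NULL;
static size_t malloc_count = 0;  /* how often malloc() was really called */
static size_t recycle_count = 0; /* how often a recycled area was handed out */

struct wsp_session {
    struct work_area *owned;     /* areas acquired while handling an event */
};

/* Hand out a recycled area if one exists, otherwise malloc() a new one. */
struct work_area *work_area_acquire(struct wsp_session *s)
{
    struct work_area *wa = free_list;
    if (wa) {
        free_list = wa->next;
        recycle_count++;
    } else {
        wa = malloc(sizeof *wa);
        if (!wa) return NULL;
        malloc_count++;
    }
    wa->in_use = 1;
    wa->next = s->owned;
    s->owned = wa;
    return wa;
}

/* The caller only marks an area finished; the session sweep recycles it. */
void work_area_done(struct work_area *wa) { wa->in_use = 0; }

/* Per-session "garbage collector", run after one event has been processed.
 * Areas still in use stay with the session; finished ones are scrubbed and
 * pushed onto the free list.  The memset is the defender's caveat: without
 * it a recycled buffer carries one session's plaintext into another.
 * Returns the number of areas recycled. */
size_t session_gc(struct wsp_session *s)
{
    struct work_area **pp = &s->owned;
    size_t recycled = 0;
    while (*pp) {
        struct work_area *wa = *pp;
        if (wa->in_use) {
            pp = &wa->next;
            continue;
        }
        *pp = wa->next;                      /* unlink from the session */
        memset(wa->data, 0, sizeof wa->data); /* scrub before reuse */
        wa->next = free_list;
        free_list = wa;
        recycled++;
    }
    return recycled;
}

size_t work_area_malloc_count(void) { return malloc_count; }
size_t work_area_recycle_count(void) { return recycle_count; }

/* Two sessions, one event each: session A finishes one of two areas, the
 * sweep recycles exactly that one, and session B receives it scrubbed.
 * Returns 1 when every step behaves as described, 0 otherwise. */
int demo_recycling(void)
{
    struct wsp_session a = { NULL }, b = { NULL };
    struct work_area *w1 = work_area_acquire(&a);
    struct work_area *w2 = work_area_acquire(&a);
    if (!w1 || !w2) return 0;
    memcpy(w1->data, "secret-from-session-a", 22);  /* constructed payload */
    work_area_done(w1);                  /* w2 stays in use */
    if (session_gc(&a) != 1) return 0;   /* only w1 is recycled */

    struct work_area *w3 = work_area_acquire(&b);
    if (w3 != w1) return 0;              /* B got the recycled area ... */
    if (w3->data[0] != 0) return 0;      /* ... and it had been scrubbed */
    return 1;
}
```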
The WSP uses lock-free queues, something that can only be programmed in Assembler language.
The WSP uses gathers, similar to the Apache bucket brigade, to avoid frequent copying of data. When gathers are used, input data (or data after SSL decryption) can be sent directly to the server without being copied.
The WSP maintains end-to-end flow control for all types of sessions (TCP or other) through the WSP.
The WSP always, or mostly, works with SSL connections: SSL on the server side and sometimes also SSL on the client side. The WSP is not made for a specific protocol like HTTP. But as a base functionality, the WSP knows the protocol going through the SSL tunnel, such as RDP, 3270, HOB-PPP-T1, SSTP or HTTP.
There is the base WSP and, as the WSP follows the concept of a transaction program manager (TPM), there are different kinds of external components. These external components are DLLs or shared objects (.so), loaded when the WSP is started. One type of these external components is called Server-Data-Hook, or SDH for short. An SDH follows a similar concept to the Apache filter. Another important component is the Authentication Library.
When there is an incoming TCP connection to the WSP, after the SSL handshake the client sends something that defines the protocol used inside the SSL tunnel. This protocol may be HTTP, but it may also be any other protocol. With the WSP, when, for example, RDP for Windows Terminal Servers is tunneled through SSL, no HTTP is involved at all. Inside the SSL tunnel there is just plain RDP, meaning no additional overhead.
To find out the protocol, and to determine what the WSP does for a certain client, mostly an extended version of the SOCKS 5 protocol is used. The client sends the protocol, and authentication and selection of the server take place over the WSM protocol (WebSecureProxy socks mode). No HTTP or HTML is involved.
That the client first sends the protocol is very important, since a client that uses the RDP protocol (for Windows Terminal Servers) cannot connect to an IBM mainframe, which normally uses the telnet 3270 protocol.
The basic WSP supports authentication against:
- configured users
Authentication against SAML is in the pipeline. The Authentication Library or a Server-Data-Hook uses the authentication support built into the basic WSP. The WSP supports multitenancy, meaning the users can be organized in groups, and each group can authenticate differently. Any number of Radius servers, LDAP servers or KDCs (Kerberos Key Distribution Centers) can be configured and are supported. The WSP also supports any number of input points (called "connection" in the XML configuration), meaning an Internet address and associated TCP ports (normally 80 and 443), each with certificates for SSL. At this moment the configuration tool (WSP-GUI) is limited here, but the configuration can still be done by manual XML configuration.
On Unix (including Linux), the WSP needs to call APIs which require superuser rights. This includes bind and listen for well-known ports like 80 and 443. For the WSP on Unix, there is therefore a so-called Listen-Gateway. The WSP is connected to the Listen-Gateway over Unix-domain sockets and sends it commands for the special APIs which require superuser rights. The communication is encrypted and protected against replay attacks. Only the small Listen-Gateway needs to run with superuser rights, so the WSP itself can run without superuser rights and is more secure.
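The privilege-separation pattern behind the Listen-Gateway, as an added example in C that is not HOB's code: the part that would run as root binds the port and passes the listening socket to the unprivileged proxy over a Unix-domain socket with SCM_RIGHTS. Both sides run here in one process over a socketpair(), 127.0.0.1 port 0 stands in for port 443 so it runs unprivileged, and the request format, the function names and the port check are assumptions; the encrypted, replay-protected command channel the text mentions is out of scope.

```c
/* Added example (not HOB's code): a root helper hands a listening socket to
 * an unprivileged proxy over a Unix-domain socket.  Names are invented. */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>

struct listen_request { uint16_t port; };  /* single command: listen on port */

/* Reply is one status byte; a listening fd rides along as ancillary data. */
static int send_reply(int chan, char status, int fd)
{
    struct iovec iov = { &status, 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    if (fd >= 0) {
        memset(cbuf, 0, sizeof cbuf);
        msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
        struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
        cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &fd, sizeof fd);
    }
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Gateway side: the only part that needs root in a real deployment.
 * Returns 0 if a listening socket was handed over, -1 otherwise. */
int gateway_serve_listen(int chan)
{
    struct listen_request req;
    if (read(chan, &req, sizeof req) != (ssize_t)sizeof req) return -1;
    /* Least privilege: only do what the proxy cannot do itself, i.e. bind a
     * privileged port (< 1024).  Anything else is refused (assumed rule). */
    if (req.port >= 1024) { send_reply(chan, 0, -1); return -1; }

    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) { send_reply(chan, 0, -1); return -1; }
    struct sockaddr_in sa; memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(req.port);                 /* 0 = ephemeral, for the demo */
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 16) < 0) {
        close(lfd); send_reply(chan, 0, -1); return -1;
    }
    int rc = send_reply(chan, 1, lfd);
    close(lfd);   /* the kernel duplicated it into the receiver's table */
    return rc;
}

/* Proxy side, step 1: ask the gateway for the port. */
int proxy_send_request(int chan, uint16_t port)
{
    struct listen_request req = { port };
    return write(chan, &req, sizeof req) == (ssize_t)sizeof req ? 0 : -1;
}

/* Proxy side, step 2: collect the answer.  Returns the listening fd or -1. */
int proxy_receive_listen_fd(int chan)
{
    char status = 0;
    struct iovec iov = { &status, 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    if (recvmsg(chan, &msg, 0) != 1 || status != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* One exchange for `port` over a socketpair; returns 1 if the proxy ends up
 * holding a socket that is really in the listening state, 0 otherwise. */
int demo_listen_gateway(uint16_t port)
{
    int sv[2], ok = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    if (proxy_send_request(sv[0], port) == 0 && gateway_serve_listen(sv[1]) == 0) {
        int fd = proxy_receive_listen_fd(sv[0]);
        if (fd >= 0) {
            int listening = 0; socklen_t len = sizeof listening;
            ok = getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &listening, &len) == 0
                 && listening == 1;
            close(fd);
        }
    }
    close(sv[0]); close(sv[1]);
    return ok;
}
```

Port 0 is accepted because it is below 1024 and lets the demo run without root; a request for 8080 is refused, since the proxy could bind that itself.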
The HOB RD VPN version 2.1 on Linux, including the WSP and its external components, and also the Java application HOBLink JWT (RDP client), are certified according to Common Criteria EAL 4+. Of special interest in the Common Criteria certification was HOB-SSL including the Random-Generator. So HOB can prove that the WSP and HOB-SSL are really secure.
The WSP has numerous diagnostic and trace facilities, called WSP-trace. The WSP-trace can make fine-grained recordings of single events or of a single client. The WSP-trace is designed in such a way that it can also be used in production environments.
When the configuration of the WSP is changed, it is not necessary to stop and restart the WSP. The WSP can take over the new configuration on the fly. In this way, sessions which were started before the configuration change continue to use the old configuration. Sessions with the WSP, that are started after the configuration change, use the new configuration parameters.
A single WSP can serve more than 100,000 clients simultaneously, depending on the server it runs on. More than 100,000 simultaneous clients have been successfully tested on a four-socket Intel server. Each client produced the load of a typical RDP connection, equivalent to a VPN connection between a client and a gateway.
The WSP has cluster functionality, with load-balancing, to find the WSP with the least load for a client. There is communication over TCP between the cluster members, including the load of the WSP. Any number of WSPs can form a cluster, giving a single image for any number of clients.
The WSP is developed in the C and C++ programming languages with small parts in Assembler language.
The Apache Web Server (httpd) was designed and developed to manage short-living half-duplex Web transactions. The HOB WebSecureProxy was designed and developed for Rich Clients, for long-living full-duplex VPN connections.
Recently, HOB successfully tested the operation of 100,000 concurrent RDP sessions with the highly performant and Common Criteria EAL 4+ certified HOB WebSecureProxy (WSP). The WSP is part of the highly secure and comprehensive SSL Remote Access Suite HOB RD VPN.
Description of the test arrangement: the test makes use of 3 machines with identical hardware (PowerEdge R930, list price 91,327 € per server). Operating system on all machines: Linux, Ubuntu 14.04.3 LTS 64-bit.
The WSP machine has 2 network adapters in separate networks. The other 2 machines are connected to the WSP via 10 Gbit Ethernet.
To set up 100,000 sessions via the WSP, the test tools xbttcp95 and xbttcp23 were used. xbttcp95 establishes an SSL connection to the WSP and sends test data, which is forwarded to the test server xbttcp23. The amount of data sent in every connection is typical for an RDP connection. Each instance of xbttcp95/xbttcp23 made 500 connections, so 200 instances of each tool were started. For load-balancing reasons, 100 instances of both tools were started on each of the two machines called „Server/Client“.
After all 100,000 sessions are running, network throughput is measured on the WSP machine using nload. An additional „real“ RDP connection is set up using JWT 3.3 to a Windows 2012 R2 terminal server to get a subjective impression of performance.
All 100,000 sessions were set up successfully and ran for several hours. Network throughput was 3.3 Gbit/s. Using the real RDP connection, it was possible to log in and work on the terminal server in an acceptable manner.
The cipher suite used in the test was AES256_SHA256. There was no significant difference in throughput when AES-NI was enabled or disabled.
The servers where the data and applications reside are becoming fewer but more powerful. What was a supercomputer in the past will now be a server for the applications accessed by laptops, thin clients, tablets or smartphones. Using less, but more efficient servers also helps achieve Green IT, which saves energy both for the servers directly, as well as that used for cooling them, thus helping the environment. These servers can also be referred to as the "cloud."
Cloud services, where the name "cloud" is given to what we have long known as accessible servers, are becoming ubiquitous and manifold. Even small enterprises and freelance organizations, such as those of doctors, dentists or lawyers, will start to deploy their own personal clouds, which means their computer systems will be accessible from their owners over the public Internet.
For more on HOB's predictions and insights for 2012, please visit: http://www.virtual-strategy.com/2011/12/15/2012-prediction-hob-inc
Posted by Dietmar Schmidt on Monday, 31. May 2010
HOB has created a flexible complementary operating system platform which can be added to the HOB server and security products called HOB Secure Communications Server (SCS).
For quite some time HOB has thought about supplying a secure and stable operating system with their high quality, specially developed products.
In 2006 the HOB Operating Systems department was founded with this goal in mind. HOB Operating Systems predominantly deals with open source operating systems, primarily GNU/Linux and FreeBSD.
Although FreeBSD has some advantages over GNU/Linux, GNU/Linux is used as the basis for SCS because it has more driver support (alternatively the FreeBSD application is currently being considered).
During the initial development of HOB SCS, there were thoughts of customizing an existing Linux distribution. Several Linux distributions are available. DistroWatch lists over 600 varieties which are almost all customized to existing distributions.
Thoughts of customizing an existing distribution were quickly thrown out because the distributions either looked too broad or too inflexible for our use. The well-known Linux builders like SuSE Studio or rPath do not offer the amount of flexibility that we desired either. For this reason HOB SCS was completely redeveloped by using the available source codes. The process of creating a standalone operating system without including an available distribution is certainly more tedious but for HOB the decision won’t be regretted because we have managed to get the maximum possible influence over our operating system.
HOBmin was developed for administration and configuration of HOB SCS. Managing the HOB SCS operating system using a browser is an option because of HOBmin. This way the connection to the administration interface is encrypted with SSL.
After a good two years of development, in November 2008, the time had come. It was possible to deliver HOB SCS together with HOB RD VPN, the HOB software solutions family for remote connectivity access.
The reaction on the market was absolutely positive. HOB SCS combined with HOB RD VPN becomes a software appliance which can be used just like any other SSL VPN solution, with the advantage that the customer is free to choose the hardware. HOB SCS with RD VPN, unlike all other SSL VPN appliances, isn’t a hardware solution but is purely software-based. Another advantage of software appliances is that they can run as a virtual machine. This is why HOB SCS is offered, with VMware tools, for import into VMware vSphere in Open Virtualization Format (OVF).
The availability of the operating system SCS provides HOB (and thereby also its customers) with many advantages such as nearly eliminating problems caused between the operating system and the application. The customer receives patches, updates, and add-ons all from one source.
At the moment HOB SCS is actively being further developed. The next version (which should be made available in a few weeks) along with the updated packages are going to be integrated with other HOB products (HOBLink VPN, HOB RD VPN Compact etc.). Additionally, HOBmin, our administration service, will have significantly broader functions making sure to grant every wish.
Translated by I. Peterson on Monday, 19. September 2011
According to recent statistics, telecommuting roles are expected to increase by 65 percent by 2012. Additionally, numerous studies continue to confirm the importance of flexible hours and workplaces in today's economy. Simply put, organizations today are looking to provide employees with flexibility via anytime, anywhere secure remote access. Those who can benefit include employees on business trips and sales representatives or service personnel who are required to work off-site. Many enterprises also want or need to integrate customers or partners into their corporate networks in order to ensure faster and improved service performance.
Although Windows-based computers make up the largest portion of the overall PC market, the consistent growth of Macs can't be ignored. Per new NPD data cited by Barclays Capital, Mac sales grew by 26 percent in the United States in July, a healthy surge, compared with PCs, which saw only a four percent rise in unit sales that same month. From graphic artists to office employees, there is clearly a need for businesses to securely and remotely access Macs on the road or at home. Another issue is security. Since many agencies utilize freelancers, data protection is paramount. With secure remote access, all data is safely and centrally stored on company networks. One technology solution meeting this business need is HOB MacGate.
With HOB MacGate, an employee can access his or her company's Mac from any remote computer (for example, from the employee's own personal Mac). Once logged in, users see the desktop of the remote system on the client computer, and can work with it as if they were in the company.
A great advantage of HOB MacGate is that users need not install any software on the client. A remote desktop session to the Mac is launched seamlessly through a Web browser. In addition, access to Macs is possible from any client platform including Windows, Linux or even from another Mac. Moreover, in contrast to other desktop-on-demand solutions, HOB MacGate includes a “hidden screen-mode”, i.e. the screen of the remote computer displays the login screen, preventing people in the company from reading along. HOB MacGate is powered by the company’s HOB Remote Desktop VPN.
For more information, please visit: http://www.hobsoft.com/products/connect/macgate.jsp.
Brandenburg Secretary of the Interior, Rainer Speer, Resigns!
Keeping Confidential Data Confidential
If money from banks were transported in laundry baskets then put in the back seats of convertibles and driven across the country, everyone would marvel and realize that something here was definitely being carelessly dealt with. The carelessness with which personal and confidential data is dealt with over mobile devices isn’t perhaps as obvious as a convertible filled with loose cash but is, in current common practice, comparable.
The notebook affair which surrounds Rainer Speer who recently resigned as Brandenburg’s Secretary of the Interior, is only one example of many involving irresponsible dealings.
The notebook of the former Secretary of the Interior of Brandenburg, Rainer Speer, was stolen. It is a fate shared by many: around 10,000 notebooks per week are stolen in U.S. airports alone, and the trend is growing. This situation, in which some of the data on the minister’s notebook, including numerous emails, were opened, certainly caused unpleasant repercussions for his political career.
Why do people treat their confidential data so carelessly, carrying it around on PDAs and notebooks while going for a walk? Why don’t they ask the responsible IT specialists, who have the advanced technical knowledge to prevent disaster? The desire to use mobile devices won’t go away, and that is a fact even though the results could be unpleasant. Data encryption and password protection of mobile devices are widely used protection methods, but they don’t prove to be any kind of insurmountable obstacle for the experienced computer specialist.
There is only one effective and reasonable protection – confidential data doesn’t belong on mobile devices!
Of course all data, even confidential data, should always be accessible at any time and be workable but it shouldn’t be possible to save it on these mobile devices. Confidential data belongs on storage media on the central computer in locked, secure spaces behind firewall systems. Responsible IT personnel put in a lot of effort and businesses invest a great deal of money for the security of data.
It is entirely enough to limit these efforts to secure central storage of data because there is no need to carry data around on decentralized mobile devices. If data is just carried around, then the security of confidential data can no longer be ensured.
The employee, who can potentially let confidential data get out into the open, even if involuntarily and carelessly, bears the full responsibility, simply because notebooks or PDAs are easy to steal.
HOBLink Mobile and HOBCOM Universal Server form a highly secure, extremely effective solution for mobile devices: they allow access to data and applications just as if the data were saved locally on the storage media of the mobile device itself. All changes to the data which are made from the mobile device are retained, but they are saved, at all times, only on the central computer.
25.10.10 Klaus Weinbrenner
Translated on 16.09.2011 by I. Peterson
Do you use your smartphone for business purposes and need to access company resources, e.g., e-mails or data, at any time without restrictions? Then an outage, such as the one reported by the BlackBerry manufacturer RIM yesterday (http://on.wsj.com/pl18Qy), is not acceptable. Since yesterday, users of BlackBerry have had to put up with huge disruptions, among other things when trying to access e-mails. This holds true for customers in Europe and other parts of the world. RIM stated that the disruptions have been caused by a breakdown of a main switch within RIM's infrastructure. A backup does not work properly, either. When the problem will be solved completely is not yet known.
With HOBLink Mobile you may deal with such situations really stress-free. You do not need to fear an interruption of your business continuity. HOBLink Mobile allows for a fast, secure and around-the-clock access via a smartphone to company e-mails, for example.
HOBLink Mobile is based on two components which communicate with each other. The HOBLink Mobile Client is installed on the smartphone. The second component, HOBCOM Universal Server, is placed within the DMZ or in the company LAN. This solution allows for secure access to data, without downloading any data to the smartphone. Only the data that are currently needed are sent to the smartphone. In addition, this has the major advantage that data are never stored on the smartphone, i.e., in case of loss or theft sensitive data will not get into wrong hands.
This provides the user with a great amount of independence. Service disruptions on the part of your service provider will not worry you in the future. Learn more about our HOB solution HOBLink Mobile at http://www.hobsoft.com/apps/apps.jsp.
Today's interview deals with ensuring business continuity in the event of (natural) disasters and the importance of this topic for companies. We are very pleased to chat with Domenick Cilea, president of Springboard, a marketing, public relations and social media agency based in New Jersey. To keep the agency fully operational, Springboard had to ensure that its business activities were not interrupted by the recent hurricane, “Irene.” Domenick Cilea (and his employees) experienced the hurricane first-hand and is therefore able to assess this topic from a personal perspective.
Hurricane Irene hit the U.S. East Coast last weekend. In advance of the impending hurricane, state and local officials ordered evacuations of more than two million residents in coastal areas. Furthermore, many flights were cancelled and mass transportation was halted. In the aftermath of Hurricane Irene, experts are estimating the damage from flooding and fallen trees to reach billions of dollars. Three million customers lost power in the days after the hurricane and many more are still without access to electricity. In this context, the question arises: How do you ensure business continuity in the event of a natural disaster?
How did you personally experience Irene?
Unfortunately, the aftermath of Hurricane Irene – trees and floods damaging distribution lines – impacted electrical service at my home and office. While our agency office lost power for most of one business day, my home did not get restored until four days later.
Did you think of what to “do” with your clients and how to fulfill your business tasks during this time?
Absolutely. In advance of the storm, we provided all employees with updates on the availability of our network resources. In fact, we shut down all of our virtualized servers as a precaution. Because the storm took place over the weekend, the shutdown did not impact our ability to service clients. On Monday morning, when realizing there were widespread outages throughout New Jersey, we quickly mobilized employees to alert clients of our situation. Each employee worked remotely using their laptops, tablets and smartphones, and they were able to use several cloud-based applications to ensure business operations.
Springboard’s corporate email was not accessible as a result of the power outage but employees leveraged Gmail and social media services such as Twitter to communicate internally and with clients.
How did the option to remotely access your company data ensure business continuity?
Because our file server was unavailable (during the power outage), employees were able to access backed up files which are stored in the cloud.
Where do you see major advantages for companies to have a disaster recovery plan including a remote access solution?
Without a disaster recovery plan, a company’s business is at significant risk. In the event of a disaster, network failure or other disruptive events, business continuity must be ensured from both a data protection and remote access perspective.
In order for a business to maintain operations, employees should have access to pertinent IT resources.
In addition to application, network and file availability, organizations must also consider the connectivity options associated with remote access. Both physical and wireless connectivity should be built into business continuity initiatives in order to give employees access to their applications and data.
Natural disasters, data center outages and pandemics: these are unfortunate words that have been popping up in the media far too often in the past. Recently, hurricane “Irene” hit the US East Coast. A state of emergency prevailed across the entire coastal area, and many people were evacuated. For hours, public life in Washington stopped and there was no train or bus service in New York; air travel also came to a standstill, as many flights were cancelled. In this case the question arises: How do you maintain business continuity if you cannot get to the company, or your home office is flooded or must be evacuated?
Many outside influences can negatively impact business processes and thus interrupt a company's business continuity. These outside influences cannot, unfortunately, be controlled or foreseen by any company. The best solution is to be prepared for any disaster or data center outage.
With a disaster recovery plan in place, organizations can ensure business continuity even in emergency situations. The capability to leverage remote data centers and co-location facilities allows organizations to safeguard their technology resources and spread them across multiple locations, ensuring business continuity and mitigating the risk of an outage. For example, important e-mails can be answered remotely via an Internet browser and deadlines can still be met.
By leveraging secure remote access solutions, enterprises are also better equipped to recover from all types of disasters and emergencies.
The only way to be sure that your data is safe, is by deploying a remote access solution before disaster strikes; only then can the full benefits of secure, smooth and uninterrupted business continuity be expected.
For more information on disaster recovery, please visit: http://www.hobsoft.com/solutions/pandemic_preparation.jsp.