HOB WebSecureProxy and Automatic Configuration Update

Posted by hob Mon, 12 Nov 2007 13:10:00 GMT
The HOB WebSecureProxy is the security gateway for many organizations. It is used to access internal applications over the Internet.
The HOB WebSecureProxy is configured through one (and only one) XML configuration file. XML has the advantage of being human-readable, and it is a proven way to exchange information between the administrator and the machine.
There is a Java-based configuration tool for entering the necessary information, but the XML configuration file can also be edited with any common text editor.
The XML configuration file can also be viewed in web browsers, whose built-in XML functionality displays the hierarchy of the definitions.

We all know that sometimes administrators call all users of certain services and tell them they have to leave the application at a certain time because the configuration is going to be updated then and the application will have to be restarted.

The HOB WebSecureProxy can dynamically update its configuration by reading a new version of the XML configuration file.
This means that users who logged on before the configuration update keep their old configuration until they log off.
Users who log on after the configuration update automatically get the new parameters. The service is not interrupted.

The problem of users having part of their configuration parameters from the old configuration and the other part from the new configuration does not exist.

Which techniques are used to enable this scenario?

On Windows, the WebSecureProxy is the program IBIPGW08. IBIPGW08 is automatically notified when the XML configuration file on disk (the one that was used when IBIPGW08 was started) is changed, and it then reads in the new parameters.

On Unix and Linux, the WebSecureProxy is the program NBIPGW08.
When the XML configuration has been changed, the administrator can start a new instance of NBIPGW08. The new instance notifies the old NBIPGW08 that is already running, and the old instance closes the sockets on which it listens for new incoming connections.
The newly started NBIPGW08 can then listen on the same ports, and users who log on from now on are automatically connected to the newly started NBIPGW08.

The already running old NBIPGW08 automatically exits when all users have logged off.

Security Risk of Applications Listening on Well-Known Ports

In Unix and Linux only applications running at superuser level can open the well-known ports.
The HOB WebSecureProxy normally listens on HTTPS port 443; this port is one of the well-known ports.

For security reasons, however, it is less critical if the WebSecureProxy NBIPGW08 runs under a normal user account rather than as superuser.

To solve this problem, HOB has developed the listen-gateway NBIPGW12.
The listen-gateway NBIPGW12 is a small application that should run at superuser level and can therefore open the well-known ports.
The listen-gateway NBIPGW12 needs only a little configuration, which can be given on the command line when NBIPGW12 is started.
The HOB WebSecureProxy NBIPGW08 now runs under a normal user account and creates a Unix pipe (FIFO) to NBIPGW12. Over the FIFO, NBIPGW08 sends encrypted commands to the listen-gateway NBIPGW12, such as a command to open a port for listening. The listen-gateway NBIPGW12 then opens that port for listening and forwards all incoming connection requests to NBIPGW08 over the FIFO.

In this way, NBIPGW08 does not need to run as superuser and still can open well-known ports.
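
The same privilege-separation idea as an added example (not HOB's code and not part of the original post): a small privileged helper opens a port only if it was allowed at start-up and hands the bound listener to the unprivileged proxy. It swaps in descriptor passing (SCM_RIGHTS) over a Unix domain socket for the encrypted FIFO protocol described above, whose format the post does not give. All function names, the message format and the port allowlist are assumptions.

```python
import socket
import struct

def gateway_serve_one(ctrl, allowed_ports):
    """Privileged side: serve one 'listen' request; returns True if granted."""
    (port,) = struct.unpack("!H", ctrl.recv(2))
    if port not in allowed_ports:      # only ports fixed at gateway start-up
        ctrl.send(b"DENY")
        return False
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        lsock.bind(("", port))         # needs superuser for ports below 1024
        lsock.listen(16)
        # SCM_RIGHTS: the kernel duplicates the descriptor into the receiver.
        socket.send_fds(ctrl, [b"OKAY"], [lsock.fileno()])
    finally:
        lsock.close()                  # gateway keeps no copy of the listener
    return True

def proxy_send_request(ctrl, port):
    """Unprivileged side: ask the gateway to open `port` for listen."""
    ctrl.send(struct.pack("!H", port))

def proxy_receive_listener(ctrl):
    """Unprivileged side: take ownership of the already-bound listener."""
    status, fds, _flags, _addr = socket.recv_fds(ctrl, 4, 1)
    if status != b"OKAY" or len(fds) != 1:
        raise PermissionError("listen gateway refused the port")
    return socket.socket(fileno=fds[0])

def free_port():
    """Pick an unused high port so the demo runs without superuser rights."""
    with socket.socket() as s:
        s.bind(("", 0))
        return s.getsockname()[1]

def handoff(port, allowed_ports):
    """Both roles in one process for the demo; in practice two processes/uids."""
    gw_end, proxy_end = socket.socketpair()
    with gw_end, proxy_end:
        proxy_send_request(proxy_end, port)
        gateway_serve_one(gw_end, allowed_ports)
        return proxy_receive_listener(proxy_end)

if __name__ == "__main__":
    p = free_port()                    # constructed sample port, not 443
    with handoff(p, {p}) as listener:
        print("proxy holds listener on port", listener.getsockname()[1])
```

The allowlist check is what keeps a compromised unprivileged process from using the helper to open arbitrary privileged ports.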
