Best method to secure connection to firebird over internet - database

I have a client-server application which uses a Firebird 2.5 server over the internet.
I have met the problem of giving secure access to FB databases, and as a first approach I tried to solve this problem by integrating a tunnel solution in the application (the STunnel software, more exactly). BUT this approach suffers from many aspects:
- this adds more resource consumption (CPU, memory, threads) at both client/server side,
- software deployment becomes a serious problem because STunnel software is written as a WinNT Service, not a DLL or a Component (a WinNT Service needs administrator privileges for install), and my client application needs to run without installation!
SO, I decided to take the bull by the horns (or the bird by the feathers, as we talk about Firebird). I have downloaded the Firebird 2.5 source code and injected secure tunnelization code directly in its low-level communication layer (the INET socket layer).
NOW, encryption/decryption is done directly by the Firebird engine for each TCP/IP packet.
What do you think about this approach vs. external tunnelization?

I would recommend wrapping the data exchange in an SSL/TLS stream, from both sides. This is a proven standard, while custom implementations, with static keys, can be insecure.
For instance, CTR mode with a constant IV can reveal a lot of information, since it only encrypts an incremented vector and XORs it with the data, so XORing two encrypted packets will show the XORed version of the unencrypted packets.
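The keystream-reuse problem the answer describes, as an added example that is not part of the original answer. It is a toy CTR construction (HMAC-SHA256 stands in for the block cipher, an assumption made so the script runs on the standard library alone) with constructed sample packets; the point it shows holds for any CTR mode: when the same key and IV encrypt two packets, XORing the two ciphertexts cancels the keystream and yields the XOR of the plaintexts, exposing exactly where they differ.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy CTR keystream. Assumption: HMAC-SHA256 stands in for the block cipher.

    Block i is PRF(key, iv || i). Every CTR construction has this shape: the
    keystream depends only on (key, iv) and never on the plaintext, which is
    exactly why reusing (key, iv) across packets is fatal.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CTR encryption is keystream XOR plaintext; decryption is the same call."""
    return xor_bytes(keystream(key, iv, len(plaintext)), plaintext)


ctr_decrypt = ctr_encrypt


def ciphertext_xor(key: bytes, iv1: bytes, p1: bytes, iv2: bytes, p2: bytes) -> bytes:
    """What a passive observer can compute from two captured packets: c1 XOR c2.

    With iv1 == iv2 the shared keystream cancels, so the result equals p1 XOR p2
    and reveals where (and by which byte values) the two plaintexts differ.
    """
    return xor_bytes(ctr_encrypt(key, iv1, p1), ctr_encrypt(key, iv2, p2))


# Constructed sample packets: two statements that differ in a single byte.
PACKET_1 = b"SELECT * FROM accounts WHERE id=1"
PACKET_2 = b"SELECT * FROM accounts WHERE id=2"
STATIC_KEY = b"\x01" * 32   # constructed static key, as in the flawed design
STATIC_IV = b"\x00" * 16    # constant IV reused for every packet


def demo():
    """Return (c1^c2 under a constant IV, c1^c2 under fresh random IVs)."""
    leak = ciphertext_xor(STATIC_KEY, STATIC_IV, PACKET_1, STATIC_IV, PACKET_2)
    fresh = ciphertext_xor(STATIC_KEY, os.urandom(16), PACKET_1, os.urandom(16), PACKET_2)
    return leak, fresh


if __name__ == "__main__":
    leak, fresh = demo()
    print("constant IV : c1^c2 == p1^p2 ->", leak == xor_bytes(PACKET_1, PACKET_2))
    print("              differing positions:", [i for i, b in enumerate(leak) if b])
    print("fresh IVs   : c1^c2 == p1^p2 ->", fresh == xor_bytes(PACKET_1, PACKET_2))
```

With the constant IV the observer learns that the two packets are identical except at the last byte, and that the two bytes differ by 0x03; with a fresh IV per packet the XOR of the ciphertexts carries no such relation. A TLS record layer never puts the application in a position to make this mistake, which is the practical reason to prefer it over hand-rolled packet encryption inside the engine.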

In general, my view of security critical code is this, "you want as many eyes on the code in question as possible and you do not want to be maintaining it yourself." The reason is that we all make mistakes and in a collaborative environment these are more likely to be caught. Additionally these are likely to be better tested.
In my view there are a few acceptable solutions here. All approaches do add some overhead but this overhead could, if you want, be handled on a separate server if that becomes necessary. Possibilities include:
stunnel
IPSec (one of my favorites). Note that with IPSec you can create tunnels, and these can then be forwarded on to other hosts, so you can move your VPN management onto a computer other than your db host. You can also do IPSec directly to the host.
PPTP
Cross-platform vpn software like tinc and the like.
Note here in security there is no free lunch and you need to review your requirements very carefully and make sure you thoroughly understand the solutions you are working with.

The stunnel suggestion is a good one, but, if that's not suitable, you can run a true trusted VPN of sorts, in a VM. (Try saying that a few times.) It's a bit strange, but it would work something like this:
Set up a VM on the firebird machine and give that VM two interfaces, one which goes out to your external LAN (best if you can actually bind a LAN card to it) and one that is a host-only LAN to firebird.
Load an openvpn server into that VM and use both client and server certificates.
Run your openvpn client on your clients.
Strange, but it ensures the following:
Your clients don't get to connect to the server unless BOTH the client and server agree on the certificates.
Your firebird service only accepts connections over this trusted VPN link.
Technically, local entities could still connect to the firebird server outside of the VPN if you wanted it -- for example, a developer console on the same local LAN.

The fastest way to get things done would not be to improve firebird, but improve your connection.
Get two firewall devices which can do SSL certificate authentication and put them in front of your DB server and your firebird device.
Let the firewall devices do the encryption/decryption, and have your DB server do its job without the hassle of meddling with every packet.

Server selection in krb5.conf

I have a general question about the Kerberos configuration (krb5.conf) on a client.
If I give a RHEL8 client multiple AD servers for authentication (one in the USA, one in Europe and one in Asia), which server would the client use if I want to connect from Germany?
krb5.conf:
[realms]
    AD.COMPANY.COM = {
        kdc = us-server.ad.company.com
        kdc = eu-server.ad.company.com
        kdc = asia-server.ad.company.com
    }
Is the server list processed dully from top to bottom, or is the server used which answers fastest?
Greetings
D1Ck3n
To elaborate on T-Heron's answer up top, it would be a bit of a security vulnerability if it responded to the quickest one. Imagine I knew that one of the three servers stored a password in a way that an invalid hash would pass; I could slow the other two via a packet flood or DDoS and force the vulnerable server to respond first every time.
Design flaws like this can generally be exploited in most computer systems (especially things like networking, for instance). So it's 'safe' to assume that in any instance dealing with authentication you are dealing with one authentication at a time.
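The configuration in the question, read back in file order, as an added example that is not part of the question or the answers. The parser below handles only the subset of krb5.conf syntax a realm block needs (section headers, `name = { ... }` blocks, `key = value` lines, `#` comments) and keeps the kdc entries in the order they appear, since the answers' point is that this order, not response time, decides which KDC is tried first. The sample file is constructed after the question's configuration.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the question's configuration.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = AD.COMPANY.COM   # the realm the client authenticates to by default

[realms]
    AD.COMPANY.COM = {
        kdc = us-server.ad.company.com
        kdc = eu-server.ad.company.com
        kdc = asia-server.ad.company.com
        admin_server = us-server.ad.company.com
    }
"""

_SECTION = re.compile(r"\[(\w+)\]")
_BLOCK_OPEN = re.compile(r"([\w.\-]+)\s*=\s*\{")


def parse_realm_kdcs(text: str) -> Dict[str, List[str]]:
    """Return, for each realm in the [realms] section, its kdc entries in file order.

    A list (not a set) is returned deliberately: position in the file is the
    client's preference order, which is what a reviewer of this config checks.
    """
    realms: Dict[str, List[str]] = {}
    section = None   # current [section] name
    current = None   # realm whose { ... } block we are inside
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = _SECTION.fullmatch(line)
        if m:
            section, current = m.group(1), None
            continue
        if section != "realms":
            continue   # other sections (libdefaults, domain_realm, ...) are not our concern here
        m = _BLOCK_OPEN.fullmatch(line)
        if m:
            current = m.group(1)
            realms.setdefault(current, [])
            continue
        if line == "}":
            current = None
            continue
        if current is not None:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                realms[current].append(value.strip())
    return realms


def preferred_kdc(text: str, realm: str) -> str:
    """The KDC the client contacts first for `realm`: the first one listed."""
    return parse_realm_kdcs(text)[realm][0]


if __name__ == "__main__":
    for realm, kdcs in parse_realm_kdcs(SAMPLE_KRB5_CONF).items():
        print(realm)
        for position, kdc in enumerate(kdcs, start=1):
            print(f"  {position}. {kdc}")
```

For the question's file this lists us-server first, so a client in Germany configured this way would try the US server before the European one; putting the nearest KDC at the top of the list is the fix, and a per-site krb5.conf is the usual way to do that.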

How can a number of angular clients communicate between themselves even when they lose connection to a central server?

So the scenario is like this...
I have a number of different users in an organization. Each has his own session of an AngularJS app running in their browser. They share an internet connection over a local LAN.
I need them to continue working together (data, notifications, ... etc) even when they lose internet i.e. server side communication.
What is the best architecture for solving this?
Having clients communicate directly, without a server, requires peer-to-peer connections.
If your users are updating data that should be reflected in the database, then you will have to cache that data locally on the client until the server is available again. But if you want to first send that data to other peers, then you need to think carefully about which client will then update the database when the server comes back up (should it be the original client that made the edit - who may not be online anymore - or should it be the first client that establishes server connection). Lots to consider in your architecture.
To cope with this scenario you need angular service-worker library, which you can read about here.
If you just want the clients/users to communicate without persisting data in the database (eg. simple chat messages) then you don't have to worry about the above complexity.
Refer to this example which shows how to use simple-peer library with Angular2.
An assisting answer (doesn't fit in a comment) was provided here: https://github.com/amark/gun/issues/506
Here it is:
Since GUN can connect to multiple peers, you can have the browser connect to both outside/external servers AND peers running on your local area network. All you have to do is npm install gun and then npm start it on a few machines within your LAN and then hardcode/refresh/update their local IPs in the browser app (perhaps could even use GUN to do that, by storing/syncing a table of local IPs as the update/change)
Ideally we would all use WebRTC and have our browsers connect to each other directly. This is possible, however it has a big problem: WebRTC depends upon a relay/signal server every time the browser is refreshed. This is kinda stupid and is the browser's/WebRTC's fault, not GUN's (or other P2P systems'). So you'd have to also do (1) either way.
If you are on the same computer, in the same browser, in the same browser session, it is possible to relay changes (although I didn't bother to code for this, as it is kinda useless behavior) - it wouldn't work with other machines in your LAN.
Summary: As long as you are running some local peers within your network, and can access them locally, then you can do "offline" (where offline here is referencing external/outside network) sync with GUN.
GUN is also offline-first in that, even if 2 machines are truly disconnected, if they make local edits while they are offline, they will sync properly when the machines eventually come back online/reconnect.
I hope this helps.
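The convergence property the last answer describes (peers that edited while disconnected end up with the same data once they reconnect, regardless of which one reaches the server first) as an added example that is not part of the original answers and is not GUN's algorithm: it is a generic last-writer-wins register per key, ordered by a Lamport clock with the peer id as a deterministic tiebreaker. The server is just another replica with the same merge rule, which is also one answer to the earlier question of which client should update the database after reconnecting: it does not matter, because merge order does not change the result.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Per-key record: (value, lamport_clock, peer_id). The clock advances on every
# local edit and is bumped to whatever a peer has seen during merges.
Record = Tuple[str, int, str]


def newer(a: Record, b: Record) -> bool:
    """Deterministic total order: higher clock wins; equal clocks fall back to peer id."""
    return (a[1], a[2]) > (b[1], b[2])


@dataclass
class Replica:
    peer_id: str
    clock: int = 0
    state: Dict[str, Record] = field(default_factory=dict)

    def set(self, key: str, value: str) -> None:
        """Local edit, possibly made while offline."""
        self.clock += 1
        self.state[key] = (value, self.clock, self.peer_id)

    def merge(self, incoming: Dict[str, Record]) -> None:
        """Apply another replica's records, keeping the newer record per key."""
        for key, rec in incoming.items():
            cur = self.state.get(key)
            if cur is None or newer(rec, cur):
                self.state[key] = rec
            self.clock = max(self.clock, rec[1])

    def sync_with(self, other: "Replica") -> None:
        """Two-way exchange; `other` may be the central server or a LAN peer."""
        other.merge(self.state)
        self.merge(other.state)

    def values(self) -> Dict[str, str]:
        return {k: rec[0] for k, rec in self.state.items()}


def simulate(first_to_reconnect: str):
    """Constructed scenario: two browsers edit offline, sync over the LAN, then reconnect."""
    server, alice, bob = Replica("server"), Replica("alice"), Replica("bob")
    server.set("title", "Draft")
    alice.sync_with(server)
    bob.sync_with(server)
    # --- internet connection drops; both keep working locally ---
    alice.set("title", "Alice's title")   # alice clock 2
    alice.set("status", "review")         # alice clock 3
    bob.set("title", "Bob's title")       # bob clock 2: a true concurrent conflict on "title"
    bob.set("owner", "bob")               # bob clock 3
    alice.sync_with(bob)                  # LAN-only peer sync while the server is unreachable
    # --- internet is back; one of them reaches the server first ---
    peers = {"alice": alice, "bob": bob}
    peers[first_to_reconnect].sync_with(server)
    peers["bob" if first_to_reconnect == "alice" else "alice"].sync_with(server)
    return server.values(), alice.values(), bob.values()


if __name__ == "__main__":
    for first in ("alice", "bob"):
        srv, a, b = simulate(first)
        print(f"{first} reconnects first -> server={srv} converged={srv == a == b}")
```

The concurrent edit to "title" is resolved the same way on every replica (equal clocks, so the peer id decides), and the two reconnect orders produce identical states. What the rule silently does is discard Alice's title; an application that cannot afford that needs a merge rule that keeps both versions, but the convergence argument is the same.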

VOLTTRON connect with Local cluster or (AWS)

Hi, I am a developer who is studying the VOLTTRON platform.
I have a problem connecting VOLTTRON to a local cluster (or AWS).
In the documentation, I couldn't find anything about connecting VOLTTRON to a local cluster (or AWS).
I think there are three cases for solving this problem:
use VIP (VOLTTRON Interconnect Protocol) <-- but this solution requires installing VOLTTRON
use the HTTP protocol <-- but this is not a good solution for big data processing
use socket programming
Solution 1: make a customized agent as an interface for a big data framework (Spark, etc.)
Solutions 2~3: make a customized agent to connect to the cloud
Would you recommend a way to solve this problem, or give some other solution?
Thank you!
Are you wanting to integrate with the message bus, or just connect to the historian to access data flowing out of the VOLTTRON platform?
Either is possible, and the use cases you lay out are correct. I would avoid #3, as it's unnecessarily complex and has no benefit that I'm aware of.
I think we would need more context to make a specific recommendation for your use case.
If you only need access to read data out of your volttron deployment, integrating at the database level is probably ideal.
If you need to have input back into the VOLTTRON deployment, i.e., operating actuators, you would need deeper integration at the VIP level, and I would recommend just writing an agent to accomplish what you want and running it within the VOLTTRON environment. You can easily deploy VOLTTRON to an EC2 host and access the other AWS resources from that agent.

Security considerations for TCP client request / server response of non-sensitive information

I have read several similar topics on stackoverflow in which fellow programmers discourage the practice of using simple client/server applications and raw TCP sockets for communication. I acknowledge that there are concerns but for what I'm trying to accomplish I don't see any other reasonable way.
Here is what I'm planning:
I have a simple working prototype client/server that I wrote in C. The client application sends a request to my server to remotely execute code, generates a value and then relays this value to the client. The transmitted data is not sensitive, will only be held in RAM and will be rejected if it exceeds a predefined length. If I run a (hardened) dedicated server with the sole purpose of remote code execution to generate a response are there any security issues I'm overlooking?
I am less worried about my server being compromised and more worried about possible harm to client computers. I'm not blind to the potential that my server gets hacked - I'm just trying to convey that there won't be any sensitive data on it even if it does get compromised. I don't see how anything malicious could be injected (MITM) given the narrow scope of the data being transmitted, but maybe I'm naive and overlooking something? Please let me know.
I could accomplish this over HTTP with a re-write trick but that is convoluted, I'll incur more overhead than I want and I'm unsure it would be any safer.
Thanks.
You need to think about the possibility of your server being damaged or wiped or even powered off by an intruder. Anything involving remote execution of code rings my alarms. You must at least use a secure client authentication scheme.
Confidentiality - not needed if you feel the data is not sensitive.
Authentication - certificates can be used to make sure the client talks to the real server. Please check openssl.
Make sure the server is running with reduced privilege rather than root so that server can't be compromised completely in case of memory corruption attacks.
Using HTTP won't make any difference, HTTP uses TCP connections at transport layer.
HTTPS would be a possible solution.
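The two controls the answers insist on for a raw-TCP request/response service (authenticate every request; enforce the length limit before the data is in memory) as an added example that is not part of the question's prototype or the answers. It is Python rather than the asker's C so it runs here stand-alone; the authentication is a shared-key HMAC with a per-request nonce, a deliberately simpler scheme than the certificates the answer recommends, and `generate_value` is a stand-in for the remote computation. The key and request are constructed; the client and server talk over `socket.socketpair()` so nothing touches the network.

```python
import hashlib
import hmac
import os
import socket
import struct
import threading
from typing import Optional, Set

MAX_PAYLOAD = 256              # hard cap on request/response payload
NONCE_LEN = 16
MAC_LEN = 32                   # HMAC-SHA256
HEADER = struct.Struct("!I")   # 4-byte big-endian length of the body that follows
MAX_BODY = NONCE_LEN + MAX_PAYLOAD + MAC_LEN

# Constructed shared secret for the demo. Assumption: each real client would get its
# own key provisioned out of band (the answer's certificate-based scheme is the
# stronger option; this shows the mechanics with a shared-key MAC instead).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


class FrameError(Exception):
    """Raised for any frame the peer must not act on."""


def build_frame(key: bytes, payload: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Frame = len(body) || body, body = nonce || payload || HMAC(key, nonce || payload)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    mac = hmac.new(key, nonce + payload, hashlib.sha256).digest()
    body = nonce + payload + mac
    return HEADER.pack(len(body)) + body


def verify_body(key: bytes, body: bytes, seen_nonces: Set[bytes]) -> bytes:
    """Check the authenticator (constant-time) and reject replays; return the payload."""
    if len(body) < NONCE_LEN + MAC_LEN:
        raise FrameError("frame too short")
    nonce, payload, mac = body[:NONCE_LEN], body[NONCE_LEN:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(key, nonce + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise FrameError("bad authenticator")
    if nonce in seen_nonces:
        raise FrameError("replayed frame")
    seen_nonces.add(nonce)
    return payload


def rejection_reason(key: bytes, body: bytes, seen_nonces: Set[bytes]) -> Optional[str]:
    """Why a body would be rejected, or None if it is accepted (handy for tests and logs)."""
    try:
        verify_body(key, body, seen_nonces)
    except FrameError as exc:
        return str(exc)
    return None


def recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise FrameError("connection closed early")
        buf.extend(chunk)
    return bytes(buf)


def read_frame(conn: socket.socket, key: bytes, seen_nonces: Set[bytes]) -> bytes:
    """Read one frame; the declared length is checked before any body bytes are read."""
    (length,) = HEADER.unpack(recv_exact(conn, HEADER.size))
    if length > MAX_BODY:
        raise FrameError("declared length exceeds limit")
    return verify_body(key, recv_exact(conn, length), seen_nonces)


def generate_value(payload: bytes) -> bytes:
    """Stand-in for the server-side computation (assumption): a digest of the request."""
    return hashlib.sha256(payload).hexdigest().encode()


def serve_one(conn: socket.socket, key: bytes, seen_nonces: Set[bytes]) -> None:
    """Handle exactly one authenticated request, then close; bad frames get no reply."""
    try:
        payload = read_frame(conn, key, seen_nonces)
        conn.sendall(build_frame(key, generate_value(payload)))
    except FrameError:
        pass   # a real server logs the reason and peer address here
    finally:
        conn.close()


def demo(request: bytes = b"compute this") -> bytes:
    """Run client and server in-process over a socketpair; return the server's response."""
    server_end, client_end = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(server_end, SHARED_KEY, set()))
    worker.start()
    client_end.sendall(build_frame(SHARED_KEY, request))
    response = read_frame(client_end, SHARED_KEY, set())
    worker.join()
    client_end.close()
    return response


if __name__ == "__main__":
    print(demo(b"abc").decode())
```

The nonce set grows without bound as written; a production server scopes it to a time window and also authenticates a timestamp. Note what this does not give you: the payload is still readable on the wire, and the client cannot tell whether it reached the real server, which is why the answers point at TLS (HTTPS or openssl with client certificates) rather than a bare socket once either of those matters.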

Is PollingDuplex right for Silverlight client notification?

I'm trying to figure out if PollingDuplex is the right way to go for my problem.
Here is my scenario:
1. 3rd party application sends a UDP packet with a client's IP address to a server app.
2. The server app needs to notify the specified client and send along some data.
The client is a Silverlight application.
I've been looking at some guides and sample code (http://petermcg.wordpress.com/2008/09/03/silverlight-polling-duplex-part-1-architecture/) but I don't understand how clients are identified on the server using PollingDuplex. I understand that the clients register with the server and continually poll for messages. How would I make sure that only the right clients get the message designated for that client? In other words, the messages on the server should not be broadcasted to all polling clients but only sent to one specific client.
Any help is much appreciated.
Whether you're using Net.TCP or HttpDuplexBinding, clients can be identified using OperationContext.Current.Channel.SessionId. And more specifically, you can grab the actual channel that WCF uses to talk to them using OperationContext.Current.GetCallbackChannel<IMyCustomServiceInterface>(). You can store those in memory, perhaps associated with some other identifier passed up from the client, and when you need to communicate with the client in question (e.g., to pass them the data from the UDP packet), you call the appropriate method on that specific stored channel; and the client will get notified.
I should note that while I don't particularly recommend HttpDuplexBinding, apart from its quirks and stability and performance issues, it should work for what you're doing, and in exactly the same way as Net.TCP. Although the clients technically do "poll" the server, that's hidden from you. All you know on the server is that you're calling a method on a particular channel. The underlying binding code takes care of making sure that the right client gets notified.
Polling duplex is actually an entirely client-side implementation that exists only for Silverlight (there's no regular .NET Framework version of it, except a project on CodePlex that Microsoft's own internal consulting services developed for a high-profile client of theirs). There's nothing at all special about it on the server side.
It's not really meant to be used in production by Microsoft's own admission (we have a Microsoft contact at our company who admitted this to us candidly). It's not very robust or well implemented and can/will DoS your server under any kind of volume:
http://forums.silverlight.net/p/89970/239380.aspx
You're better off rolling your own client side polling mechanism - or (better and more scalable) using TCP with session in Silverlight 4, which provides true duplex support (because the connection is not stateless and thus supports true push notifications):
http://www.silverlightshow.net/items/WCF-NET.TCP-Protocol-in-Silverlight-4.aspx.