7.2 Security Overview

With Management and Security Server, you can provide secure host access to all your users, whether they are around the corner or around the world.

In addition to using HTTPS connections and a variety of authentication and authorization methods, you can configure specific sessions to use the Security Proxy Server to shield the host from direct access by clients. (A separate license is required for the Security Proxy Add-On product.)

7.2.1 TLS Data Encryption

Use the TLS data encryption options to secure the client-server data exchanges.

TLS Encryption between the Client Browser and the Management and Security Server

By default, Management and Security Server allows browsers to use the HTTP protocol to communicate between the client computer and the Management and Security Server. Although HTTP is universally available to web browsers, it is not a secure protocol. Information exchanged using HTTP is sent in clear text and is vulnerable to unauthorized access.

To secure your passwords and other sensitive data, you should require browsers to use the HTTPS protocol, which provides TLS encryption, when connecting to the Management and Security Server.

To require HTTPS:

  1. Make sure TLS is enabled on your web server.

    If you installed Management and Security Server with the automated installer, TLS is enabled by default.

  2. Then, go to Configure Settings - General Security and check Require HTTPS.

When an HTTPS connection is made to the web server, the web server authenticates itself to the client browser using a server certificate. The client checks the server certificate against its trusted certificate store. If the certificate or its root is in the trusted store, the connection proceeds. If the certificate is not trusted, the browser warns the user and requires the user to agree to the connection.

If you use a self-signed certificate or one from a certificate authority (CA) that is not trusted by a user's browser, the browser will present a warning each time the user attempts to access the Management and Security Server. Many browsers permit the user to add the unknown certificate to a trusted certificate list, eliminating the warning. Another option is to use a Management and Security Server certificate from a CA whose root certificate is already trusted by the browser.

TLS Encryption between Client Session and Host

You can add a further layer of security by using the TLS protocol to protect data sent between the client terminal (or printer) session and the host. (The host must be TLS-enabled.)

The option to require a TLS connection between the client and the host is available when you launch the session from Manage Sessions. In the launched session, go to the Connection Setup or Security Properties options to set a TLS connection.

TLS Encryption and Authorization between the Client Session and the Security Proxy Server

Greater security is provided by adding the Security Proxy Server, which requires a separate license. When you use the Security Proxy Server, data sent between the client session and the Security Proxy is TLS-encrypted and the host is protected from direct user contact. (The Security Proxy no longer supports SSL encryption.)

In addition, when Security Proxy authorization is enabled, only users who have been authenticated and authorized by the Administrative Server are able to access the host. Others are denied access.

NOTE: To use the Security Proxy Server, the Administrative Server certificate must be trusted by the Security Proxy. The automated installer generates a self-signed certificate that must be imported to the Security Proxy's list of trusted certificates. If you installed a CA-signed certificate on the Administrative Server, you do not need to import the certificate to the Security Proxy.

End to end Encryption: Tunneled TLS Direct Connection to the Host

When you use the Security Proxy, data sent between the emulator and the proxy is TLS-encrypted. You can also tunnel a TLS direct connection to the host through the Security Proxy Server. This form of end-to-end encryption can be set up for a host that supports TLS connections.

To set up this type of connection, open the session's Security (TLS Settings) dialog to configure the session to use the Security Proxy, then check the End to end encryption option.

As part of the TLS protocol, the client checks the server or host name it connected to against the name on the server certificate. Therefore, TLS connections require the name on the server certificate to match the host or Security Proxy server name. When end-to-end encryption through the Security Proxy is enabled, the client receives a server certificate from both the Security Proxy and the host, and both are checked against the name the client connected to. It is therefore recommended that the host certificate list the Security Proxy server name as a subject alternative name (SAN).
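The following added example (not part of the product documentation) shows why the host certificate needs the Security Proxy name as a SAN. It performs the name check a TLS client applies, using the dictionary layout Python's ssl.getpeercert() returns, against constructed sample certificates; the names proxy.example.test and mainframe.example.test are placeholders.

```python
"""Hostname check a TLS client applies to each certificate it receives."""


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 rules, simplified).

    A wildcard is honoured only as the whole leftmost label and matches exactly
    one label: '*.example.test' matches 'proxy.example.test' but not
    'a.proxy.example.test' or 'example.test'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names a certificate claims: SAN dNSName entries, or the subject CN
    only when the certificate carries no SAN (the legacy fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches(cert: dict, expected_name: str) -> bool:
    return any(_dns_name_match(n, expected_name) for n in cert_names(cert))


def verify_tunnel(proxy_cert: dict, host_cert: dict, proxy_name: str) -> dict:
    """On a tunneled end-to-end connection the client sees two certificates and
    checks both against the single name it dialled: the Security Proxy's."""
    return {"proxy": cert_matches(proxy_cert, proxy_name),
            "host": cert_matches(host_cert, proxy_name)}


# Constructed sample certificates in ssl.getpeercert() layout, not real ones.
PROXY_CERT = {"subject": ((("commonName", "proxy.example.test"),),),
              "subjectAltName": (("DNS", "proxy.example.test"),)}
HOST_CERT_NO_SAN = {"subject": ((("commonName", "mainframe.example.test"),),)}
HOST_CERT_WITH_SAN = {"subject": ((("commonName", "mainframe.example.test"),),),
                      "subjectAltName": (("DNS", "mainframe.example.test"),
                                         ("DNS", "proxy.example.test"))}

if __name__ == "__main__":
    print(verify_tunnel(PROXY_CERT, HOST_CERT_NO_SAN, "proxy.example.test"))
    print(verify_tunnel(PROXY_CERT, HOST_CERT_WITH_SAN, "proxy.example.test"))
```

The first call fails the host check because the host certificate only names the mainframe; the second passes once the proxy name is present as a SAN.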

7.2.2 FIPS-Approved Mode

The United States government’s Federal Information Processing Standards (FIPS) are sets of standards developed by the National Institute of Standards and Technology (NIST) that describe the handling and processing of information within governmental agencies.

Specifically, FIPS 140-2 sets standards for cryptographic modules. The cryptographic modules are validated against the specific set of requirements and tested in 11 categories by independent US government-certified testing laboratories. NIST and Canada’s Communications Security Establishment (CSE) jointly administer the process by which modules are validated against FIPS 140-2.

When you configure the Security Proxy Server and secure terminal sessions to run in FIPS-approved mode, all connections are made using security protocols and algorithms that meet FIPS 140-2 standards.

Related Topic: