TFS ApplicationControl White Paper


TFS Technology
www.tfstech.com

Transparent, Encrypted Access to Networked Applications

TFS ApplicationControl
White Paper

Table of Contents

Overview
User-Friendliness Saves Time
Enhanced Security Saves Worry
Software Components
Features of TFS ApplicationControl
TFS Agents for Remote Administration
System Architecture
TFS BoKS Manager
TFS ApplicationControl
Log In Process With TFS ApplicationControl
Off-the-Shelf TFS Agents
Software Development Kits
TFS Agent Combinations for Differing Requirements
Basic Combinations of TFS Agents
Additional Questions to Ask
Using Proxy Machines for Old or Special Operating Systems
About TFS Technology

Overview

TFS ApplicationControl is designed to provide you both a more user-friendly application environment and enhanced security.

User-Friendliness Saves Time

Once you have fully deployed TFS ApplicationControl, users need to log in only once daily. TFS ApplicationControl then provides them transparent single sign-on (SSO) to all applications that are TFS ApplicationControl enabled. This eliminates user frustration due to lost account information, for example, upon returning from vacation or not having used a particular application for some time.

It is not only users who benefit from the SSO friendliness - application administrators are spared all the calls from users who would otherwise need to reset their passwords. The results: reduced help-desk costs and more time for productive tasks such as user account administration and application management. This means less time spent on daily tasks that do not add value, and more time available for tasks that do.

Enhanced Security Saves Worry

When important or essential information is transferred in clear text over a network, there is every reason to take a careful look at application security within the network. Sensitive information concerning things such as customers, bids, salaries, personnel, blueprints, prototypes, plans and strategy is among an organization's most important strategic assets. Unauthorized access to such information must be prevented, as it is possible for an attacker to obtain information sent in clear text over networks with simple tools such as "sniffers". TFS ApplicationControl secures sensitive information by encrypting all communication between application server and user. It is not only application content (data) that is protected, but user names and passwords as well.

Software Components

TFS ApplicationControl employs the following components:

• TFS BoKS Manager server - the central security server that provides user administration, user authentication, user authorization, audit logging as well as other services.

• TFS Desktop - client software that is installed on all PCs to allow users to log in to the security system and gain access to TFS ApplicationControl-enabled applications. Access is only possible from a TFS Desktop PC, virtually eliminating risk from outside, unauthorized intruders. TFS Desktop provides users with the capability of using digital user credentials such as certificates and electronic keys, which may be stored in either Smart Cards or Virtual Cards, or a combination of both. (A Virtual Card is essentially the protected software equivalent of a Smart Card).

• TFS Agents - the server software that is usually installed on the application server itself to protect the application from unauthorized access. Depending on the application, TFS Agents are installed either as a proxy in front of the application or as a shared library (DLL file) if such an interface exists in the application. For some applications, there is also a TFS Agent client component installed on the PC along with the TFS Desktop.


The TFS Technology Vision: “Lead the world in providing enhancements to existing infrastructure, simplifying usage and administration with profound security using

Features of TFS ApplicationControl

TFS Agents are designed and built specifically for standard applications, but can also be customized for particular needs. Features, which vary somewhat depending on application, include:

• Non-intrusiveness - TFS Agents can be implemented without modifying the application being protected.

• SSO - Single sign-on to all applications, which lets users log in once to authenticate themselves, then gives them access to all applications for which they are authorized without the need for further passwords.

• Role Mapping - Allows a user to log in to an application with different roles, such as administrator, operator or tester.

• Access Control or Authorization - You define who can access what and when. Access Control is managed in TFS BoKS Manager.

• Strong two-factor authentication - Ensures that the user is who he or she claims to be, so that only authenticated users gain access.

• Line Encryption - Encrypts communication between the user's PC and the application server.

• Central Administration - Allows administration of access rights to all applications from one central point in the network. Administrators do not need to log in to all application servers to disable an account. Instead, the user is removed (or blocked temporarily) in the central security database. No one can log in to TFS Agent-protected applications without access rights in the database.

• Central Audit Logs - TFS Agents log successful and unsuccessful login attempts to the central security log in TFS BoKS Manager.

In application security, it is an advantage to have only one general security system to protect many applications, rather than one security system for each application. A single system greatly simplifies the work of administrators, provides a system overview and allows centralized audit logging for much easier audit review.

Almost all TFS Agents can be installed without the need to alter or modify the application. They are quick and easy to install, and the startup time before moving into production mode is short.

TFS Agents for Remote Administration

In today's world, it is becoming increasingly important to be able to perform remote administration for components such as application servers, file servers, firewalls and routers in a secure manner. The following TFS Agents for network access methods make it possible to protect remote host administration via the most common means:

• TFS Agent for Telnet - Telnet

• TFS Agent for FTP - FTP

• TFS Agent for Web Servers - HTTP (via a web interface)

• TFS Agent for Line Encryption - Allows remote access through a secure tunnel for existing user-developed administrative tools

The use of the above TFS Agents in a configuration in which the application server cannot be reached in any way except via the TFS Agents provides greatly strengthened security for remote administration.

System Architecture

TFS BoKS Manager is the central security server for the TFS ApplicationControl, TFS DocumentControl, TFS UnixControl and TFS WorkstationControl solutions. This section describes the basic functionality that TFS BoKS Manager provides, as well as how it interacts with the different solutions.

TFS BoKS Manager

TFS BoKS Manager is the central server in an ApplicationControl solution, holding the security database and the audit logs. From an ApplicationControl perspective, the TFS BoKS Manager has three primary tasks:

1. Generating RSA keys and certificates for users (unless Smart Cards are used) and hosts in the form of Virtual Cards.

2. Providing the TFS Desktop with a number of services, such as download of Virtual Cards (roaming credentials), user authentication and download of trusted CA certificates.

3. Providing TFS Agents with services to authenticate, authorize and fetch application account information for users and act as audit log server.

A TFS BoKS Manager installation is called a domain and consists of one TFS BoKS Manager Master server and a number of Replica servers.

The Desktops and Agents can access any of the servers to obtain the particular services, providing load balancing and improved performance.

In addition to the services directly related to ApplicationControl, TFS BoKS Manager is also the central server in the UnixControl and DocumentControl solutions, providing access control services to BoKS Clients and providing Group Encryption Keys and personal file encryption keys to TFS Desktop users.

Communication between the TFS Desktops and TFS BoKS Manager is accomplished using the CSSP (Cryptographic Security Services Protocol) protocol over 128-bit SSL. Communication both between TFS Agents and TFS BoKS Manager, as well as between the BoKS Master, Replicas and Clients, is accomplished using 128-bit RC5 with a shared secret (Nodekey). TFS BoKS Manager is managed via a web interface on the Master server. The web interface uses 128-bit https, and authentication to the web interface is done either using SecurID or client-authenticated SSL.

TFS BoKS Manager supports all major UNIX brands (see the TFS BoKS Manager data sheet for details). This means that the Master server and Replica servers can be installed in a heterogeneous UNIX environment with all functionality intact, regardless of the platform on which TFS BoKS Manager is installed.

TFS ApplicationControl

TFS BoKS Manager is the point of central control and the provider of information to the other components in a TFS ApplicationControl solution. Both TFS Desktop and TFS Agent need to be in contact with TFS BoKS Manager for authentication, authorization and accounting purposes. TFS BoKS Manager also gathers log information for each connection (or attempted connection) and other events. The following schematic overview shows how the different components interact:

Log In Process with TFS ApplicationControl

TFS Desktop Login: The user logs in to the TFS Desktop, which connects to TFS BoKS Manager to check if the user is authorized to log in. When logging in to the TFS Desktop, the user may use either a Smart Card or a Virtual Card, or a combination of both, as user credentials. It is possible to configure (on a user basis) the use of either a password or an RSA SecurID token to unlock the Smart Card or Virtual Card.

User Starts Application: When the application client is started on the PC (makes a TCP connection to the application server), the TFS Desktop connection filter intercepts the connection and starts an SSL negotiation session with the TFS Agent to set up an authenticated, encrypted connection. After a secure connection is negotiated, it is encrypted using 128-bit SSL. All communication between TFS products is also encrypted.

Authorization by TFS BoKS Manager: After the authentication process, the application data is tunneled through an SSL channel and the TFS Agent begins processing the first application data packages sent between the application client and server. The TFS Agent checks the user's application setup in the TFS BoKS security database to ensure that the user is authorized to use this application (Access Route check), and maps the user to a predefined application user account. This means that the application user name, password and ID need not be known by the user.

TFS Agent Opens Channel to Application: With authorization from TFS BoKS Manager, the user's application account information is now inserted into the original data package and the connection between the application client and the application server is opened. After the application has accepted the user name and password, the user has an encrypted line across the network to the application, or more correctly to the TFS Agent on the Agent host (which is generally the application server).
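The following is an added illustration, not TFS code, of the Agent-side steps just described: the Access Route check against the central security database, role mapping to a predefined application account, the central audit log entry for every attempt, and insertion of the mapped account into the client's first data package. The database contents, the time windows and the "LOGIN * *" line protocol are all constructed for the example.

```python
"""Toy model of the TFS Agent authorization step described above.
Constructed example, not TFS code: the security database contents, the
time windows and the LOGIN line protocol are all invented for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Stand-in for the Access Routes held in the central TFS BoKS Manager
# database: who may reach which application, in which role, during which
# hours (24h clock), and which predefined application account the role
# maps to.  The user never learns these application credentials.
ACCESS_ROUTES = {
    ("alice", "oracle-db", "administrator"): {
        "hours": (8, 18), "account": ("ora_admin", "admin-pw-constructed")},
    ("alice", "oracle-db", "operator"): {
        "hours": (0, 24), "account": ("ora_ops", "ops-pw-constructed")},
    ("bob", "oracle-db", "operator"): {
        "hours": (8, 18), "account": ("ora_ops", "ops-pw-constructed")},
}

# Stand-in for the central audit log: every attempt is recorded, denied
# ones included, so the review happens in one place.
AUDIT_LOG = []


@dataclass
class Decision:
    allowed: bool
    reason: str
    account: Optional[Tuple[str, str]] = None


def check_access_route(user: str, app: str, role: str, hour: int) -> Decision:
    """Access Route check: may this (already authenticated) Desktop user use
    the application in this role at this hour?  Logs the outcome centrally."""
    route = ACCESS_ROUTES.get((user, app, role))
    if route is None:
        dec = Decision(False, "no access route for user/application/role")
    elif not (route["hours"][0] <= hour < route["hours"][1]):
        dec = Decision(False, "outside the permitted time window")
    else:
        dec = Decision(True, "authorized", route["account"])
    outcome = "success" if dec.allowed else "denied"
    AUDIT_LOG.append(f"hour={hour:02d} user={user} app={app} role={role} "
                     f"login={outcome} ({dec.reason})")
    return dec


def inject_credentials(first_packet: bytes, account: Tuple[str, str]) -> bytes:
    """Rewrite the client's first data package.  Constructed line protocol:
    the client sends 'LOGIN * *' because the user does not know the real
    application user name or password; the agent substitutes the mapped
    account before the channel to the application server is opened."""
    fields = first_packet.decode("ascii").rstrip("\r\n").split(" ")
    if len(fields) != 3 or fields[0] != "LOGIN":
        raise ValueError("first packet is not a LOGIN line")
    app_user, app_password = account
    return f"LOGIN {app_user} {app_password}\r\n".encode("ascii")


def agent_handle_first_packet(user: str, app: str, role: str,
                              first_packet: bytes, hour: int) -> Optional[bytes]:
    """Returns the rewritten packet to forward to the application server, or
    None when authorization fails and the channel must not be opened."""
    dec = check_access_route(user, app, role, hour)
    if not dec.allowed:
        return None
    return inject_credentials(first_packet, dec.account)


if __name__ == "__main__":
    for who, role, hour in [("alice", "administrator", 10),
                            ("alice", "administrator", 22), ("bob", "tester", 10)]:
        pkt = agent_handle_first_packet(who, "oracle-db", role, b"LOGIN * *\r\n", hour)
        print(who, role, hour, "->", pkt)
    print("\n".join(AUDIT_LOG))
```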


The user only needs to authenticate once on their TFS Desktop through TFS BoKS Manager when starting work each day, and then experiences the ease of single sign-on without multiple passwords to all applications protected by TFS Agents. Your administrators can also rest secure in the knowledge that users are not setting simplified passwords that they can remember but that are easy to crack, or writing passwords down where they may be seen. In the context of this solution, TFS BoKS Manager manages all user credentials. TFS BoKS Manager allows synchronization with external CRLs, and provides for manual revocation and reinstatement of user certificates.

Off-the-Shelf TFS Agents

The following TFS Agent solutions are available either for direct download or as standard solutions that must be compiled on the target platform and quickly tested before usage:

• TFS Agent for SNC/SSF - covers SAP R/3's Secure Network Communication (SNC) interface, Secure Store and Forward (SSF) interface and MySAP.com (web) interface.

• TFS Agent for Line Encryption (LEA) - provides access control and tunnels any application that uses the TCP/IP protocol (that is, does not support applications running on UDP).

• TFS Agent for Oracle Applications

• TFS Agent for Oracle DB/MTS

• TFS Agent for Peoplesoft

• TFS Agent for Informix

• TFS Agent for Sybase

• TFS Agent for Web Servers - protects the HTTP protocol v1.0 and v1.1 and is not web server specific. No modifications to the TFS Agent for Web Servers are needed as long as the web server uses standard HTTP.

• TFS Agent for Lotus Notes - provides single sign-on (SSO) to the Lotus Notes application. May be combined with the TFS Agent for Line Encryption to add access control and encrypted communication.

• TFS Agent for Telnet

• TFS Agent for FTP

• TFS Agent for POP3 - secures incoming mail traffic from the server to the client, that is, when fetching mail from the mail server.

• TFS Agent for IMAP - secures incoming mail traffic from the server to the client, that is, when fetching mail from the mail server.

• TFS Agent for SMTP - secures outgoing mail. The TFS Agent for SMTP can also ensure the authenticity of the email sender's name and address.

• TFS Agent for TN3270

Software Development Kits

TFS Agent Software Development Kits (SDKs) can be used to build customized Agent solutions. Currently, three different TFS Agent Software Development Kits (SDKs) are available: one full kit and two lightweight Single Sign-On kits.

The full TFS Agent SDK (referred to as the Agent SDK) has an easy-to-use C-API with a high level interface, allowing for easy creation of standard proxy agents. In addition, the Agent SDK has some 180 functions for advanced use if desired. This kit can be used to tailor solutions for almost any need.

If the requirement for a customized Agent is limited to single sign-on functionality, TFS offers two lightweight single sign-on SDKs that include 15 to 40 functions, respectively, to give you lightweight solutions that are easy, quick and cheap to implement. These kits only include functions relevant to SSO and come in two forms, depending on your architecture and needs: one server-based, referred to as the SSO SDK and the other client-based, referred to as the Desktop SSO SDK. The client-based kit works in conjunction with the TFS Desktop.


In summary, the available TFS Agent SDKs are:

• TFS Agent SDK - full kit, currently ported to approximately 15 different platforms

• TFS SSO SDK - server-based SSO tool, currently ported to 3 platforms

• TFS Desktop SSO SDK - client-based SSO tool that interacts with the TFS Desktop

TFS Agent Combinations for Differing Requirements

TFS Agent software is so well integrated, modular and versatile, that many solutions are available for a given need. A commonly asked question is how to obtain SSO and security in the most cost-effective way.

Basic Combinations of TFS Agents

TFS Agents and the software kits can be combined to provide the most cost-effective solution for your needs. Some tradeoffs to consider in designing your solution using the various TFS Agents and SDKs are:

• Using the Agent SDK by itself is more complex than using the (Desktop) SSO SDK together with the optional TFS Line Encryption Agent (LEA).

• The benefit of using the Agent SDK is that the resulting solution is extremely secure if implemented correctly, whereas the (Desktop) SSO SDK together with the LEA offers medium security, that is, no sensitive information is sent in clear text over the network, but account information may reside in the client PC's memory for a time. The (Desktop) SSO SDK used alone offers improved security, though lower than the other combinations. The (Desktop) SSO SDKs alone should be used only to give users SSO to applications, as account information is then sent in clear text over the network.

• Implementing a solution using the (Desktop) SSO SDK is easier than doing so with the full Agent SDK, thus there are further questions one needs to answer before planning and choosing the tools for building a solution.

Additional Questions

Some additional questions to answer when designing a custom solution are the following:

• What security level is required?

 · high
 · medium
 · low

 If your answer is "high", use the Agent SDK.

• Is the application's protocol specification available as open information? This is needed in implementing a full TFS Agent with the SDK. If not immediately available, it may take some effort to gather such specification information.

• If a full TFS Agent is desired and the application's source code is available, one option is to build the TFS Agent into the application (compiled together, or "native support"). This option creates a very tight, secure solution.

• Is it possible to start the application client with a script or log in to the application client via a published and supported API? Then the (Desktop) SSO SDK + the optional LEA is a good choice.


• If it is not possible to start the client via a script and there is no login API, do you have the source code to the client? Would it be possible to add functionality allowing a scripted start to the code? In C programs, using main(argc, argv) makes adding such functionality fairly easy. In such a case, TFS Technology suggests using the (Desktop) SSO SDK + optional LEA. This solution combination will likely result in a project that is shorter, more cost-effective and easier to maintain, due to the fact that there are no maintenance dependencies on changes in the application protocol, etc. This is a way to create solutions for many applications for which a customized Agent built with the SDK would have been too expensive to build and costly to maintain.

• It is also possible to put (Desktop) SSO SDK client calls into the application client source code. This is a nice way to add SSO to the application.

In a typical operating network, there is often no need to secure all applications, as long as they do not contain sensitive information. However, when TFS Agents are to be developed and deployed for all sensitive applications, it may be just as profitable - from a cost, saved time and user perspective - to include all major applications in the TFS ApplicationControl solution.

Using Proxy Machines for Old or Special Operating Systems

Occasionally, applications run on hardware or with operating systems that TFS Agents do not support. In such cases, it is always possible to front the application server with another machine using the (Desktop) SSO SDK and LEA, or the full Agent SDK, to create a TFS Agent solution. In such circumstances, the connection between the application server and the fronting machine must be physically secured and protected, as it is not encrypted.

As a TFS Agent may be installed directly on the application server or on a front-end machine, TFS uses the term Agent Host to refer to either one, that is, to the machine on which the Agent is installed.

One System, Many Solutions

TFS Technology achieves synergy between its different solutions, as they are all part of the same standards-based system that protects critical applications while complying with enterprise-wide security policies. Its central component, the TFS BoKS Manager, provides not only central administration, but also a central point of security information for other applications.

About TFS Technology

TFS Technology is an international award-winning provider of solutions that simplify usage and administration of existing infrastructure while providing profound security for today's successful businesses. With solutions adopted in more than 10,000 organizations spanning 30 countries, TFS Technology leads the world in providing value-added products and services to the customer.

The history of the company's technology dates back to 1986 at the DynaSoft organization with the initial development of what is known today as TFS BoKS. In 1992, the development work on the email security and connectivity products was initiated within the TenFour organization. In 2001, TFS Technology was established as a separate entity from TenFour, focusing strictly on product development of email security and connectivity solutions.

In 2002, TFS Technology acquired the key management and file encryption products from RSA Security Inc., joining both product families together and strategically positioning TFS Technology as a comprehensive provider of e-security and infrastructure-enhancing solutions.

Today, TFS Technology's management team consists of the original inventors and developers of both successful product families, and is dedicated to continuing their strong product reputation of developing easy-to-use solutions.

A number of solutions are available in the system including UNIX administration, file encryption, secure messaging, email directory synchronization, and many more. TFS currently offers subsets of these services as individual licenses.

Copyright 2003 TFS Technology. All rights reserved.

TFS Technology US Inc. [email protected] +1 703 263 1700
TFS Technology Sweden AB [email protected] +46 18 16 00 00
TFS Technology UK Ltd. [email protected] +44 1444 245 651
