Security Proxy

Our OutsideViewWEB and AppView products support a security architecture which implements a Security Proxy Server. In this architecture, a Java application executes on a computer with a Java 1.1 (or greater) compliant JVM. This application provides encryption/decryption (56-bit DES or 168-bit 3DES) services on the network channel to the emulation applet and a telnet data stream to the host. For maximum security, the server should be dual-homed.

The connection process for a remote client is (see figure 1):

• The client accesses the web server and opens the session bootstrap page which will download the Security Archive. On this initial connection, the certificate signing the Security Archive is compared to the list of trusted publishers in the local browser certificate store. If the certificate is not found, the user may be asked, based on their local security settings, if they wish to trust applications from your organization. The user is thus assured of the origin of the Security Server certificate and connection information. The Security Archive is downloaded only on the initial connection and is cached at the user’s workstation for future connections. After download of the archive, the bootstrap page then links to the session page. The session page then downloads the emulation applet.
  
  
• The emulation applet establishes an SSL connection to the Security Proxy Server. The server certificate fetched from the proxy during SSL handshake is compared to the contents of the Security Archive. A connection to the Security Proxy Server can only be achieved if the public key and other values stored in the Security Archive match the corresponding values in the server certificate.
  
  
• As a final step, the Security Proxy Server establishes a telnet connection to the host. The data stream between the remote user’s workstation and the Security Proxy Server is encrypted to the strength defined in the cipher suite. Communication between the host and Security Proxy Server is clear text. To further protect this channel, the Security Proxy Server may be isolated on a separate network segment with the host or even executed on the host if a compatible JVM is available.