
Securing MWA Telnet Communication using SSH

An Oracle White Paper November 2004


Executive Overview
Introduction
Securing MWA Telnet Communication using SSH
  SSH Client
  SSH Server
Sample SSH Software
  SSH Mobile Clients
  SSH Servers
FIPS 140-2
Examples
  Example on using SSH with PUTTY clients


Securing MWA Telnet Client Connections using SSH

EXECUTIVE OVERVIEW

Oracle WMS and Oracle MSCA support connectivity to mobile devices using Telnet connections over TCP/IP, with security provided by basic user/password authentication tied directly to standard Oracle Applications menu security. Encryption using WEP or other schemes can be used to provide additional protection for the over-the-air component of this traffic. However, there is no encryption of the payload on the (wired) network itself, and there are known vulnerabilities in the WEP encryption scheme. This has raised concerns about security when using this technology. The SSH (Secure Shell) open standard provides encryption and security of all traffic between the mobile device and the application. This gives Telnet traffic a security mechanism equivalent to that provided by HTTPS. This document describes how to implement such a system. Please note that this involves non-Oracle components; Oracle makes no warranty as to the effectiveness of this solution.
INTRODUCTION

Oracle's Warehouse Management and Mobile Supply Chain Applications enable most transactions to be executed using mobile devices connected over an RF network. Connectivity is provided using Telnet over TCP/IP between a Telnet mobile client and the Oracle MWA Telnet Server. The user is required to log in to the application, which then restricts access to a defined set of responsibilities using the standard Oracle Applications menu security. The traffic passing through the RF network may be protected using a variety of encryption schemes (such as WEP2), which provide a level of protection. However, once the Telnet traffic passes beyond the RF network decryption point it is in the clear. This includes the user name and password used to sign on. This is analogous to having no HTTPS support in the HTML world. An additional concern is that WEP encryption (including WEP2) has known vulnerabilities to a concerted intrusion attack. The result is that people have the potential to access data that travels across the network. When the data includes sensitive and confidential information (such as logon information), it is desirable to make it unintelligible to unauthorized parties. It is also important to ensure that the data has not been modified, either intentionally or unintentionally, during transport. There are various options available to make these wireless data transmissions more secure in both directions, from server to client and from client to server. This paper describes an SSH tunneling solution that is highly effective in increasing the security of these data transmissions.
SECURING MWA TELNET COMMUNICATION USING SSH

The key components of this solution are an SSH Server, which resides next to the application server, and an SSH Client, which resides on the mobile device. Traffic is passed by the Telnet application on the mobile device to the SSH Client, also running on the mobile device. The SSH Client performs the encryption before sending the data out of the mobile device onto the network (RF and wired). The traffic is then received by the SSH Server, which decrypts the data before passing it to the MWA and WMS/MSCA applications. Traffic going in the other direction is handled in the same way. The following architecture diagram illustrates this process.


SSH Client

This is a client component that resides on the same Telnet client device/machine and uses the SSH protocol to transmit data to the SSH Server. As both the Telnet Client and SSH Client reside on the same device/machine, the communication between these components is not open to eavesdropping and need not be secured. The primary function of the SSH Client is to acquire the data from the Telnet Client and transmit it to the SSH Server through a secured mechanism, and vice versa.
SSH Server

This is the server-side component that resides on the same device/machine as the MWA Server. As both the SSH Server and MWA Server reside on the same device/machine, the communication between these components is not open to eavesdropping and need not be secured. The primary function of this component is to acquire the data from the MWA Server and transmit it to the SSH Client through a secure mechanism, and vice versa. The communication between the SSH Client and SSH Server is secured. SSH (client) and the SSH daemon (server) are together a replacement for telnet, rlogin, etc.; they are available on all Linux and UNIX servers by default and require no additional licensing costs. SSH port forwarding is a feature of SSH whereby normal telnet, FTP, POP3, IMAP, Net8 or any other TCP/IP protocol can be routed through an SSH secure session. SSH port forwarding simply forwards the incoming connection to the target port specified (this could be the Dispatcher or any TCP/IP port). The only disadvantage is that IP address mapping will not work, as all the clients have to connect to the same IP address (the SSHD server's IP).
SAMPLE SSH SOFTWARE

SSH Mobile Clients

http://www.dejavusoftware.com/pocketty/
http://www.movsoftware.com/products/sshce/sshce.htm
http://www.pragmasys.com/


SSH Servers

http://www.foxitsoftware.com/wac/server_intro.php
http://www.jfitz.com/tips/ssh_for_windows.html
http://www.bitvise.com/winsshd.html


FIPS 140-2

This approach, while highly secure for most commercial applications, does not conform to all of the requirements for military applications as defined by the US Department of Defense FIPS 140-2 standards. For information regarding how to implement this highly stringent level of security, please contact your hardware provider. The major suppliers of RF equipment for industrial uses have developed FIPS 140-2 compliant solutions. The following are some references and helpful links.

http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
Symbol Offers Mobile Computing Wireless Security for Government ...
Fortress Technologies - Press Releases
http://www.why-war.com/news/2004/03/22/intermec.html

EXAMPLES
Example on using SSH with PUTTY clients

An MWA Telnet client connection can be made more secure using SSH port forwarding. Any Telnet client that supports SSH port forwarding and the VT100 Telnet protocol can be used for this purpose. The following are the four simple steps to make your MWA Telnet client connection secure on a desktop using the PuTTY Telnet client.

Assumption: it is assumed that the server running the MWA Telnet Server also supports SSH sessions.

Step 1: Specify the SSH Server host name and port number (22 is the default SSH port).


Step 2: Select Connection -> SSH -> Tunnels. Specify the port information under "Add new forwarded port". The source port can be any port on the local host; it will later be used by the Telnet client to connect to the MWA application. The destination is the actual MWA Telnet Server host name and port, in host:port format.

Step 3: Log in to the SSH session.


Step 4: Launch any Telnet client that supports the VT100 protocol and connect to the source port on the localhost specified in Step 2 to make a secure connection to the MWA Telnet Server.
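The same four steps carried out with the OpenSSH command-line client instead of PuTTY, as an added example that is not part of the original paper. The user name, host names and port numbers are placeholders, and the script assumes ssh and a VT100-capable telnet client are installed on the desktop.

```shell
#!/bin/sh
# Added example (not from the paper): the four PuTTY steps as an OpenSSH
# command line. User, host names and ports are assumed placeholders.
set -u

# Step 2 equivalent: build the -L forward spec. Binding explicitly to
# 127.0.0.1 keeps the cleartext Telnet leg on the desktop itself, which is
# the assumption the paper makes about the client side.
forward_spec() {
  # $1 = local source port, $2 = MWA Telnet Server host, $3 = its port
  printf '127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# Guard: a spec listening on all interfaces would let other hosts on the
# LAN reach the unencrypted end of the tunnel.
spec_is_loopback_only() {
  case "$1" in
    127.0.0.1:*:*:*|localhost:*:*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# A TCP port is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Steps 1, 3 and 4: open the tunnel to the SSH Server (port 22 by default),
# then point a VT100 Telnet client at the local source port. Since the SSH
# Server sits beside the MWA Server, the destination host is that server.
start_tunnel() {
  user=$1 ssh_host=$2 src_port=$3 mwa_host=$4 mwa_port=$5
  valid_port "$src_port" && valid_port "$mwa_port" || return 1
  spec=$(forward_spec "$src_port" "$mwa_host" "$mwa_port")
  spec_is_loopback_only "$spec" || return 1
  # -N: no remote shell needed; -f: background after login;
  # ExitOnForwardFailure: fail loudly if the source port is already taken.
  ssh -N -f -o ExitOnForwardFailure=yes -L "$spec" "$user@$ssh_host" || return 1
  telnet 127.0.0.1 "$src_port"
}

# Usage: ./mwa_tunnel.sh <user> <ssh-host> <local-port> <mwa-host> <mwa-port>
if [ "$#" -eq 5 ]; then
  start_tunnel "$@"
fi
```

Because the SSH Server sits on the same machine as the MWA Server, the MWA Telnet port itself can be restricted to connections from that host, so that the tunnel is the only path to it.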

The following diagrams show the various SSH settings that can be configured in the PuTTY client.

Options controlling SSH Connections.


Form to specify authentication parameters.

Setting the Workarounds for the SSH Server bugs.


Securing MWA Telnet Communication using SSH
November 2004
Author: Madhu Punuganti
Contributing Authors: Anil Johnson

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
www.oracle.com

Oracle Corporation provides the software that powers the internet. Oracle is a registered trademark of Oracle Corporation. Various product and service names referenced herein may be trademarks of Oracle Corporation. All other product and service names mentioned may be trademarks of their respective owners. Copyright 2000 Oracle Corporation. All rights reserved.
