Contents

- Executive Overview (page 3)
- Introduction (page 3)
- Securing MWA Telnet Communication using SSH (page 4)
- SSH Client (page 5)
- SSH Server (page 5)
- Sample SSH Software (page 5)
- SSH Mobile Clients (page 5)
- SSH Servers (page 5)
- FIPS 140-2 (page 5)
- Examples (page 6)
- Example on using SSH with PuTTY clients (page 6)
EXECUTIVE OVERVIEW
Oracle WMS and Oracle MSCA support connectivity to mobile devices using Telnet connections over TCP/IP, with security provided by basic user/password authentication tied directly to standard Oracle Applications menu security. Encryption using WEP or other schemes can be used to provide additional protection of the through-air component of this traffic. However, there is no encryption of the payload on the (wired) network itself, and there exist known vulnerabilities in the WEP encryption scheme. This has raised concerns about security when using this technology. The SSH (Secure Shell) open standard provides encryption and security of all traffic between the mobile device and the application. This provides a security mechanism for Telnet traffic equivalent to that provided by HTTPS. This document describes how to implement such a system. Please note that this involves non-Oracle components; Oracle makes no warranty as to the effectiveness of this solution.
INTRODUCTION
Oracle's Warehouse Management and Mobile Supply Chain Applications enable most transactions to be executed using mobile devices connected by an RF network. Connectivity is provided using Telnet over TCP/IP between a Telnet mobile client and the Oracle MWA Telnet Server. The user is required to log in to the application, and this then restricts access to a defined set of responsibilities using the standard Oracle Applications menu security. The traffic passing through the RF network may be protected using a variety of encryption schemes (such as WEP2), which provide a level of protection. However, once the Telnet traffic passes beyond the RF network decryption point it is in the clear. This includes the user name and password used to sign on. This is analogous to having no HTTPS support in the HTML world. An additional concern is that WEP encryption (including WEP2) has known vulnerabilities to a concerted intrusion attack. The result is that people have the potential to access data that travels across the network. When the data includes sensitive and confidential information (such as logon information), it is desirable to make it unintelligible to unauthorized parties. It is also important to ensure that the data has not been modified, either intentionally or unintentionally, during transport. There are various options available to make these wireless data transmissions more secure in both directions, from server to client and from client to server. This paper describes an SSH tunneling solution that is highly effective in increasing the security of these data transmissions.
SECURING MWA TELNET COMMUNICATION USING SSH
The key components of this solution are an SSH Server, which resides next to the application server, and an SSH Client, which resides on the mobile device. Traffic is passed by the Telnet application on the mobile device to the SSH Client, also running on the mobile device. This then performs the encryption before sending the data out of the mobile device onto the network (RF and wired). The traffic is then received by the SSH Server, which decrypts the data before passing it to the MWA and WMS/MSCA applications. Traffic going in the other direction is handled in the same way. The following architecture diagram illustrates this process.
SSH Client
This is a client component that resides on the same device/machine as the Telnet client and uses the SSH protocol to transmit data to the SSH Server. As both the Telnet Client and SSH Client reside on the same device/machine, the communication between these components is not open to eavesdropping and need not be secured. The primary function of the SSH Client is to acquire the data from the Telnet Client and transmit it to the SSH Server through a secured mechanism, and vice versa.
SSH Server
This is the server-side component that resides on the same device/machine as the MWA Server. As both the SSH Server and MWA Server reside on the same device/machine, the communication between these components is not open to eavesdropping and need not be secured. The primary function of this component is to acquire the data from the MWA Server and transmit it to the SSH Client through a secure mechanism, and vice versa. The communication between the SSH Client and SSH Server will be secured.

SSH (client) and the SSH daemon (server) are together a replacement for telnet, rlogin, etc. They are available on all Linux and UNIX servers by default and require no additional licensing costs. SSH port forwarding is a feature of SSH wherein normal telnet, ftp, pop3, imap, net8 or any other TCP/IP protocol can be routed through the SSH secure session. SSH port forwarding simply forwards the incoming connection to the target port specified (which could be the Dispatcher or any TCP/IP port). The only disadvantage is that IP address mapping will not work, as all the clients would have to connect to the same IP address (the SSHD server IP).
SAMPLE SSH SOFTWARE

SSH Mobile Clients
provider. The major suppliers of RF equipment for industrial uses have developed FIPS 140-2 compliant solutions. The following are some references and helpful links.
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
- Symbol Offers Mobile Computing Wireless Security for Government ...
- Fortress Technologies - Press Releases
- http://www.why-war.com/news/2004/03/22/intermec.html
EXAMPLES
Example on using SSH with PuTTY clients

An MWA Telnet client connection can be made more secure using SSH port forwarding. Any Telnet client that supports SSH port forwarding and the VT100 Telnet protocol can be used for this purpose. The following are the four simple steps to make your MWA Telnet client connection secure on a desktop using the PuTTY Telnet client.

Assumption: it is assumed that the server running the MWA Telnet Server also supports SSH sessions.

Step 1: Specify the SSH Server host name and port number (22 is the default SSH port).
Step 2: Select Connection -> SSH -> Tunnels. Specify the port information under "Add new forwarded port". Source port can be any port on the local host that will later be used by the Telnet client to connect to the MWA application. Destination is the actual MWA Telnet Server host name and port in host:port format.

Step 4: Launch any Telnet client that supports the VT100 protocol and connect to the source port on localhost specified in Step 2 to make a secure connection to the MWA Telnet Server.
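As an added example that is not from the paper, the following script is the OpenSSH command-line equivalent of the PuTTY tunnel configured in Steps 1 to 4 and of the port-forwarding mechanism described in the SSH Server section: it composes the `ssh -L` forward from the same three values PuTTY asks for (SSH host/port, source port, MWA host:port), validates them, and binds the source port to loopback so the cleartext Telnet side stays on the local machine. All host names and port numbers are placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle paper: the OpenSSH command-line equivalent
# of the PuTTY tunnel configured in Steps 1-4, with input checks.
# All host names and port numbers used here are placeholders (assumptions).

# valid_port <n>: true if <n> is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# parse_destination <host:port>: the "Destination" field from Step 2.
# Prints "host port" on success, fails on a malformed value.
parse_destination() {
    case "$1" in
        *:*) ;;
        *) echo "destination must be host:port" >&2; return 1 ;;
    esac
    host=${1%:*}
    port=${1##*:}
    [ -n "$host" ] || { echo "empty host in destination" >&2; return 1; }
    valid_port "$port" || { echo "bad port in destination: $port" >&2; return 1; }
    printf '%s %s\n' "$host" "$port"
}

# tunnel_cmd <ssh-host> <ssh-port> <source-port> <mwa-host:port>
# Prints the ssh command that opens the forward. -N opens no remote shell,
# and binding the source port to 127.0.0.1 keeps the cleartext Telnet side of
# the tunnel reachable only from this machine, as the paper's design assumes.
tunnel_cmd() {
    valid_port "$2" || { echo "bad SSH port: $2" >&2; return 1; }
    valid_port "$3" || { echo "bad source port: $3" >&2; return 1; }
    hp=$(parse_destination "$4") || return 1
    mwa_host=${hp% *}
    mwa_port=${hp#* }
    printf 'ssh -N -p %s -L 127.0.0.1:%s:%s:%s %s\n' "$2" "$3" "$mwa_host" "$mwa_port" "$1"
}

# listening_on_loopback <source-port>: after the tunnel is up, confirm the
# forwarded port is bound to 127.0.0.1 only (uses ss, present on modern Linux).
listening_on_loopback() {
    ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 "
}

# Usage (placeholder hosts): run the printed command in one terminal, then
# point the Telnet client at localhost:10200 as in Step 4.
tunnel_cmd gateway.example.com 22 10200 mwa-host.example.com:10200
```

Once the tunnel is running, `listening_on_loopback 10200` should succeed; if the port shows up bound to 0.0.0.0 instead, other hosts on the LAN could reach the unencrypted Telnet side of the forward.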
The following diagrams show the various settings that are configurable for SSH in the PuTTY client.
Securing MWA Telnet Communication using SSH
November 2004
Author: Madhu Punuganti
Contributing Authors: Anil Johnson

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
www.oracle.com

Oracle Corporation provides the software that powers the internet. Oracle is a registered trademark of Oracle Corporation. Various product and service names referenced herein may be trademarks of Oracle Corporation. All other product and service names mentioned may be trademarks of their respective owners. Copyright 2000 Oracle Corporation. All rights reserved.