Host Access Solutions: Terminal Emulation Software and Host Integration

PASSPORT WEB TO HOST® and Host Access Security

Secure Web-Based Access to TN3270E and TN5250E host applications

PASSPORT WEB TO HOST® is a web-based, multi-host thin client suite that centralizes the administration of TN3270E and TN5250E emulators and eliminates the need to install a terminal emulator on each desktop.

PASSPORT WEB TO HOST uses the ActiveX architecture and thus has several advantages over a Java™ based terminal emulator. Many security questions arise concerning ActiveX, Java™, and other technologies for terminal emulation. Most of these concerns focus on the ability of these technologies to affect files on your hard drive or to facilitate malicious attacks. While it is appropriate to address all of these security concerns, it is also important to acknowledge that a key component of any security plan is a controlled approach to the implementation and use of solutions built on such technologies.

PASSPORT utilizes security at the web server (HTTPS) as well as at the TN3270E and TN5250E server to secure and encrypt all data transmission. Furthermore, PASSPORT WEB TO HOST® provides its own menu configuration rules that will control who can access various features on the host. To thoroughly demonstrate these features as related to security, this review addresses several points below:

1. Architectural Design of PASSPORT WEB TO HOST®
2. Security
3. ActiveX vs. Java™ Security
4. PASSPORT WEB TO HOST® Security
5. Digital Certificates
6. Menu Configuration Rules & Related Control
7. ActiveX Benefits vs. Java™

Conclusions

This review has concluded the following concerning ActiveX technology utilized within PASSPORT WEB TO HOST®:

1. Provides limited security risk.
2. Security risk can be mitigated by proper deployment strategies.
3. Java™ based emulators have no security advantages.
4. WEB TO HOST provides significant product performance compared to Java™ based emulators.
5. An assured channel using SSL and a trusted source on a secure server will eliminate security breaches to an enterprise.

Architectural Design of PASSPORT WEB TO HOST®

PASSPORT WEB TO HOST® resides either on a Microsoft® Windows 2000/NT IIS web server or an IBM® OS/390 with UNIX® System Services running WebSphere Application Server version 1.2 or higher, HTTP or comparable web server. At the workstation level, Microsoft® Internet Explorer 5.0 or higher is required. The first time a user requests a WEB TO HOST session, the 32-bit ActiveX component is downloaded to the workstation. These components are not downloaded again until a new version is installed and detected on the web server. Once the initial download is completed, the user's requested host session is sent to the web server to obtain the session information (IP host address, screen size, LU name -- see step 1 in diagram below). These session parameters are sent back to the workstation via a 1K encrypted file, and then a direct connection is established between the workstation and the host (see step 2). From this point, there is no more communication between the workstation and the web server.

[Diagram: web-based host access to 3270, 5250, and VT220/VT100 applications]

On a 100 megabit LAN with minimal traffic, it takes only 10 seconds for the one-time download of ActiveX components from the web server to the workstation. The downloaded ActiveX component (Passweb.cab) is a 1.5 MB file, while the expanded WEB TO HOST component will take up 3.2 MB of space on the workstation. If the PASSPORT WEB TO HOST® FTP feature is requested, a Passftp.cab file (298 KB) is downloaded as well. Each time a WEB TO HOST session is started, it uses about 6.5 MB of active memory on the workstation. PASSPORT WEB TO HOST requires approximately 25 MB of disk space on the web server.

Security

This security review will focus on two technologies, ActiveX and Java™. Most examinations of these two technologies have not been updated during the past two to three years. Distinctions between the two technologies have become blurred as the need for greater commercial utilization, along with expanded functionality requirements for Java™, has allowed it to gain access to memory and printing functions. With respect to security, the major focus of a Java™ solution has been the so-called "sandbox" approach. This sandbox approach promises a separation of the operating system and the Java™ applet. This course of action suggests that no Java™ applet can or could attack key components within a workstation. Although the use of a Virtual Java™ Machine to process a Java™ applet may create a barrier between the applet and the core of the operating system, it does not eliminate the security risks related to an unknown malicious Java™ source. The only real way to address security issues is to control the Java™ solutions that are utilized. Thus the best security is a trusted source deployed on a secure server utilizing an Assured Channel such as one with SSL security and digital certificates. This reality holds true for ActiveX components as well.

ActiveX vs Java Security

The original Java™ 1.0 virtual machine had many restrictions that promoted optimum security. These restrictions prohibited the Java™ applet from writing to the hard disk, accessing the printer, communicating with IP host addresses other than the machine it was downloaded from, etc. However, for WEB TO HOST applications, that may not be such a good idea. Although these restrictions provide additional security, they also prevent features like file transfers, host printing or access to a host mainframe through other 3270 servers. On the other hand, because it can write to the hard disk and access the printer, ActiveX can perform all of these advanced features like file transfer and 3270 or 5250 host printing. Moreover, to combat the fear that a malicious ActiveX applet from an unknown source could destroy a user's hard disk, Microsoft® instituted digital certificates. A digital certificate guarantees that a downloaded ActiveX applet is from a specific company and is certified by a reputable authority such as VeriSign. Digital certificates guarantee that a hacker hasn't corrupted the signed applet.

With the release of Java™ Developer Kit JDK 1.2, the new architecture lets you grant Java™ applets and applications permission to access specific system resources outside their restricted environments. Applets by default have no access to system resources outside the directory from which they were launched, but a signed applet can access local system resources as allowed by the local system's security policy. This major relaxation of the Java™ "sand-box" relies on the same approach that Microsoft® has taken with ActiveX: Public Key Infrastructure (PKI). The difference in the approach is that ActiveX components require just one PKI vs. Java™ requiring a PKI for each and every applet that requires access outside the "sand-box".

While the changes to JDK 1.2 have allowed Java™ based emulators to gain more features and functions, they still fall short of PASSPORT WEB TO HOST®. Additionally, the security distinction between Java™ and ActiveX has been blurred and has resulted in ActiveX providing the same level of security as Java™. Thus the best security is a trusted source deployed on a secure server utilizing an Assured Channel such as one with SSL security and digital certificates.

PASSPORT WEB TO HOST® Security

There are two optional levels of SSL security with PASSPORT WEB TO HOST®. First, there is SSL security from the workstation (browser) to the web server when the workstation first connects to the server to request connection information. This utilizes HTTPS, and the protection takes place between the workstation (browser) and web server. The configuration is done on the web server. Second, there is SSL security between the workstation and the host after a connection is made from the workstation using WEB TO HOST. This is known as TN3270E and TN5250E SSL, and both the TN3270E and TN5250E client (PASSPORT WEB TO HOST®) and the TN3270E and TN5250E server (Cisco® CIP or OS/390) have to be configured accordingly. Once properly configured, the data will be protected during a direct connection between the workstation and the host (TN3270E or TN5250E server). PASSPORT WEB TO HOST® supports both 40-bit and 128-bit data encryption.

Security Between Workstation (Browser) and Web Server

PASSPORT WEB TO HOST®'s security, like other WEB TO HOST solutions, begins at the web server (i.e. IIS). Your server must be configured for SSL (Secure Socket Layer) security in order to protect requests and data between Internet Explorer and the web server. This covers the point at which you connect to the WEB TO HOST server to request a download of the ActiveX component, request a session name, or launch a session. With SSL enabled, all data transmission here will be encrypted and protected via the HTTPS protocol (see diagram). For more information on how to configure your IIS server for SSL, please refer to:

Microsoft® TechNet article Q228991 (IIS 4) or
Microsoft® TechNet article Q290625 (IIS 5)

[Diagram: web-based host access to 3270, 5250, and VT220/VT100 applications]

Security Between Workstation and Server

After the ActiveX component is downloaded and the session is launched, your workstation (browser) no longer communicates with the web server. At this point, TN3270E and TN5250E SSL security is needed between the browser and the TN3270E or TN5250E Server (Host). Here, PASSPORT WEB TO HOST® and the corresponding TN3270E or TN5250E server must be configured for SSL security in order to protect the data between your workstation and the host (see diagram). For more information on configuring SSL security with PASSPORT WEB TO HOST®, please refer to our WEB TO HOST Administrator Help file under the Profile section for more instructions. For SSL configuration on your host server, please contact your host server vendor.

[Diagram: web-based host access to 3270, 5250, and VT220/VT100 applications]
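The two SSL legs described above can be checked from a workstation. The script below is an added example, not Zephyr's code: host names and ports are placeholders, and the TN3270E leg is assumed to start TLS immediately on connect (port 992 is an assumption). A server that negotiates TLS inside the Telnet session needs a different probe.

```powershell
# Added example: confirm both legs negotiate TLS and report cipher strength.
function Test-TlsLeg {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [int]$MinCipherBits = 128   # anything weaker (e.g. 40-bit) is reported as a failure
    )
    $result = [ordered]@{
        Leg = $Name; Endpoint = "${HostName}:$Port"; Protocol = $null
        Cipher = $null; CipherBits = 0; Subject = $null; Pass = $false; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Default validation: the handshake fails if the server certificate
        # does not chain to a trusted root or does not match $HostName.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $result.Protocol   = $ssl.SslProtocol
            $result.Cipher     = $ssl.CipherAlgorithm
            $result.CipherBits = $ssl.CipherStrength
            $result.Subject    = $ssl.RemoteCertificate.Subject
            $result.Pass       = ($ssl.CipherStrength -ge $MinCipherBits)
        } finally { $ssl.Dispose() }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Placeholder endpoints (assumptions): replace with your web server and TN3270E/TN5250E server.
$legs = @(
    @{ Name = 'Browser to web server (HTTPS)'; HostName = 'webtohost.example.internal'; Port = 443 },
    @{ Name = 'Workstation to TN3270E server'; HostName = 'tn3270.example.internal';    Port = 992 }
)
foreach ($leg in $legs) { Test-TlsLeg @leg }
```

A leg that fails the handshake or negotiates fewer than 128 bits comes back with `Pass` set to `False`, which is the case to chase up given that the product supports both 40-bit and 128-bit encryption.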

Digital Certificates

When you download software from the Internet, there is always fear that the downloaded software may perform malicious activity on your computer. Since ActiveX components have the ability to write to the hard disk, downloading an applet from an unknown source could be a risk to your hard disk. As a result, Microsoft® instituted digital certificates. A digital certificate guarantees that a downloaded ActiveX or Java™ applet is from a specific company and that its content has not been tampered with or corrupted.

Zephyr uses Microsoft®'s Authenticode and Digital IDs from VeriSign to assure that the PASSPORT WEB TO HOST® ActiveX control is safe to download. When you connect to the WEB TO HOST server for the first time, you will be prompted to download an ActiveX applet to your PC. This signed applet (see diagram) assures the content source and content integrity of the product. To get a FREE guide on how to sign your ActiveX controls for Microsoft® Authenticode, please go to this page on VeriSign's website.
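An administrator can check the content source and content integrity of the signed CAB before publishing it on the web server. The function below is an added example, not vendor code; the staging path, publisher name and thumbprint allow-list are placeholders to be filled in from your own records.

```powershell
# Added example: gate deployment of the control's CAB on its Authenticode signature.
function Test-ControlSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher,  # exact signer common name
        [string[]]$PinnedThumbprints = @()                 # optional allow-list
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $cert    = $sig.SignerCertificate
    $signer  = $null
    $reasons = @()

    # 'Valid' means the file hash matches the signature and the chain is trusted.
    # It identifies who signed the file; it does not assess what the code does.
    if ($sig.Status -ne 'Valid') {
        $reasons += "status $($sig.Status): $($sig.StatusMessage)"
    }
    if ($cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $cert.GetNameInfo($nameType, $false)
        if ($signer -ne $ExpectedPublisher) {
            $reasons += "unexpected signer '$signer'"
        }
        if ($PinnedThumbprints.Count -gt 0 -and $cert.Thumbprint -notin $PinnedThumbprints) {
            $reasons += "thumbprint $($cert.Thumbprint) is not on the allow-list"
        }
    } else {
        $reasons += 'no signer certificate'
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $signer
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamped = [bool]$sig.TimeStamperCertificate
        Approved    = ($reasons.Count -eq 0)
        Reasons     = $reasons -join '; '
    }
}

# Placeholder values (assumptions): staging path and publisher common name.
Test-ControlSignature -Path 'C:\staging\Passweb.cab' -ExpectedPublisher '<expected publisher CN>'
```

`Timestamped` is reported separately because a signature without a timestamp countersignature stops validating once the signing certificate expires.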

View Screen shot

Menu Configuration Rules and Related Controls

PASSPORT WEB TO HOST® takes security to another level by allowing administrators to control which features a user can access on the 3270 or 5250 host. This security measure can be configured through the Config Lock feature (see diagram). For example, an administrator can lock out options such as file transfer or macro to prevent users from transferring bad or virus-infected files to the host or running a macro to perform an illegal action that can be damaging to the host system. For more information on how to use this Config Lock feature, please refer to our WEB TO HOST Administrator Help file under the Profile/Groups/Users section.

View Screen shot

ActiveX Terminal Emulator Benefits

Why does PASSPORT WEB TO HOST® use ActiveX instead of Java™? The ActiveX WEB TO HOST terminal emulator offers performance, reliability, features and ease of use advantages over Java™.

Performance

ActiveX components are only downloaded the first time they are accessed and again each time the software is updated to a new version. On the other hand, Java™ applets are downloaded every time they are accessed, which has the potential to add to network congestion. There are some configurations for specific Java™ applets that use caching to store the applets locally, but this entails additional administration and may not work on all platforms or with all web browsers. Moreover, Java™ applets, once downloaded to the browser, contain 8-bit byte code. ActiveX components, on the other hand, contain full 32-bit native code. This is one more reason why Java™ is significantly slower than ActiveX components.

Reliability

Since ActiveX is tightly integrated with the Microsoft® Windows operating system and Internet Explorer web browser, all Windows API functions are available and called directly. ActiveX provides the same degree of reliability found in thick clients designed for Windows XP, 2000, NT, 98, or 95. This consistency makes ActiveX solutions more reliable.

Features and Ease of Use

Another benefit of using ActiveX is the consistent look and feel between Word, Excel or any desktop application. PASSPORT WEB TO HOST® actually merges its menus with Internet Explorer and provides identical toolbars and button bars to those found in IE for ease of use. Applications that adhere to the Sun Java™ specification lose this benefit.

Quicktrial or Download Options

There are two ways to evaluate the PASSPORT WEB TO HOST® terminal emulator: either download a copy of the software or do a QuickTrial of the PASSPORT WEB TO HOST® application. With QuickTrial, there is no server installation; you simply download the client and run the application from our web server. This is a fast and easy way to look at the PASSPORT WEB TO HOST® software. Those who want to install the PASSPORT WEB TO HOST® software on their own web server can download the fully functional 3270, 5250, SCO ANSI, VT100/VT220/VT420 and Wyse 60 emulator trial and complete a full evaluation.

 

Zephyr specializes in advanced host access, terminal emulation and host integration solutions for Microsoft Windows desktops and servers.
