CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" >

2. Before we start

2.1. Mindterm and SSH Introduction

Businesses, schools, and home users need more secure network services now more than ever. As online business increases, more people continue to access critical company information over insecure networks. Companies are using the Internet as a primary means to communicate with travelling employees in their country and abroad, sending documents to various field offices around the world, and sending unencrypted email; this communication can contain a wealth of information that any malicious person can potentially intercept and sell or give to a rival company. Good security policies for both users and network administrators can help to minimize the problems associated with a malicious person intercepting or stealing critical information within their organization. This paper will discuss using Secure Shell (SSH) and MindTerm to secure organizational communication across the Internet.

Home users and business travelers are accessing company resources and sending sensitive data over insecure networks. This opens up a whole new area of security issues for System Administrators (Securing the home office sensible and securely), especially since the number of corporate users from home with high-speed access is expected to "more than double from 24 million in 2000 to 55 million by 2005" (Broadband Access to Increase in Workplace). The increase in the number of airports and hotels offering internet access, especially high-speed access, is increasing and is expected to grow in the future (Broadband Moving On Up). This can also leave a door wide open for a malicious person to hijack or view a person's Internet traffic and access their companies. The malicious person may not be interested in the work the employee is doing but just want access to a high-speed server to launch attacks, store files, or other uses. Business people are really at high risk because they don't know who's monitoring their Internet connection in the hotel, airport, or anywhere in their travels. Users of the new high-speed connections are usually not taught proper security protocols and some companies don't have the staff to help the home user and business traveler set up secure communication. Individual users and, surprisingly, some companies have a mentality that "I don't have anything people want". This is very disturbing considering the amount of sensitive information that travels across the Internet from an employee's home or from travelers. What's more disturbing is the availability of free software to perform these kinds of attacks and the software's ease of use. Dsniff (http://www.monkey.org/~dugsong/dsniff/) is a freely available program that has utilities that can allow anyone with a networked computer to highjack a local network and monitor what others are doing and grab passwords and other sensitive data. In his book Secrets and Lies: Digital Security in a Networked World, Bruce Schneier states that Technique Propagation is one of the main threats to network security: "The Internet is...a perfect medium for propagating successful attack tools. Only the first attacker has to be skilled; everyone else can use his software" (Schneier).

The purpose of this paper is not how to secure computers but how to set up virtual tunnels to perform secure communication, whether sending documents or sending email. Business travelers should read Jim Purcell, Frank Reid, and Aaron Weissenfluh's articles on travel security. Home users with high-speed access should read Ted Tang's article for information on how to secure your computers with high-speed access. I'd recommend the many resources available on www.sans.org, www.securityfocus.com, or www.securityportal.com for tutorials on how to secure your computers and servers.

The way to ensure that sensitive data is transmitted securely and quickly is to use encrypted methods of data delivery. This can be by way of encrypted email, using secure web-based email services, or establishing encrypted tunnels between two computers. Also, easy to setup and reliable software need to be used in order to allow the inexperienced users the ability to quickly establish secure communication channels. Taten Ylonen 's Secure Shell and MindBright Technology's MindTerm are a quick, easy to use, and reliable solution for securing communication over the Internet.

2.2. MindTerm and SSH

SSH (Secure Shell) is a secure replacement for remote login and file transfer programs like telnet, rsh, and ftp, which transmit data in clear, human-readable text. SSH uses a public-key authentication method to establish an encrypted and secure connection from the user's machine to the remote machine. When the secure connection is established then the username, password, and all other information is sent over this secure connection. You can read more details of how ssh works, the algorithms it uses, and the protocols implemented for it to maintain a high level of security and trust at the ssh website: www.ssh.com. The OpenBSD team has created a free alternative called OpenSSH available at: www.openssh.com. It maintains the high security standards of the OpenBSD team and the IETF specifications for Secure Shell (see the Secure Shell IETF drafts, except it uses free public domain algorithms. SSH is becoming a standard for remote login administration. It has become so popular that there are many ports of ssh to various platforms and there are free clients available to login to an ssh server from many platforms as well. See http://linuxmafia.com/pub/linux/security/ssh-clients for a list of clients and Securityportal.com has an excellent two-part article on ssh and links to ports for different platforms available at http://www.securityportal.com/research/ssh-part1.html. There are programs that also use an ssh utility called Secure Copy (scp) in the background that provide the same functionality of a full ftp client, like WinSCP and the Java SSH/SCP Client, which has a modified scp interface for MindTerm. Please read the licenses carefully to determine if you are legally allowed to download ssh in your country. SSH is free for academic institutions please. Please read the licenses available at the ssh.com website.

MindTerm is an ssh client written entirely in Java by MindBright Technology. One of the key practices of developing security software is proper implementation of the underlying algorithms and protocols it uses. MindBright Technology has implemented the ssh protocol very well in this small application file. It is a self-contained archive that only needs to be unzipped into a directory of your choice and it is ready to be used. It can be used as a standalone program or as a web page applet or both. It is available at: http://www.mindbright.se/download/. MindTerm is an excellent and inexpensive client to secure communication to and from a local and remote location. The MindTerm program located at the download address above is available free for non-commercial and academic use, commercial use is available on a case to case basis. However, the modifications made by the ISNetwork "is based on the MindTerm 1.21 codebase, which MindBright released under the GPL [General Public License -- see http://www.gnu.org]. Since our version is released under the GPL you can use it commercially for free" (Eckels). ISNetwork's implementation has all the features of MindBright's MindTerm except it has a nicer scp interface for more user-friendly file transfers. MindTerm does have some drawbacks in that it doesn't support UDP tunneling. In order to secure UDP traffic, a program called Zebedee ( http://www.winton.org.uk/zebedee/) will work nicely. Zebedee's server and client program is available for Windows and Linux platforms. It is freely distributed under the GPL License too. You can connect to either Windows or Linux machines using Zebedee. MindTerm will not check to see if your system is secure. It is up to the administrators and users to take care of securing the computer systems. It is easy to implement and it is very effective at maintaining the high level of security implemented in the ssh protocol. This paper will show how easy it is to set up and establish secure communication channels for almost any user and by almost any user. Documents, email, and other data communication can be easily and securely sent to users a few feet away or around the world.

2.3. How MindTerm and SSH work together

SSH and MindTerm will work together to use a technique called port forwarding. Port forwarding is forwarding traffic from one host and a given port to another host and port. In other words, the MindTerm application will open a port on the client's machine (local machine) and any connection to that local port is forwarded to the remote host and its listening port over an encrypted ssh session. Whether or not the connection is accepted depends on the type of request you are sending to the remote host. For example, you wouldn't forward POP requests to a remote host listening on port 21 because port 21 is reserved for ftp requests. Port forwarding is also used to allow connections to a server that is behind a firewall and/or has a private IP address. Essentially this is creating a Virtual Private Network (VPN). A VPN is "a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures" ( www.whatis.com ). The port-forwarding can only be done with TCP services.