Snow Agent System Pilot Deployment version



Similar documents
Using etoken for SSL Web Authentication. SSL V3.0 Overview

CS 356 Lecture 28 Internet Authentication. Spring 2013

Computer Networks. Secure Systems

Security Policy Revision Date: 23 April 2009

Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire

Secure web transactions system

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

ERserver. iseries. Secure Sockets Layer (SSL)

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Ciphire Mail. Abstract

Directory and File Transfer Services. Chapter 7

Securing Data on Microsoft SQL Server 2012

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Centrify Cloud Connector Deployment Guide

TLS and SRTP for Skype Connect. Technical Datasheet

Cornerstones of Security

2007 Microsoft Office System Document Encryption

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Enterprise Security Critical Standards Summary

MS-55096: Securing Data on Microsoft SQL Server 2012

Netop Remote Control Security Server

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Forward proxy server vs reverse proxy server

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview. SSL Cryptography Overview CHAPTER 1

FileCloud Security FAQ

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

CipherShare Features and Benefits

Hushmail Express Password Encryption in Hushmail. Brian Smith Hush Communications

Security Goals Services

Chapter 10. Cloud Security Mechanisms

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Network Security and Firewall 1

Savitribai Phule Pune University

PowerChute TM Network Shutdown Security Features & Deployment

Sync Security and Privacy Brief

SSL BEST PRACTICES OVERVIEW

CTS2134 Introduction to Networking. Module Network Security

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

ISM/ISC Middleware Module

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

Configuring Security Features of Session Recording

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Xerox DocuShare Security Features. Security White Paper

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

SECURITY DOCUMENT. BetterTranslationTechnology

Where every interaction matters.

SBClient SSL. Ehab AbuShmais

Hosts HARDENING WINDOWS NETWORKS TRAINING

Security Controls for the Autodesk 360 Managed Services

How To Understand And Understand The Security Of A Key Infrastructure

Passing PCI Compliance How to Address the Application Security Mandates

SonicWALL PCI 1.1 Implementation Guide

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

McAfee Firewall Enterprise 8.2.1

Securing Distribution Automation

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Securing SIP Trunks APPLICATION NOTE.

Using etoken for Securing s Using Outlook and Outlook Express

Secure Web Appliance. SSL Intercept

SECURE YOUR DATA EXCHANGE WITH SAFE-T BOX

Install and configure SSH server

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

MEGA Web Application Architecture Overview MEGA 2009 SP4

End User Devices Security Guidance: Apple OS X 10.10

McAfee Firewall Enterprise 8.3.1

Proof of Concept Guide

ERserver. iseries. Securing applications with SSL

CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS

HIPAA Privacy & Security White Paper

Software Defined Perimeter: Securing the Cloud to the Internet of Things

GS1 Trade Sync Connectivity guide

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

Chapter 7 Transport-Level Security

Clearswift Information Governance

Guidance End User Devices Security Guidance: Apple OS X 10.9

SafeWord Domain Login Agent Step-by-Step Guide

An Overview of the Secure Sockets Layer (SSL)

Protecting Your Organisation from Targeted Cyber Intrusion

Security Considerations for DirectAccess Deployments. Whitepaper

Encryption. Administrator Guide

Achieving PCI-Compliance through Cyberoam

The Seven Habits of State-of-the-Art Mobile App Security

Global Client Access Managed Communications Solutions. JPMorgan - Global Client Access. Managed Internet Solutions (EC Gateway)

Data Protection: From PKI to Virtualization & Cloud

Computer and Network Security Policy

Chapter 17. Transport-Level Security

Network Security Essentials Chapter 5

Configuring User Identification via Active Directory

Common Remote Service Platform (crsp) Security Concept

The New Key Management:

Transcription:

Pilot Deployment version Security policy Revision: 1.0 Authors: Per Atle Bakkevoll, Johan Gustav Bellika, Lars, Taridzo Chomutare Page 1 of 8 Date of issue 03.07.2009

Revision history: Issue Details Who Date 0.1 Initial version. L. 2008.12.08 0.2 Removed the vulnerabilities of PKI and how to L. 2008.12.10 reduce the risk. 0.3 Added MUC comment and some other L. 2008.12.11 clarifications upon comments from Taridzo and Per Atle. 0.4 Updated after meeting with the whole team. L. 2008.12.17 0.5 Update after comments from Gustav. L. 2008.12.22 0.6 Updated end-to-end encryption section and some L. 2009.01.09 other minor changes. 0.7 Updated with changes made by Gustav (key distribution and authentication between client and server) in a version sent to Helse Nord IKT, January 19 th. L. 0.8 Updated after meeting with Gudleif. L. 1.0 Document updated after review by Per Atle and L. Gustav. 2009.03.11 2009.06.08 2009.06.12 Abbreviations: Page 2 of 8 Date of issue 03.07.2009

1 Introduction... 4 1.1 Deployment view for the hospital s lab... 4 1.2 Server-to-server communication and firewalls... 5 1.3 Client-to-server communication and firewalls... 5 2 Transport Layer Security (TLS)... 5 3 Authentication... 5 4 End-to-end message encryption... 5 5 Public Key Infrastructure (PKI)... 6 5.1 Private key management... 6 6 Client functionality... 7 7 Integration with lab server... 7 8 Server Administration... 8 Page 3 of 8 Date of issue 03.07.2009

1 Introduction This document describes the security policy for the for the deployment of the pilot version (spring 2009). The system is based on XMPP 1 (Extensible Messaging and Presence Protocol). The XMPP server implementation used is Openfire 2 from Jive software. The pilot deployment of the system does not require that GP offices set up Snow servers, but it requires that a Snow server is installed in the hospital s lab. GPs that want to use the system must be added as users to a central server, the Post Office (PO) server, and obtain the necessary certificates. The figure below illustrates the environment. Hospital network Health network GP Office 1 TLS TLS Lab Snow server Post Office Snow server TLS GP Office 2 In general, a Snow XMPP server is necessary on every site where data/statistics is going to be produced. However, in this version it does not apply to the GP offices since they are given the possibility to access lab data without contributing with data produced within their office. 1.1 Deployment view for the hospital s lab This section provides more details on the hospital s side. The figure below depicts a deployment view. 1 XMPP web page: http://xmpp.org 2 Openfire project web page: http://www.igniterealtime.org/projects/openfire/index.jsp Page 4 of 8 Date of issue 03.07.2009

Within the hospital s network there is a demilitarized zone (DMZ) for communication with external entities. Since the lab Snow server needs an XMPP server connection with the PO server in the health net, it must reside in the DMZ. The purpose of the lab Snow server is to retrieve data from the lab database and provide XMPP access to the lab users. Users (XMPP client) within the lab can connect to the server on port 5222. Exported database data (CSV file) are copied to the lab Snow server on an established SSH connection (port 22) from the database server to the lab Snow server. The file is copied to the $snow/data/in directory. No connection is made from the lab Snow server to the database server (named Retrieve4) in the lab since information can only be pushed from the inside. The database server is a Windows server running SQL Server 2005. The patient ID in the lab s database is part of the exported data. The patient ID is not the personal identification number, but it can be used to find right person. To ensure that the exported data can not be traced back to a person, the patient ID is SHA 3 hashed before the export is transferred to the DMZ. 1.2 Server-to-server communication and firewalls The XMPP standard explicitly states that there has to be two connections between XMPP servers. This means that the firewall in front of the hospital s lab server must be opened up for the PO server. The port to be used for server-to-server communication is port 5269. 1.3 Client-to-server communication and firewalls The client-to-server communication only requires one connection, which is initiated from the client side. This means that the firewall between the lab and the DMZ does not need any modifications to allow local computers to connect to the Snow server (port 5222) as XMPP clients. 2 Transport Layer Security (TLS) The server-to-server and the client-to-server communication are done over an established TLS connection. The certificates used must be CA signed and verified upon TLS establishment. 3 Authentication In the XMPP server-to-server communication and client-to-server communication, SASL EXTERNAL is used. The authentication occurs after TLS has been established. The server is configured to ask the client to provide its certificate and prove that is knows the private key. In server-to-server authentication the other server authenticates with the same domain as in the from address. The client only sends an authenticate message without an identity since it has already proven its identity during TLS, and it only has one XMPP address. That is, the client certificate is for an identity that can be used in all domains, not only for one or a few specific domains. 4 End-to-end message encryption The XMPP client and XMPP server is able to use end-to-end encryption on the contents of messages, and it is configurable. The XMPP server typically refers to components that receives and sends messages from users and agents. The XMPP client refers to both users and 3 SHA stands for Secure Hash Algorithm. Page 5 of 8 Date of issue 03.07.2009

agents providing services on the server. The PO server and the lab server can also be configured not to accept messages in clear text. XML encryption is used with the following concepts: Generate a symmetric key (AES 256) Encrypt the message with the symmetric key. For each recipient s public key (RSA): o Encrypt the symmetric key with the recipient s public key. o Add the EncryptedKey element to the message. By using symmetric encryption of the message we only need to encrypt the message once, disregarding the number of recipients. End-to-end message encryption is very hard to support in the multi-user chat (MUC) scenario. The reason is the concept of multi-user and that the chat is served by a server. The XMPP client explicitly states the difference between a private chat with another user and a multi-user chat session. 5 Public Key Infrastructure (PKI) The keys (public and private) to be generated are based on RSA and x509 certificates. Private keys are stored in an encrypted key store on the computers hard disk. This is an initial solution and smart cards will be used as soon as it is applicable. The private key must be distributed in a secure way upon creation of a user. A combination of e-mail and cell phone number can be regarded as a transfer mechanism. Public keys are stored on the XMPP server and can be queried for by the client. There is a distribution protocol between the XMPP servers to make sure that the public keys are updated. The PO server is the master and is the place for revoking certificates. XMPP clients query the local server for the public keys of other users. The clients do not store these public keys to avoid synchronization issues when keys change. 5.1 Private key management With smart cards these administrative tasks would be quite different and the system could rely on an already established structure and routine. However, this is not an option in phase one of the system, and thus, we need a way to manage the private keys. The keys are generated centrally, which means that the private key must be sent to the GP in a secure way. The following describes the routine for providing the GP with the private key: The GP downloads the client from a server and provides required user information. The user information includes the Health Personnel Number (HPNR) which uniquely identifies the user and a cell phone number. This is done though a Web page made available by Helse-Nord IKT. The Snow administrator generates the keys and creates a certificate based on the information provided. The Snow administrator encrypts the private key with a randomly selected password. The Snow administrator checks the health net address register and sends the encrypted private key in an e-mail to the GP. Page 6 of 8 Date of issue 03.07.2009

The Snow administrator sends the password to the cell phone number registered to become a user in the system 4. The GP starts the client software, runs private key import and provides the password received on his cell phone. The GP also selects a personal key or password which is used to encrypt the private key on the client machine. When the GP wants to use the private key, he must provide the personal key to decrypt the private key. The routine described assumes that the information provided in the health register can be trusted not to contain manipulated data. 6 Client functionality The basic client functionality is to search for statistics (limited search criteria), confirm or send outbreak alerts and communicate with other GPs (chatting). The latter functionality needs specific mechanisms to make the user verify that it does not contain sensitive information. The Snow client will open a dialog window when a new chat connection is initiated or replied to, to make the user confirm that the chat will not contain sensitive or classified information. The PO server can use a mechanism to verify that the client used is a correct Snow type of client. The mechanism is not intended to be very strong. This means that if a person within the system wants to use another XMPP client and make it look like a Snow client it will be possible. The purpose by providing a client is to make it easier to use and more restricted than any generic XMPP client is. 7 Integration with lab server All statistical data extracted in this version of the system comes from the hospital s lab. The other parts of this document describe the mechanisms for identity, privacy and confidentiality in the Snow system. This chapter focuses on integrity and consistency of data as well as reliability. The following concerns are addressed and discussed: 1. How to make sure that no sensitive data is extracted by Snow? The search function provides parameters from the client and not database queries. The data access layer used for retrieving data from the lab s database contains prepared SQL statements in which no personal information is extracted from the database. When prepared statements are used correctly it is not possible to use SQL injection type of attacks. 2. How to make sure that no data or properties in the lab are changed by Snow? Lab data are exported from the lab database and copied to a directory on the Snow server. Thus, Snow has no access or possibility to change data in the lab database. 3. How to make sure that the Snow system does not affect the performance of the lab system? 4 The cell phone number is required in the registration process since the address register does not contain cell phone numbers. Page 7 of 8 Date of issue 03.07.2009

Verify that the database server can handle more traffic (consider hardware changes if this is not so). The number of search agents from the Snow system can be restricted and for instance set to the maximum of one agent. The SQL statement can, if supported by the database, use paging and sleep time to reduce CPU consumption. 4. How to make sure that no security threats are transported as messages in the Snow system? Being a message based system makes it hard to impose security threats. Providing content that could possibly be run when starting a new Java process is hard because the startup is parameterized. SQL injection could be a potential threat, but not when proper countermeasures are made. Some parts of the client software may be updated by sending code as part of messages. Such software update messages are signed by the Snow CA and verified by the client before the update is accepted. 8 Server Administration Openfire server administration is done through a web interface. The XMPP sever administration interface will still be configured, using the firewall and/or web server access control list, to be accessible from local host or a limited set of hosts on a secure port. Page 8 of 8 Date of issue 03.07.2009

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information