Technical Notes
With security becoming increasingly important, the need to find a way to secure the X11 protocol has never been more critical. Reflection X is a powerful tool that provides a great deal of capability, convenience, and efficiency when working with host systems across networks and the internet. At the same time it can create security concerns which, until recently, have been difficult to resolve. Fortunately, combining Reflection X with SSH has proven to be a very effective way to keep the benefits of a robust PC X server while providing the level of security that users, IT professionals, and system administrators have long been looking for.
Reflection X is difficult to secure because it is a server: it must accept connections from X11 client applications running remotely on a UNIX host. This means leaving the standard X11 TCP port 6000 open in your Windows and/or network firewall, and possibly other ports as well (X display number n listens on TCP port 6000+n, so the Multiple X Display feature in Reflection X needs additional ports). How can access be restricted to only authorized X11 clients? Traditionally, this has been attempted with security settings such as "Host-based security," "User-based security," and "XDM-Authorization-1." Each of these measures has weaknesses. Host-based security trusts every user on a permitted host address, and user-based security with MIT-MAGIC-COOKIE-1 sends the cookie itself across the network, where it can be captured and replayed. More fundamentally, all of them send the X11 protocol in the clear, so keystrokes, window contents, and everything else on the connection are vulnerable to capture by anyone with the right trace tools on the network path.
Using SSH (Secure Shell) addresses all of the traditional security concerns listed above and provides other advantages as well. With X11 forwarding, X11 clients on the UNIX host connect to a proxy display that the SSH server opens on that host's loopback interface (with OpenSSH typically localhost:10, that is, TCP port 6010). The SSH session carries the X11 traffic, encrypted and authenticated, back to the PC, where the SSH client delivers it to Reflection X. Port 6000 on the PC therefore no longer needs to be reachable from the network, and the SSH login itself decides who may open a display.
The list of advantages is long. One disadvantage, however, is that SSH does not forward UDP packets, which means that you can't bring up the full UNIX desktop with XDMCP (X Display Manager Control Protocol, which runs over UDP port 177). There is a workaround for this SSH limitation, outlined in Technical Note 1818.
To use Reflection X with SSH, both the SSH client and server must be configured to allow X11 protocol forwarding through the SSH tunnel. While this setting is enabled by default in the Reflection SSH client when using Reflection X, the setting on most SSH servers is disabled by default and will need to be enabled. On OpenSSH servers it is the X11Forwarding directive in sshd_config, which defaults to no. Information about how to modify an SSH server to enable this setting is available in Technical Note 1814.
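The following script is an added example for this note; it is not Attachmate or OpenSSH code and the sshd_config fragments in it are constructed samples, not files taken from any host. It shows a corrected server configuration beside a stock one and reports the X11Forwarding value an OpenSSH server would actually apply. The check matters because sshd keeps the first value it reads for a keyword, so a "yes" appended below an existing "no", or placed only inside a Match block, leaves forwarding disabled even though the line is present in the file.

```shell
#!/bin/sh
# Added example (not from the Attachmate note): report the X11Forwarding
# setting an OpenSSH server would apply from an sshd_config.
# sshd uses the FIRST value it reads for each keyword; later duplicates and
# settings inside Match blocks do not change the global value.

# effective_x11_forwarding: reads an sshd_config on stdin, prints yes or no
# (sshd's compiled-in default is "no").
effective_x11_forwarding() {
    awk '
        { sub(/=/, " ") }                        # "Keyword=value" form is allowed
        tolower($1) == "match"         { exit }  # everything below is conditional
        tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    '
}

# Constructed sample configs (not real files from any host).
STOCK='# as shipped: forwarding disabled; the commented line does nothing
Port 22
#X11Forwarding yes
X11Forwarding no'

FIXED='# corrected for Reflection X over SSH
Port 22
X11Forwarding yes
X11UseLocalhost yes
X11DisplayOffset 10'

APPENDED='# common mistake: "yes" added at the bottom, but the first value wins
X11Forwarding no
X11Forwarding yes'

MATCHED='# common mistake: "yes" only inside a Match block
Port 22
Match User alice
    X11Forwarding yes'

for name in STOCK FIXED APPENDED MATCHED; do
    eval "cfg=\$$name"
    printf '%-9s X11Forwarding=%s\n' "$name" \
        "$(printf '%s\n' "$cfg" | effective_x11_forwarding)"
done
```

After changing sshd_config, restart or reload sshd so the new value is read. To confirm the server side from an ordinary OpenSSH client, log in with `ssh -X user@host` and run `echo $DISPLAY`; with the corrected configuration it prints `localhost:10.0` (the X11DisplayOffset value), and `xauth list` shows the cookie sshd generated for that proxy display. If DISPLAY is empty, the server is still refusing to forward X11.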
For those who work primarily in remote emulation sessions, such as with Reflection for UNIX and OpenVMS or the F-Secure SSH Client for Windows, note that the SSH tunnel created by either of these applications can also carry X11 protocol back to Reflection X. In these cases, X11 protocol tunneling is not enabled by default, but is easily enabled through the user interface.
Securing X11 connections with SSH is an effective solution to common security problems. If you would like to take advantage of the benefits of using Reflection X and SSH, give it a try. And if you have questions or comments, please contact the Attachmate Technical Support team: http://support.attachmate.com/contact/?prod=reflection.