SSL and TLS – Technical Architect Series

We talk about firewalls and proxies and their rules to secure access to your resources. But have you ever wondered what the underlying mechanism is that secures your traffic between requests (browser) and responses (server)? Well, the answer is Secure Sockets Layer (a.k.a. SSL).

Are TAs expected to setup SSL/TLS?
Nope, they are not. However, TAs are expected to understand how SSL/TLS works. If you ever get stuck with issues related to certificates/security, you (as a TA) are expected to coordinate with the client’s technical teams and tell them what needs to be done to resolve the issues.

What is SSL?
TLS and its predecessor, SSL, are cryptographic protocols that provide communication security over the Internet.

SSL was developed by Netscape, and if you google its history you will be astonished to know that its first version was never used, its second version was hardly used, and its third version (SSL3) enjoyed little adoption and usage.

And you will be equally amazed to know that the actual SSL technology (developed by Netscape) is no longer used. It’s just the name that floats around. Instead, a new technology has emerged and is widely used these days: Transport Layer Security (a.k.a. TLS).

How do I secure my server resources with SSL?
Just install the server certificate on the server and make sure that your application applies that server certificate to itself; that’s it. Your application resources will be secure. Once installed, SSL will allow HTTPS:// to function on the server.

What is a certificate?
In simple words, a certificate is a block of information in cryptographic form, essentially telling other computers that I am who I say I am. Certificates are used either for authenticated single sign-on with an external website, or when using your organization as an identity provider.

  • You only need to generate a Salesforce.com certificate if an external website needs verification that a request is coming from a Salesforce.com organization (i.e. your Salesforce instance).
  • You can generate a self-signed certificate (signed by Salesforce) or a CA-signed certificate (must be sent to a CA [Certificate Authority] to sign).

What is a two way certificate or client certificate?
In some cases HTTPS:// is not sufficient. After the initial security handshake is done, the customer might expect salesforce.com to prove that it actually is salesforce.com when salesforce.com is calling a customer resource. A couple of examples of that are:

Salesforce sends a client certificate as part of:

  1. Outbound messages
  2. Delegated authentication callout.

Some important things to note are:

  1. In Salesforce, custom client certificates can be created and used within the app.
  2. Salesforce does not expect your client applications to send client certificates to Salesforce. But Salesforce does send a client certificate as part of every outbound callout, outbound message, etc.

How does it work?
One important ground rule is that both the client and the server should support SSL/TLS for secure communication to happen. If the browser supports it and the server doesn’t, then the connection cannot be established and communication won’t happen.

Since protocols (HTTP, FTP, etc.) can operate either with or without TLS (or SSL), it is necessary for the client to indicate to the server whether it wants to set up a TLS connection or not. There are two main ways of achieving this. One option is to use a different port number for TLS connections (for example port 443 for HTTPS). The other is to use the regular port number and have the client request that the server switch the connection to TLS using a protocol-specific mechanism (for example STARTTLS for mail and news protocols).

Once the client and server have decided to use TLS they negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection’s security. Here are some of the initial events that occur during a secure communication.

  1. The client (browser) sends the server the client’s SSL version number, cipher settings, session-specific data, and other information that the server needs to communicate with the client using SSL.
  2. The server sends the client the server’s SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client’s certificate.
  3. The client uses the information sent by the server to authenticate the server. If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds to the next step.
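Step 1 can be inspected without a network. The following is an added example, not code from the original post: it drives Python's ssl module through in-memory buffers, captures the first message the local client would send (the ClientHello), and decodes the version, cipher settings and session-specific random it carries. The host name example.invalid is a placeholder.

```python
import ssl
import struct

def capture_client_hello(server_name="example.invalid"):
    """Return the first bytes a local TLS client would put on the wire."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()  # no network used
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for the server's reply
    return outgoing.read()

def parse_client_hello(data):
    """Decode one TLS record holding a ClientHello into its main fields."""
    record_type = data[0]                   # 22 = handshake record
    handshake_type = data[5]                # 1 = ClientHello; bytes 6..8 = length
    pos = 9
    (legacy_version,) = struct.unpack("!H", data[pos:pos + 2])
    pos += 2
    random = data[pos:pos + 32]             # session-specific client random
    pos += 32
    pos += 1 + data[pos]                    # skip session id (1-byte length)
    (cs_len,) = struct.unpack("!H", data[pos:pos + 2])
    pos += 2
    suites = [int.from_bytes(data[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + data[pos]                    # skip compression methods
    (ext_len,) = struct.unpack("!H", data[pos:pos + 2])
    pos += 2
    extensions, end = {}, pos + ext_len
    while pos < end:                        # each extension: type, length, body
        ext_type, length = struct.unpack("!HH", data[pos:pos + 4])
        extensions[ext_type] = data[pos + 4:pos + 4 + length]
        pos += 4 + length
    sni = extensions.get(0, b"")            # server_name extension
    versions = extensions.get(43, b"")      # supported_versions extension
    return {
        "record_type": record_type,
        "handshake_type": handshake_type,
        "legacy_version": f"0x{legacy_version:04x}",
        "random_len": len(random),
        "cipher_suites": [f"0x{s:04x}" for s in suites],
        "server_name": sni[5:].decode("ascii") if sni else None,
        "offered_versions": [f"0x{int.from_bytes(versions[i:i + 2], 'big'):04x}"
                             for i in range(1, len(versions), 2)],
    }
```

Comparing `cipher_suites` and `offered_versions` against what the server accepts is a quick first check when a callout fails during the handshake.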

Hope that’s helpful.

Firewalls and Proxies – Technical Architect Series

What is a Firewall?
In simple words, a firewall is something (software or hardware) which protects your resources from the external world (the internet).

Why Firewall?
Ask yourself these questions:
Do you leave your bank lockers unlocked?
Do you leave your car unlocked in the parking lot?
If your answer is in the negative (unless you are adventurous), then why would you want to expose your servers to the internet?
You would want to put some security to protect your server’s resources from public/internet. And at times you may want to restrict your employees from accessing certain websites. You can do that by using a Firewall.

How does a Firewall work?
A firewall works based on a pre-defined set of rules, typically set up by network admins. These rules are instructions given to the firewall. Based on these instructions, the firewall will allow or deny access to resources.

Are TAs expected to setup a firewall?
Nope, they are not. 9 out of 10 times your customer’s network admins would already have set this up for you. But as a TA, you are expected to understand how a firewall works. TAs are expected to coordinate with network admins to set up the firewall rules to gain access to resources on the servers.

Why would a TA even bother about the firewall, if it’s already set up by the customer’s network admins?
Well, many times when you try to connect to an external client system from Salesforce, you may hit the client’s network firewall. The firewall may not allow a callout/request from Salesforce to reach the client’s system, because the firewall doesn’t recognize the request as a valid one. Hence you will have to instruct the firewall to allow requests coming from Salesforce. This means a new rule should be added to the firewall’s rule set, for which your client’s team may ask you to provide the IP ranges of Salesforce’s data centers.
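The effect of adding such a rule, as an added example that is not part of the original post: a first-match rule evaluator with a default deny, run before and after the allowlist entries are appended. The `Rule` type, the function names and the CIDR blocks are assumptions; the blocks are documentation ranges standing in for the real Salesforce ranges, which must come from Salesforce's published list.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    source: str   # CIDR block the rule applies to
    port: int     # destination port on the protected server

def evaluate(rules, src_ip, dst_port):
    """First matching rule wins; anything unmatched is denied."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.port == dst_port and addr in ipaddress.ip_network(rule.source):
            return rule.action
    return "deny"

# Constructed placeholders (RFC 5737 documentation ranges),
# NOT real Salesforce data center ranges.
SALESFORCE_RANGES_PLACEHOLDER = ["198.51.100.0/24", "203.0.113.0/25"]

# Rule set before the change: only internal clients reach the HTTPS endpoint.
BASE_RULES = [Rule("allow", "10.0.0.0/8", 443)]

def with_salesforce_allowlist(rules, ranges, port=443):
    """Return a new rule set that also admits the given ranges on one port."""
    return rules + [Rule("allow", cidr, port) for cidr in ranges]

if __name__ == "__main__":
    updated = with_salesforce_allowlist(BASE_RULES, SALESFORCE_RANGES_PLACEHOLDER)
    for ip, port in [("198.51.100.17", 443), ("203.0.113.200", 443),
                     ("198.51.100.17", 22)]:
        print(ip, port, evaluate(BASE_RULES, ip, port), "->",
              evaluate(updated, ip, port))
```

The rule is scoped to one port and to exact CIDR blocks, so an address just outside the range or a request to another port is still denied.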

What is a Proxy?
In simple words, a proxy is like a middleman between two parties (systems). A proxy could be a software application, a hardware device, or a mix of both.

For example, if you are unable to access the internet from your browser, you will go to internet options, check your network settings and see if your proxy setting is set properly. If you correct your proxy setting, your internet starts working. This means that if you type google.com in the address bar and hit the enter key, your request will first go to your proxy (it’s like you are asking your proxy to get you google.com); the proxy will forward your request, get the response and send it back to your browser.

What is a Forward Proxy?
A forward proxy controls and monitors traffic from an application behind a firewall.

What is a Reverse Proxy?
A reverse proxy controls and monitors traffic from the internet that requires access to a server inside the customer’s firewall (a typical use case when working with Salesforce.com and external systems).

What are some of the Reverse Proxy use cases, from a Salesforce.com implementation standpoint?
Your client might open up the following services to Salesforce.com via a Reverse Proxy.

  • Delegated Authentication Endpoint
  • Web services (REST or SOAP)
  • Outbound Message Endpoint
  • Email Relay

So whenever you try to hit any of the above services, your request will first land on the client’s Reverse Proxy server, and it is the Reverse Proxy server’s responsibility to forward your request to the appropriate service.

Here are some of the well-known technologies used by enterprises. There are many more such technologies available in the market.

  • IBM DataPower
  • Layer 7 Secure Span Gateway
  • Apache HTTP Server – mod_proxy

What is a Proxy rule?
Proxy servers allow the admins to define a set of rules. These rules can include the following (but are not limited to):

  • Authentication
  • Control time of access
  • URL Filtering
    For example, google.com may be allowed but bet365.com may be blocked.
  • etc.
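The three rule types listed above, combined in one decision function (an added example, not from the original post or from any proxy product). The access window, the function names and the return strings are assumptions. The host comparison matches on a label boundary, so a look-alike such as google.com.attacker.example is not treated as google.com.

```python
from datetime import time
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"bet365.com"}
ALLOWED_DOMAINS = {"google.com"}
ACCESS_WINDOW = (time(8, 0), time(18, 0))   # constructed policy: 08:00 to 18:00

def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one.

    Comparing whole labels avoids the substring pitfall where
    'google.com' would also match 'notgoogle.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(url, user, now):
    """Apply authentication, time-of-access and URL filtering, in that order."""
    if user is None:
        return "deny: authentication required"
    if not (ACCESS_WINDOW[0] <= now < ACCESS_WINDOW[1]):
        return "deny: outside access hours"
    host = urlsplit(url).hostname or ""
    if host_in(host, BLOCKED_DOMAINS):
        return "deny: blocked site"
    if host_in(host, ALLOWED_DOMAINS):
        return "allow"
    return "deny: not on allow list"

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("https://www.google.com/search?q=tls", "alice", time(10, 0)),
        ("https://bet365.com/", "alice", time(10, 0)),
        ("https://google.com.attacker.example/", "alice", time(10, 0)),
        ("https://www.google.com/", None, time(10, 0)),
        ("https://www.google.com/", "alice", time(22, 30)),
    ]
    for url, user, now in samples:
        print(f"{url} user={user} at {now}: {decide(url, user, now)}")
```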

Hope that’s helpful.

Watch out for more blog posts in this TA series.