Securing Networked Applications with SESAME

This article describes the SESAME Security Architecture and how it can be used to secure your networked applications.
Securing Applications With SESAME

SESAME provides the Generic Security Services Application Programmer Interface (GSSAPI), which is a library of security routines. The aim of the library is to provide a standard method to secure client/server networked applications, and the GSSAPI is now an Internet Standard (RFC1508). Our experience with the GSSAPI is that it is small enough to be easily understood (only about 20 routines), although it takes some time to understand all of the possibilities of each routine. The GSSAPI is becoming increasingly popular for securing applications, and the SESAME version of the GSSAPI provides the full implementation.

Figure 1 shows some segments of GSSAPI code. In the code segment, the client is authenticated to the server and data is protected during transit. The segment highlights the fact that it only takes a dozen or so extra lines of code in your client and server application to secure them (other than variable declarations). In the code segment only the client is authenticated, although with a few extra lines of code the server could also be authenticated to the client.

Figure 1. GSSAPI Code Representation

To secure your client/server applications, you insert the GSSAPI library calls at the appropriate points in your code and then rebuild the application. In a very short time it may be possible to convert an insecure application into a secure one, depending on how well structured your application is.

SESAME and Linux

SESAME is already available on a range of platforms: AIX 3.2 on Bull DPX 20, SINIX (Unix SVR4) on SNI MX300i, Unix SVR4 on ICL DRS6000 and AIX 3.2 on IBM RS6000. We have spent around 12 months porting SESAME to Linux. The main problems were:

  • The SESAME source made numerous assumptions about the Unix environment on which it was being built. These include absolute paths in scripts for Unix programs, assuming that the root home directory was / (in our case it was /root) and so on.

  • The documentation was quite extensive but still did not make it easy to build and configure the system. The order of information was not always logical, and in some sections was far too brief.

  • The code had a number of memory bugs. These include over-running array bounds and memory leakages.

After securing a number of applications, we are happy with the stability of our Linux version of SESAME. It is already being used here in Australia, in Europe and in North America. We have written comprehensive building, installation and configuration guides and have a number of reports available to help you get SESAME working on your networks (http://www.fit.qut.edu.au/~ashley/sesame.html).

To get SESAME working, you first download the source from the European web site (listed in the beginning of the SESAME section) and then download our Linux patches to modify the source and build SESAME for you (we have automated it down to a one line execution). After this you follow our installation and configuration guides, which describe how to start the SESAME Security Servers, how to setup accounts for users and how to create the cryptographic keys that will be used for your security. New administrators of SESAME will probably take about two days to get SESAME working and understand what they are doing.

We are also working on building a library of SESAMIZED applications for Linux. In cooperation with other SESAME developers, we have concentrated on producing a SESAMIZED TELNET, FTP, rtools and NFS. This development is ongoing with the aim of providing a comprehensive suite of applications for Linux networks.

We have concentrated on Red Hat Linux for our port. There was no particular reason for using this version of Linux other than we are using it for related work. The first version of the port was completed on Red Hat Version 3.0.3, although lately we have it working on Red Hat Version 4.1. We have also tried SESAME on Slackware Linux and it worked without any modification.

To Sum Up

SESAME is an advanced, scalable network security architecture. SESAME's GSSAPI allows you to quickly secure your client/server applications. It provides all of the services of Kerberos, with the added advantage of being scalable as your network grows. SESAME is now available for Linux, together with comprehensive documentation, and a comprehensive suite of SESAMIZED applications for Linux is under development.

Glossary

______________________

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState