GUI ScreenIO Client/Server
Secure Shell can be used to provide an encrypted transport mechanism for client/server installations. However, the need for this is entirely removed with our Registered Clients, which provide a fully encrypted data path of their own, so SSH is no longer necessary. We provide this discussion as information only.
Secure Shell (SSH) connections are an alternate way to improve the security of network applications. When you use SSH:
SSH inserts a security layer between the two computers connected across a network.
Instead of passing data directly to the network, applications (such as GUI ScreenIO's Network Client) pass the data to the SSH layer, which encrypts it before sending it across the network through a bi-directional SSH tunnel. The data is decrypted by the receiving end of the SSH tunnel and then passed on to the application.
You would normally have your clients use an SSH client to log in to the server machine under a restricted guest account and forward a local port (say, 1875) through the Secure Shell tunnel to the port on which the GUI ScreenIO server listens.
The GUI ScreenIO client is configured to connect to, and the GUI ScreenIO server to listen on, the internal loop-back interface (which has the IP address 127.0.0.1 on every machine). Think of the loop-back interface as a second Network Interface Card (NIC) in your machine. The client can connect ONLY after the SSH tunnel has been established.
Most SSH implementations also offer compression in addition to encryption. Because the data is compressed before it is encrypted, this can dramatically speed up transmission: the bytes sent (and therefore the response time) can be cut by well over 50%, which makes even transoceanic connections perform very well.
To use SSH, your server must also run a third-party SSH server daemon, which listens for connections on a designated port (22 by default), much like the GUI ScreenIO server daemon.
The clients must use a third-party SSH client to connect to the SSH server daemon, much like the GUI ScreenIO Network Client.
When the SSH connection has been established, the SSH server daemon forwards the incoming (decrypted) client connection to the GUI ScreenIO server daemon, and encrypts everything the GUI ScreenIO server sends back before passing it across the network through the SSH tunnel.
The GUI ScreenIO client is configured to connect to the forwarded port on the internal loop-back interface (127.0.0.1), where the SSH client is listening; the SSH tunnel carries that connection to the GUI ScreenIO server on the other end.
Meanwhile, the GUI ScreenIO server daemon has been listening for connections on the internal loop-back interface (127.0.0.1) instead of the external interface. The loop-back interface behaves exactly like any other network interface, except that the data never leaves the server; it is all passed internally. Binding the daemon to 127.0.0.1 is what prevents clients from bypassing the tunnel: if the daemon still listened on the external interface, anyone could connect to it directly in clear text. To the application, the connection behaves exactly as it would if SSH were not being used.
When the GUI ScreenIO Network Client layer has established a connection through SSH, all data is passed through the SSH layer for encryption, transmission and decryption. Therefore the data is always encrypted when it leaves either the client or the server.
As you can see, this is far more complex than using the embedded encrypted transmission of a Registered Client.
The Secure Shell server must be configured with a listening port, and must permit forwarding to the port (for example 1875) on which the GUI ScreenIO Server Daemon listens. Normally you would permit only client-to-server (local) TCP port forwarding to that one port and NOT permit an interactive terminal shell; in OpenSSH the AllowTcpForwarding, PermitOpen and PermitTTY keywords in a Match block for the guest account do this.
The Secure Shell client must be configured with a user ID (a guest account is OK), its password or key, the desired host, the local port to forward, and a few other basic items.
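The procedure above, as an added example that is not part of the GUI ScreenIO documentation or product. It assumes an OpenSSH server on the machine in front of the GUI ScreenIO Server Daemon, a GUI ScreenIO port of 1875, a restricted login named guest, and a placeholder host name app.example.com. It shows the client-side tunnel command, the server-side sshd_config Match block that permits only that one forward, and a check that the GUI ScreenIO daemon is bound to the loop-back interface only, run over constructed listener tables in both `ss -ltn` (Linux) and `netstat -an` (Windows) layouts.

```shell
#!/usr/bin/env bash
# Added example, not GUI ScreenIO code. Assumptions: OpenSSH server,
# GUI ScreenIO daemon on TCP 1875, restricted account "guest",
# placeholder host "app.example.com".

GSIO_PORT=1875
SSH_HOST="app.example.com"
SSH_USER="guest"

# Client side. -N opens no shell (required, since the server forces a
# command), -C enables compression, -L binds 127.0.0.1:1875 on the client
# and forwards it to 127.0.0.1:1875 on the server. The GUI ScreenIO client
# is then pointed at 127.0.0.1:1875. PuTTY's plink accepts the same
# -N and -L options.
tunnel_command() {
    printf 'ssh -N -C -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$GSIO_PORT" "$GSIO_PORT" "$SSH_USER" "$SSH_HOST"
}

# Server side: sshd_config fragment for the guest account. It allows a
# local forward to the GUI ScreenIO port and nothing else: no remote
# forwards, no other destinations, no TTY, no X11 or agent forwarding,
# and any shell request runs /bin/false and exits.
sshd_match_block() {
    cat <<EOF
Match User $SSH_USER
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:$GSIO_PORT
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Server-side check. Reads a listener table on stdin (output of
# "ss -H -ltn" on Linux or "netstat -an" on Windows) and a port. The
# local address is the first field ending in ":<port>". Prints "ok" if
# every listener on that port is on 127.x.x.x or [::1], "exposed" if any
# is on another address (the tunnel can be bypassed), "missing" if none.
listener_check() {
    local port="$1" found=0 exposed=0 line local_addr field
    set -f   # no filename globbing while splitting fields like "*:1875"
    while IFS= read -r line; do
        local_addr=""
        for field in $line; do
            case "$field" in
                *:"$port") local_addr="$field"; break ;;
            esac
        done
        [ -n "$local_addr" ] || continue
        found=1
        case "$local_addr" in
            127.*:"$port"|"[::1]":"$port") ;;
            *) exposed=1 ;;
        esac
    done
    set +f
    if [ "$found" -eq 0 ]; then echo missing
    elif [ "$exposed" -eq 1 ]; then echo exposed
    else echo ok; fi
}

# Constructed sample listener tables (not captured from a real system).
SAMPLE_GOOD='LISTEN 0 128 127.0.0.1:1875 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:1875 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_WIN='TCP    127.0.0.1:1875    0.0.0.0:0    LISTENING
TCP    0.0.0.0:135       0.0.0.0:0    LISTENING'

tunnel_command
sshd_match_block
printf 'good table: %s\n' "$(printf '%s\n' "$SAMPLE_GOOD" | listener_check "$GSIO_PORT")"
printf 'bad table:  %s\n' "$(printf '%s\n' "$SAMPLE_BAD" | listener_check "$GSIO_PORT")"
```

On a live Windows server, `netstat -an | findstr :1875` piped into listener_check gives the same verdict; if it reports "exposed", move the GUI ScreenIO daemon to the loop-back interface before relying on the tunnel.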
Quite a few vendors offer inexpensive software that implements Secure Shell connections. We have tested several. In addition, the SSH servers in Unix/Linux machines may be configured to accept connections and forward them to your Windows Server. The details of this are beyond the scope of this document.
PuTTY: A free Win32 Telnet/SSH Client
GUI ScreenIO's Client/Server layer is always encrypted if you use Licensed Clients. Unlicensed clients are NOT encrypted unless you use the SSH method described on this page; otherwise your data is transmitted in clear text across the network. If your network is insecure (like much of the Internet), persons with access to the network and sufficient knowledge may be able to "sniff" your data stream.
For critical data traveling over an insecure network, Norcom STRONGLY recommends that you use Licensed Clients.
© 2000-2019 Norcom, all rights reserved