SSL Security Gateway

Access to legacy host applications has traditionally been through plain-text protocols on their well-known ports: Telnet, SMTP, FTP, POP3/IMAP, and so on.

This practice presents several security risks and challenges:

  • No confidentiality: without encryption, data and passwords cross the network in the clear.
  • Weak authentication: typically a reusable password, itself sent in the clear.
  • Decentralized authentication, with no tie to the enterprise directory or the identity management systems.
  • Decentralized access control: it happens only at the host, so there is no central control over who reaches which enterprise resources.
  • Decentralized auditing: access to a host is logged only by that host.

Many IT security organizations have adopted modern authentication and encryption technologies such as Kerberos, PKI, and Smart Cards to protect their newer enterprise applications.

Where legacy hosts have been secured at all, it is usually with SSL connections made directly from the client to the host. That encrypted tunnel has an unfortunate side effect: it defeats other security measures, because traffic can no longer be monitored and no access control can be applied in the DMZ.

As a result, host systems are left with an insufficient level of protection and remain vulnerable to many threats. In practice, legacy host applications often do not comply with organizational security policy, and security managers hope to get through the next audit while waiting for a non-invasive solution to materialize.

With our SSL Security Gateway, however, it is possible to bring modern, multi-layered authentication and encryption to legacy plain-text protocols.

Our SSL Security Gateway includes the following components:

  • SSL Security Management Server, where centralized client configurations are controlled and which ties in to an enterprise’s centralized identity management infrastructure.
  • SSL Security Proxy, which terminates SSL connections from clients and verifies the authorization tokens dispensed by the management server before forwarding anything to a host.
  • SSL Metering Server, which tracks the number of connections and has the option of recording every host and port that every user connects to, as well as total connect time.

Benefits of the SSL security framework:

  • Centralized management of security
  • Centralized control over the network traffic passing between the clients and the host. In addition to any authentication that happens on the host itself, SSL Security Gateway enables layers of authentication, authorization, and auditing in the DMZ, where they can be centrally controlled and monitored.
  • SSL Security Gateway is non-intrusive; read-only access to your directory is sufficient.
  • Unlike some competing products, SSL Security Gateway does not require you to define users and groups in your host access product separately from the users and groups already defined in your enterprise directory.


Unique secure token authorization provides enforcement of access control

Several competing products offer simple SSL gateway or redirector devices. These all share a common flaw: they accept connections from any SSL-enabled client without verifying that the user has been authorized to connect to the host.

With those products, legitimate users authenticate before getting a session, but an intruder with any SSL-enabled client can skip that step and connect straight to the gateway or redirector. Because the device does not check that the connecting user is authorized for the host, it simply passes the connection through, and the intruder gets a free ride all the way to the host.

The SSL Security Proxy, by contrast, requires clients to prove that they have been both authenticated and authorized to access the host. When a client authenticates to the SSL Management Server, the server verifies that the user is authorized for the requested session and then hands the client a time-limited, digitally signed token granting exactly that access. The security proxy verifies the token's digital signature against the management server's public key, and checks that the token has not expired, before passing the connection through to the host.

An intruder who attempts to make an SSL connection to the SSL Security Proxy without first being both authenticated and authorized through the management server is denied at the proxy. The intruder never even gets a network connection to the host.

Access to multiple hosts through a single port

Several competing products offer simple SSL gateway or redirector devices that map a listening port to a back-end host. If you have multiple back-end hosts, you have to open multiple listening ports, and thus multiple ports in the firewall.

The SSL Security Proxy allows clients to connect to multiple hosts through a single listening port. With a single opening in the firewall, for example on port 443, you can enable access to all of your hosts and later add hosts without changing anything on the firewall. This simplifies configuration and reduces the administrative burden on the security team.
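The two mechanisms described above, signed time-limited tokens and single-port routing, are easiest to see together in code. The following is an added example written for this page; it is not the product's own code and it makes several assumptions the page does not state: Ed25519 for the signature, a JSON claims payload in the form base64url(claims).base64url(signature), the names Claims, ManagementServer, SecurityProxy, IssueToken and Admit, and a constructed in-memory authorization table with the hostname mainframe.example standing in for the enterprise directory. The management server authenticates the user (not shown), checks that the user is authorized for the exact host:port requested, and signs the claims; the proxy holds only the public key, verifies the signature before it parses anything, rejects expired tokens, and takes the back-end target from the signed claims, which is what lets one listener front any number of hosts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims bind one user to one back-end host:port with an absolute expiry (Unix seconds).
type Claims struct {
	User    string `json:"user"`
	Host    string `json:"host"`
	Port    int    `json:"port"`
	Expires int64  `json:"exp"`
}

// ManagementServer holds the private signing key; authz is constructed sample data standing in for the directory.
type ManagementServer struct {
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey // all the proxy is ever provisioned with
	authz map[string]map[string]bool // user -> set of allowed "host:port"
}

func NewManagementServer(authz map[string]map[string]bool) (*ManagementServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ManagementServer{priv: priv, Pub: pub, authz: authz}, nil
}

// IssueToken runs after the user has authenticated (not shown): authorize the exact target, then sign with a short TTL.
func (m *ManagementServer) IssueToken(user, host string, port int, ttl time.Duration, now time.Time) (string, error) {
	target := fmt.Sprintf("%s:%d", host, port)
	if !m.authz[user][target] {
		return "", fmt.Errorf("user %q not authorized for %s", user, target)
	}
	return signClaims(m.priv, Claims{User: user, Host: host, Port: port, Expires: now.Add(ttl).Unix()}), nil
}

// signClaims produces base64url(JSON claims) "." base64url(Ed25519 signature).
func signClaims(priv ed25519.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c) // only strings and ints: Marshal cannot fail here
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(priv, payload))
}

// SelfSignedToken models an intruder who has an SSL-capable client and a key pair
// of their own, but not the management server's signing key.
func SelfSignedToken(c Claims) (string, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	return signClaims(priv, c), nil
}

// SecurityProxy listens on one port and holds only the public key. Admit returns the
// back-end target to dial, or an error, in which case no host connection is made.
type SecurityProxy struct{ pub ed25519.PublicKey }

func (p *SecurityProxy) Admit(token string, now time.Time) (string, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return "", fmt.Errorf("malformed token")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || len(sig) != ed25519.SignatureSize {
		return "", fmt.Errorf("malformed token")
	}
	// Verify before parsing: untrusted JSON is decoded only once the signature proves its issuer.
	if !ed25519.Verify(p.pub, payload, sig) {
		return "", fmt.Errorf("signature invalid: not issued by the management server")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return "", fmt.Errorf("token expired")
	}
	// The target comes from the signed claims, so one listener fronts any number of hosts.
	return fmt.Sprintf("%s:%d", c.Host, c.Port), nil
}

func main() {
	ms, err := NewManagementServer(map[string]map[string]bool{"alice": {"mainframe.example:23": true}})
	if err != nil {
		panic(err)
	}
	proxy := &SecurityProxy{pub: ms.Pub}
	now := time.Now()
	tok, _ := ms.IssueToken("alice", "mainframe.example", 23, 5*time.Minute, now)
	fmt.Println(proxy.Admit(tok, now))                // mainframe.example:23 <nil>
	fmt.Println(proxy.Admit(tok, now.Add(time.Hour))) // "" token expired
}
```

Two design points worth noting. The proxy decides on the signature alone and never consults the directory, so it can sit in the DMZ with no credentials of its own, and compromising it yields no signing key. The host and port are inside the signed payload rather than chosen by the client at connect time, so an authorized user for one host cannot reuse their token to reach another.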


Broad platform compatibility

The SSL Management and Metering servers are compatible with the leading web servers and application servers. SSL Security Gateway ships with our own .NET 3.5 compatible stand-alone web server but can also be deployed on IBM WebSphere, Oracle WebLogic, Microsoft® IIS, and other popular server environments.

Nonintrusive multi-layered security for legacy host applications

With SSL Security Gateway, it is possible to bring modern multi-layered security to traditional green-screen applications. Our SSL security architecture delivers many advantages, such as:

  • It keeps legacy systems compliant with enterprise security policy.
  • It helps you maximize the investment you have already made in your authentication and identity management technologies.
  • It is nonintrusive, so you can minimize disruption and reduce the burden on your IT staff and on the owners of legacy systems.

Please do not hesitate to contact us in case you need further information or an evaluation kit.
