One of the main obsessions of every IT administrator is the infamous, or perhaps better to say famous, “IT security”! Yes, better to say famous because, after all, security is something positive, despite being a big daily problem to deal with! Protecting data and corporate IT infrastructures from any external malicious attempt, or from possible unforeseen events, is an important mission: it allows the company to ensure operational efficiency and to avoid the risk of heavy economic losses. This, however, requires constant evolution, both in the software products adopted, which must integrate state-of-the-art security standards and procedures, and on the part of IT administrators, who are called upon to update the infrastructure and apply cutting-edge technologies.
Among the various aspects to take into consideration when it comes to IT security are the communications between devices: in particular, those between services on the web, and those between servers (called upon to deliver services and provide access to shared corporate resources, including data) and clients, i.e. the distributed workstations (typically the end users’ workplaces, dedicated to various purposes).
Protecting these communications, especially when they take place over public networks such as the internet, is crucial both to guarantee the confidentiality of the exchanged data and to prevent the various cyber security attacks in which communications are sabotaged and exploited to impersonate part of the infrastructure and fraudulently access corporate digital assets.
However, providing security is not enough; it is also important to understand at what price (in terms of concrete actions and effort) it can be guaranteed. There are solutions that come to the aid of system administrators by offering “easy” access to, and configuration of, state-of-the-art security settings.
Recent standards in Praim products
Praim integrates in its software the latest standards in communication protocol security, in particular for all the exchanges between the ThinMan management console and the other endpoints. Indeed, one of the founding properties of Praim products is that all endpoints (whether based on ThinOX, ThinOX4PC or Windows with Agile4PC) communicate with ThinMan through a secure WebSocket channel.
But that’s not all. All Praim software makes it easy to configure the use of security certificates to strengthen this communication, both with an organization’s own private certificates and with free ones obtained through the “Let’s Encrypt” service. Through ThinMan it is possible to automate the configuration and use of certificates on all workstations, so that only those equipped with valid certificates can communicate with, and receive commands from, the ThinMan console.
From a technical point of view, by using this protocol the company’s infrastructure manager does not need to accept inbound connections on port 443 on the endpoint devices, as other solutions require. All commands pass through the established WebSocket channel, which simplifies the firewall settings within the network. The communication is full-duplex on the same channel, allowing data exchange even in networks behind NAT. For example, it is not necessary to open a web connection to an IP address in order to carry out remote assistance on a remote endpoint managed by ThinMan (even one that is on the move and connected to a private home network): an always-active, protected, bidirectional connection enables remote assistance within the private channel without any change on the firewall side.
New tools: Transport Layer Security
As mentioned above, computer security is a matter of “continuous evolution” and protection techniques must also evolve with the corresponding attack attempts. This also applies to communication protocols, which are called upon to use increasingly advanced data exchange techniques and encryption algorithms, both to “immunize” themselves against the new “decryption” techniques and to maintain efficiency as their complexity increases.
One of the standards for securing communications is Transport Layer Security (TLS). TLS is a protocol that establishes a channel between a client and a server with the properties of integrity and confidentiality (in the cryptographic sense). Once a TLS-secured connection has been established, applications can use it to exchange data. TLS underlies many application protocols, such as HTTPS and SMTPS. Given the continuous technological evolution and the possible discovery of new vulnerabilities, the TLS protocol itself evolves continuously, integrating new Cipher Suites, i.e. combinations of increasingly advanced and secure cryptographic algorithms.
Four versions of TLS have been released so far, from 1.0 (released in 1999) up to the most recent TLS 1.3 (released in 2018); TLS 1.0 and 1.1 are now considered deprecated and no longer secure for current applications.
ThinMan uses the latest versions of TLS for its WSS (secure WebSocket) connections. Furthermore, starting from version 8.5.2, it offers the possibility of blocking any untrusted connection requested by obsolete devices that rely on the deprecated TLS versions, such as devices whose software or operating system is not updated, or cannot be upgraded, to support the more recent extensions of the protocol. This facilitates the work of IT administrators who may have forgotten to update or remove insecure devices from their network, especially in very large infrastructures.
With ThinMan it is possible to configure the minimum level of security accepted in TLS-based communications and the related Cipher Suites, allowing, for example, selection of the “highest” level, which excludes (and thus makes it possible to identify) all the devices that operate only with obsolete TLS versions, so that they can then be replaced.
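What such a minimum-version policy does at the handshake level can be shown with a small loopback experiment. The Go program below is an added example and is not Praim’s or ThinMan’s code: it uses Go’s standard crypto/tls package as a stand-in for the management server’s TLS stack, a self-signed certificate generated in memory for the constructed host name thinman.example, and the names Negotiate, selfSignedCert and Outcome are assumptions of this example. A server configured with a TLS 1.2 floor and a forward-secret AEAD cipher-suite list is contacted first by a client that can offer at most TLS 1.1 (standing in for an obsolete device) and then by an up-to-date client; the server-side handshake error is exactly the signal an administrator would log to find the devices to replace.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome is what the management server would record for one connection attempt.
type Outcome struct {
	Version   uint16 // negotiated TLS version seen by the server, 0 if rejected
	ServerErr error  // server-side handshake error: the "identify this device" signal
	ClientErr error  // what the (possibly obsolete) endpoint sees
}

// selfSignedCert builds an in-memory certificate for host so the example runs offline (no real PKI).
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Negotiate runs one handshake over loopback: a server accepting serverMin or newer, with the given
// TLS 1.2 cipher suites (nil = Go defaults), against a client limited to [clientMin, clientMax].
func Negotiate(serverMin uint16, suites []uint16, clientMin, clientMax uint16) (Outcome, error) {
	const host = "thinman.example" // constructed name for this example, not a real host
	cert, pool, err := selfSignedCert(host)
	if err != nil {
		return Outcome{}, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   serverMin, // the "minimum level of security accepted"
		CipherSuites: suites,    // applies to TLS 1.2; Go fixes the TLS 1.3 suites
	}
	done := make(chan Outcome, 1)
	go func() { // server side: accept one connection and record how the handshake went
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := tls.Server(conn, serverCfg)
			if err = tc.Handshake(); err == nil {
				done <- Outcome{Version: tc.ConnectionState().Version}
				return
			}
		}
		done <- Outcome{ServerErr: err} // a real server would log the peer address here
	}()
	clientCfg := &tls.Config{
		RootCAs:    pool, // trust exactly the generated certificate, nothing else
		ServerName: host,
		MinVersion: clientMin, // set explicitly: Go's own floor is TLS 1.2
		MaxVersion: clientMax, // an obsolete device cannot offer anything newer than this
	}
	conn, cerr := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	out := <-done // the server result is complete before the client closes its side
	if cerr == nil {
		conn.Close()
	}
	out.ClientErr = cerr
	return out, nil
}

func main() {
	modern := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305}
	show := func(name string, serverMin uint16, suites []uint16, clientMin, clientMax uint16) {
		out, err := Negotiate(serverMin, suites, clientMin, clientMax)
		switch {
		case err != nil:
			fmt.Printf("%-42s setup error: %v\n", name, err)
		case out.ServerErr != nil:
			fmt.Printf("%-42s REJECTED by server: %v\n", name, out.ServerErr)
		default:
			fmt.Printf("%-42s accepted, negotiated version 0x%04x\n", name, out.Version)
		}
	}
	show("permissive server, TLS 1.1-only endpoint", tls.VersionTLS10, nil, tls.VersionTLS10, tls.VersionTLS11)
	show("hardened server, TLS 1.1-only endpoint", tls.VersionTLS12, modern, tls.VersionTLS10, tls.VersionTLS11)
	show("hardened server, up-to-date endpoint", tls.VersionTLS12, modern, tls.VersionTLS12, tls.VersionTLS13)
}
```

Running the program prints one row per scenario: the permissive row is the “before” state, in which a server that still accepts TLS 1.0 (with Go’s default suite list, which includes the older CBC suites) happily talks to a TLS 1.1-only device; the two hardened rows show that raising the floor to TLS 1.2 rejects that same device at the handshake while up-to-date endpoints negotiate TLS 1.3. The legacy client sets MinVersion explicitly because Go’s crypto/tls otherwise refuses to speak TLS 1.0 or 1.1 at all, which is itself a reasonable default for any new client code.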