A Security Model for ArcIMS
By Linh H. Le, Bureau of Healthcom Network Systems Management, Information System and Health Statistics Group, New York State Department of Health
ArcIMS offers an excellent solution for distributing GIS data and services via the Internet. However, this technological advantage also brings additional security risks. Several different Internet security models can be used for securing ArcIMS sites. Esri provides several security features that allow for the development of a secure Internet mapping site. In addition, ArcIMS can be integrated with standard security technologies to protect data and resources. This article describes a security model that uses standard Internet security technologies including firewalls, reverse proxies, and the Secure Sockets Layer (SSL).
Basic Concepts of Internet Security
Confidentiality, integrity, and availability are the three most important security considerations when providing information on the Internet. For some types of information, such as medical, insurance, or financial records, confidentiality is extremely important. The loss of confidentiality can have tremendous consequences. Similarly, unauthorized modification of information results in loss of integrity. The integrity of information is especially important with regard to financial transactions and other highly sensitive data. A consequence of efforts to preserve confidentiality and integrity may be that information becomes inaccessible to the proper users. This loss of availability can be disastrous for any business.
Authentication, authorization, and nonrepudiation can be used in building a secure ArcIMS site to make information available to trusted users. Authentication is the process that verifies a user is the person she or he claims to be. Authorization is the process of determining what permissions a particular user has to implement a certain operation or carry out a specific task. Authentication and authorization need to be implemented together. Users must be authenticated for security and integrity purposes before any authorized task is performed. Nonrepudiation is an authentication with a high assurance that it is genuine and cannot be subsequently refuted.
What Is an Internet Firewall?
A firewall is a combination of hardware and software designed to examine network traffic and service requests so that packets or requests that are not authorized will be blocked based on established security rules. An Internet firewall is most often installed at the point where an internal network connects to the Internet.
What Is a Reverse Proxy?
A proxy or forward proxy is a gateway for a client's browser. It sends an HTTP request on the client's behalf to the Internet. The proxy secures the internal network by using its own IP address and hiding the client's IP address. When an outside HTTP (Web) server receives the request, it sees the proxy's address, not the actual client's address, as the requestor's address.
A reverse proxy acts on behalf of the HTTP server, not on behalf of the client; hence the term reverse proxy. It provides the final IP address for a request from outside. The Internet firewall usually works closely with the reverse proxy to ensure that only the reverse proxy can access the HTTP server hidden behind it, and the outside client always sees the reverse proxy as the actual HTTP server.
What Is SSL?
SSL is a protocol developed by Netscape that has been universally accepted for authenticated and encrypted communication between clients and servers via the Internet. SSL works by using a public key to encrypt data that is transferred over the SSL connection. By convention, URLs that require an SSL connection start with https:// instead of http://.
SSL provides encryption and communication integrity as well as strong authentication using digital certificates. Although either 40-bit or 128-bit SSL encryption can be implemented, 128-bit SSL encryption is considerably more secure because the 128-bit key space is 2^88 times (about 309 septillion times) larger than the 40-bit key space.
The Security Model for ArcIMS
This model provides strong security features while maintaining an acceptable performance level.
- First, place ArcIMS, HTTP (Web) servers, and the reverse proxy on an independent network that is separate from the internal network (i.e., a Demilitarized Zone, or DMZ).
- By using Network Address Translation (NAT), an Internet standard, one set of IP addresses and host names can be set up for internal traffic and a second set of addresses and host names used for external traffic. Since there is no firewall between the HTTP server and the ArcIMS server in this security model, ArcIMS can be installed on the machine running the HTTP server.
- The site name is https://www.myarcims.com, which resolves to a static NAT address of 10.0.0.1 and a real IP address of 192.168.0.1. This site and NAT address make up the reverse proxy.
- The HTTP and ArcIMS servers are inside myserver.myarcims.com and have a NAT address of 10.0.10.1 and a real IP address of 192.168.10.1. By setting up the firewall rules to allow only port 443 traffic used for SSL connections to get through to 192.168.0.1 (the reverse proxy), all traffic from there will be forwarded to 192.168.10.1 (the HTTP and ArcIMS servers). [Port 443 is dedicated to encrypted traffic.]
- The host file on the reverse proxy has an entry for the host name myserver.myarcims.com that associates with the static NAT address of 10.0.10.1.
- Prefix mappings are required so that the reverse proxy can forward all requests. There are two types of prefix mapping: regular and reverse. A regular mapping informs the reverse proxy which URL prefix is to be proxied and what the actual destination URL is. Using this example, the source is myserver.myarcims.com and it has a destination URL of https://www.myarcims.com. The reverse mapping sends the URL prefix back to the reverse proxy's URL of https://www.myarcims.com, conceals the real HTTP and ArcIMS server name, myserver.myarcims.com, and allows the reverse proxy to intercept redirect requests.
When a client sends an HTTP GET request to the ArcIMS site, https://www.myarcims.com (10.0.0.1), an SSL connection is established because the URL starts with https:// instead of http://. This is also the only way an HTTP request can get through the firewall, because the firewall allows only port 443 for SSL traffic. The firewall checks the request against its NAT rule and forwards the request to the reverse proxy at IP address 192.168.0.1. When the reverse proxy receives the request, it authenticates the client, using the Remote Authentication Dial-In User Service (RADIUS) protocol, before passing the request on. If the client's request is authorized based on the regular mapping, it will be forwarded to the HTTP and ArcIMS server (myserver.myarcims.com on port 80).
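The two prefix mappings above can be modelled in a few lines. The following is an added example, not code from the article or from Esri; it uses the article's host names and ports, while the request paths and the sample redirect response are constructed for illustration. It shows the regular mapping turning a public https:// URL into the backend URL (and refusing plain http://, other hosts, and direct use of the internal name), and the reverse mapping rewriting a backend Location header so the internal server name is never returned to the client.

```python
# Added example (not from the article or Esri): a model of the reverse proxy's
# two prefix mappings. Hostnames and ports are the article's; the request paths
# and the redirect response used in the tests are constructed for illustration.
from urllib.parse import urlsplit, urlunsplit

PUBLIC = urlsplit("https://www.myarcims.com/")          # URL the client sees
BACKEND = urlsplit("http://myserver.myarcims.com:80/")  # HTTP + ArcIMS server

DEFAULT_PORT = {"http": 80, "https": 443}


def _port(u):
    return u.port or DEFAULT_PORT[u.scheme]


def _same_origin(u, ref):
    """Scheme, host and effective port must all agree: a lookalike host such
    as www.myarcims.com.example or a plain-http URL is not the same origin."""
    return (u.scheme == ref.scheme
            and u.hostname == ref.hostname
            and _port(u) == _port(ref))


def _remap(url, src, dst):
    """Prefix mapping: if url lies under origin/path src, rebuild it under dst.
    Returns None when the URL is outside the mapped prefix."""
    u = urlsplit(url)
    path = u.path or "/"
    if not _same_origin(u, src) or not path.startswith(src.path):
        return None
    new_path = dst.path + path[len(src.path):]
    return urlunsplit((dst.scheme, dst.netloc, new_path, u.query, u.fragment))


def forward_request(client_url):
    """Regular mapping: the URL the reverse proxy opens toward the backend.
    Only https://www.myarcims.com/... is proxied; anything else (http://,
    another host, or a direct use of the internal name) yields None and
    should be refused rather than forwarded."""
    return _remap(client_url, PUBLIC, BACKEND)


def rewrite_response_headers(headers):
    """Reverse mapping: rewrite any Location header the backend sends (on a
    redirect) back to the public name so myserver.myarcims.com never leaks."""
    out = dict(headers)
    for name in headers:
        if name.lower() == "location":
            out[name] = _remap(headers[name], BACKEND, PUBLIC) or headers[name]
    return out
```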