Secure Global Desktop 4.40 Administration Guide > Security > Security and SGD

Security and SGD

SGD is only one of many components on your network. The information on this page is related to SGD and can only help raise security levels as part of an ongoing security strategy. The following areas must be considered when using SGD:

• Network Connections
• User Names and Passwords
• Data Protection

Network Connections

SGD connects client devices to application servers, acting as a go-between. SGD servers can also join together as an array.

This means the following are the main network connections involved with using SGD:

• Connections Between Client Devices and SGD Servers
• Connections between SGD servers and application servers
• Connections between SGD servers

In a default SGD installation, most connections are unencrypted (in the clear). The following sections describe how you can improve security on network connections.

SGD can also be configured to work with firewalls and proxy servers.

Improving Security Between Client Devices and SGD Servers

To secure connections between client devices and SGD servers, use a secure (HTTPS) web server on all SGD hosts and enable SGD security services. See Securing Connections Between Client Devices and SGD Servers for more details.

Improving Security Between SGD Servers and Application Servers

The connections between SGD servers and application servers are used to start applications on the application server, and to send and receive data from the application, such as key presses and display updates.

The level of security between SGD and your application servers depends on the types of application server and the protocols they use.

UNIX or Linux System Application Servers

When using protocols such as telnet or rexec, all communications and passwords are transmitted unencrypted (in the clear).

For secure connections to UNIX or Linux system application servers, use SSH (Secure Shell). SSH encrypts all communications between SGD hosts and encrypts passwords before they are transmitted. See Installing and using SSH with SGD for more information.

By default, SGD secures X displays using X authorization. This prevents users from accessing X displays they are not authorized to access.

Microsoft Windows Application Servers

The level of security depends on the protocol configured for the Windows application, as follows:

• Microsoft RDP protocol - all communication is encrypted as standard
• Citrix ICA protocol - all communication uses the telnet protocol and is in the clear

For secure connections to Microsoft Windows application servers, use the Microsoft RDP protocol.

Web Application Servers

The level of security depends on the type of web server you are using to host the web application:

• HTTP web servers - all communications and passwords are transmitted in the clear
• HTTPS (secure) web servers - all communications and passwords are encrypted before transmission

For secure connections to your web application servers, use HTTPS.

Connections between SGD servers in an array

Connections between SGD servers are used to share static and dynamic data across the array. This includes the following:

• The configuration of objects in the organizational hierarchy
• User and application session information
• Configuration information, including array membership information
• The application server password cache
• The token cache, used for automatic logins when the SGD Client is operating in Integrated mode
• Resource files, such as application server login scripts

See Securing Connections Between SGD Servers for details on how to secure these connections.

User Names and Passwords

When logging in to SGD and the SGD Client is in Webtop mode, passwords are only encrypted if there is an HTTPS connection. If the SGD Client is in Integrated mode, the initial connection between the SGD Client and SGD is always secure. After the user is authenticated, the connection might be downgraded to a standard (insecure) connection depending on configuration.

SGD uses external mechanisms for authenticating users:

• Active Directory authentication uses the Kerberos protocol for authentication, which is secure
• LDAP authentication can be configured to use a secure connection
• Web server authentication is only secure if the user has an HTTPS connection
• All other authentication mechanisms use the native protocols for authenticating users

SGD encrypts all passwords stored in the password cache. By default, the encryption key used for the password cache never changes. You can force the key to change whenever SGD servers start, as follows:

1. In the SGD Administration Console, click the Global Settings » Security tab.
2. Select the New Password Encryption Key check box.
3. Click Save.

Alternatively, use the following command:

$ tarantella config edit --security-newkeyonrestart 1

Data Protection

Secure Global Desktop Administrators can control users' ability to print and copy data from applications displayed through SGD. You can configure this as follows:

• For details on how to control copy and paste operations in SGD see Using Copy and Paste with SGD
• For details on how to control access to client printers, see the following:
  • Printing From a Microsoft Windows 2000 or 2003 Application Server
  • Printing From a UNIX or Linux System Application Server
  • Configuring Printing for UNIX, Linux, or Mac OS X System Client Devices
• For details of how to control access to client drives, see Configuring Client Drive Mapping

Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.