SSH tunneling in your practice



Introduction



This article is dedicated to the task of securing a MySQL client-server connection using functionality provided by the Secure Shell (SSH) protocol. To be exact, the SSH tunneling (port forwarding) concept is utilized. We will go through the steps needed to build secure MySQL client applications and implement a sample one ourselves.


MySQL traffic is not the only kind of data that can be tunneled by the Secure Shell. SSH can be used to secure any application-layer TCP-based protocol, such as HTTP, SMTP and POP3. If your application needs to secure such a protocol by tunneling it through a protected SSH connection, this article will be useful to you.



Background



Let's imagine that we are developing an enterprise application that needs to send requests to a number of SQL servers all over the world and get responses from them (let's assume it's a super-powerful bank system that stores information about millions of accounts).



Let's take a look at what we have:










As you see, all the data between the application and the SQL servers is transferred over the Internet "as is". As most protocols used by SQL servers do not provide data integrity and confidentiality (and those that do, do it in a rather non-transparent way), all the transferred requests and responses may (and be sure, they will!) become visible to a passive adversary. An active adversary can cause much more serious problems: he can alter the data in transit, and no one will detect it.

SSH (Secure Shell) is a protocol that may help in solving this problem. One of its outstanding features is its ability to tunnel different types of connections through a single, confidential and integrity-protected connection.



It works in the following way:






Now you do not have to worry about securing the data transferred over the Internet; SSH will handle this for you. In particular, SSH will take care of the following security aspects:


  • Strong data encryption with industry-standard algorithms (AES, Twofish)
  • Authentication of both the client and the server
  • Data integrity protection
  • Resistance to different kinds of network attacks (including man-in-the-middle, provided the client verifies the server's host key)
  • Compression of the tunneled data
  • Independence from the operating system and network specifics



Tunneling (or forwarding) works in the following way:

  1. The SSH client opens a listening port on some local network interface and remembers the remote host and port to which the connections accepted on this port should be forwarded.
  2. When a connection is accepted on the listening port, the SSH client asks the SSH server to open a logical channel (tunnel) for it. The SSH server establishes a new TCP connection to the remote host and port agreed upon in step 1.
  3. The SSH client encrypts all the data it receives from the accepted connection and sends it to the SSH server. The SSH server decrypts the data received from the SSH client and sends it to the remote host. Data flowing back from the remote host travels the same path in reverse.



Note that the SSH client acts as a TCP server for the connections it accepts, and the SSH server acts as a TCP client for the connections it establishes to the remote host. Consequently, the remote host sees the connection as coming from the SSH server, not from the original client.
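The three steps above (and the five-step SecureMySQLClient walkthrough in the next section) describe a relay with a TCP-server face and a TCP-client face. As an added example that is not part of the original article or of SecureBlackbox, here is that relay written in the Python standard library: it listens on 127.0.0.1, opens a connection to the destination for each accepted connection, and pumps bytes both ways, with a constructed echo service standing in for the MySQL server. The SSH encryption between the two halves is deliberately omitted, so this shows the forwarding logic, not a secure tunnel.

```python
# Added example, not code from the article or from SecureBlackbox: the plumbing
# of SSH local port forwarding (steps 1-3 above) as a plain TCP relay using only
# the Python standard library.  The SSH encryption between the two halves of a
# real tunnel is left out; the echo service is a constructed stand-in for MySQL.
import socket
import threading

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst (like a channel EOF)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass  # peer went away; treat it as EOF
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _listen(host):
    """Listening TCP socket on an OS-chosen port of the given interface."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(16)
    return s

def _serve(listener, handler):
    """Accept on listener until it is closed; one thread per connection."""
    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return  # listener closed by its owner
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

class LocalForwarder:
    """Step 1: listen locally (TCP *server* towards the application).
    Steps 2-3: per accepted connection, connect to the destination
    (TCP *client* towards it) and relay both directions."""

    def __init__(self, dest_host, dest_port, bind_host="127.0.0.1"):
        # Loopback by default: a 0.0.0.0 listener would let every host on the
        # LAN ride the tunnel under our SSH credentials.
        self.dest = (dest_host, dest_port)
        self._listener = _listen(bind_host)
        self.bound_port = self._listener.getsockname()[1]
        _serve(self._listener, self._relay)

    def _relay(self, conn):
        try:
            upstream = socket.create_connection(self.dest, timeout=5)
        except OSError:
            conn.close()  # destination unreachable: refuse, like a failed channel open
            return
        upstream.settimeout(None)
        back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
        back.start()           # destination -> application
        _pump(conn, upstream)  # application -> destination
        back.join()
        conn.close()
        upstream.close()

    def stop(self):
        self._listener.close()

def echo_service():
    """Constructed stand-in for the database server: echoes every byte back."""
    srv = _listen("127.0.0.1")
    _serve(srv, lambda c: _pump(c, c))
    return srv

def closed_port():
    """A loopback port nobody listens on (for the failure path)."""
    with _listen("127.0.0.1") as s:
        return s.getsockname()[1]

def send_through_tunnel(dest_port, payload):
    """Application -> forwarder -> destination -> back; b"" if refused."""
    fwd = LocalForwarder("127.0.0.1", dest_port)
    reply = []
    try:
        with socket.create_connection(("127.0.0.1", fwd.bound_port), timeout=5) as app:
            try:
                app.sendall(payload)
                app.shutdown(socket.SHUT_WR)  # request complete; now read the reply
                while True:
                    chunk = app.recv(4096)
                    if not chunk:
                        break
                    reply.append(chunk)
            except OSError:
                pass  # reset by the forwarder: destination was unreachable
    finally:
        fwd.stop()
    return b"".join(reply)
```

With OpenSSH the equivalent of `LocalForwarder("db.internal", 3306)` is `ssh -N -L 127.0.0.1:3307:db.internal:3306 user@ssh.example.com`, after which the MySQL client connects to 127.0.0.1:3307 (not "localhost", which the mysql command-line client on Unix resolves to a socket file rather than TCP); the host names are placeholders. Binding the listener to a non-loopback address, as the code comment notes, hands the tunnel to anyone who can reach that address.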


A single SSH connection can tunnel as many application-layer connections as needed. This means that you can protect your server by moving all the listening ports (e.g., database and application server ports) to a local network, leaving only the SSH port open to the Internet. It is much easier to take care of a single port than of a dozen different listening ports.


Into the Fire!



Let's develop a small application that illustrates the use of SSH forwarding capabilities. We will address the important task of securing a connection between a MySQL client application and a MySQL server. Imagine that we need to get information from a database server located a thousand miles away from us, in a secure way.



The following picture explains the scheme we will utilize:







SecureMySQLClient is the application we are planning to implement. It includes the following modules:




  • SSH client-side module with forwarding capabilities
  • MySQL client-side module
  • User interface for configuring application settings and displaying query results.



The SSH server runs in a remote network and is visible from the Internet. The database (MySQL) server runs in the same network as the SSH server and may not be visible from the Internet.


The process of performing a secure data exchange between SecureMySQLClient and the database server goes as follows:


  1. The SSH client module negotiates a secure connection to the SSH server and establishes forwarding from some local port to the remote MySQL server.
  2. The MySQL client module connects to the listening port opened by the SSH client module.
  3. The SSH client and server set up a logical tunnel for the accepted connection.
  4. The MySQL client sends a request to the port opened by the SSH client module, which encrypts it and sends it to the SSH server. The SSH server decrypts the request and sends it to the MySQL server.
  5. The SSH server receives the response from the MySQL server, encrypts it and sends it back to the SSH client, which decrypts it and passes it to the MySQL client module.



Looks too complex? Implementing this is easier than you think. So, let's go and do it.



We will need the following products installed on the computer before creating the application:





Let's now launch Microsoft Visual Studio .NET (we will use the 2005 version) and try to make such an application from scratch.





Let's start by creating a simple user interface:







After the GUI form has been finished, we can go on with the application logic code itself. First, add references to the following assemblies to the project:


  • SecureBlackbox
  • SecureBlackbox.PKI (only in SecureBlackbox 5. SecureBlackbox 6 doesn't have this assembly)
  • SecureBlackbox.SSHClient
  • SecureBlackbox.SSHCommon
  • MySql.Data

Place the ElSSHLocalPortForwarding component on the form and name it SSHForwarding:






SSHForwarding notifies us about certain situations via its events, so we need to create handlers for some of them. The most important one is the event in which the component reports the server's host key: the handler must compare that key with a value known in advance and reject the connection otherwise, because a client that accepts any key it is shown gets no protection against a man-in-the-middle. The handlers look like this:



Next, implement the two core methods, SetupSSHConnection() and RunQuery(). The first one initializes the SSHForwarding object and establishes an SSH session to the remote server by calling its Open() method; the second one sends the query to the MySQL server.
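The handler for the server's host key deserves a closer look, because everything the tunnel promises rests on it. As an added example that is not code from the article or from SecureBlackbox (the handler name on_key_validate is assumed for illustration; check the component's documentation for the real event), the following Python computes the OpenSSH-style SHA256 fingerprint of a host key blob and checks it against keys pinned in known_hosts format. The host name, the IP address and the key bytes are constructed for the example, and only plain (unhashed) host names in known_hosts are handled.

```python
# Added example, not code from the article or from SecureBlackbox: host key
# pinning for the server-key event of an SSH client.  Standard library only.
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_blob(pubkey: bytes) -> bytes:
    """Wire-format public key blob (RFC 8709): string "ssh-ed25519", string key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(pubkey)

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def parse_pubkey_line(line: str):
    """Parse 'host[,host...] type base64 [comment]' into (host, type, blob) and
    check that the type stored inside the blob matches the label outside it."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed known_hosts line")
    host, key_type = parts[0], parts[1]
    blob = base64.b64decode(parts[2], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type label does not match blob")
    return host, key_type, blob

class PinnedHostKeys:
    """Fail-closed store: an unknown host, a key of the wrong type, or a key
    with a different fingerprint is rejected.  Hashed (|1|...) host names are
    not parsed here and therefore never match."""

    def __init__(self, known_hosts_text: str):
        self._pins = {}
        for line in known_hosts_text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            host, key_type, blob = parse_pubkey_line(line)
            for h in host.split(","):  # "host,ip" aliases share one line
                self._pins[(h, key_type)] = fingerprint(blob)

    def validate(self, host: str, key_type: str, blob: bytes) -> bool:
        pinned = self._pins.get((host, key_type))
        if pinned is None:
            return False
        return hmac.compare_digest(pinned, fingerprint(blob))

# Constructed example material: 32 arbitrary bytes, not a real server key, and
# placeholder host name / documentation IP address.
EXAMPLE_KEY = hashlib.sha256(b"constructed example host key").digest()
EXAMPLE_BLOB = ed25519_blob(EXAMPLE_KEY)
KNOWN_HOSTS = ("ssh.example.com,203.0.113.10 ssh-ed25519 "
               + base64.b64encode(EXAMPLE_BLOB).decode("ascii") + "\n")

def on_key_validate(host: str, key_type: str, blob: bytes) -> bool:
    """What the SSH client's key-validation handler should return (assumed name)."""
    return PinnedHostKeys(KNOWN_HOSTS).validate(host, key_type, blob)
```

Pin the fingerprint out of band (read it on the server's console, or get it from an administrator over a channel you already trust) and fail closed: an unknown host, a different key type or a changed fingerprint all return False, and the forwarding must not be opened in that case. Recording the key on first contact and trusting it afterwards ("trust on first use") is a weaker, though common, alternative.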



The logic is shown in the following picture:






The code of the SetupSSHConnection() method is quite simple:






A bit more involved is the code of the RunQuery() method (to be exact, of the RunQueryThreadFunc() method, which RunQuery() invokes in a separate thread):




And that's all!
But there is one more thing I need to draw your attention to. As both the SSH and MySQL protocols run in separate threads and access GUI controls from those threads, we need to handle the GUI access in a special way (marshal the call back to the UI thread, e.g. with Control.Invoke) to prevent cross-thread problems. I will illustrate this with the example of the Log() method:




Finally, the application is finished, and we may try it out. Press F5 and specify the following settings in the text fields of the application form:



  • SSH server address, and the username and password used to authenticate to it.
  • Database server address, port, username, password, database name and query. Remember that the database server address should be specified as it is visible from the SSH server (an internal address, or 127.0.0.1 if MySQL runs on the SSH server itself).
  • The "Use tunneling" checkbox, which must be turned on.

Now click the Start button and wait for the query results. If all the parameters have been specified correctly, we should see something like this:





Features and requirements



The SSH protocol provides (and SecureBlackbox implements) the following features:



  • Strong data encryption using AES, Twofish, Triple DES, Serpent and many other symmetric algorithms with key lengths up to 256 bits
  • Client authentication using one or multiple authentication types (password-based, public key-based, X.509 certificate-based, interactive challenge-response authentication)
  • Server authentication
  • Strong key exchange based on DH or RSA public key algorithms
  • Data integrity protection
  • Compression of tunneled data
  • Multiplexing multiple tunneled connections through a single SSH connection



SecureBlackbox provides the following functionality as well:


  • Comprehensive standards-compliant implementation of the SSH protocol (both client and server sides)
  • Support for cryptographic tokens as storage for keys and certificates
  • Windows system certificate stores support
  • Professional and fast customer support


SecureBlackbox is available in .NET, VCL and ActiveX editions. This means that you can use the components in projects implemented in C#, VB.NET, Object Pascal (Delphi and Kylix), FreePascal, VB6 and C++.

SecureBlackbox (.NET edition) is available for Microsoft .NET Framework 1.1, 2.0, 3.0 and 3.5, and .NET Compact Framework.