Thread: [Embedlets-dev] Re: Security
Status: Alpha
Brought to you by:
tkosan
Menu
▾
▴
embedlets-developer
|
From: Andrzej J. T. <an...@ch...> - 2003-02-09 19:00:52
|
Jac states: > While reading some of the messages on this list I started wondering if > we're taking security into consideration while designing and are going to > implement it from the start. One of the issues with webservices is (was?) > the lack of standardized authentication/security, resulting in a delayed > acceptance of webservices if one may believe the trade press. My thinking was that security would initially (in an enterprise deployment scenario) be provided by the surrounding infrastructure (network and such). Embedlets would be running on a factory/warehouse floor on a physically controlled subne or VLAN, with properly secured gateways to the back end Enterprise Systems, access/security/authentication would be managed outside of the Embedlet container, so we could assume (at least initially) that we don't have to do much in that area (maybe just some rudimentary password protection for external access to Management Services and the like). If there is a connection between a plant network and head office, it would be secured (either a dedicated link or VPN tunnel across the public net), but I don't think we'll see devices exposed on the public internet for production deployments. Doing the typical security things on a tiny processor (authentication, authorization, encryption/decryption of data streams) will be nigh impossible on some of the smaller platforms. Web Services are being implemented in production as we speak....but primarily behind the corporate firewalls. I see embedded systems as following that pattern. That being said, our modular approach to services and the like would allow us to plug in more security features later on without much trouble, since it will be an issue that will be raised in the corporate environment. Andrzej Jan Taramina Chaeron Corporation: Enterprise System Solutions http://www.chaeron.com |
|
From: Andrzej J. T. <an...@ch...> - 2003-02-09 23:41:07
|
Jac states: > think using vlans to secure the connection between embedlets and > enterprise systems is overly optimistic. Embedlet hardware with > temperature probing devices might be used in a plant, but in office > buildings as well and I don't think network groups are going to be fond of > creating vlans with lots of devices spread acros buildings. That makes sense... > Doing things > this way would shift the burden from developers to those dealing with > production systems and networks. Being one of the people having to deal > with problems created by 'lazy' developers for most of my working day I > can say my collegues and I are not very fond of them... Point taken. > Security should be part of our solution, not something someone else has to > provide, IMHO. You've convinced me....I'll add an optional Security Service to the Architecture Document with a note that this might just be Authentication and not encryption based (due to the constraints of the platforms). I would expect that it would be primarily used in a userid/pswd mode (HTTP Basic Auth?) for external Management functions. The reason for making it optional is that it might not be needed if there are security functions provided by the network (eg. the shop floor LAN is isolated and protected from general access). How is that as the beginning of a solution, Jac? > Webservices are the perfect example of failing security. In the early days > they promised to be the perfect solution for integration of services over > the Internet, now they're only being used in closed networks. That's due to more than just a lack of basic security, since Web Services typically are being implemented over HTTP, and you can easily use HTTP Basic Authentication, SSL (and more) ot protect access to such services. As soon as you try to do transactional things with web services, you need long running transactions, encryption of payloads only (rather than the whole transmission with something like SSL), digital signatures (for identification) and common B2B requirements like non-repudiation, long running transaction support and the like. I think that saying that Web Services are only implemented inside the firewall due to a lack of "security" is a bit misleading, since there are very easy ways to secure web services in most cases. That has nothing to do with Embedlets necessarily....just setting the record straight is all. Andrzej Jan Taramina Chaeron Corporation: Enterprise System Solutions http://www.chaeron.com |
|
From: Andrzej J. T. <an...@ch...> - 2003-02-10 23:16:31
|
Jac offers his credentials... > Having been a system operator for over 5 years learned me the avarage > programmer is lazy and has not even the slightest idea what impact their > 'design' will have in an operational environment. And I for one am very glad you have this experience, so that you can keep us "honest" and we'll deliver a system that is manageable when you deploy 10K devices! Andrzej Jan Taramina Chaeron Corporation: Enterprise System Solutions http://www.chaeron.com |
|
From: Jac K. <j.k...@th...> - 2003-02-09 22:26:40
|
Hmm, I think using vlans to secure the connection between embedlets and enterprise systems is overly optimistic. Embedlet hardware with temperature probing devices might be used in a plant, but in office buildings as well and I don't think network groups are going to be fond of creating vlans with lots of devices spread acros buildings. Doing things this way would shift the burden from developers to those dealing with production systems and networks. Being one of the people having to deal with problems created by 'lazy' developers for most of my working day I can say my collegues and I are not very fond of them... Security should be part of our solution, not something someone else has to provide, IMHO. Webservices are the perfect example of failing security. In the early days they promised to be the perfect solution for integration of services over the Internet, now they're only being used in closed networks. Regards, Jac On Sun, 9 Feb 2003, Andrzej Jan Taramina wrote: > Date: Sun, 09 Feb 2003 13:58:13 -0500 > From: Andrzej Jan Taramina <an...@ch...> > Reply-To: emb...@li... > To: emb...@li... > Subject: [Embedlets-dev] Re: Security > > Topic tags:[ARCH][JAPL][WIRING][DOCS][MGMT][STRATEGY][NEWBIE] > _______________________________________________ > > Jac states: > > > While reading some of the messages on this list I started wondering if > > we're taking security into consideration while designing and are going to > > implement it from the start. One of the issues with webservices is (was?) > > the lack of standardized authentication/security, resulting in a delayed > > acceptance of webservices if one may believe the trade press. > > My thinking was that security would initially (in an enterprise deployment > scenario) be provided by the surrounding infrastructure (network and such). > Embedlets would be running on a factory/warehouse floor on a physically > controlled subne or VLAN, with properly secured gateways to the back end > Enterprise Systems, access/security/authentication would be managed outside > of the Embedlet container, so we could assume (at least initially) that we don't > have to do much in that area (maybe just some rudimentary password > protection for external access to Management Services and the like). If there > is a connection between a plant network and head office, it would be secured > (either a dedicated link or VPN tunnel across the public net), but I don't think > we'll see devices exposed on the public internet for production deployments. > > Doing the typical security things on a tiny processor (authentication, > authorization, encryption/decryption of data streams) will be nigh impossible > on some of the smaller platforms. > > Web Services are being implemented in production as we speak....but > primarily behind the corporate firewalls. I see embedded systems as following > that pattern. > > That being said, our modular approach to services and the like would allow us > to plug in more security features later on without much trouble, since it will be > an issue that will be raised in the corporate environment. > > > > > Andrzej Jan Taramina > Chaeron Corporation: Enterprise System Solutions > http://www.chaeron.com > > > > ------------------------------------------------------- > This SF.NET email is sponsored by: > SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! > http://www.vasoftware.com > _______________________________________________ > Embedlets-developer mailing list > Emb...@li... > https://lists.sourceforge.net/lists/listinfo/embedlets-developer > -- Jac Kersing Technical Consultant The-Box Development j.k...@th... http://www.the-box.com |
Thanks for helping keep SourceForge clean.
X