By default, data packets between the Sun Ray server and client are sent "in the clear." This policy means that outsiders can easily "snoop" the traffic and recover vital and private user information, which malicious users might misuse. To avoid this type of attack, Sun Ray Software administrators can enable traffic encryption through the ARCFOUR encryption algorithm.
The ARCFOUR encryption algorithm, selected for its speed and relatively low CPU overhead, supports a higher level (128-bit) of security between Sun Ray services and clients.
However, encryption alone does not provide complete security. Spoofing a Sun Ray server or a Sun Ray Client and posing as either is still possible, if not necessarily easy. Here are some examples:
A man-in-the-middle attack, in which an impostor claims to be the Sun Ray server for the clients and pretends to be the client for the server. The imposter then intercepts all messages and has access to all secure data.
Manipulating a client to pretend to be another client in order to gain access to sessions connected to the spoofed client.
Server and client authentication provided by Sun Ray Software can resolve these types of attacks. Server authentication uses a single pre-configured, public-private key pair in the Sun Ray Software and firmware, and client authentication uses an automatically generated public-private key pair in every client.
Sun Ray Software uses the Digital Signature Algorithm (DSA) to verify that clients are communicating with a valid Sun Ray server and that the server is communicating with a legitimate client. This authentication scheme is not completely foolproof, but it mitigates trivial man-in-the-middle attacks and makes spoofing Sun Ray servers or Sun Ray Clients harder for attackers.
Enabling encryption and authentication is optional. The system or network administrator can configure it based on site requirements. By default only client authentication is enabled.
When you configure encryption and client authentication, you must decide between hard and soft security modes. Security mode can be configured separately for encryption requirements including server authentication and for client authentication requirements. Security mode settings are intended for compatibility with older firmware, which did not support the affected security feature.
Hard Security Mode - Hard security mode ensures that every session is secure. If security requirements cannot be met, the session is refused.
Soft Security Mode - Soft security mode ensures that connection requests are granted even for Sun Ray Clients that don't support the configured security requirements. If security requirements cannot be met, the session is granted but not secure.
By default, the security modes for encryption and client authentication are both set to soft, which allows unauthenticated and unencrypted access to Sun Ray Clients running older firmware.
Security mode settings don't apply to Oracle Virtual Desktop Clients. Oracle Virtual Desktop Clients will always be treated as if hard security mode for encryption or authentication is in effect.
Table 11.1, “Security Modes” describes what happens when the different security modes are used.
Table 11.1 Security Modes
Situation | Hard Security Mode | Soft Security Mode |
---|---|---|
Encryption - The Sun Ray Client does not support encryption or server authentication because of old firmware. | Sun Ray server denies the session. | Sun Ray server grants the client a non-secure session. The user must then decide whether to continue using a non-secure session. |
Client Authentication - The Sun Ray Client does not support client authentication because of old firmware. | Sun Ray server denies the session. | Sun Ray server grants the client a non-secure session. |
Client Authentication - The client supports authentication, but the authentication fails. | Sun Ray server denies the session. | Sun Ray server denies the session. |
By default, upstream and downstream encryption is disabled. This procedure provides the steps needed to force upstream and downstream encryption.
Use the following command to force upstream and downstream encryption:
# utcrypto -a enc_up_type=ARCFOUR enc_down_type=ARCFOUR mode=hard
Use -m
instead of -a
if a
non-default security policy already exists.
Navigate to the Advanced > Security page.
Select the Upstream Encryption and Downstream Encryption options and select Hard as the Security Mode.
Click Save.
By default, server authentication is disabled. This procedure provides the steps needed to force server authentication for all clients.
Use the following command to force server authentication.
# utcrypto -a auth_down_type=simple mode=hard
Use -m
instead of -a
if a
non-default security policy already exists.
Navigate to the Advanced > Security page.
Select the Server Authentication option and select Hard as the Security Mode.
Click Save.
Some reasons to disable client authentication are:
Reduce administrative overhead: At the cost of security, disabling client authentication saves time required to manage client keys on the servers.
Eliminate log messages during upgrade: If you upgrade a Sun Ray server in a failover group with older servers, the upgraded server will repeatedly produce log messages indicated that it cannot store key data and the server will treat all keys as unconfirmed. Client authentication should be enabled once the entire group is upgraded.
Disabling client authentication creates a security risk. Make sure you understand the consequences before disabling client authentication.
Disabling client authentication applies to all future connections without restarting the Sun Ray server.
Use the following command to disable client authentication:
# utcrypto -a auth_up_type=none
Use -m
instead of -a
if a
non-default security policy already exists.
To enable client authentication, set the
auth_up_type
value to
default
.
On the Advanced > Security page, deselect Client Authentication and click Save.
If you don't need to allow access to clients running older versions of firmware, you can improve security by requiring client authentication from all clients.
Use the following command to force client authentication.
# utcrypto -a auth_up_type=DSA auth_mode=hard
Use -m
instead of -a
if a
non-default security policy already exists.
Navigate to the Advanced > Security page.
Select the Client Authentication option and select Hard as the Security Mode.
Click Save.