First off, before I ask, i would like to point out that this question is for education. I want to know to expand my understanding of Java and network security (what little there is).
How could you use Java for network security and counter attacks? I have been using server/sockets for a while now (for non system security stuffs), but I don't quite understand what I'm doing. Naturally, I should learn up on networking, but where to start? There is a protocol for everything, heck there are protocols to have protocols. To further expand, how could you use Java to say, port sniff, catch packets or kill/open a port remotely?
I guess to phrase the question more adequately; does anyone know of any good sources that I could look at to get a more in depth look/study of how Java handles network security and counter hacking and malware containment?
I think the best thing to do would be to learn concepts, then worry about using Java to implement the concepts later on. There are some gaps in your understanding (for example, I don't even know what "open a port remotely" might mean) and the best thing to do would be to solidify your understanding of how networks work first.
I don't really have a list of network security texts I can recommend -- probably someone else will! -- but IMHO it might not hurt to start with a classic like Steven's "UNIX Network Programming" to shore up the fundamentals, if you can find a copy.
how could you use java to say, port
sniff, catch packets or kill/open a
port remotely?
You can't use Java to sniff ports.
You can't use Java to catch packets.
You can't use Java to kill/open a port remotely.
how Java handles network security and
counter hacking and malware
containment?
Java doesn't handle network security other than internally for its own applications via the security sandbox.
Java doesn't handle counter hacking.
Java doesn't handle malware containment other than internally for its own applications via the security sandbox and bytecode verifier.
One of those things above can be done via an add-on to Java, but basically Java isn't the correct tool for this job.
Related
Firstly Cheers to all PROGRAMMERS [ Today = Programmers day :) ]
Secondly,
I'm working on a project where the specifications require using a server as a front end and an application in the back end. The project is an advanced smart home system. The server will handle commands coming from the client through the internet (let's say like a remote control from outside the house) and send them (through a channel of communication) to the application (planning on using JAVA application) which will handle the main logic like controlling hardware stuff (lights ...) , reading from a microphone (local mic) and accessing a database to act as a speech recognition system (offline).
Now I'm still in the planning phase and I'm not sure which technologies are the best for this project. I'm thinking to use Node.js or Apache as the server and a JAVA application as the back end and any SQL database for the application's SRS.
I hope this illustration demonstrates clearly how the system works:
The main question is:
What is the best way to make the Java application communicate with the server (communication channel [must be bidirectional]) ?
and Do you recommend a specific server other than the mentioned ones for this job ?
What crossed my mind so far:
1- JSP and servlets (making the server is the application too). But I don't want a server to handle the offline stuff and I'm not sure if java servlets can access hardware interface. I also want the server to be separate from making critical decisions (different layer for security reasons and since it won't be used as frequently as the local [offline] system).
2- Communication channel :
A- A shared file, but it's a bad idea since I don't want the application to check if the file contents changed (command received) or not from time to time (excessive operations).
B- A an inter-process-communication through a port (socket communication) seems the best solution but I don't know how that would turn in terms of operation cost and communication errors.
OS used : Linux Raspbian
EDIT:
I'm sure ZMQ+Apache is good enough for this task, but how is it in comparison to WebServices (like SOAP) ? Would WebServices be a better solution in terms of standard implementation and security ?
All related suggestions are welcomed, TQ
ZeroMQ is great for internal communications, or any other similar communication solutions.
For specifically your case, I can see that ZeroMQ would be a best fit.
Reasons:
You offline server have to be agnostic to web solution.
Communication can be reliable and bi-directional, possibly another patterns like (pub>sub, req<>res, etc).
Restarting any of sides would not require to restart the sockets (connection) on other side, as messages are queued.
Possibility to scale not just on same hardware, but as well to local area network or even through internet.
Big community of support. It might look a bit hard to get into, but in reality it is dead simple, just go to examples and once concept understood - it is very easy and neat to work with.
ZeroMQ has lots drivers for most popular languages, that includes Java and Node.js.
Considerations:
You need to think over packets and data will be sent. So some popular data protocols like XML or JSON is good way of thinking.
Responsibilities over different services - make sure they are not dependant on each other too much. Or if main offline server - is a core of system, make sure it does not depend on web facing service, so that web face can be removed/replaced/improved etc.
Few more points to think about:
Why Java, and what about modular approach? For example if you want to expand and scale - add more sensors into smart home solutions, then having one giant application would require to change it, it is harder to maintain as well as maintain different clients with own needs. Think modular way - some core functionality for offline stuff, but many aggregator processes that would talk to different sensors. This makes easier to support different setups and environments, as well maintain the system as a whole by improving independent components.
I am coding a program that necessitates having two machines talk to each other via TCP.
I have a (very) basic familiarity with the java.net Socket classes and related things. I am worried about routers/firewalls blocking the connection. All I need to do is get a port open in order to use the Java STL Socket classes.
I was told to look into using upnp by a friend, and another stackoverflow question regarding upnp suggested using Cling. As a network programming novice, Cling seems like overkill for this (and I am not advanced enough to fully understand the manual).
I am sorry if I am asking the wrong question, looking in the wrong place, etc. All I want to do is connect two machines to send some floats back and forth without having to manually go into my router and forward ports.
Is there anything in the STL that does this automatically, or any simple libs?
First thing first: there's no such thing as "STL" in Java. You're probably referring to the basic Java SDK.
Second, you are asking for "simple means" to perform an operation that is, from a networking point of view, not trivial at all. Look at the most basic task that one of your programs (program A) will have to do: denoting the network location of its "target" (program B). If program B is behind a router, what do you know about program B's network location? nothing. All you know is the router's address.
Same with firewalls. You're concerned about firewalls blocking your connection? well, if your firewalls are any good, then you want them to block all connections except for pre-approved ones.
For programs separated by a NAT, the only sensible method to go about doing what you're looking for is to use UPnP. If Cling is an overkill, try something like weupnp.
There's no free lunch, though.
If there is no network "masking" device (such as a router) between program A and program B, then very simple TCP/IP programming using the Java SDK should just work. If there are networking devices along the ways, you'll have to cope with them by means of configuring your devices, or using UPnP.
I would take a long look at the following tutorial: http://www.giantflyingsaucer.com/blog/?p=224
The idea here is that a library called xsocket creates events that trigger when new information arrives.
I have to implement a simple tour client-server game in Java. Unfortunately, I'm just beginning with network programming and have some problems with choosing an apropriate solution.
Let's assume I'm creating a chess game where two clients can connect to the server, authenticate with their username and passwords and play. The clients must be programmed as applets (thin clients), but I don't know what I should use as a server.
I mean, I've read about several different possibilities like RMI, sockets, servlets, but still don't know which one fits bets my needs. I'm a bit confused because I don't fully understand how the communication would be carried out.
Should I create an executable server which would run all the time on the server and wait for the players? This seems to me like an odd way. Or is there any easier way to do so, e.g. can I make a servlet and put it on Tomcat server so that the server would be run only if there are any players? Could that servlet communicate with applets (clients) and vice versa?*
I'd be really grateful for some tips.
can I make a servlet and put it on Tomcat server so that the server would be run only if there are any players
The Tomcat instance would run anyways, otherwise players couldn't connect to it.
What you could do is to provide a server that starts a new game instance when players connect. The server itself would have to always run.
In terms of technology, I'd suggest you use whatever you feel comfortable with. Don't care about performance yet but try and get started.
So if you already have some knowledge with a communication technology, try and use that. Just be aware of the limitations and take those into account (e.g. message formats, push/pull communication etc.).
It depends what kind of game you are after. Applets are usually good choice for presenting animation (completely in Java) and accessible from a browser. Real world examples would divert towards Flash for client presentation.
If your game is a turn type game (chess, cards etc.), then you can implement your logic in form of servlets or web services or ajax, with appropriate use of hashtables or databases to store live sessions on server side. If your game is more involved in terms of user experience (take an example of Need For Speed type, for instance), then creating a custom server make more sense.
If you are looking for a netwrok application framework in Java then you may consider reading about Apache MINA. Documentation claims that it " helps users develop high performance and high scalability network applications easily." and it has support for various transports such as TCP/IP and UDP/IP via Java NIO. Summary of features can be seen here.
My personal experience with MINA is so far good and used in various projects. One implementation resembles your case, Its not a mulitplayer game but do involves multiple applets connecting a server. I found MINA very good in handling multiple sessions. It do it very neatly. Moreover its very easy to scale and maintain code. Easy to add filters and define protocols.
There are no. of good tutorial available to jump start and initial setup is very easy to do.
However, like any emerging opensource project, it has its problems too. That are: Online community is small and documentation, though improving rapidly, is very limited.
Official user guide covers most of the basics and is a good starting point if you want to know more.
I am looking into securing network communications (UDP and TCP). It is looking like 'use IPSec' is a good solution. I know this is implemented at a lower level, and the application does not need to see it. However I want my Java application to be secure, and to know that it is secure.
So in practice, what do I have to do to use IPSec in a Java application? Do I still use DatagramSocket/ java.net.Socket.Socket? Is there something I need to do with System.getSecurityManager()? Do I have to do configuration at the OS (windows XP talking to an Amazon cloud) level?
At some point I will need to check/provide security credentials. How is that done?
I have done a fair amount of googling, and have seen at the network layer how it works. But I have not found anything along the lines of sample application code that takes advantage of IPSec.
Has anyone done this?
Thanks!
Ok, I have found the info I was looking for. Maybe the question didnt make it exactly clear what I wanted, but this is what I found:
IPSec needs to be configured on the operating system (to over simplify). You set up a connection between the two machines, and let them go at it. You know you have a secure connection, because you only allow secure connections on that machine. If you did not have IPSec configured it would not be secure, so you just need to make sure that you do.
Security can be a shared secret, or an X509 Certificate
And some useful how tos:
For linux http://www.ipsec-howto.org/x304.html
For Windows: http://www.elandsys.com/resources/ipsec/wincert.html
You can't do it - like you said it's at a lower level - much lower!
Is there any particular reason why "use SSL" isn't a good solution?
To expand on older answers: Suppose that, having to set up IPSec between two endpoints, we want to know if it's in place. If IPSec encryption is happening, it may be the best solution (hardware encryption, keys shared centrally with other services on the machine), but if IPSec encryption isn't being applied, we'd better abort the connection or use application-protocol-level encryption before sending sensitive data.
Unfortunately, there is no standard API for detecting IPSec on a socket (and any Java for doing this is going to have to interface with the native system calls). Further, note that IPSec may be applied by a router somewhere along the route, transparently, so it's only possible to detect it if it's being applied by the OS kernel.
APIs:
WSAQuerySocketSecurity
setsockopt(sock, IPPROTO_IP, IP_SEC_OPT, &opts) since Solaris 8 (great tutorial here)
Shockingly completely(?) undocumented IP_IPSEC_POLICY on linux
Well documented IP_IPSEC_POLICY on FreeBSD and MacOS (using the well-established KAME implementation). Search for examples in /usr/src.
We have a C++ application on Windows that starts a java process. These two apps need to communicate with each other (via snippets of xml).
What interprocess communication method would you choose, and why?
Methods on the table for us are: a shared file(s), pipes and sockets (although I think this has some security concerns). I'm open to other methods.
I'm not sure why you think socket-based communication would have security concerns (use SSL). It is often a very good approach as it is language agnostic, assuming that you have a well-defined communication protocol. Have a look at Google's protocol buffers, for example - they generate the required Java classes and streams.
In my experience, file systems (especially network file systems) are not well suited to such communication as they are not necessarily tuned for messaging (I've seen caching issues result in files being not picked up by the target process for example).
Another option is a messaging layer (AMQ or Tibco for example) although this will likely involve a greater administrative overhead (plus expertise) to set up.
Personally I would opt for a pure-socket approach because of its flexibility and simplicity. You will be in complete control.
I've used named pipes for communication between C# and a cross-platform c++ app and had nothing but good results. Barring that sockets is definitely the way to go.
Sockets are nice. They give you the ability to very easily create a blackbox testing layer around each component, as well as run each component on its own machine.
Security is definitely a concern, but there are a good range of options depending on how important it is. You can use SSL, custom handshaking, password protected logins and firewalls to help secure it.
Edit:
Not something I'd recommend, but there's also shared memory using JNI. Just thought I'd mention it because it's not on your list.
Ice is pretty cool :)