10

I would like to write an application to manage files, directories and processes on hundreds of remote PCs. There are measurement programs running on these machines, which are currently managed manually using TightVNC / RealVNC. Since the number of machines is large (and increasing) there is a need for automatic management. The plan is that our operators would get a scriptable client application, from which they could send queries and commands to server applications running on each remote PC.

For the communication, I would like to use a TCP-based custom protocol, but it is administratively complicated and would take very long to open pinholes in every firewall in the way. Fortunately, there is a program with a built-in TinyWeb-based custom web server running on every remote PC, and port 80 is opened in every firewall. These web servers serve requests coming from a central server, by starting a CGI program, which loads and sends back parts of the log files of measurement programs.

So the plan is to write a CGI program, and communicate with it from the clients through HTTP (using GET and POST). Although (most of) the remote PCs are inside the corporate intranet, they are scattered all over the country, I would like to secure the communication. It would not be wise to send commands, which manipulate files and processes, in plain text. Unfortunately the program which contains the web server cannot be touched, so I cannot simply prepare it for HTTPS. I can only implement the security layer in the client and in the CGI program. What should I do?

I have read all similar questions in SO, but I am still not sure what to do in this specific situation. Thank you for your help.

kol
  • 27,881
  • 12
  • 83
  • 120
  • Are you tunneling the VNC connections over SSH? Perhaps you could also tunnel the HTTP connection? – steveax Nov 27 '11 at 05:05
  • Does the Web server support executing scripts or other programs when certain HTTP resources are accessed, in a similar way to PHP or Perl scripts? – Peter O. Nov 27 '11 at 11:57
  • @steveax We use SSH tunneling only in those few cases when the remote PC is not inside the corporate intranet. – kol Nov 27 '11 at 22:41
  • @PeterO. The web server is only able to run executable CGI programs. The existing CGI programs are written in Delphi. PHP, Perl etc. are not installed, and I would avoid installing them because writing and distributing a CGI exe is much simpler, than installing and configuring these scripting environments on hundreds of remote PCs... – kol Nov 27 '11 at 22:45
  • couldn't you handle encryption and decryption in you cgi program (and clients)? – Pengman Dec 02 '11 at 10:42

2 Answers2

7

There are several webshells but as far as I can see ( http://www-personal.umich.edu/~mressl/webshell/features.html ) they run on the top of an existing SSL/TLS layer.

There is also S-HTTP.

There are several ways of authenticating to an server (username/passwort) in a protected way, without SSL. http://www.switchonthecode.com/tutorials/secure-authentication-without-ssl-using-javascript . But these solutions are focused only on sending a username/password to the server.

Peter O.
  • 32,158
  • 14
  • 82
  • 96
powtac
  • 40,542
  • 28
  • 115
  • 170
1

Would it be possible to implement something like message-level security in SOAP/WS-Security? I realise this might be a bit heavy duty and complicated to implement, but at least it is

  • standardised
  • definitely secure
  • possibly supported by some libraries or frameworks you could use
  • suitable for HTTP
Mike Goodwin
  • 8,810
  • 2
  • 35
  • 50