- This topic has 3 replies, 3 voices, and was last updated 4 weeks ago by
.
-
Posts
-
Hello,
Quite hard question asked by our CISO…
Is there actually a protocol break between nxhtd & nxwebplayer ?
Sever Direct Connections with a Protocol Break – TDi https://www.tditechnologies.com/2022/02/22/sever-direct-connections-with-a-protocol-break/
“A protocol break severs the direct connection of the user to your endpoints. It works by acting as a man in the middle between the user and the endpoint. Here an IP session terminates completely at the intermediate system and the data from that session is then transferred to a completely different IP session, usually using a different protocol.”
Secure Delivery of a Payload via a Protocol Break https://www.nexor.com/blog/secure-delivery-of-a-payload-via-a-protocol-break
“Rather than allowing a protocol exchange directly between System A and System B, we insert a “Catcher”, often referred to as a proxy (C in the diagram).
To System A, the Catcher looks like it is System B. So System A communicates with the Catcher quite happily.
The Catcher extracts the payload, and passes the payload to another system – the Thrower (T in the diagram).
The Thrower then talks to System B.
As far as System B is concerned it is getting information from System A.”
Does you CGI architecture guarantee such a protocol break ?
How ?
Thanks !
Regards,
Steve.
Are you referring perhaps to a protocol break by separating the web server host from the NoMachine server host? If so, yes this is already possible:
How to configure a NoMachine server to connect web sessions on localhost or on different hosts
https://www.nomachine.com/AR06P00984Hello,
“separating the web server host from the NoMachine server host ”
is a good thing but it is not enough for (very) sensitive environments.
“Protocol break” is a network protocol attack protection as described on this NCSC page :
Network protocol attack protection – NCSC.GOV.UK
https://www.ncsc.gov.uk/collection/cross-domain-solutions/using-the-principles/network-protocol-attack-protectionIn our case the risk occurs if a user, from a low security domain, has a remote access to a server in a high level security domain.
We must have strong protection against an attacker who might use the components within NoMachine as a route to compromise the core network.
NCSC :”A protocol break will terminate one transmission path, extract the relevant information, and use this to initiate a new transmission path.”
So the question is : what happens in the black box “nxhtd & nxwebplayer” between the 2 components ?
Is there a network session break ?
Is there a “rewriting” of data or just an “as-is” forwarding ?Please, could you forward these hard questions to a cybersecurity expert in your teams in labs ?
Thanks,
Regards,
Steve.
This is a simple schema of how web sessions work:
JS/browser < internet HTTPS > nxhtd [ apache webserver ] <> nxwebrunner [ CGI app] <> nxwebplayer < NXD / SSHD > nxserver
so breaking this down:
1. JS/Browser — HTTPS [to nxhtd / apache web server ] – The communication between the browser and nxhtd is over HTTPS. This ensures secure transmission of data via the standard HTTP protocol.
2 NXHTD — NXWebRunner. NXWebRunner parses and validates the incoming messages from the client (sent via JS/browser)to nxwebplayer.
3 NXWebRunner — NXWebPlayer. NXWebPlayer acts as the daemon and is responsible for handling the communication flow between NXServer and NXWebRunner. NXHTD, NXWebRunner and NXWebPlayer are on the same host. They cannot be separated.
4 NXWebPlayer — NXD/SSHD – NXServer. NXWebPlayer is the intermediary between the web environment and NXServer, ensuring that all communication is correctly routed, formatted, and transmitted. Messages over this secure channel are in “NX protocol format” so nx or ssh. You can configure the web server to connect to a different nxserver, so on a different host. This could give you some separation.
You might also consider a reverse proxy (configurable in apache for example), but without knowing much about your specific requirements, it’s difficult to advise further. What I suggest you do is contact our sales team via the website so we can understand your requirements better and evaluate what NoMachine products and configuration is best for your environment.
You must be logged in to reply to this topic. Please login here.