The X Window System And Broadway

Accessing UNIX/X Windows Applications Over The Internet, Intranet And Enterprise Extranet


A Hummingbird Communications Ltd. White Paper
Copyright 1996 © Hummingbird Communications Ltd

Introduction

The age of the Internet is upon us. Demand for access to Web based information and resources has grown at a phenomenal rate over the past several years. The number of host computers connected to the Internet skyrocketed from barely two million in 1993, to over 16 million at the beginning of 1997. In 1996 the number of documents posted on the World Wide Web grew at more than a 100 percent annual growth rate, eclipsing 80 million documents by year’s end. According to International Data Corporation more than 16 million consumers will be roaming the Web by 1999, compared with two million currently. The Web’s success as a new platform for information distribution and collaboration (it is essentially a global virtual book), and its emergence as a new business arena, have driven the acceptance and use of Internet and Web technologies in the development of organizational intranets. This has resulted in an ever increasing demand for technologies that enable remote Internet access to the information and resources of the intranet and enterprise internetwork. Telecommuters, mobile and remote workers, system administrators, and network managers are now seeking a reliable and secure means of accessing mission critical X-UNIX applications from the Internet — while information technology managers have begun the quest for emerging technologies that facilitate seamless integration and access from within the intranet desktop metaphor.

The Browser

Apple’s introduction of the graphical user interface in 1984 revolutionized computing by radically changing the human-computer interface. The GUI shielded users from the starkness and unforgiving nature of command line interfaces, and simply but quickly transformed the personal computer into an intuitive and easily usable machine. During the 1990’s GUIs rapidly evolved into graphical user environments that now feature multiple desktop metaphors allowing users to navigate well beyond their hard drive, and into the realm of the internetwork. The desktop metaphor of the future has emerged in the form of a browser. Browsers will be used in the same way as the Windows Explorer file manager, but will feature a higher level of application integration, greatly simplifying access to enterprise-wide information and applications.

Aside from ASCII terminal and X Windows emulation, the browser was the first desktop application that brought the concept of network computing to the masses. Browsers have become a focal point for enterprise desktop computing; their ease of use and the growth of organizational intranets have also made them the focal point for application development. Broadway is a technology specification designed to extend X to the Internet, intranet and extranet without making any modifications to the existing base of UNIX/X applications. Broadway, the newest release of the X Window System [X11R6.3], has been designed to provide robust, reliable and secure browser-based access to X-UNIX based applications from the Internet, or within the intranet. This white paper has been developed to provide a brief overview of intranet-enabled PC X servers, the Open Group’s X11R6.3 specification and the Broadway initiative.

The Final Frontier—X11R6.3 And Broadway

Since its first commercial release in 1986, the X Window System has become one of the most successful consortium developed open standards-based technologies, and is now the industry standard distributed windowing system on all UNIX computer systems. In the era of network computing [the 1990’s] X became a key enabling technology facilitating cross-platform integration in multivendor computing environments. As a network graphics protocol and distributed windowing system, X was the first successful distributed computing technology. X’s distributed architecture enables the input devices [keyboard and mouse], and display of an application to be distributed to an X capable networked desktop. One of the most successful of all products to emerge from the X Window System standard is the PC X server. Available as a native application on all PC operating systems, the PC X server has become the most powerful PC to UNIX integration technology in the industry. Millions of enterprise desktops rely on PC X servers to connect to mission critical applications and information based on UNIX servers.

The concept of Broadway was introduced in 1995 by the X Consortium as a technology specification designed to extend the X Window technology to the Internet and WWW, without making any modifications to the existing base of UNIX/X applications. Broadway-enabled browsers and companion X servers would allow remote execution of UNIX/X applications over the Internet and WWW. In addition, Web pages and HTML documents would have the capability of embedding UNIX/X applications. The concept of Broadway has been well received by the industry, and the ability to access UNIX/X applications over the Internet opens new opportunities for distributing computing power over the existing public IP infrastructure.

The X Consortium turned the responsibility for X technology over to the Open Group (www.opengroup.org), which recently released the final version of the X Window System’s X11R6.3. The components of Broadway and new features of X11R6.3 are highlighted in the bullet list below. The X Window System X11R6.3 release and Broadway’s new capabilities make it easier to integrate X into a developing intranet or extranet. X and Broadway have been extended in a way that makes it unnecessary to rewrite existing X applications to be used in an intranet, extranet or over the Internet. Only the PC X server or browser must be updated to support X11R6.3. Currently, the Open Group’s Broadway reference plug-in supports Netscape Navigator 3.0, and runs only on Digital UNIX, HP-UX, IRIX and Solaris 2.x. Several PC X server vendors including Hummingbird have pledged support for Broadway and will provide plug-in support for Netscape’s Navigator and Microsoft’s Internet Explorer on all Windows platforms.

X11R6.3 And Broadway Components Include:

  • Low Bandwidth Extension LBX—an Internet-optimized, proxy-based serial X protocol.
  • XC-APPGROUP— a protocol extension for plug-ins—embeds the output of applications within the browser window enabling the browser to act as a window manager.
  • Security extension—designation of trusted (inside the firewall) and untrusted applications (outside the firewall).
  • Xfwp—enhanced firewall security with support for firewall proxies.
  • Remote execution service RX—the ability to remotely invoke applications.
  • Universal Access —integration of Broadway with HTTP protocols enabling application platform independence.
  • Xp—a protocol extension to enable printing via the X protocol.
  • Vertical Text Output—useful with Asian languages.
  • xfindproxy—a proxy management protocol (part of ICE) that allows location of firewall proxies and helps users locate and launch proxies.
  • proxymngr—the proxy manager that implements this protocol and manages proxy applications.

How Broadway Works

Web browsers have been designed to support helper and plug-in applications, and in this case a PC X server becomes a helper application. The browser user clicks on a UNIX/X application URL, the browser opens a connection to the desktop PC X server, and the Web server hosting the embedded UNIX/X application launches the application. The Broadway enabled browser displays the UNIX/X application within the browser interface. (Optionally, the browser can establish a connection over the Internet via the LBX protocol for low-speed operation.) In either case the Broadway-enabled browser essentially acts as a window manager for the remotely executed UNIX/X applications.

Overview Of Broadway


Intranet-Enabling X Applications with Broadway

Broadway standardizes two methods for invoking an X application by clicking on a URL: via a small platform-specific helper application called xrx, or via a browser plug-in (which could also be a Java or ActiveX applet). The first method launches the X application in a separate window entirely controlled by the X server. Thus, except for the method of invocation, this technique is no different in appearance from standard X server operations and really offers no advantage over the method already available in Exceed and other PC X servers. However, the plug-in method results in the X application’s output being displayed within the browser window, with the use of a new protocol, the application group extension (XC-APPGROUP). This protocol allows an application designated as "application group leader" (in this case the browser) to intercept display requests to the desktop window manager (i.e. the PC X server) and reparent the intended X window into the group leader’s window.

In effect, the browser becomes a client of the X server on the same machine. The X server is still responsible for all display, rendering, and user input functions, so there is no performance hit (except in the case of serial operation using LBX), but the browser remains the "focus" of the user interface. In both cases, no modification of the X application itself is necessary; only the browser and the X server need be Broadway-compliant. However, each application on the UNIX server must now have three files associated with it:

  • Application-name.html—the page on which the URL resides.
  • Application-name.rx—an RX document describing the X server resources the application needs. (For instance, a data modeling application might specify the OpenGL® extensions of Exceed for 3D rendering; if the X server does not support these extensions, an error dialog will pop up.)
  • Application-name.pl—the CGI (Common Gateway Interface) script that launches the application.

In addition, the new RX MIME type must be added to the UNIX Web server to enable the plug-in or helper application on the desktop to be launched when the URL is clicked. The reference implementation of Broadway supplied by The Open Group includes a plug-in for some UNIX variants of Netscape 3.0; plug-ins (or applets) for other platforms or browsers must be supplied by the PC X server vendor. Likewise, xrx is available in the reference implementation only as a UNIX application; porting it to another OS is the PC X server vendor’s responsibility.

A related protocol, called X-Agent, has also been added to Broadway. X-Agent lets special (i.e. written for this protocol) X client applications monitor or receive data from other X applications in real time. In effect, this lets the desktop X server act as the integrating focus of several X applications, which may be on different servers throughout the enterprise.

Remote X Connectivity And Broadway’s Low Bandwidth X

Although the X Window System was designed to be network, platform and operating system independent, it is not serial friendly. The X protocol stream is extremely verbose and remote connectivity to UNIX/X hosts has presented some challenges to remote X users. The leading PC X server vendors, however, have addressed this by adding optimized serial X technologies such as Serial Xpress from Tektronix Inc. and XRemote from NCD, to increase remote X performance. Additionally, the success and widespread use of high speed modems, PPP and ISDN has also benefited remote PC X server users. Although such links are of course slower than LAN speeds, the entire digital connection is nonetheless transparent to the PC X server: the user is merely another TCP/IP node on the enterprise network and can connect to any authorized host or application from that address.

X11R6.3’s Low Bandwidth X (LBX) has been designed to increase the performance of X over the Internet and serial connections. The LBX extension, a key component of Broadway, has been designed to run over the Internet, and is compatible with legacy X applications. Legacy X applications will work with LBX without changing the applications. Not unlike Tektronix’ Serial Xpress or NCD’s XRemote, LBX is based on a proxy server model (lbxproxy) utilizing compression and decompression algorithms to reduce the X protocol stream before it encounters the Internet or a serial connection.

Conceptual Diagram Of Broadway’s Low Bandwidth X

Security Issues With X And Broadway

As with virtually all UNIX technologies, X was designed to operate in a trusted environment. Although the concept of "trust" in computer security is a complex one, a simple analogy suffices to distinguish between a trusted and untrusted environment in regards to X. In a trusted environment, a locked door with the sign "Authorized Personnel Only" is considered sufficient security; most UNIX networks are considered trusted environments. In an untrusted environment, anything from electronic access control to a security guard may be considered necessary, depending on the value of what’s behind the door.

Before Broadway, the distinction between trusted and untrusted environments did not exist, making the use of X across both intranets and the Internet difficult to configure and control. Instead, X had five security mechanisms available, only two of which were widely implemented, and both of these have notorious weaknesses that make them unsuitable for Internet use.

The two widely-implemented mechanisms were a host-based access control list (ACL), and user-based access control. The first depends on a file associated with the X server, which can be changed with a command called xhost, that specifies all the hosts the desktop X server will accept commands from. The problem is that all of the users on a valid host can send commands to the X server as well. This enables hackers to view the contents of a screen, create and destroy windows, modify the behavior of X clients, and record keystrokes, including passwords. For this reason, xhost was never implemented on PC X servers.

User-based access control (the most common is known as MIT-MAGIC-COOKIE-1) uses a 128-bit key (the "magic cookie") stored in a file associated with the X server called .Xauthority. A special program automatically generates the cookie for each log-in if desired. X clients wishing to access the display must give this key to the X server. This security method is easily compromised by a replay attack, since the cookie is passed unencrypted across the network. As well, anyone who can read the .Xauthority file can gain access to the X server; and if the host list of the X server is not empty, any host on the list can bypass user-based access control.

Three other more advanced security methods are available as well. XDM-AUTHORIZATION overcomes the weakness of the cookie with 56-bit DES encryption. The client application generates a 192-bit packet by combining the current time with other information and encrypts this with the DES key. The server, upon receiving the encrypted packet, decrypts it with the same key and then validates it by repeating the same generation process. Since XDM-AUTHORIZATION stores secret data in the .Xauthority file just as MAGIC-COOKIE does, it shares the weakness that access to the file gives full access to the X server. In addition, Sun and some other vendors offered a secure public key remote procedure call (RPC) system, but its lack of interoperability inhibited widespread adoption. As well, MIT’s KERBEROS-5 system, based on mutual trust in a Kerberos server, is also available for X; for various reasons, including its complexity, Kerberos has not been widely adopted in the X world.
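As an added illustration of the two checks described in the preceding two paragraphs (not code from this white paper or from any X server), the Python model below shows why a static magic cookie verifies the same bytes every time it is presented, while a time-stamped, address-bound, encrypted XDM-style packet can be refused as stale, misdirected or already used. DES is replaced by a labelled stand-in keystream because the standard library has none; the key material, peer addresses and the 20-minute skew window are constructed assumptions.

```python
"""Constructed model of MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1 style checks (not
X server code). Real XDM-AUTHORIZATION-1 uses 56-bit DES in CBC mode with a zero IV;
here a keyed HMAC-SHA256 XOR keystream stands in for it. The validation steps are the point."""
import hashlib
import hmac
import struct

TWENTY_MINUTES = 20 * 60  # assumed clock skew the server tolerates on the packet timestamp


def _stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """DES stand-in: XOR each 8-byte block with an HMAC-derived keystream.
    XOR is its own inverse, so one function both encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 8):
        ks = hmac.new(key, struct.pack(">Q", off), hashlib.sha256).digest()[:8]
        out += bytes(a ^ b for a, b in zip(data[off:off + 8], ks))
    return bytes(out)


class MagicCookieServer:
    """MIT-MAGIC-COOKIE-1: the client sends the 128-bit cookie itself."""

    def __init__(self, cookie: bytes) -> None:
        self.cookie = cookie

    def accept(self, presented: bytes) -> bool:
        # A static secret carries no freshness: the same bytes verify every time.
        return hmac.compare_digest(presented, self.cookie)


def xdm_build_packet(rand64: bytes, key: bytes, addr: bytes, port: int, now: int) -> bytes:
    """Client side: 64-bit random key part + 48-bit address + 16-bit port + 64-bit time."""
    plain = rand64 + addr + struct.pack(">HQ", port, now)  # 8 + 6 + 2 + 8 = 24 bytes
    return _stand_in_cipher(key, plain)


class XdmAuthServer:
    """XDM-AUTHORIZATION-1 style check: decrypt, then validate every field."""

    def __init__(self, rand64: bytes, key: bytes) -> None:
        self.rand64, self.key = rand64, key
        self.seen = set()  # packets already accepted, so an identical one is refused

    def accept(self, packet: bytes, peer_addr: bytes, peer_port: int, now: int) -> str:
        plain = _stand_in_cipher(self.key, packet)
        rand, addr = plain[:8], plain[8:14]
        port, stamp = struct.unpack(">HQ", plain[14:24])
        if not hmac.compare_digest(rand, self.rand64):
            return "bad key"        # wrong DES key or wrong random part
        if addr != peer_addr or port != peer_port:
            return "peer mismatch"  # packet was minted for a different connection
        if abs(now - stamp) > TWENTY_MINUTES:
            return "stale"          # outside the clock-skew window
        if packet in self.seen:
            return "replay"         # identical packet already used once
        self.seen.add(packet)
        return "ok"


def demo() -> dict:
    # Constructed scenario: valid presentations, then the same bytes presented again.
    cookie, rand64, key = bytes(range(16)), b"\x01" * 8, b"\x02" * 8  # constructed secrets
    addr, other = b"\x0a\x00\x00\x07\x00\x00", b"\x0a\x00\x00\x08\x00\x00"  # constructed peers
    port, now = 40000, 1_000_000
    mc, xa = MagicCookieServer(cookie), XdmAuthServer(rand64, key)
    packet = xdm_build_packet(rand64, key, addr, port, now)
    return {
        "cookie_first": mc.accept(cookie),
        "cookie_again": mc.accept(cookie),  # accepted again: nothing binds it to one session
        "xdm_first": xa.accept(packet, addr, port, now + 5),
        "xdm_again": xa.accept(packet, addr, port, now + 6),
        "xdm_stale": xa.accept(xdm_build_packet(rand64, key, addr, port, now - 3000), addr, port, now),
        "xdm_other_peer": xa.accept(xdm_build_packet(rand64, key, addr, port, now + 1), other, port, now),
        "xdm_wrong_key": xa.accept(xdm_build_packet(rand64, b"\x09" * 8, addr, port, now), addr, port, now),
    }
```

Both servers still depend on the secret stored in .Xauthority, which is the shared weakness the paragraph above points out; the model only shows what the encrypted, time-stamped packet adds on the wire.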

Broadway does not eliminate any of these security methods; it merely adds the distinction between trusted and untrusted hosts. This distinction generally refers to hosts inside the firewall and those outside, which corresponds nicely to the intranet/Internet dichotomy. Untrusted hosts, regardless of how authorized, cannot execute trusted X commands, nor query the X server about trusted data. In general, this approach bears some resemblance to the Java "sandbox" approach, walling off sensitive portions of the desktop OS and X server to prevent malicious activities. In addition, Broadway distinguishes between trusted and untrusted applications, based on the presence or absence of certain operations that cannot, by their nature, be made secure.

The new security extension has several elements, which control the keyboard, the display and file access. Most significant of these is a specific mechanism controlling access to the host file, which now distinguishes between trusted and untrusted hosts. The final piece of Broadway security is an application-level proxy, xfwp, which relays X commands through a firewall.

Broadway Implementation Issues

The basic advantages of Broadway are easy to discern. By integrating the invocation and display of UNIX/X applications into the universal interface of the desktop browser, user training requirements are reduced, and X-based mission-critical applications can be more widely and easily distributed within the enterprise intranet and extranet, or over the Internet. However, in common with all technologies, there are a number of issues that must be addressed when considering a Broadway implementation; overlooking these can lead to a less than optimum use of the new technologies in X11R6.3.

Broadway Implementation Issues Include:

  • Performance VS. Bandwidth
  • Impact Of The New Security Paradigm
  • Increased Complexity And Management
  • Issues With Consortium Developed Technologies

Performance VS. Bandwidth

Although LBX was carefully designed to optimize the X protocol for low-speed serial transmission, it’s difficult to squeeze the extensive rendering capabilities of X, originally designed for a high-speed LAN environment, into a smaller network "pipe" without also sacrificing some performance. LBX not only relies on complex compression algorithms that will inevitably consume some server CPU cycles and thus impact performance, but also "compresses and decompresses" the X protocol to make it a better fit for typically low-bandwidth remote access applications. For some applications, this will have little or no impact on the user’s experience with the application. However, the relentless pace of innovation and unremitting enterprise demands for high performance in mission-critical UNIX/X applications mean that many, if not the majority of, UNIX/X applications will not perform as well through the LBX proxy over the Internet as in their native LAN environment. In some cases this will merely require some adjustment of user expectations (not always an easy task!); in other cases it may require re-writing the application, thus raising the actual cost of a Broadway implementation. As well, the performance and implementation of Broadway and the LBX proxy by specific vendors will play an important role in determining just how backward-compatible this technology is with legacy applications.

Impact Of The New Security Paradigm

Since the new security mechanisms in Broadway limit what untrusted applications are allowed to do, there are many existing applications that cannot be run from an untrusted host; the popular FrameMaker document composition application is one instance of an application that fails immediately if invoked from an untrusted host. To use such applications requires a change in the enterprise security boundaries, with the possibility of error that such changes always introduce. It will usually not do to re-write the application, since in most cases what the application is designed to do requires the use of operations that cannot fit into the trusted area of Broadway’s security model. In addition, even with compliant applications, there will be unpredictable changes in the behavior of a user’s desktop. For instance, Broadway’s security model is designed to prevent copy and paste operations between trusted and untrusted applications. Many users, however, may automatically interpret the failure of a copy/paste operation as a bug in their desktop, which could add to the load of the enterprise help desk and require additional training.

Increased Complexity And Management

The copy/paste example illustrates the additional management burden that could arise from the complexity imposed on the enterprise internetwork by the implementation of Broadway technologies. Since Broadway, in effect, redefines the behavior of X on the desktop, it might require some retraining and help desk costs associated with its implementation. More to the point, by adding a plug-in or the xrx helper application to the desktop, Broadway will add to the complexity and potentially the management of the enterprise desktop. As well, the presence of the LBX proxy on the server, along with additional components such as xprint, will require management attention. An important consideration, therefore, in choosing a vendor solution, is the presence or absence of additional management tools to ease the increased burden imposed by this complexity.

Issues With Consortium Developed Technologies

As organizations begin to adopt and implement Broadway, requirements for more features and enhancements of the technology will undoubtedly emerge. By definition, X11R6.3 and Broadway are in essence a reference implementation that should be considered merely a starting point: it’s up to vendors addressing the real-world concerns of their enterprise customers to build robust, commercial X servers that implement the new technologies of Broadway and X11R6.3. Historically, the major advances in personal computer-based X technology have come from customer-driven vendors such as Hummingbird and its competitors; for instance, the X Consortium drew on technologies from Tektronix and NCD to design LBX. Browser-based invocation of UNIX/X applications was offered by many PC X server vendors long before Broadway debuted. Broadway will be no exception to this historical trend. Thus, when considering a vendor’s Broadway offerings, it is important to take into consideration the vendor’s track record in innovation to satisfy customer needs and requirements, and the associated management issues.

Summary

The development of X Window System Release 6.3 and Broadway represents a logical next step in the evolution of X. By extending X Windows into the Internet, and the burgeoning intranet and extranet environments, organizations will now have the capability of delivering mission critical applications, information and resources via the easy to use and now ubiquitous browser interface. The importance of Broadway may not be in the technology itself, but in its potential and concepts, and its future evolution within the organizational intranet. The information age has significantly heightened the level of competition in almost every industry, and information technology has become the weapon of choice for many businesses. IT managers are continually challenged to meet the needs of a workforce now dependent on immediate, easy, secure and reliable access to corporate information. During the 1990’s many of the world’s largest organizations spent billions developing X Windows-based mission critical applications on UNIX servers. Broadway promises to reliably and securely deliver these applications and information to anywhere in the world via the Internet, and anywhere in the organization via the intranet or extranet.

- : -

The information in this document represents the view of Hummingbird Communications Ltd. on the topics discussed, as of the publication’s date. The continually changing market conditions and general dynamic nature of the computer business mandate that Hummingbird cannot guarantee the accuracy of any information published after the date of publication.

This White Paper has been prepared solely for informational purposes. Hummingbird MAKES NO WARRANTIES, EXPRESSED OR IMPLIED IN THIS DOCUMENT.

Exceed and Exceed 3D are trademarks or registered trademarks of Hummingbird Communications Ltd. All other product and/or company names mentioned herein may be the trademarks of their respective owners.

© 1997 Hummingbird Communications Ltd.

For More Information: Visit Hummingbird’s Nest On the Web
http://www.hummingbird.com
email: sales@hummingbird.com
Or Contact: Hummingbird Communications Ltd., One Sparks Avenue
North York, Ontario, M2H 2W1 Canada
Telephone: 416-496-2200
Fax: 416-496-2207