With security becoming increasingly important, the need to find a way to secure X11 protocol has never been more critical. Reflection X is a powerful tool that can provide a great deal of capability, convenience, and efficiency when working with host systems across networks and the internet. At the same time it can also create security concerns which, until recently, have been difficult to resolve. Fortunately, the combination of using Reflection X and SSH has proven to be a very effective way to maintain the valuable benefits of using a robust PC X-Server, as well as provide the high level of security that users, IT professionals, and system administrators have long been searching for.
Reflection X is difficult to secure because it is a server, and it typically needs to be available for connection by X11 client applications running remotely on a UNIX host. This means leaving the X11 protocol standard TCP port 6000 open in your Windows and/or network firewall, and possibly other ports as well (for example, when using the Multiple X Display feature in Reflection X). How can access be restricted to only authorized X11 clients? Traditionally, this has been attempted with security settings such as "Host-based security," "User-based security," and "XDM-Authorization-1." Yet all of these measures have vulnerabilities, one being that they send the X11 protocol in the clear. This means that the packets are vulnerable to unwanted and unauthorized capture by those with the right trace tools.
Using SSH (Secure Shell) not only addresses all of the traditional security concerns listed above, but also provides other advantages as well.
The list of advantages is long, however, one disadvantage is that SSH does not support UDP packet forwarding, which means that you can't create the full UNIX desktop with XDMCP (X Display Manager Control Protocol). There is, however, a workaround for this SSH limitation that is outlined in Technical Note 1818.
To use Reflection X with SSH, both the SSH client and server must be configured to allow X11 protocol forwarding through the SSH tunnel. While this setting is enabled by default in the Reflection SSH client when using Reflection X, the setting on most SSH servers is disabled by default and will need to be enabled. Information about how to modify an SSH server to enable this setting is available in Technical Note 1814.
For those who work primarily in remote emulation sessions, such as with Reflection for UNIX and OpenVMS, it is important to note that you can use the SSH tunnel created with either of these applications for tunneling any X11 protocol back to Reflection X. In these cases, X11 protocol tunneling is not enabled by default, but is easily enabled through the user interface.
Securing X11 connections with SSH is an effective solution to common security problems. If you would like to take advantage of the benefits of using Reflection X and SSH, give it a try. And if you have questions or comments, please contact the Attachmate Technical Support team: http://support.attachmate.com/contact/.