Quark Engine - Security

The only true network protection is TLS with client certificates. Everything else is merely good, or good enough, at hiding the data, and Quark Engine is no exception: none of the other options is safe from a MITM attack, only the first one is. So the question is: why did we implement encryption at all?

Many service deployments include a front entry point in the form of a secured proxy such as Apache, HAProxy or NGINX. The proxy is usually configured with TLS to encrypt data transfer to and from the Internet; however, once it receives data from the Internet (the browser), it forwards that data into the internal network unencrypted unless the backend service is also protected with TLS.

This opens the door to sniffing network data inside the internal infrastructure. Today many small yet powerful network analyzers exist; they can even be installed as a small background service that captures every packet, singles out specific services, writes logs or forwards the data elsewhere.

In the early days of TCP/IP networks, hubs were used, which repeat every data packet to every connected device, making sniffing easy from anywhere on the segment. Later, network switches were introduced, which range from cheap to expensive. How much you invested determines how data travels through your internal network and how easily it can be sniffed.

No matter what kind of switch you use, imagine that the server running your service is infected with network-sniffing malware. The data is then stolen at its destination, and no switch or network technology can protect you if the data itself is not encrypted.

Everything above is why we implemented encryption at the data (software) layer as an additional security measure.

Imagine a user working in a web app, submitting screen data that contains sensitive information such as credit card numbers and CVC codes, passwords or simply personal data. What if the app server is running in some cloud network and the data is protected only by the entry-point proxy? Once the data passes behind the proxy it is no longer encrypted. Now imagine automated web logging that records every request. What will end up in those logs?

We never know how a service will be configured at the network layer, or what is logged and where. Adding one more protection layer is an additional security measure. Since most sensitive web app data is actually small, the implemented protection is fast enough to handle most of it with minimal load on processing resources.

Quark Engine is a building block of Green Screens Terminal Service for IBM i that protects data at the data layer, making it safer regardless of whether or how TLS is used. Decryption happens inside Green Screens Server itself. If data transfers are logged, the logged data is still encrypted, protecting it from sniffing tools regardless of the network configuration.