AVSS + Windows + Internet = AVSS/NET

The AVSS software is based on the M Technology, a programming language, database manager, and operating system. Advanced for its time, M has had multi-user and multi-tasking capabilities in the DOS environment since the 1980s. These capabilities facilitated automatic communications between AVSS computers, as, for example, between hospitals and local health departments. The M operating system, however, required complete control over critical computer resources in order to accomplish this goal and the M database manager required a dedicated environment to insure its integrity. This meant that AVSS PCs had to run on a DOS 6.22 computer dedicated solely to AVSS.  With the advent of Windows, this approach, though once reliable and effective, became increasingly outdated.  Yet, attempting to run DOS-based AVSS on Windows computers was not recommended and the AVSS Project did not support this approach.  In 2001, in response to this situation, the AVSS Project developed a client-server approach using the Internet and SSH encryption that allowed users to securely run AVSS on a Windows workstation.  This combination is referred to as AVSS/NET.  By using an AVSS/NET client workstation, users saw the same, familiar interface as with the DOS version so that there was no need for retraining.  Additionally, analysts could easily and securely download AVSS/NET data by means of the Internet rather than relying on traditional and cumbersome magnetic media.

By April 2006 all 56 AVSS local registration districts had converted to AVSS/NET.

1. AVSS/NET BENEFITS
1. Windows-based so that an AVSS workstation can run other applications such as word processing.
2. Eliminates the need for aging, obsolete hardware and dedicated telephone lines.
3. Eliminates system management responsibilities such as backups and hardware maintenance.
4. More reliable and faster.
5. Eliminates the need to for local staff to perform annual AVSS updates.
6. Streamlines the downloading of data from AVSS to other software and makes AVSS data more accessible.

2. AVSS/NET COSTS
AVSS/NET requires the following components for each AVSS user site:
1. Windows 2000/XP workstation (not Win9x or NT).
2. Continuous (not modem-based) Internet access with Port 22 open and with on-site LAN support staff.
3. HP LaserJet 2300 printer or equivalent (see Manual for more details). Note: Do NOT use the InkJet version.
4. Licensing fees of $550 per workstation every three years (these supplant the current fee of $250 every 3 years).
5. A deployment plan involving all users in a local registration district converting to AVSS/NET simultaneously.

3. AVSS/NET COMPONENTS
SSH (Secure SHell): SSH is a secure protocol that replaces existing TCP/IP protocols such as Telnet. SSH must be supported by both the client and the server. It provides strong authentication and secure communications over insecure channels. SSH prevents illicit network snooping whereby unencrypted text can be read by unauthorized parties. AVSS/NET uses SSH and three distinct components to efficiently and securely communicate confidential vital records information over the Internet:
Client Workstation: A Windows 2000/XP workstation that can connect to the Internet via a local ISP or LAN. This "Thin Client" must also have a terminal emulation program capable of supporting SSH communications protocol. SecureCRT is the program used by AVSS/NET. It allows for an encrypted SSH session using a user name and password authentication security and 56 to 256 bit triple DES ciphers for session data encryption. Encryption is started before authentication.  It is possible to change the printer settings as well as the screen settings.
Encryption Server: A UNIX computer running SSH. This server provides users with secure login connections, file transfer, and TCP/IP connections over the Internet. It uses cryptographic authentication, automatic session encryption, and integrity protection for all transferred data. RSA is used for key exchange and authentication, and symmetric algorithms for encrypting transferred data. The Encryption Server has two network interfaces, one that connects to the Internet, and a second connects to the AVSS Server directly and uses a private IP address.
AVSS Server: A Windows XP server running AVSS for Windows with Telnet support connected to the Encryption Server with a private address.

4. AVSS/NET SECURITY
AVSS/NET will protect against:
1. Viewing the content and type of communication by anyone other than AVSS/NET users.
2. IP Spoofing, where a remote host sends out packets that pretend to come from another, trusted host.
3. IP source routing, where a host can pretend that an IP packet comes from a trusted host.
4. DNS spoofing, where an attacker forges name server records.
5. Interception of clear text passwords and other data by intermediate hosts.
6. Manipulation of data by persons in control of intermediate hosts.

By placing the AVSS Server in a private network, outside access is locked out. The only way to access the AVSS Server is either directly by means of the AVSS Server console or indirectly by using a SSH Workstation through the Encryption Server, i.e., by using AVSS/NET.

5. AVSS/NET FIREWALL (for added security)
Both the Encryption Server and AVSS server sit behind an IP based packet filtering firewall. All incoming and outgoing packets are inspected and analyzed. IP spoofing is prevented by only allowing packets that have identical incoming and outgoing destinations. The firewall also prevents ALL incoming network traffic from directly reaching the AVSS Server; this prevents any type of direct penetration from an untrusted source. The firewall allows only incoming TCP Port 22 for SSH to access the Encryption Server. System logs for the Encryption Servers (there are actually two for redundancy) are sent on a private network to a local Log Server located behind the firewall. The firewall prevents all incoming traffic outside of the AVSS Project subnet from reaching the Log Server. The Log Server collects and analyzes the incoming logs from the Encryption Servers for abnormal activity every five minutes. When abnormal activity is found, the Log Server emails security@avss.ucsb.edu with excerpts from the log files.

6. AVSS/NET CONNECTIONS
As shown in the AVSS connection diagram below, the AVSS/NET connection process is as follows:
The Client Workstation loads the SSH software (SecureCRT) and tries to make a connection to the Encryption Server. The Encryption Server checks its database to see if the Client Workstation is coming from a trusted source then prompts the Client for authentication. When the Client Workstation successfully connects to the Encryption Server, the Encryption Server then connects to the AVSS Server. The user is then prompted for their current AVSS password and normal AVSS operations can begin.

Return To AVSS Home Page