• CAS
  • |
  • C&EN
  • |
  • Journals
  • |
  • ACS

 search site
Advanced Search »
  • Home
  • |
  • About CAS
    • CAS Media Library
    • CAS Quotes
    • Colors of Chemistry
    • 100th Anniversary Celebration
    • Careers at CAS
    • FAQs
    • Directions to CAS
    • Contact Us
  • |
  • Our Expertise
    • CAS Databases
    • Value Added Tools
    • Technical Service and Support
  • |
  • Solutions
    • Researchers
    • IP Professionals
    • Information Professionals
    • Academics
  • |
  • Products & Services
    • SciFinder
    • STN Family of Products
    • Science IP
    • CAS Client Services
    • CAS Document Detective Service
    • CD Products
    • Print Products
  • |
  • Support & Training
    • SciFinder
    • SciFinder Scholar
    • STN
    • STN Express
    • STN AnaVist
    • STN Viewer
    • STN on the Web
    • STN Easy
    • CAS Customer Care
  • |
  • News & Events
    • What's New
    • Press Room
    • News Releases
    • In the News
    • CAS - Science Connections
    • Trade Shows
  • Technical Support Home
  • System Requirements
  • SciFinder, Security, and the Internet
Home   •   Support  •  SciFinder  •  Technical Support  •  SciFinder, Security, and the Internet
SciFinder, Security, and the Internet

SciFinder® is a TCP/IP (Transmission Control Protocol/Internet Protocol) client/server product that uses the Z39.50 communications protocol. TCP/IP is the communications mechanism used by Internet computers. Z39.50 is an application-level information search and retrieval protocol used primarily by on-line services.  The registered port for Z39.50 is Port 210.

Common security-related questions that you might have regarding SciFinder include:

How secure is SciFinder through my company's firewall?

It is recognized that any communications passing through a firewall is a potential concern to the organization behind the firewall, so SciFinder has been designed to be firewall-secure:

  • The SciFinder client initiates all communications.  During periods of client inactivity exceeding several minutes, the server will poll the client, across the already established Z39.50 connection, requesting confirmation that the client is still active.  Other than the exception above, the SciFinder server acts only in response to client requests.  The SciFinder server will never initiate a connection to a client.  Port 210 may remain in "stealth mode" when "viewed" from the Internet.
  • All communications take place through a registered port, 210. If firewall and client modifications are required per your network security requirements, we strongly recommend that port 210 be used as the designated Z39.50 port on your firewall. However, you may use Network Address Translation for port translation provided that the destination addresses and ports are 134.243.85.3:210 and 134.243.85.4:210
  • All client communications are with two, well-known CAS server sockets
    • 134.243.85.3:210 
    • 134.243.85.4:210
    • Firewall security may be enhanced by creating rules that restrict outbound connections to only the SciFinder Server Sockets listed above.
  • Note for SciFinder 2007: In order to increase connection reliability and to provide load balancing, SciFinder 2007 initiates a client side "auto-select" feature to randomly pick one socket to attempt connection to the CAS SciFinder servers.  If connection fails, then the client tries the other socket, if both fail, then an error message will be displayed.  CAS recommends that both sockets be enabled on your firewall as connection pathways to SciFinder.

     

What about IP spoofing?

A network attack in which a "bad" computer is configured to masquerade as a "good" computer is called IP spoofing. For a spoof to be successful, a rogue computer must be able to convince clients that it is the target (good) computer. The more customized a network service is, the more difficult it is to spoof. For this reason, IP spoofing attacks have always targeted general network services such as "telnet", and not highly unique services such as the Z39.50 protocol which is used by the SciFinder client and server for application level communications. Additionally, the goal of a spoof is to attack a computer by exploiting network "trust" in a client/server relationship. ("Trust" in a network context means that one side of a client/server connection implicitly trusts the other side and so does not require the other side to authenticate itself). SciFinder does not use network trust, which is why it is a poor target for a network spoof.

Are my communications private?

To enhance data confidentiality, SciFinder never sends plain-text ASCII data. All network communications are encoded using BER (Basic Encoding Rules). BER performs a translation ("scrambling") of data. Both sides of a SciFinder client/server connection BER-encode their data just prior to sending it. The receiving side decodes the data by inverting the translation.

More information about the Z39.50 protocol is available at its Maintenance Agency Home Page at the Library of Congress:

http://lcweb.loc.gov/z3950/agency

SciFinder BLAST (Nucleotide and Protein Searching) Security

SciFinder BLAST searching launches client software written in SUN® Java.  The client - server communications use HTTPS (SSL) with 128 bit encryption via Port 443.

  • The client will attempt to create a secure tunnel via Port 443 through the firewall to BLAST server at:
    • 134.243.5.43:443 - DNS name: https://scifinder.cas.org
  • The client may be configured to use an HTTP proxy server by running the Site Preference Editor within SciFinder and entering the HTTP proxy server internal connection information into the HTTP Networking section.
    • Consult the Site Administrator Guide or
    • Contact your SciFinder Key Contact or
    • Contact CAS Customer Care
  • Client authentication to the HTTP proxy is supported using Basic Authentication protocol.

How Can We Increase the Security of our Connection to SciFinder

CAS offers Business to Business VPN connections for companies wishing to increase the security of their Internet connection to CAS.  SciFinder Sales Representatives can provide additional information or contact CAS Customer Care.  The Business to Business VPN will require a VPN gateway at your company Internet interface compatible with the CAS CISCO VPN concentrator.  The CAS networking and security staff will coordinate setup of the VPN tunnel with your IT staff.

 

Download a PDF copy of this page.
Updated 4/17/2007 4:30:17 PM
Home  |  About CAS  |  Our Expertise  |  Solutions  |  Products & Services  |  Support  |  News & Events
Copyright © 2008 American Chemical Society