COMSOL Security
COMSOL Multiphysics Client–Server Security
The COMSOL Multiphysics client–server architecture lets you access the COMSOL Multiphysics server — the computational engine in COMSOL Multiphysics — as a separate process. COMSOL Multiphysics client–server uses a TCP/IP connection to send data between client and server. The COMSOL Multiphysics server is a single-user server. The design of COMSOL Multiphysics client–server assumes that you, the user, start both the client and the server manually. You are responsible for setting a password for mutual authentication of the client and server. The COMSOL Multiphysics client–server architecture is designed to operate in a secure environment and has only basic security incorporated in its design.
You can also access a COMSOL Multiphysics server with the COMSOL API client in a Java method running in a separate process or a process on a separate computer. This happens, for example, in the LiveLink™ for MATLAB®, where MATLAB® loads the COMSOL API client and launches a separate process with the COMSOL Multiphysics server.
Password Security
You can control whether the client–server password is stored on file between sessions. In the COMSOL Multiphysics client, select the Remember username and password checkbox in the Connect to COMSOL Multiphysics Server dialog to store the password between sessions. In the COMSOL Multiphysics server, by using the option -passwd nostore, you can avoid storing the password on file. If you do not provide the option, the password will be stored on file, and you will not be asked to provide it when you start a new server session.
Before storing your password on file, it is hashed by the SHA256 algorithm. This means that an adversary who gets access to your password file will not easily be able to obtain the password you originally entered. However, an adversary who does get access to your password file could log in to a COMSOL Multiphysics server started by you, or, potentially, have you log in to a hostile COMSOL Multiphysics server.
By default, both the COMSOL Multiphysics client and the COMSOL Multiphysics server write the hashed password to the file .comsol/v64/login.properties in your home directory. Both COMSOL Multiphysics client and server will attempt to make the password file inaccessible for other users by introducing access restrictions. When you use the client and server on the same computer there will only be a single password file by default. This could also happen if you run the client and server on separate computers, if your home directory is located on a shared network drive.
You should avoid storing your client–server password on file if your home directory is located on a network drive that does not encrypt network traffic. If your password is stored on a local drive, your client–server password security will be improved if the drive is encrypted. Generally, a user with administrative access to your computer could get access to your password file.
The COMSOL Multiphysics client–server is designed to protect your password in the network traffic between client and server (see the next section).
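The text says the client and server try to make login.properties inaccessible to other users, and that whoever holds the file can log in as you. The following is an added example, not COMSOL's own code, of a check that verifies those restrictions on a POSIX system; the default path is the one named above, and the POSIX mode-bit semantics are an assumption (on Windows the ACL would have to be inspected instead).

```python
import os
import stat
from pathlib import Path

# Default location named in the text (v64 is the version directory on this page).
DEFAULT_LOGIN_PROPERTIES = Path.home() / ".comsol" / "v64" / "login.properties"


def check_login_properties(path):
    """Return a list of findings about the stored-password file at `path`.

    An empty list means the file is absent (nothing stored, the -passwd nostore
    state) or is owned by the current user and readable/writable only by that
    user.  POSIX permission bits are assumed here; Windows ACLs are not checked.
    """
    p = Path(path)
    findings = []
    if not p.exists():
        return findings
    st = p.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        # Anyone who can read the hashed password can log in to your server.
        findings.append("readable by group or others (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A writer could point your client at a hostile server's credentials.
        findings.append("writable by group or others (mode %o)" % mode)
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    return findings


def restrict_login_properties(path):
    """Tighten the file to owner read/write only (0600) and return the new mode."""
    p = Path(path)
    p.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(p.stat().st_mode)


if __name__ == "__main__":
    for finding in check_login_properties(DEFAULT_LOGIN_PROPERTIES) or ["no findings"]:
        print(finding)
```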
TCP/IP Connection
The TCP/IP communication between client and server is not encrypted. However, the server and client are mutually authenticated using a challenge handshake authentication protocol (CHAP), which means that the client–server password cannot be easily obtained by an adversary who can eavesdrop on the network traffic between client and server.
The TCP connection between the client and the server is otherwise not encrypted. If you require encryption of the TCP connection, you can use third-party software based on protocols such as SSH or IPsec and tunnel the client–server traffic. When doing this you may need access to the port number used for client–server communication. The port number is 2036 by default but can be controlled and modified both from the client and the server.
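To make concrete why an eavesdropper on the unencrypted connection does not learn the password, while a copy of the hashed password file is enough to log in, here is an added illustration of mutual challenge-response authentication. It is not COMSOL's wire protocol: the use of the SHA-256 digest as the shared secret follows the page, but HMAC-SHA256 as the response function, the 16-byte challenges and the role labels are assumptions for this example.

```python
import hashlib
import hmac
import os


def derive_key(password):
    """The stored secret: the page says the password is SHA-256 hashed before
    it is written to disk.  This toy uses that digest directly as the key."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def response(key, challenge, role):
    """Proof of knowledge of `key` bound to one challenge and one role.
    HMAC-SHA256 is an assumption of this example, not COMSOL's construction."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


def mutual_chap(client_key, server_key, rng=os.urandom):
    """One mutual exchange; returns (client_ok, server_ok, wire).

    `wire` lists what an eavesdropper sees: two random challenges and two
    HMAC tags.  Neither the password nor its digest is ever transmitted.
    """
    wire = []
    sc = rng(16)                                   # 1. server challenges client
    wire.append(("server->client", "challenge", sc))
    cr = response(client_key, sc, b"client")       # 2. client answers ...
    cc = rng(16)                                   #    ... and challenges server
    wire.append(("client->server", "response+challenge", cr + cc))
    client_ok = hmac.compare_digest(cr, response(server_key, sc, b"client"))
    sr = response(server_key, cc, b"server")       # 3. server answers
    wire.append(("server->client", "response", sr))
    server_ok = hmac.compare_digest(sr, response(client_key, cc, b"server"))
    return client_ok, server_ok, wire


def replay_is_rejected(client_key, server_key):
    """A captured client response is useless against a fresh server challenge,
    which is why sniffing the traffic does not yield a reusable credential."""
    _, _, wire = mutual_chap(client_key, server_key)
    captured_tag = wire[1][2][:32]      # client's HMAC tag from the old session
    fresh_challenge = os.urandom(16)    # a server never reuses a challenge
    return not hmac.compare_digest(
        captured_tag, response(server_key, fresh_challenge, b"client"))
```

Because `derive_key` is exactly what is stored on disk, anyone holding login.properties can run the client side of `mutual_chap` successfully, which is the file-exposure caveat the Password Security section describes.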
COMSOL Multiphysics Server Security
When running COMSOL Multiphysics client–server operations from the client, file system access is typically performed on the client. However, the COMSOL Multiphysics client can potentially access files on the file system and other operating system resources on the server computer with the same privileges as the user that launched the COMSOL Multiphysics server. The COMSOL Multiphysics client–server security design assumes that the same physical user is operating both the client and the server and that this user is not an adversary.
In particular, when using the COMSOL API on the client computer, you should avoid running Java methods, or MATLAB functions with the LiveLink for MATLAB, that have not been reviewed from a security point of view. Some operations on the COMSOL Multiphysics server will read and write files on the client and server computer, and other operations may run operating system commands or initiate network traffic on the client or server computer. These operations are performed with the same privileges as the user that started the COMSOL Multiphysics client or server.
When running model methods or add-ins for COMSOL Multiphysics client–server, these are run using the security settings for applications (see the next section).