|
|
|
Securely Transferring Files Using Reflection, EXTRA! or INFOConnect
Technical Note 2172
Last Reviewed 13-Nov-2008
Applies To
Reflection Standard Suite 2008
Reflection for UNIX and OpenVMS 2008
Reflection for IBM 2008
Reflection for IBM 2007
Reflection Windows-based Products version 12.0 through 14.x (excluding Reflection NFS Client)
Reflection for Secure IT version 6.1 or higher
Reflection for the Web version 9.0 or higher
All EXTRA! Products version 9.0 SP2 or higher
INFOConnect Enterprise Edition version 9.0 or higher
Summary
Technical Note 2172
Last Reviewed 13-Nov-2008
Applies To
Reflection Standard Suite 2008
Reflection for UNIX and OpenVMS 2008
Reflection for IBM 2008
Reflection for IBM 2007
Reflection Windows-based Products version 12.0 through 14.x (excluding Reflection NFS Client)
Reflection for Secure IT version 6.1 or higher
Reflection for the Web version 9.0 or higher
All EXTRA! Products version 9.0 SP2 or higher
INFOConnect Enterprise Edition version 9.0 or higher
Summary
Attachmate products offer several options for secure file transfers, including support for SSH/SFTP, tunneling FTP with SSH, and FTP with SSL/TLS. This technical note provides an overview of each of these options, listing their benefits and limitations, and noting which products support each option.
This information is provided in the following order:
SSH/SFTP
SSH is a protocol that establishes a secure channel between a local and remote computer. SSH provides strong, encrypted authentication and a secure encrypted tunnel through which users can execute commands and move data.
There are two file transfer protocols that use SSH for authentication and encryption, SCP and SFTP. This section addresses SFTP. For information about the differences between SCP and SFTP, see Technical Note 1918.
SFTP is not a 'secure version' of the standard FTP protocol. It is a completely different file transfer protocol. You cannot connect to an FTP server using SFTP protocol or to an SFTP server using FTP protocol. The SFTP protocol relies upon SSH to provide authentication and encryption.
Once connected, the client can do a number of file manipulation operations, such as uploading, downloading, renaming, and deleting files. The exact capabilities provided depend upon the SFTP server.
Benefits of SSH/SFTP
- SSH/SFTP uses a different port than FTP, so administrators can block FTP.
- SFTP uses a single port, making it easier to configure your firewall.
- Because SFTP is different than FTP, administrators can eliminate the insecure FTP protocol entirely.
- SFTP provides end-to-end secure file transfers.
Limitations of SSH/SFTP
- Many SSH servers have limited wildcard support.
- The available command set is limited. For example, there is no support for QUOTE or SITE.
- SFTP does not recognize many operating-system-specific file structures.
- SFTP defines only the transfer of binary bitstream data. However, some SFTP clients, such as Reflection's, also provide limited binary to ASCII conversion.
Tunneling FTP with SSH
Tunneling (port forwarding) provides a way to redirect insecure TCP communications (including FTP) through a secure SSH tunnel. Using this method, the FTP protocol establishes two distinct TCP connections between the FTP client and FTP server:
- The control connection is used to manage the session. This connection is initiated by the client.
- The data connection is used for file transfers and directory listings. This connection is initiated by the client, when the client sends the passive mode command to the server. Passive mode is the default mode for the Reflection FTP client.
Reflection can be used to create an SSH tunnel and tunnel FTP. If a passive mode FTP connection is made, both the control connection and data connections are secure, enabling users to connect securely to an FTP server and use the full range of FTP commands.
For more information about FTP tunneling, see Technical Note 1862.
Benefits of Tunneling
- Once connected to the FTP server, you have access to the full range of FTP commands.
- Provides a secure means for continued use of FTP.
- SSH uses a single port (port 22), making it easier to configure your firewall.
Limitations of Tunneling
- Because you are configuring two protocols, FTP and SSH, more configuration and administration is involved than when using just FTP.
- Because FTP is still used (through the SSH tunnel), the FTP protocol cannot be eliminated from the enterprise environment.
- If active mode FTP is used, rather than the default passive mode, the file transfer is not secured end-to-end.
FTP with SSL/TLS
The SSL (Secure Sockets Layer) protocol was developed by Netscape to secure HTTP, but can also be used to secure other protocols. The SSL/TLS protocol uses public key cryptography and certificates for authentication and negotiates session keys for symmetric encryption.
SSL/TLS runs in layers below the FTP client and above the TCP transport protocol. An FTP-SSL client can use SSL to provide authentication and encryption.
Benefits of FTP with SSL/TLS
- Once connected to an FTP server that supports SSL, you have access to the full range of FTP commands and the operating system specific file structure.
- This protocol provides good support for many operating-system-specific file structures.
- This protocol provides good support for IBM host datasets such as MVS.
- It enables continued use of FTP, but with security.
- SSL/TLS provides secure transfers, end-to-end.
Limitations of FTP with SSL/TLS
- The FTP server must support SSL.
- FTP cannot be eliminated from the enterprise environment.
- Administration is more complex because the required authentication uses certificates.
- By default, FTP with SSL/TLS does not provides user authentication, only host authentication.
Which Products Support Which Protocols
The following table shows which Attachmate products and versions support which secure file transfer protocols.
| Product |
Version |
Supports SFTP |
Supports tunneling FTP with SSH |
Supports FTP with SSL/TLS |
| Reflection Standard Suite 2008 |
R1 |
Yes |
Yes |
Yes |
| Reflection for UNIX and OpenVMS 2008 |
R1 |
Yes |
Yes |
Yes |
| Reflection for IBM 2008 |
R1 |
Yes |
Yes |
Yes |
| Reflection for IBM 2007 |
R1 |
Yes |
Yes |
Yes |
| Reflection Windows-based products |
12.0 – 14.x |
Yes |
Yes |
Yes |
| Reflection for Secure IT |
6.1 or higher |
Yes |
Yes |
Yes (7.0 or higher) |
| Reflection for the Web |
9.0 or higher |
Yes |
No |
No |
| EXTRA!* |
9.0 SP2 or higher |
Yes |
Yes |
Yes |
| INFOConnect* |
9.0 or higher |
Yes |
Yes |
Yes |
* EXTRA! X-treme 9.0, INFOConnect Enterprise 8.1 SP1, and INFOConnect Airlines Gateway 2.1 SP1 ship with Reflection Secure FTP 14.x, which is the same as Reflection FTP Client 14.x.
