
Features & Benefits

SSH Tectia Client and Server have the following main features and benefits. For a detailed list of new features and enhancements in the latest versions, please read the release notes for SSH Tectia Client and SSH Tectia Server.

Secure Shell Protocol

Compliance with the IETF Secure Shell standards: SSH Tectia Client and Server implement the Secure Shell (version 2) protocol as defined by the IETF Proposed Standard RFC specifications. SSH Communications Security is the original developer of Secure Shell and has been an active driver of the Secure Shell standardization in the IETF.
Comprehensive cryptographic support: SSH Tectia Client and Server offer state-of-the-art encryption with broad support for symmetric ciphers including 3DES, AES, Arcfour, Blowfish, SEED, and Twofish. Supported message authentication and public-key algorithms include MD5, SHA-1, Diffie-Hellman, DSA, and RSA.
FIPS-certified cryptographic library: SSH Tectia Client and Server incorporate a FIPS 140-2 certified cryptographic module to help ensure acceptance in government audits. The FIPS 140-2 Cryptographic Library has been validated for both Windows and major Unix platforms.
Versatile command line tools: SSH Tectia Client and Server include versatile command line tools that can be used for remote login, remote command execution, and file transfer operations. These tools allow easy scripting of automated jobs such as secure file transfers or starting and stopping of services in remote locations.
Tunneling (port forwarding): One of the key features of Secure Shell, in addition to secure terminal access and secure file transfers, is its ability to tunnel TCP-based application connections. SSH Tectia Client and Server allow static application tunneling where application client connections are routed through the local TCP port, and then securely forwarded to a remote Secure Shell server.
Pre-configured tunneling: Before an application can be tunneled, a Secure Shell connection needs to be established. When using the pre-configured tunneling feature, SSH Tectia Client listens to a specific port and establishes the connection automatically when the specific application is connecting to the localhost port.
Authentication agent: SSH Tectia Client incorporates authentication agent functionality that allows the caching of passphrases (used for encrypting the private key), eliminating the need to retype the passphrase each time a connection is made. In addition, authentication can be "forwarded", allowing administrators to hop from one server to another without the need to store private keys in multiple servers.
Host-based authentication: Host-based authentication mimics the legacy rhosts authentication that was used with Unix tools such as rsh and rcp to control access to systems based on the address of the remote host. The Secure Shell host-based authentication utilizes strong cryptography for host identity verification.
Firewall traversal: SSH Tectia Client and Server support SOCKS (4 and 5) and HTTP proxy for accessing Secure Shell servers located behind firewalls.
Multi-channel support: Multi-channel support allows users to have multiple terminal sessions, file transfers, and application tunnels that are multiplexed to a single Secure Shell connection without the need to authenticate every session separately.
Configurable re-keying policies: Administrators can configure the renewal period for session encryption keys according to the security requirements.

Secure File Transfer

Mainframe-friendly file transfer commands: The client-side SFTP implementation in the SSH Tectia Client and Server products features single put (sput) and single get (sget) commands that allow explicit source_file destination_file syntax for easier transfer of files to and from mainframe datasets. Support for the site command allows defining server-specific file transfer settings, including mainframe dataset parameters.
Secure copying, moving, editing and removing of files with SFTP: The SFTP (Secure File Transfer Protocol) functionality of SSH Tectia Client and Server provides a secure, drop-in replacement for plaintext FTP, allowing secure copying, moving, editing, and removing of files over TCP/IP networks.
Scripted file transfers: SSH Tectia Client and Server include versatile command line SFTP and SCP (Secure Copy) tools for easy scripting of automated and ad-hoc file transfers between enterprise servers.
Windows GUI: Easy-to-use graphical user interface for Windows allows users to securely drag-and-drop files between local Windows and remote Unix, Linux, Windows, and mainframe systems.
Anonymous secure file transfers: SSH Tectia Server can be configured to allow anonymous file transfers in environments where user authentication is not required. When anonymous authentication is in use, users do not need to type in a password.
MVS dataset listing: When used in conjunction with SSH Tectia Server for IBM z/OS, users of SSH Tectia Client can list IBM MVS (Multiple Virtual Storage) datasets as files and folders, facilitating seamless cross-platform file transfer between mainframe and non-mainframe systems.
Easy SFTP subsystem chrooting: SSH Tectia Server can be easily configured to confine users to a specific directory tree (e.g. home directory) for added security and ease of use.
OpenSSH SCP support: SSH Tectia supports the legacy OpenSSH SCP implementation for easy migration of OpenSSH environments to SSH Tectia, creating a smoother transition to ensure seamless connectivity during the migration period.

Transparent TCP Tunneling

Transparent application tunneling (New): SSH Tectia Client for Windows enables transparent application tunneling without the need to modify the tunneled applications. The main barrier for wider adoption of Secure Shell tunneling is eliminated, as there is no longer any need to reconfigure the application client's network settings with localhost addresses. When the connection is initiated by the application client, SSH Tectia Connector transparently captures the connection and establishes a secure tunnel according to the policy rules.
Fine-grained policy control (New): Administrators can freely define application security policies including rules to tunnel, allow plaintext, or block specific client-side application connections. The flexible configuration interface provides administrators with multiple ways of specifying the tunneled applications; applications can be identified according to destination address and/or port, application name, or location of the application client binary.
Centrally managed (New): SSH Tectia Client for Windows has been designed to be centrally managed with the optional SSH Tectia Manager product. Centralized installation, policy configuration, and monitoring enable highly cost-effective deployment and maintenance of secure application connectivity in heterogeneous environments.
Broad application support (New): SSH Tectia Client for Windows can be used to tunnel any TCP-based user client/server application including both commercial application software and internal legacy applications.
Secure TN3270 connectivity (New): SSH Tectia Client for Windows together with SSH Tectia Server for IBM z/OS allows transparent encryption of TN3270 application connections between Windows workstations and mainframes. Mainframe RACF passwords can be used for authenticating Secure Shell connections.
CryptiCore® encryption and authentication (New): The SSH G3 architecture and the high-speed CryptiCore® algorithms (Intel platforms) help in meeting performance requirements of large-scale application access scenarios. CryptiCore enables up to 600 Mb/s application tunneling throughput in 1Gb networks.

High Performance with SSH G3

SSH G3 architecture: SSH G3 is a third-generation Secure Shell protocol implementation, which has been optimized for higher performance in demanding file transfer and application tunneling environments. The SSH G3 architecture provides unparalleled Secure Shell encryption throughput and scalability for large organizations.
Connection scalability: SSH G3 implements an n x m server process architecture for optimized server-side memory consumption and performance. While each server process (total amount n) can handle multiple (m) connections, the memory consumption per connection is considerably lower than in the second-generation Secure Shell implementations, making SSH Tectia an ideal solution especially for large-scale application tunneling.
Higher throughput: The SSH G3 architecture has been designed to minimize internal data handling, such as data copy operations, which reduces the throughput time in large file transfers.
Multi-threading: SSH G3 utilizes multi-threaded programming to fully leverage multi-processor servers for improved performance.
Client-side connection broker: The Connection Broker is a key component in the SSH G3 architecture, handling all protocol and cryptographic operations. Client-side memory consumption is reduced since there needs to be only a single Connection Broker instance running per user. Security is also further improved by isolating all security-critical operations including authentication data handling in a single component.

User Authentication

Passwords: SSH Tectia Client and Server support secure password-based authentication. Unlike in plaintext protocols such as Telnet and FTP, passwords are never sent in plaintext format over the network, eliminating the risk of password exposure.
Public-keys: Public-key authentication (without certificates) provides an easy-to-deploy and secure means of authenticating the users without the need to deploy and maintain a public-key infrastructure. Users will create key pairs for themselves, and upload the public keys to the server for verification.
X.509v3 certificates: SSH Tectia Client and Server support X.509v3 certificates for further security and scalability in large and dynamic network environments. Comprehensive support for IETF PKIX and PKCS standards ensures seamless interoperability with third-party PKI products.
Flexible certificate revocation: SSH Tectia supports both CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol) for centralized revocation of user credentials. CRLs are automatically fetched using HTTP or LDAP depending on the local settings and the CRL Distribution Point extension in the certificate. CRLs can also be imported offline in legacy environments.
Certificate lifecycle management: SSH Tectia Client and Server support IETF PKIX standards (CMPv2) for online certificate enrollment. Certificates can also be imported by using the PKCS#12 envelope format supported by most CAs (Certification Authorities). SSH Tectia has been integrated with Entrust PKI for transparent certificate lifecycle management in Entrust environments.
Smart cards and PKI tokens: SSH Tectia Client supports smart cards, USB tokens, and other PKI authentication devices by supporting PKCS#11 and MSCAPI for interfacing with authentication keys. Strong, two-factor authentication overcomes the inherent security issues of password authentication.
Keyboard-interactive: Keyboard-interactive is a standards-based method of integrating Secure Shell with third-party authentication mechanisms that are based on keyboard input, without the need to modify the client-side application (SSH Tectia Client). Keyboard-interactive is commonly used in conjunction with PAM and RADIUS on the server side.
PAM support: SSH Tectia Server supports PAM (Pluggable Authentication Module) for integrating with third-party authentication systems that have standards-based PAM libraries.
LDAP integration: SSH Tectia Server can utilize standards-based third-party LDAP directories as centralized user repositories. The keyboard-interactive method and third-party PAM modules for LDAP can be used for integrating SSH Tectia Server on Unix with LDAP directories.
RSA SecurID: SSH Tectia Client and Server support RSA SecurID for strong, two-factor authentication. The keyboard-interactive method is used for providing the password from SSH Tectia Client to Server, which is integrated with the RSA Authentication Agent libraries for seamless interoperability.
RADIUS support: The RADIUS (Remote Authentication Dial-In User Service) protocol can be used with SSH Tectia Client and Server for checking users' authentication and authorization information from a remote server. Keyboard-interactive is used for sending the password to SSH Tectia Server, which interfaces with a third-party RADIUS server such as Microsoft IAS or FreeRADIUS.
GSSAPI authentication (Kerberos): Kerberos/GSSAPI authentication enables transparent, single sign-on-like authentication of SSH Tectia Client users. Once the user has logged on to the network and received the logon credentials, there is no need to type in the authentication credentials again through the SSH Tectia Client user interface when accessing Secure Shell servers. Specifically, Kerberos/GSSAPI authentication enables the use of Windows domain authentication and Active Directory accounts with SSH Tectia (SSPI API in Windows).
OpenSSH key support: SSH Tectia Client and Server support the legacy OpenSSH public-key format, eliminating the need for manual key conversions in multi-vendor Secure Shell environments. The key compatibility feature also allows easy migration of OpenSSH environments to SSH Tectia.
Centrify DirectControl support: Integration of SSH Tectia with Centrify DirectControl enables secure host access while leveraging Active Directory-based identity management throughout multi-platform enterprise networks.

Ease of Use

Drop-in replacement for Telnet and FTP: While providing a user interface similar to the widely used Telnet and FTP tools, the SSH Tectia client/server solution provides an easy and cost-effective means of securely replacing plaintext Telnet connections and file transfers in heterogeneous enterprise networks.
Drag-and-drop file transfers: Easy-to-use graphical user interface for Windows allows users to securely drag-and-drop files between Windows and remote Unix/Linux/Windows/mainframe systems.
Windows domain authentication: SSH Tectia Client and Server can be integrated with Windows domain authentication by using Kerberos/GSSAPI for fully transparent user authentication. Once the users are logged on to the domain, there is no need for additional interaction for Secure Shell user authentication.
Easy installation: The installation process of SSH Tectia products is effortless. SSH Tectia Client can also be easily installed by the end users themselves if the security policy allows. SSH Tectia Manager is optionally available for centralized deployment and maintenance of all SSH Tectia software.
Configuration GUI: SSH Tectia Client and Server for Windows offer an intuitive GUI for locally configuring all relevant Secure Shell settings needed for secure terminal access, file transfers, and static application tunneling. SSH Tectia Manager is optionally available for centralized Secure Shell configuration management and security policy enforcement.
XML configuration file format: Demanding and complex security rules such as access control and authentication configurations can be easily set up by using the XML-based configuration file format. Administrators can use existing third-party XML parsers to efficiently view and edit the configuration settings.
User-defined key mappings: Users of SSH Tectia Client can easily create new keyboard shortcuts and edit existing ones according to their preferences.