SSH Tectia Client and Server have the following main usage scenarios:
- Secure System Administration
- Secure File Transfer
- Secure Database Replication with Static Tunneling
- Secure Application Connectivity
- Fully Transparent Security with Windows Domain Authentication
- Encrypted Application Connectivity and Login
- Secure TN3270 Application Connectivity
See below for details on each usage scenario.
Secure System Administration
The Secure Shell (SSH2) protocol, developed by SSH Communications Security, is a standard remote access mechanism providing secure upgrade capability for legacy login, remote command execution, and file transfer methods. Secure Shell provides confidentiality, integrity, and authentication for system administration connections, eliminating common network security threats such as password exposure, data eavesdropping, and connection hijacking.
SSH Tectia Client provides a client-side secure terminal, replacing Telnet, for system administrators to both access and administer computers running SSH Tectia Server or any other standards-based Secure Shell implementation. The broad platform support of SSH Tectia, including Windows, Unix, Linux, and mainframe systems, allows organizations to standardize on a single Secure Shell solution for secure server administration throughout heterogeneous enterprise networks.
The Windows version of SSH Tectia Client provides advanced configuration options and an easy-to-use GUI for interactive file transfers. Flexible authentication options with support for third-party authentication systems, including RSA SecurID, PKI, and Windows domain authentication, enable reliable identification of system administrators.

SSH Tectia Client and Server are based on the IETF Secure Shell standard specifications and include additional compatibility features to facilitate seamless interoperability with third-party Secure Shell implementations.
* Secure terminal usage of SSH Tectia Client (Windows)
Secure File Transfer
Many system administrators utilize periodic and ad-hoc file transfers based on plaintext FTP (File Transfer Protocol) for moving database backups, transaction logs, and other files that contain sensitive information. Eavesdropping of such transfers constitutes a serious threat to the integrity and confidentiality of data.
The SSH Tectia Client and Server products provide a solution to counter this threat by replacing unsecured FTP connections with SFTP (Secure File Transfer Protocol) based on the Secure Shell standard. Versatile command-line SFTP and SCP (Secure Copy) tools of SSH Tectia Client and Server allow easy scheduling of scripted file transfers by using OS-integrated and third-party scheduling systems.

SSH Tectia Client for Windows provides an easy-to-use graphical user interface for interactive exchange of files with remote servers running Windows, Unix, Linux, and IBM z/OS. Files can be dragged and dropped between the systems similarly to commonly used unsecured FTP clients.

* Secure interactive file transfer with SSH Tectia Client (Windows)
Whereas SSH Tectia Client and Server products can be used to implement simple, secure file transfers, the EFT (Enhanced File Transfer) Expansion Packs for SSH Tectia Client and Server are separately available for more demanding use cases that require enhanced file transfer functionality such as a checkpoint/restart mechanism, higher file transfer performance, or transparent FTP-SFTP conversion. For more information, please visit the EFT Expansion Pack page.
Secure Database Replication with Static Tunneling
SSH Tectia Client and Server support static tunneling of TCP-based application connections to ensure confidentiality, integrity, and authentication of transmitted data. It is possible to configure SSH Tectia Client so that the secure tunnel is automatically established when a specific application connects to the remote server.
One common use case for pre-configured static tunnels is securing protocols used for online database back-up and replication between enterprise servers, as an alternative to periodic file transfers using SFTP. When the replication protocol connection is initiated on the client side, SSH Tectia Client or SSH Tectia Server (with its built-in client-side functionality) automatically establishes the Secure Shell connection and starts tunneling the replication connection according to the pre-configured setting.
The static tunneling feature of SSH Tectia Client and Server requires that the application client is configured to route network connections through the local host. For transparent tunneling of end-user application connections between Windows workstations and remote servers, without the need to reconfigure the application's network settings, the Tunneling Expansion Pack is separately available. For more information, please visit the Tunneling Expansion Pack page.

Secure Application Connectivity
With the widespread adoption of business applications such as CRM (Customer Relationship Management) and ERP (Enterprise Resource Planning), the flow of unprotected sensitive information in enterprise networks is ever increasing. Because both internal and external security threats are growing at the same time, communications security can no longer be managed with traditional perimeter security solutions, such as firewalls and VPNs, alone. More comprehensive end-to-end communications security throughout diverse enterprise networks is needed to meet the strict security requirements of new regulations and corporate security policies.
SSH Tectia Client for Windows has been designed to provide transparent protection of application connections between the enterprise workstations and the application servers. As invisible and centrally managed desktop software, SSH Tectia Client for Windows eliminates the need for end-user training and helpdesk costs, thus reducing the total cost of ownership (TCO) of the security system. The broad platform support of SSH Tectia Server facilitates easy integration into cross-platform environments consisting of Windows, Unix, Linux, and mainframe-based application servers.

The flexible user interface of SSH Tectia Client for Windows allows administrators to specify security rules that match the requirements of the enterprise security policies. For example, less sensitive applications and application connections with built-in security (e.g. HTTPS) can be passed through without tunneling. Centralized management of transparent tunneling with SSH Tectia Manager eliminates the need for costly on-site configuration.
For more details, please read the Secure Application Connectivity - Application Note.
Fully Transparent Security with Windows Domain Authentication
When both the workstation and server are located in the same Windows (NT or Active Directory) domain, it is possible to integrate the Windows Domain logon with SSH Tectia using the Kerberos/GSSAPI feature to enable single sign-on to Secure Shell connections. This means that when a user logs on to a Windows Domain, the user gets a "ticket" that can be used for authentication. In this case, the authentication procedure is non-interactive; the user is not prompted to enter a password when the SSH Tectia Client for Windows connects to the SSH Tectia Server.
When used together with transparent tunneling of SSH Tectia Client for Windows and SSH Tectia Server, Windows domain authentication makes SSH Tectia fully invisible to the end user, while still implementing strong encryption and authentication. When the user is connecting to an application, which requires tunneling, the Secure Shell connection and application tunnel are established automatically without any user interaction.
Encrypted Application Connectivity and Login
When SSH Tectia is used to protect application connections, it is not always necessary to implement strong user authentication. If it is acceptable to the established local security policy to rely on the security of the application's own login mechanism, there is no need to authenticate the user when establishing the application tunnel. In this kind of scenario, SSH Tectia Client for Windows and SSH Tectia Server can be used to ensure that all application data and passwords are encrypted while in transit, eliminating risks of data eavesdropping and password sniffing. The application itself ensures that users are properly authenticated.

User-specific authentication can be avoided by creating a common global account for a group of users, with rights to establish tunnels only (specifically no terminal or file access is allowed). The corresponding username and password can then be distributed with SSH Tectia Manager to those SSH Tectia Client for Windows workstations. SSH Tectia Client for Windows can automatically connect to the application server with the common user group credentials without the need to prompt the user for any login credentials. Therefore, there is no user interaction needed for authentication.
Note that in this scenario, the SSH Tectia Client for Windows and SSH Tectia Server can also be used in conjunction with a single sign-on (SSO) solution to implement non-interactive Secure Shell user authentication. Another alternative is to use Windows domain authentication as introduced in the previous use scenario.
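One way to check that a shared account like the one described above really is limited to tunnels, as an added example that is not SSH Tectia code: it audits OpenSSH-style `sshd_config` text, used here as an assumed stand-in because the page does not show SSH Tectia's own configuration format. The account name `apptunnel`, the host and the port are constructed.

```python
# Added example, not vendor code. Assumes OpenSSH sshd_config keywords and
# defaults; only literal "Match User name[,name]" blocks are understood.
DEFAULTS = {"permittty": "yes", "forcecommand": "none", "allowtcpforwarding": "yes",
            "permitopen": "any", "allowagentforwarding": "yes", "x11forwarding": "no"}

# Directive -> test its effective value must pass for a tunnel-only account.
CHECKS = {
    "permittty": lambda v: v == "no",                    # no terminal
    "forcecommand": lambda v: v.split()[:1] not in ([], ["none"], ["internal-sftp"]),
    "allowtcpforwarding": lambda v: v == "local",        # client-to-server tunnels only
    "permitopen": lambda v: v not in ("", "any"),        # fixed tunnel destinations
    "allowagentforwarding": lambda v: v == "no",
    "x11forwarding": lambda v: v == "no",
}

def effective_settings(config_text, user):
    """Resolve settings for user: defaults < global section < Match User blocks."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            hit = len(crit) == 2 and crit[0].lower() == "user" and user in crit[1].split(",")
            target = match_opts if hit else {}   # other users' settings are discarded
        else:
            target.setdefault(key, value)        # first value obtained wins
    return {**DEFAULTS, **global_opts, **match_opts}

def audit_tunnel_only(config_text, user):
    """Return the directives whose effective value breaks the tunnel-only policy."""
    settings = effective_settings(config_text, user)
    return [name for name, ok in CHECKS.items() if not ok(settings[name])]

# Constructed samples: the shared account as first created, then restricted.
WEAK = """
PasswordAuthentication yes
Match User apptunnel
    AllowTcpForwarding yes
"""
HARDENED = """
AllowTcpForwarding no
Match User apptunnel
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    AllowTcpForwarding local
    PermitOpen erp.example.internal:3200
    AllowAgentForwarding no
    X11Forwarding no
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_tunnel_only(cfg, "apptunnel"))
```

Because the same credentials are distributed to every workstation in the group, each directive the audit reports on the weak sample is access that any holder of those credentials would have.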
Secure TN3270 Application Connectivity
TN3270 terminal emulation is widely used on Windows workstations to provide enterprise end users with direct access to IBM mainframe applications. Because many organizations have not implemented encryption controls for TN3270 application connections, sensitive data and user passwords are constantly exposed in the enterprise networks.
Transparent TN3270 tunneling requires that SSH Tectia Server for IBM z/OS is installed on the IBM mainframe. When the terminal client accesses a remote mainframe, SSH Tectia Client for Windows captures the connection transparently and establishes a secure tunnel between the workstation and IBM z/OS system. All TN3270 application connection traffic is then transmitted over an encrypted Secure Shell tunnel, ensuring confidentiality of user passwords and application data.
End users can continue to use their existing terminal emulator clients and there is no need to introduce a new authentication layer, as the mainframe's RACF passwords can be used for authenticating SSH Tectia connections. End-user transparency makes SSH Tectia a highly cost-effective solution for securing both interactive end-user connections and automated file transfers to and from IBM mainframes.

