
Usage Scenarios

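SSH Tectia Connector and SSH Tectia Server with Tunneling Expansion Pack have the following main usage scenarios:

- Secure Application Connectivity
- Fully Transparent Security with Windows Domain Authentication
- Encrypted Application Connectivity and Login
- Secure TN3270 Application Connectivity

See below for details on each usage scenario.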

 

Secure Application Connectivity

With the widespread adoption of business applications such as CRM (Customer Relationship Management) and ERP (Enterprise Resource Planning), the flow of unprotected sensitive information in enterprise networks is ever increasing. At the same time, both internal and external security threats are growing, and communications security can no longer be managed with traditional perimeter security solutions, such as firewalls and VPNs, alone. More comprehensive end-to-end communications security throughout diverse enterprise networks is needed to meet the strict security requirements of new regulations and corporate security policies.

SSH Tectia Connector and SSH Tectia Server with Tunneling Expansion Pack have been designed to provide transparent protection of application connections between enterprise workstations and application servers. As invisible and centrally managed desktop software, SSH Tectia Connector eliminates the need for end-user training and helpdesk costs, thus reducing the TCO (total cost of ownership) of the security system. The broad platform support of SSH Tectia Server facilitates easy integration into cross-platform environments consisting of Windows, Unix, Linux, and mainframe-based application servers.

 


The flexible user interface of SSH Tectia Connector allows administrators to specify security rules that match the requirements of the enterprise security policies. For example, less sensitive applications and application connections with built-in security (e.g. HTTPS) can be passed through without tunneling. Centralized management of transparent tunneling with SSH Tectia Manager eliminates the need for costly on-site configuration.

For more details, please read the Secure Application Connectivity - Application Note.

 

Fully Transparent Security with Windows Domain Authentication

When both the workstation and server are located in the same Windows (NT or Active Directory) domain, it is possible to integrate the Windows Domain logon with SSH Tectia using the Kerberos/GSSAPI feature to enable single sign-on to Secure Shell connections. This means that when a user logs on to a Windows Domain, the user gets a "ticket" that can be used for authentication. In this case, the authentication procedure is non-interactive; the user is not prompted to enter a password when the SSH Tectia Connector or Client connects to the SSH Tectia Server.

 

 

When used together with the transparent tunneling of SSH Tectia Connector and Tunneling Expansion Pack for SSH Tectia Server, Windows domain authentication makes SSH Tectia fully invisible to the end user, while still implementing strong encryption and authentication. When the user connects to an application that requires tunneling, the Secure Shell connection and application tunnel are established automatically without any user interaction.

 

Encrypted Application Connectivity and Login

When SSH Tectia is used to protect application connections, it is not always necessary to implement strong user authentication. If the established local security policy accepts relying on the security of the application's own login mechanism, there is no need to authenticate the user when establishing the application tunnel. In this kind of scenario, SSH Tectia Connector and SSH Tectia Server with Tunneling Expansion Pack can be used to ensure that all application data and passwords are encrypted while in transit, eliminating the risks of data eavesdropping and password sniffing. The application itself ensures that users are properly authenticated.

 

 

 

User-specific authentication can be avoided by creating a common global account for a group of users, with rights to establish tunnels only (specifically, no terminal or file access is allowed). The corresponding username and password can then be distributed with SSH Tectia Manager to the SSH Tectia Connector workstations. SSH Tectia Connector can then automatically connect to the application server with the common user group credentials without prompting the user for any login credentials. Therefore, no user interaction is needed for authentication.

Note that in this scenario, SSH Tectia Connector and Server with Tunneling Expansion Pack can also be used in conjunction with a single sign-on (SSO) solution to implement non-interactive Secure Shell user authentication. Another alternative is to use Windows domain authentication as introduced in the previous usage scenario.
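The tunnel-only restriction on the shared account is what keeps distributed credentials from becoming general server access. The fragment below is an added illustration, not taken from the SSH Tectia documentation, and it uses OpenSSH `sshd_config` syntax rather than SSH Tectia Server's own configuration format; the account name `apptunnel`, the host `erp.example.internal` and port `8443` are placeholders.

```conf
# OpenSSH sshd_config fragment (constructed example, not SSH Tectia syntax).
# "apptunnel" is a placeholder for the shared group account.
Match User apptunnel
    # The shared username/password is distributed centrally to workstations
    PasswordAuthentication yes

    # No terminal access: refuse pty allocation
    PermitTTY no

    # No shell, exec or file transfer: every session, command or subsystem
    # (including sftp) request runs this instead. The nologin path varies
    # by system.
    ForceCommand /usr/sbin/nologin

    # Tunnels only: allow client-to-server (local) forwards, and only to
    # the application endpoint (placeholder host and port)
    AllowTcpForwarding local
    PermitOpen erp.example.internal:8443

    # Close every other channel type the account does not need
    X11Forwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
    GatewayPorts no
    PermitUserRC no
```

Without a destination restriction such as `PermitOpen`, anyone holding the shared credentials could forward to any host and port the server can reach, so the allowed endpoints should be listed explicitly.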

 

Secure TN3270 Application Connectivity

TN3270 terminal emulation is widely used on Windows workstations to provide enterprise end users with direct access to IBM mainframe applications. Many organizations have not implemented encryption controls for TN3270 application connections, so sensitive data and user passwords are constantly exposed in enterprise networks.

Transparent TN3270 tunneling requires that SSH Tectia Server for IBM z/OS is installed on the IBM mainframe. When the terminal client accesses a remote mainframe, SSH Tectia Connector captures the connection transparently and establishes a secure tunnel between the workstation and the IBM z/OS system. All TN3270 application connection traffic is then transmitted over an encrypted Secure Shell tunnel, ensuring the confidentiality of user passwords and application data.

End users can continue to use their existing terminal emulator clients, and there is no need to introduce a new authentication layer, as the mainframe's RACF passwords can be used for authenticating SSH Tectia connections. End-user transparency makes SSH Tectia a highly cost-effective solution for securing both interactive end-user connections and automated file transfers to and from IBM mainframes.