
Secure Application Connectivity

Frequently asked questions and answers about SSH Tectia and secure application connectivity:

  1. What does secure application connectivity with SSH Tectia mean?
  2. What products are needed to secure application connectivity with SSH Tectia? 
  3. How does the transparent TCP tunneling feature of SSH Tectia work? 
  4. What is the difference between static application tunneling (port forwarding) and transparent application tunneling? 
  5. What kinds of threats exist when using business applications? 
  6. What security technologies are used in SSH Tectia to secure application connections? 
  7. What types of business applications can be protected with SSH Tectia? 
  8. Can SSH Tectia secure in-house legacy applications? 
  9. How visible is SSH Tectia to the end-user when an application is being protected? 
  10. What is deperimeterization and what are its security implications?


Q1. What does secure application connectivity with SSH Tectia mean?

With SSH Tectia, large organizations can cost-effectively secure application connections between end-user workstations and application servers without any modification to the application itself. SSH Tectia can be applied in different ways to ensure the confidentiality, integrity, and authentication of application data while it is transmitted over TCP/IP networks. You may, for instance, replace unsecured Telnet-based terminal clients and servers with SSH Tectia when accessing command-line applications. Alternatively, SSH Tectia ConnectSecure or SSH Tectia Client for Windows 6.0 (or newer) can automatically and transparently tunnel the data of any TCP-based application without the need to reconfigure or modify existing applications.



Q2. What products are needed to secure application connectivity with SSH Tectia?

SSH Tectia Client and SSH Tectia Server products can be used to replace unsecured terminal application connections between workstations and servers. SSH Tectia Client provides a Telnet-like user interface and ensures full integrity and confidentiality of the remote terminal connection. 

SSH Tectia Client for Windows and SSH Tectia Server are needed to transparently tunnel application connections between Windows workstations and servers, while SSH Tectia ConnectSecure supports connections between Windows servers and an SSH Tectia Server. Transparent application tunneling eliminates the need to modify or reconfigure applications when implementing secure application connectivity.

When used in conjunction with SSH Tectia Server for IBM z/OS, SSH Tectia Client for Windows allows transparent tunneling of TN3270 terminal application connections between Windows workstations and IBM mainframes. 





SSH Tectia Manager can be used to deploy, configure, update, and audit the SSH Tectia environment from a central location. For large enterprises this is a cost-effective solution: it drastically reduces the cost of upgrades, patches, and security-policy changes, and it eases the auditing burden placed on IT resources.



Q3. How does the transparent TCP tunneling feature of SSH Tectia work?

Once the application software initiates a connection to the network server, SSH Tectia Client for Windows or SSH Tectia ConnectSecure transparently captures the connection, authenticates the user, and establishes a secure, encrypted connection. Because of the transparent TCP tunneling capabilities of SSH Tectia, no configuration changes are required for the tunneled applications; unlike with other solutions, you do not need to reconfigure the application client to route its connections to localhost. Securing the application connections is fully transparent to the end users, so there is no need to train them in the use of SSH Tectia.

 







Q4. What is the difference between static application tunneling (port forwarding) and transparent application tunneling?

Please read the answer to question Q3 above to learn how transparent application tunneling with SSH Tectia works.

The SSH Tectia Client product also supports static application tunneling (also known as port forwarding). With static application tunneling, the application's connections must be re-routed through the local host in order to establish a secure application connection. This means that the network settings of the application client have to be reconfigured so that the client connects to a specific TCP port on the local host instead of to the real server. Additionally, SSH Tectia Client needs to be configured to forward that tunneled (localhost) connection to the remote server over the Secure Shell connection.

 






Figure: Static application tunneling in action


Unlike the transparent application tunneling of SSH Tectia Client or SSH Tectia ConnectSecure, static application tunneling requires changes in the client-side network settings and can mainly be used with application protocols that use fixed ports: a protocol that negotiates its ports dynamically cannot be pointed at a single localhost port in advance. Static application tunneling can also be used for securing unattended connections between servers.
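To make the client-side plumbing of static tunneling concrete, the following Python script is an added example written for this page; it is not SSH Tectia code and not a product of SSH Communications Security. It wires up three parties on the loopback interface: a listener on the local host (the role the SSH client's forwarded port plays), an application client that has been reconfigured to connect to 127.0.0.1 and the tunnel port instead of to the real server, and a relay from that local port to the application server. Two simplifications are assumed so that it runs offline: the leg that SSH Tectia would carry inside the encrypted Secure Shell connection is a plain TCP relay, and the "application server" is a constructed echo server. All function names are the example's own.

```python
import socket
import threading

# Example added for this FAQ, not SSH Tectia code (needs Python 3.8+). Assumed simplifications:
# the encrypted Secure Shell leg is a plain loopback TCP relay, the application server is a
# constructed echo server, so the whole thing runs offline.

def _listen(host):
    """Bind a listening TCP socket on host with an OS-chosen port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, 0))
    sock.listen(5)
    return sock, sock.getsockname()[1]

def _stopper(sock):
    """Return stop(): wake a blocked accept() via shutdown, then close the listener."""
    def stop():
        try:
            sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        sock.close()
    return stop

def start_echo_server(host="127.0.0.1"):
    """Stand-in application server: replies b'echo:' + all bytes received."""
    srv, port = _listen(host)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed by stop()
                return
            with conn:
                buf = b""
                while chunk := conn.recv(4096):   # read until the client half-closes
                    buf += chunk
                conn.sendall(b"echo:" + buf)
    threading.Thread(target=serve, daemon=True).start()
    return port, _stopper(srv)

def _pump(src, dst):
    """Copy src -> dst until EOF, then pass the half-close on to dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _relay(app, remote):
    back = threading.Thread(target=_pump, args=(remote, app), daemon=True)
    back.start()
    _pump(app, remote)           # app -> remote in this thread, remote -> app in 'back'
    back.join()
    app.close()
    remote.close()

def start_local_forwarder(remote_host, remote_port, listen_host="127.0.0.1"):
    """Static tunnel endpoint (the SSH client's forwarded port): accept on listen_host:<port>
    and relay each connection to remote_host:remote_port. Loopback by default: a 0.0.0.0 bind
    would let any host on the LAN ride the tunnel with this user's credentials."""
    lsock, port = _listen(listen_host)
    def accept_loop():
        while True:
            try:
                app, _ = lsock.accept()
            except OSError:
                return
            try:
                remote = socket.create_connection((remote_host, remote_port))
            except OSError:          # server unreachable: refuse the application's connection
                app.close()
                continue
            threading.Thread(target=_relay, args=(app, remote), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return port, _stopper(lsock)

def app_request(host, port, payload):
    """Reconfigured application client: its 'server address' is the tunnel endpoint."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))

def demo():
    """Server, tunnel endpoint and client on loopback; returns the reply the client sees."""
    srv_port, stop_srv = start_echo_server()
    fwd_port, stop_fwd = start_local_forwarder("127.0.0.1", srv_port)
    try:
        return app_request("127.0.0.1", fwd_port, b"hello")
    finally:
        stop_fwd()
        stop_srv()

if __name__ == "__main__":
    print(demo())  # b'echo:hello'
```

Two practitioner points the script makes visible. First, the listener binds to 127.0.0.1 on purpose: a forwarded port bound to all interfaces would let any host that can reach the workstation send traffic through a tunnel that was authenticated with that user's credentials. Second, the application client has to be told to connect to the local port, and if it is not reconfigured it still reaches the server directly and simply bypasses the tunnel; that reconfiguration is exactly what transparent tunneling avoids, and it is why static tunneling suits only protocols whose ports are known in advance.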



Q5. What kinds of threats exist when using business applications?

Enterprises have traditionally implemented encrypted communications between remote user workstations and the corporate firewall residing at the network perimeter. With the adoption of enterprise applications such as CRM (Customer Relationship Management) and ERP (Enterprise Resource Planning), the flow of unprotected sensitive business information within corporate LANs is ever increasing. Internal and external threats such as eavesdropping on the internal network by employees, the adoption of wireless local area networks, and the emergence of new, sophisticated network worms put the confidentiality and integrity of mission-critical data at serious risk.



Q6. What security technologies are used in SSH Tectia to secure application connections?

SSH Tectia uses version 2 of the Secure Shell protocol (SSH-2), developed by SSH Communications Security and standardized by the IETF. The Secure Shell protocol is a standard remote access mechanism used by millions of users worldwide. Through advanced authentication and encryption technologies it provides confidentiality and integrity of the transmitted data as well as strong authentication of users, and it authenticates the server to the client by means of its host key.

SSH Tectia supports strong encryption algorithms such as AES, 3DES, and Cryptocore for protecting the transmitted data, and the RSA and DSA public-key algorithms for host and user authentication. The underlying cryptographic libraries have been FIPS 140-2 validated, making SSH Tectia suitable for even the most demanding government and enterprise environments.

The broad authentication support of SSH Tectia includes passwords, public-key authentication, certificates and PKI, GSS-API/Kerberos, RADIUS, PAM, and RSA SecurID.

For more information on technical specifications, please read the SSH Tectia client/server solution datasheet.



Q7. What types of business applications can be protected with SSH Tectia?

SSH Tectia can transparently secure virtually any TCP-based application. To ensure that SSH Tectia is easy to use in today's complex IT environments, SSH regularly tests its compatibility with a wide range of commercial application software. Tested application products include SAP, Oracle E-Business Suite, Lotus Notes, and common e-mail applications. A list of currently compatible applications can be found at the SSH Resource Center. Please contact us if your application is not listed.

For more information, please see Compatibility Notes.



Q8. Can SSH Tectia secure in-house legacy applications?

Yes, SSH Tectia can secure legacy client/server applications that have been developed internally, without the need for code-level or other changes to these applications.



Q9. How visible is SSH Tectia to the end-user when an application is being protected?

Typically the only visible interaction between SSH Tectia and the end user is the PIN dialog or password prompt shown when the secure connection is being established. However, the authentication prompt can be eliminated if Windows domain authentication, Entrust Authority, or a single sign-on system can be used. Other possibilities exist to make the tunneling fully invisible to the end users.



Q10. What is deperimeterization and what are its security implications?

Traditionally, information security systems have been built on the concept of perimeter security, which relies on safeguards such as firewalls and anti-virus gateways. The perimeter security model assumes that the internal network can be trusted and does not require any additional security measures. However, as a combined result of several recent IT trends, information security threats can no longer be stopped at the network boundary alone. This is a consequence of an effect called deperimeterization or, more simply, the disappearing perimeter.

The Internet is increasingly used to offer remote access to employees and to integrate business applications with customers' and partners' environments. The integration commonly involves opening holes in the perimeter firewalls to allow access to the back-end servers. As a result, corporate networks carry large amounts of application traffic originating from external sources that are not under the administration of the corporate IT department. Furthermore, perimeter security offers no protection against the new threats created by the adoption of wireless access to the corporate network (e.g. WLAN).

In the age of deperimeterization, a more comprehensive security approach is needed to protect critical data from the inside out. One important part of preparing networks for deperimeterization is securing mission-critical business applications end to end. SSH Tectia for secure application connectivity can meet this requirement.