
Secure System Administration

Frequently asked questions and answers about SSH Tectia and secure system administration:

  1. What does secure system administration with SSH Tectia mean?
  2. What products are needed to implement secure system administration with SSH Tectia? 
  3. What security technologies are used in SSH Tectia to protect system administration? 
  4. Why should I not use traditional remote administration tools, such as Rlogin or Telnet? 
  5. Why should I choose SSH Tectia over open-source-based Secure Shell? 
  6. What platforms are supported? 
  7. How do I manage large Secure Shell environments with SSH Tectia? 
  8. Can SSH Tectia be used with X11-based applications? 
  9. What authentication methods does SSH Tectia support? 
  10. What is a Secure Shell agent and what is agent forwarding? 
  11. Is SSH Tectia compatible with third-party Secure Shell implementations?






Q1. What does secure system administration with SSH Tectia mean?

SSH Tectia allows large organizations to protect their system administration connections in heterogeneous networks. By replacing legacy login (for example, Telnet and Rlogin) and remote command execution mechanisms with strong cryptographic security, SSH Tectia offers effective protection against common network security risks. SSH Tectia is the first and only solution in the market to offer a complete set of Secure-Shell-based products with multi-platform support and centralized software and configuration management functionality. These features make it possible to deploy and operate SSH Tectia in any large and heterogeneous network environment in a highly cost-effective manner.



Q2. What products are needed to implement secure system administration with SSH Tectia?

SSH Tectia Client needs to be installed on the client side and SSH Tectia Server on the server side. SSH Tectia Client provides secure terminal and file transfer capabilities for system administrators to both access and manage servers or other network devices running SSH Tectia Server or another standards-based Secure Shell implementation. The Windows version of SSH Tectia Client offers an easy-to-use GUI with advanced configuration options, facilitating multi-platform compatibility and ease of use.



SSH Tectia Manager is a comprehensive security management platform that allows easy establishment and maintenance of large SSH Tectia Client / Server environments. Centralized security management eliminates configuration errors and enables centralized enforcement of security policies and effective monitoring for improved system security and regulatory compliance. Through the automation and centralization of laborious configuration and software management work, operating costs will be significantly reduced.



Q3. What security technologies are used in SSH Tectia to protect system administration?

SSH Tectia utilizes the Secure Shell protocol (SecSh v2), invented and developed by SSH Communications Security, for securing data communications. The Secure Shell protocol is a standard remote access mechanism used by millions of users worldwide. It provides a secure upgrade capability for unsecured login, remote command execution, and file transfer tools by implementing cryptographic confidentiality, integrity, and authentication. The Secure Shell implementation of SSH Tectia incorporates standards-based strong cryptography including AES, 3DES, DSA, and RSA algorithms. The underlying cryptographic libraries have been FIPS 140-2 certified, making SSH Tectia highly suitable for even the most demanding government and enterprise environments.

The broad authentication support of SSH Tectia includes passwords, public-key authentication, X.509v3 digital certificates (PKI), GSS-API/Kerberos, RADIUS, PAM, and RSA SecurID. For more information on technical specifications, please read the SSH Tectia client/server solution datasheet.



Q4. Why should I not use traditional remote administration tools, such as Rlogin or Telnet?

Telnet and the Unix r-series programs such as Rlogin, RSH, and RCP are the original tools used to remotely access computers over a network. However, since these tools lack security, and passwords and data content are sent as plaintext, it is a trivial matter to eavesdrop on the information as it travels over the network.

Also, standard attack tools that are readily available on the Internet make the interception and malicious spoofing of IP addresses easy. Given the high privilege levels needed to perform system administration tasks such as remote program execution, the inherent security risks of unsecured remote administration are very high.



Q5. Why should I choose SSH Tectia over open-source-based Secure Shell?

Open-source-based Secure Shell (OpenSSH) lacks critical functionality required by large financial institutions and governmental agencies, such as centralized management, integration with common enterprise identity management systems, security certifications (for example, FIPS 140-2), scalable user authentication (for example, two-factor authentication), Windows as a supported platform, commercial professional support services, contractual warranty, and product liability.



Q6. What platforms are supported?

SSH Tectia supports a wide variety of Windows, Linux, Unix, and mainframe operating systems, making it possible to standardize on SSH Tectia throughout a heterogeneous network environment. For details on specific platform support, please visit the SSH Tectia Client / Server page.



Q7. How do I cost-effectively manage large SSH Tectia environments?

With its centralized management capabilities, SSH Tectia is a highly cost-effective choice for server administration in large enterprise networks. The key features of the SSH Tectia Manager product for centrally managing SSH Tectia Client/Server environments include:

  • Centralized deployment and upgrading of SSH Tectia Client/Server software
  • Centralized management and distribution of SSH Tectia Client/Server configurations
  • Centralized SSH Tectia Server authentication key management
  • Environment monitoring capability (auditing, logging, statistics)


The benefits of centralized management with SSH Tectia Manager include:

  • Reduced time and money spent on installing and upgrading large deployments
  • Reduced time and resources used to manage configurations in large deployments
  • More reliable auditing and improved regulatory compliance
  • Increased system security through enforced security policy consistency
  • Reduced total costs of system administration


Q8. Can SSH Tectia be used with X11-based applications?

Yes, SSH Tectia supports tunneling the X11 protocol transparently and securely.



Q9. What authentication methods does SSH Tectia support?

SSH Tectia supports public keys (without PKI) and digital certificates (with PKI) for server authentication. For authenticating users, SSH Tectia supports:

  • Password
  • Public-key
  • PKI (X.509v3 certificate)
  • Smart cards and hardware tokens through MSCAPI and PKCS#11
  • GSS-API/Kerberos (for example, Windows domain authentication)
  • RADIUS
  • Pluggable Authentication Modules (PAM)
  • RACF authentication (in IBM z/OS)

In addition, SSH Tectia has built-in integration with the leading and commonly used authentication systems such as RSA SecurID, Entrust Authority, and Aladdin eToken.



Q10. What is a Secure Shell agent and what is agent forwarding?

Typical use of SSH Tectia involves a system administrator who needs to connect on a regular basis to a large number of remote servers. For example, he/she may need to manage tens or hundreds of remote servers from a single workstation. The authentication agent functionality of SSH Tectia increases usability and system administrator productivity by eliminating the need to type in user credentials every time a secured connection to a server is established. When public-key authentication (either with or without digital certificates) is in use, SSH Tectia Client offers two main authentication agent features:

  • Authentication key caching allows system administrators to set up a security policy in SSH Tectia Client to store the authentication key in memory during a session. As a result, the passphrase (used to encrypt the private key) needs to be typed only once, during the first connection. Subsequent connections to other servers will not require further login interaction.
  • Agent forwarding eliminates the need to store the private key on multiple servers when a system administrator needs to “hop” from one server to another. Instead, the private key needs to be available only on one workstation, and the authentication is “forwarded” from one server to another by the agent. This is a secure method since the actual private key is not sent over the network.
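The hop described in the second bullet, modelled as an added example (not SSH Tectia code, not the Secure Shell agent protocol itself, and not part of the original FAQ): an `Agent` on the workstation holds the private key and only answers signing requests, each `Server` authenticates by a random challenge against its authorized public keys, and a `ForwardedAgent` relays the second server's challenge back to the workstation so the first server never holds the key. The type and function names, the 32-byte challenge, and the use of Ed25519 are assumptions made for the illustration; the real protocol exchanges SSH agent messages and uses the key types listed in Q3.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signer is all a client needs from an agent: sign a challenge, name the key.
type Signer interface {
	Sign(challenge []byte) []byte
	PublicKey() ed25519.PublicKey
}

// Agent is a hypothetical model of the workstation authentication agent: it
// holds the private key and answers signing requests; the key never leaves it.
type Agent struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewAgent generates a key pair, standing in for the key decrypted once with
// its passphrase and then cached for the session.
func NewAgent() (*Agent, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Agent{priv: priv, pub: pub}, nil
}

func (a *Agent) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }
func (a *Agent) PublicKey() ed25519.PublicKey { return a.pub }

// Server models a host that authenticates by random challenge against its
// list of authorized public keys (keyed by raw key bytes).
type Server struct {
	Name       string
	authorized map[string]bool
}

func NewServer(name string, keys ...ed25519.PublicKey) *Server {
	s := &Server{Name: name, authorized: map[string]bool{}}
	for _, k := range keys {
		s.authorized[string(k)] = true
	}
	return s
}

// Authenticate rejects unknown keys, then issues a fresh 32-byte challenge
// and verifies the signature that comes back.
func (s *Server) Authenticate(signer Signer) error {
	pub := signer.PublicKey()
	if !s.authorized[string(pub)] {
		return errors.New("public key not authorized")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	if !ed25519.Verify(pub, challenge, signer.Sign(challenge)) {
		return errors.New("signature did not verify")
	}
	return nil
}

// ForwardedAgent is the agent channel the first server sees when forwarding
// is on. It holds no key: each signing request is relayed back over the open
// session to the workstation agent, so only challenge and signature travel.
type ForwardedAgent struct {
	upstream Signer
	Relayed  int // signing requests relayed through this hop
}

func (f *ForwardedAgent) Sign(challenge []byte) []byte {
	f.Relayed++
	return f.upstream.Sign(challenge)
}

func (f *ForwardedAgent) PublicKey() ed25519.PublicKey { return f.upstream.PublicKey() }

// HopThrough logs in to first from the workstation, then from first to second
// through the forwarded agent; it returns how many requests first relayed.
func HopThrough(agent *Agent, first, second *Server) (int, error) {
	if err := first.Authenticate(agent); err != nil {
		return 0, fmt.Errorf("%s: %w", first.Name, err)
	}
	fwd := &ForwardedAgent{upstream: agent}
	if err := second.Authenticate(fwd); err != nil {
		return fwd.Relayed, fmt.Errorf("%s via %s: %w", second.Name, first.Name, err)
	}
	return fwd.Relayed, nil
}

func main() {
	agent, err := NewAgent()
	if err != nil {
		panic(err)
	}
	// Constructed hosts: a and b trust the administrator's key, c does not.
	a, b, c := NewServer("a", agent.PublicKey()), NewServer("b", agent.PublicKey()), NewServer("c")
	n, err := HopThrough(agent, a, b)
	fmt.Println("workstation -> a -> b: relayed", n, "err", err)
	n, err = HopThrough(agent, a, c)
	fmt.Println("workstation -> a -> c: relayed", n, "err", err)
}
```

Running it shows one successful hop (a single signing request relayed by the first server) and one refusal by a host that does not list the administrator's public key. The model also makes visible the property a practitioner keeps in mind when enabling forwarding: while the session to the first server is open, that server's forwarded channel can ask the workstation agent to sign on the administrator's behalf, which is why forwarding is usually restricted to hosts trusted to the same degree as the workstation.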


Q11. Is SSH Tectia compatible with third-party Secure Shell implementations?

Yes, SSH Tectia is interoperable with third-party Secure Shell implementations including OpenSSH and Reflection for Secure IT from AttachmateWRQ. SSH Communications Security is the original developer of Secure Shell and the protocol implementation of SSH Tectia is strictly based on the protocol specifications of the IETF SecSh Working Group.