SSH Tectia

Tunneling with SSH Tectia Connector

SSH Tectia Connector has been especially designed for application tunneling. It provides encryption and strong two-factor authentication to third-party network client applications. It allows a company IT administrator to install transparent network security to Windows workstations in order to secure the intranet communications of any standard applications that use TCP/IP.

SSH Tectia Connector can be used for example to secure connections from workstations to the department server room, or to connect securely to the office e-mail server and intranet from a remote location.

Architecture

SSH Tectia Connector connects to SSH Tectia Server with Tunneling Expansion Pack and captures all network communication originating from applications on the local workstation such as MS Outlook, MS Internet Explorer, Netscape and other software.

When an application tries to establish a connection to a remote host, SSH Capture DLL queries from the Connection Broker whether the connection needs to be blocked, passed directly or tunneled securely through an SSH Tectia Server. If the connection requires tunneling, the Connection Broker creates a TCP listener as a local tunnel end point and the application connection is redirected to that local end point.

Processes running with the SYSTEM account are passed through, and only user processes are captured. Connector uses the standard Windows Socket API.

The architecture of SSH Tectia Connector

Figure 4.11. The architecture of SSH Tectia Connector

SSH Tectia Connector directs the network communication using tunneling (port forwarding) over the secure SecSh connection to the SSH Tectia Server with Tunneling Expansion Pack, which, if necessary, relays the traffic to the destination host. The connection segment between SSH Tectia Connector and SSH Tectia Server is secure and the relayed connection between the SSH Tectia Server and the application server is unsecured. This is why it is recommended that there is at least one SSH Tectia Server in each physically secured area such as a machine room.

Connector can secure network client applications that initiate connections to server applications using TCP communications. Other network protocols such as UDP are currently not supported. Also applications that initiate connections from the server to the workstation are currently out of the scope of SSH Tectia Connector.

For example, when FTP is used in passive mode, the FTP client initiates both command and data connections to the server. This way, SSH Tectia Connector is able to capture the connections and secure them regardless of port numbers and the number of data connections. When the FTP client connects to an FTP server using active mode FTP, the FTP server initiates the data connections, and they are not captured by SSH Tectia Connector. Hence, in active mode FTP, connections are not secured.

Example Scenario

  1. An application connects to a service on a specific host and does a DNS query.

  2. SSH Capture DLL captures the query and redirects it to the Connection Broker.

  3. The Connection Broker returns a pseudo IP address for the hostname.

  4. The application connects to the host using the returned pseudo IP address.

  5. SSH Capture DLL captures the connection call and queries Connection Broker which action to take. The Connection Broker returns one of four possible actions:

    1. BLOCK if SSH Capture DLL should block the connection attempt.

    2. DIRECT if SSH Capture DLL should pass the connection directly with a real IP address.

    3. TUNNEL if SSH Capture DLL should redirect the connection into a tunnel created by the Connection Broker. If this action is returned, SSH Capture DLL connects to the local tunnel end point and all further communication goes through an encrypted SecSh tunnel.

    4. FTP-PROXY for converting FTP connections to SFTP. This feature is included in SSH Tectia Client with EFT Expansion Pack.

Supported Functionality

SSH Tectia Connector supports the following functionality:

  • Secure Shell tunneling connections to hosts.

  • Connections through SOCKS4 and SOCKS5 firewalls.

  • Public-key user authentication using the Connection Broker.

  • Password authentication by querying the password from the user via a graphical user interface.

  • Encryption-only connections to applications that handle the authentication themselves.

    [Note]Note

    It is not recommended to use this feature when tunneling an application that does not perform any user authentication.

  • GSSAPI

  • PKI (X.509 certificate authentication)

Unlike SSH Tectia Client, SSH Tectia Connector does not provide any file transfer functionality or a terminal client. You can use TCP-based file transfer applications and terminal clients, and secure their network communications using Connector.