Hardening Application Connectivity with Transparent TCP Tunneling

When SSH Tectia is used only to secure business applications with transparent TCP tunneling, it is not always necessary to implement strong user authentication with the SSH Tectia client/server solution. If it is acceptable from the security policy point of view to rely on the security of the application's own login mechanism, there is no need to require end users to perform double login (first to SSH Tectia Server, then to the application itself).

In this use scenario, the added value created by SSH Tectia is:

  • Confidentiality and integrity are provided for application traffic.

  • Passwords used for application login are encrypted in transit.

Note that in this use scenario SSH Tectia may be used in conjunction with a single sign-on (SSO) solution, which eliminates the need to sign on separately to each application.

User-specific authentication can be avoided by creating a common global account for a group of users, with rights to establish tunnels only (specifically, no terminal or file access is allowed). The corresponding username and password can then be distributed with SSH Tectia Manager to those SSH Tectia Client and ConnectSecure users that need to access business applications running on the SSH Tectia Servers. SSH Tectia Client and ConnectSecure can then automatically connect to the server with the common group credentials without prompting the user for any login credentials. From the end-user point of view there is therefore no visible additional authentication. There is no true additional authentication in the security sense either, because the global account and its password are shared between the users. Strong and still transparent user authentication can be implemented with public-key authentication, for example.
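The tunnel-only group account described above, expressed as an OpenSSH sshd_config Match block. This is an added illustration of the same restriction on a different server, not SSH Tectia Server configuration and not part of the original page; the group name apptunnel, the host app-db.example.internal and port 1433 are assumed.

```conf
# sshd_config excerpt (OpenSSH). Assumed names: group "apptunnel",
# application host app-db.example.internal listening on port 1433.
# Settings outside this Match block keep the server's normal policy.

Match Group apptunnel
    # The shared group credential logs in here; the real per-user
    # login is performed by the application through the tunnel.
    PasswordAuthentication yes
    # Per-user keys in authorized_keys remove the shared secret while
    # staying transparent to the user (the stronger option noted above).
    PubkeyAuthentication yes

    # No shell, no PTY, no SFTP subsystem: every session request is
    # replaced by nologin, so the account can only forward ports.
    ForceCommand /usr/sbin/nologin
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no

    # Client-side (local) forwards only, and only to the application
    # endpoint; remote/reverse listeners are refused.
    AllowTcpForwarding local
    PermitOpen app-db.example.internal:1433
    PermitListen none
```

Clients connect with a forward request and no session (for OpenSSH: ssh -N -L 1433:app-db.example.internal:1433 apptunnel@gateway), so nologin is never even reached in normal use; sshd -T on the server prints the effective policy for a given user and group to confirm the Match block applies.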

Figure 5.5 shows a network diagram of this use scenario.

Figure 5.5. Using transparent TCP tunneling