Tectia

Transparent FTP Tunneling

Transparent FTP tunneling is implemented using the Tectia SOCKS Proxy component. Tectia SOCKS Proxy acts as a SOCKS proxy for the FTP client application on the Tectia Server for IBM z/OS host and captures FTP connections based on filter rules. The tunneling is transparent to the user and the FTP application. The only change needed in the FTP application is to change the SOCKS proxy setting to point to a localhost listener.

The SOCKS Proxy uses the hostname, username, and password information provided by the FTP client application to open an authenticated and encrypted tunnel to a Secure Shell server.

The Secure Shell server can also be defined in the filter rules. In this case, the secure tunnel is terminated at the Secure Shell server and from there the FTP connection is forwarded to the FTP server unsecured.

The principle of transparent FTP tunneling is shown in Figure 8.1. Before starting the tunneling, the Tectia SOCKS Proxy must be running and listening to the SOCKS port 1080 on the File Transfer Client host.

Transparent FTP tunneling

Figure 8.1. Transparent FTP tunneling

The following steps happen in transparent FTP tunneling:

  1. An application, a script, or a user triggers a file transfer.

  2. The FTP client in the File Transfer Client machine starts a file transfer to the FTP server in File Transfer Server.

  3. The FTP client makes a SOCKS query. The SOCKS setting in the FTP client is set to point to the localhost Tectia SOCKS Proxy instead of a real firewall.

  4. The filter rules that specify which connections to capture are defined in the SOCKS Proxy configuration. Connections can be captured based on the destination address and/or port.

  5. The SOCKS Proxy module creates an authenticated and encrypted Secure Shell tunnel to a Secure Shell server. The user can be authenticated with the FTP username and password, or with public keys. The Secure Shell server can be the FTP server specified in the original FTP request, or another server can be configured in the filter rules.

  6. The secure tunnel is terminated at the Secure Shell server.

  7. The Secure Shell server forwards the connection to the FTP Server, and the FTP server can continue with post-processing of the transferred files. If the FTP server is located on a third host, the connection from the Secure Shell server to the FTP server will be unsecured. This is why it is recommended that there is at least one Secure Shell server in each physically secured area, for instance, in a machine room.