
SSH Tectia

Transparent FTP Tunneling

Transparent FTP tunneling is implemented using the SSH Tectia SOCKS Proxy component. The SSH Tectia SOCKS Proxy acts as a SOCKS proxy for the FTP client application on the SSH Tectia Server for IBM z/OS host and captures FTP connections based on filter rules. The tunneling is transparent to the user and the FTP application. The only change needed in the FTP application is to change the SOCKS proxy setting to point to a localhost listener.

The principle of Transparent FTP tunneling is shown in Figure 4.6. Before starting the tunneling, the SSH Tectia SOCKS Proxy must be running and listening on the SOCKS port 1080 on the File Transfer Client host. The following steps happen during the tunneling:

  1. An application, a script, or a user triggers an FTP file transfer.

  2. The FTP client makes a SOCKS query. Instead of a real firewall, the SOCKS setting in the FTP client is set to point to the localhost SSH Tectia SOCKS Proxy.

  3. The filter rules that specify which connections to capture are defined in the SOCKS Proxy configuration. Connections can be captured based on the destination address and/or port.

  4. The SOCKS Proxy module creates an authenticated and encrypted Secure Shell tunnel to a Secure Shell server. The user is authenticated with the FTP username and password, or by using public keys. The Secure Shell server can be the FTP server specified in the original FTP request, or a server defined in the filter rules.

  5. The secure tunnel is terminated at the Secure Shell server. If the FTP server is located on a third host, the connection from the Secure Shell server to the FTP server will be unsecured.

  6. The FTP server on the File Transfer Server host is the end point of the file transfer.


Figure 4.6. Transparent FTP tunneling
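Steps 3 to 5 can be modeled as a small rule audit that reports which FTP destinations are captured, where the tunnel terminates, and whether the last hop to the FTP server is left unsecured. This is an added example, not SSH Tectia code or configuration syntax. The `FilterRule` model, the first-match ordering and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class FilterRule:
    """Hypothetical rule model; this is not SSH Tectia configuration syntax."""
    network: Optional[str] = None     # destination CIDR, None matches any address
    port: Optional[int] = None        # destination port, None matches any port
    ssh_server: Optional[str] = None  # tunnel endpoint; None = the FTP server itself

    def matches(self, dst: str, dport: int) -> bool:
        addr_ok = self.network is None or ip_address(dst) in ip_network(self.network)
        port_ok = self.port is None or self.port == dport
        return addr_ok and port_ok

@dataclass(frozen=True)
class Decision:
    captured: bool
    tunnel_endpoint: Optional[str]
    cleartext_last_hop: bool

def evaluate(rules, dst: str, dport: int) -> Decision:
    """First matching rule wins (an assumption of this model)."""
    for rule in rules:
        if rule.matches(dst, dport):
            endpoint = rule.ssh_server or dst
            # Step 5: the tunnel ends at the Secure Shell server, so a
            # different FTP host means the last hop is unsecured.
            return Decision(True, endpoint, endpoint != dst)
    # Not captured: handling of such connections is outside this model.
    return Decision(False, None, False)

# Constructed sample rules and destinations (documentation address ranges).
RULES = [
    FilterRule(network="192.0.2.0/24", port=21),
    FilterRule(network="198.51.100.0/24", port=21, ssh_server="203.0.113.10"),
]

if __name__ == "__main__":
    for dst in ("192.0.2.15", "198.51.100.7", "203.0.113.99"):
        print(dst, evaluate(RULES, dst, 21))
```

A destination reported with `cleartext_last_hop=True` is one where the network segment between the Secure Shell server and the FTP server needs its own protection.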

For a sample use case, see Transparent FTP Tunneling.



