SSH Tectia Server for IBM z/OS provides transparent FTP tunneling which is the quickest way to secure file transfers. Both the original FTP client and server are retained and the file transfers are secured by encrypted tunnels.
Transparent FTP tunneling provides a quick and easy way to secure FTP file transfers without the need to change the existing FTP scripts. Users can keep using the existing applications with their familiar IDs and authentication methods.
Transparent FTP tunneling uses the Secure Shell v2 protocol to tunnel the existing FTP client and server connections providing full compatibility with existing unsecured FTP file transfer environment. Transparent FTP tunneling can be used to secure both interactive and unattended FTP sessions. SSH Tectia Server for IBM z/OS supports passive FTP sessions that are initiated by an FTP client.
The existing FTP clients and servers are kept running, and they can continue performing their tasks, for example post-processing the transferred files.
Transparent FTP tunneling is an ideal solution for environments with thousands of complex FTP jobs with possible file transfer pre- and post-processing.
Transparent FTP tunneling also allows falling back to plaintext FTP, in case a Secure Shell tunnel cannot be established. This makes it possible to start migrating to secure file transfer usage immediately, and still be able to connect to the remaining FTP applications.
Transparent FTP Tunneling is implemented using the SSH Tectia Connection Broker component. The Connection Broker acts as a SOCKS proxy for the FTP application and captures FTP connections based on filter rules. The tunneling is transparent to the user and the FTP application. The only change needed in the FTP application is to change the SOCKS proxy setting to point to a local host listener.
The principle of transparent FTP tunneling is shown in Figure 3.3. Before starting the tunneling, the SSH Tectia SOCKS Proxy must be running and listening to the SOCKS port 1080 on the File Transfer Client host.
The following steps happen in transparent FTP tunneling:
An application, a script, or a user triggers a file transfer.
The FTP client in the File Transfer Client machine starts a file transfer to the FTP server in File Transfer Server.
The FTP client makes a SOCKS query. The SOCKS setting in the FTP client is set to point to the local host SSH Tectia SOCKS Proxy instead of a real firewall.
The filter rules that specify which connections to capture are defined in the SOCKS Proxy configuration. Connections can be captured based on the destination address and/or port.
The SOCKS Proxy module creates an authenticated and encrypted Secure Shell tunnel to a Secure Shell server. The user can be authenticated with the FTP username and password, or with public keys. The Secure Shell server can be the FTP server specified in the original FTP request, or another server can be configured in the filter rules.
The secure tunnel is terminated at the Secure Shell server.
The Secure Shell server forwards the connection to the FTP Server, and the FTP server can continue with post-processing of the transferred files. If the FTP server is located on a third host, the connection from the Secure Shell server to the FTP server will be unsecured. This is why it is recommended that there is at least one Secure Shell server in each physically secured area, for instance in a machine room.