The Tectia client/server solution provides several methods for getting rid of the risks of plaintext File Transfer Protocol (FTP). Tectia Server, Client and ConnectSecure all include a secure alternative, Secure File Transfer Protocol (SFTP) that can be used to replace existing FTP clients and servers. If replacing all FTP clients and servers in an environment is unfeasible, Tectia ConnectSecure and Tectia Server for IBM z/OS offer also transparent FTP tunneling to encrypt the FTP connection, and FTP-SFTP conversion to convert unsecured FTP traffic to use the secure SFTP protocol, instead.
The Tectia client/server solution offers three methods for FTP replacement as illustrated in Figure 2.2:
An unsecured FTP connection is shown in red. If this is used, user IDs, passwords, and the actual transferred data are sent in plaintext, which makes them vulnerable to eavesdropping and unauthorized modifications.
Tectia products use the following methods to make file transfers secure:
The secure file transfer protocol (SFTP) transfers the files and the related control data in encrypted format. SFTP can be activated by using the
scpg3tools, or the Tectia Secure File Transfer GUI (on Windows) instead of the unsecured
Tectia Client or ConnectSecure provides the SFTP functionality and connects to any Secure Shell SFTP server. Both the original FTP client and FTP server can be eliminated.
Connections from the original FTP client are transparently captured by Tectia Server for IBM z/OS, converted to SFTP, and directed to a Secure Shell SFTP server. No changes to the original FTP client application are needed, and it can remain being used as before. The original FTP server, however, is eliminated.
This feature is available with Tectia ConnectSecure and Tectia Server for IBM z/OS (client tools) on all supported platforms and requires a Secure Shell server as the counterpart.
Transparent FTP tunneling
Transparent FTP tunneling creates a secure tunnel between an FTP client and an FTP server. All material is sent in encrypted format and so secured from eavesdropping. This feature is available with Tectia ConnectSecure and Tectia Server for IBM z/OS (client tools).
The Tectia client/server solution supports also non-transparent FTP tunneling on both Tectia Client and ConnectSecure. Non-transparent FTP tunneling can be implemented as SOCKS tunnels defined in the Tectia connection profiles, or as automatic tunnels defined in the Connection Broker configuration.
The following table lists the benefits offered by each of the FTP replacement methods.
Table 2.1. Differences between FTP and secure file transfer methods
|Feature||FTP||SFTP||FTP-SFTP Conversion||Transparent FTP Tunneling|
|Automated scripts can be used||x||x||x||x|
|FTP application used unmodified||x||x||x|
|Original FTP client running||x||x||x|
|Original FTP server running||x||x|
|Configured on Tectia||x||x||x|
|Fallback to FTP is possible||N/A||x||x|
|SFTP GUI available on Windows||N/A||x||N/A||N/A|