Environment
Reflection for IBM 2014
Reflection for UNIX and OpenVMS 2014
Reflection for IBM 2011
Reflection for UNIX and OpenVMS 2011
Reflection Standard Suite 2011
Reflection for HP with NS/VT version 14.x
Reflection for IBM version 14.x
Reflection for UNIX and OpenVMS version 14.x
Reflection for Secure IT Windows Client version 7.1 or higher
Reflection for Secure IT Windows Server version 7.0 or higher
Reflection for Secure IT UNIX Client version 7.0 or higher
Reflection for Secure IT UNIX Server version 7.0 or higher
Reflection for the Web 2014 (All Editions except Limited)
Reflection for the Web 2011 (All Editions except Standard)
Extra! X-treme version 9.0 or higher
InfoConnect Enterprise Edition for Airlines, IBM and Open Systems version 8.1 SP1 or higher
InfoConnect Airlines Gateway version 2.1 SP1 or higher
Situation
Attachmate products offer several options for secure file transfer: SSH/SFTP, tunneling FTP through an SSH connection, FTPS (FTP over SSL/TLS), and secure FTP through the Reflection Security Proxy. This technical note gives an overview of each option, lists its benefits and limitations, and notes which products support it.
Resolution
The following topics are covered:
SSH/SFTP
FTPS (FTP over SSL/TLS)
Secure FTP through the Reflection Security Proxy
Which Products Support Which Protocols
SSH/SFTP
SSH is a protocol that establishes a secure channel between a local and remote computer. SSH provides strong, encrypted authentication and a secure encrypted tunnel through which users can execute commands and move data.
Two file transfer protocols use SSH for authentication and encryption: SCP and SFTP. This section addresses SFTP. For information about the differences between SCP and SFTP, see KB 7022000.
SFTP is not a 'secure version' of the standard FTP protocol. It is a completely different file transfer protocol. You cannot connect to an FTP server using SFTP protocol or to an SFTP server using FTP protocol. The SFTP protocol relies upon SSH to provide authentication and encryption.
Once connected, the client can do a number of file manipulation operations, such as uploading, downloading, renaming, and deleting files. The exact capabilities provided depend upon the SFTP server.
Benefits of SSH/SFTP
- SSH/SFTP uses a different port than FTP (TCP 22 by default, versus 21 for the FTP control channel), so administrators can block FTP at the firewall.
- SFTP runs over a single TCP connection with no separate data channel, so only one port needs to be opened in the firewall.
- Because SFTP is a different protocol from FTP, administrators can eliminate the insecure FTP protocol entirely.
- SFTP provides end-to-end secure file transfers: the data stays encrypted all the way from the client to the SSH server.
Limitations of SSH/SFTP
- Many SSH servers have limited wildcard support.
- The available command set is limited; for example, there is no equivalent of the FTP QUOTE or SITE commands for passing server-specific commands.
- SFTP does not recognize many operating-system-specific file structures.
- SFTP defines only the transfer of binary data streams; there is no standard ASCII transfer mode. Some SFTP clients, such as Reflection's, provide limited binary-to-ASCII conversion on the client side.
FTPS (FTP over SSL/TLS)
SSL (Secure Sockets Layer) was developed by Netscape to secure HTTP, but it can secure other protocols as well; TLS (Transport Layer Security) is its standardized successor. SSL/TLS uses public key cryptography and certificates to authenticate the server (and optionally the client) and negotiates session keys for symmetric encryption of the traffic.
SSL/TLS sits between the FTP application layer and the TCP transport layer. An FTPS client uses it to authenticate the server and to encrypt the control channel and, when requested, the data channel. The Reflection FTP client supports both methods of invoking connection security: explicit, in which the client connects to the standard FTP port and issues the AUTH TLS command to upgrade the session, and implicit, in which TLS is negotiated before any FTP command is sent, conventionally on port 990.
Benefits of FTPS
- Once connected to an FTP server that supports SSL/TLS, you have access to the full range of FTP commands.
- FTPS retains FTP's support for operating-system-specific file structures.
- It provides good support for IBM host file structures such as MVS datasets.
- It enables continued use of FTP, but with security.
- SSL/TLS provides end-to-end secure transfers between the client and the FTP server.
Limitations of FTPS
- The FTP server must support SSL/TLS.
- FTP cannot be eliminated from the enterprise environment.
- Administration is more complex because the required host authentication relies on certificates that must be issued, distributed, and renewed.
- By default, the SSL/TLS handshake authenticates only the host (the server presents a certificate). User authentication still relies on the FTP USER and PASS commands, which are sent inside the encrypted channel, unless client certificates are configured.
- FTPS can be difficult to use through a firewall. FTP opens a separate data connection on a negotiated port for every transfer, and because the control channel is encrypted, firewall FTP helpers cannot read the PORT or PASV exchange to open that port dynamically; a range of passive-mode ports usually has to be opened explicitly.
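The explicit handshake described above, and two of the limitations just listed (the data channel stays clear unless PROT P is negotiated, and a lax client may quietly continue in plaintext if the server rejects AUTH TLS), can be checked from a control-channel transcript. The following script is an added example, not code from Attachmate or the Reflection products; the transcripts it analyses are constructed, and the "C:"/"S:" line format, the function names, and the conservative treatment of the data channel in implicit mode are assumptions of the example.

```python
"""Audit FTP control-channel transcripts for the protection actually negotiated.

Explicit FTPS (RFC 4217) is negotiated in-band on the control channel:
    C: AUTH TLS   -> S: 234   (TLS handshake follows immediately)
    C: PBSZ 0     -> S: 200   (required before PROT)
    C: PROT P     -> S: 200   (data channel now protected; the default is C, clear)
This is an added example with constructed transcripts, not Attachmate code.
"""


def parse_transcript(text):
    """Split a constructed 'C: ...' / 'S: ...' transcript into (side, line) pairs."""
    msgs = []
    for raw in text.strip().splitlines():
        side, sep, body = raw.partition(":")
        side = side.strip().upper()
        if sep and side in ("C", "S"):
            msgs.append((side, body.strip()))
    return msgs


def classify_ftps_session(text, implicit=False):
    """Report control/data protection, AUTH fallback, and credentials sent in the clear.

    implicit=True models implicit FTPS (TLS before the first FTP byte, usually
    port 990). Even then the data channel is treated as clear until PROT P is
    acknowledged: the conservative assumption, since servers differ in implicit mode.
    """
    control_tls = implicit
    data_tls = False
    pbsz_ok = False
    auth_rejected = False
    creds_in_clear = False
    pending = None  # (verb, argument) of the client command awaiting a reply

    for side, line in parse_transcript(text):
        if side == "C":
            parts = line.split()
            if not parts:
                continue
            pending = (parts[0].upper(), parts[1].upper() if len(parts) > 1 else "")
            if pending[0] in ("USER", "PASS") and not control_tls:
                creds_in_clear = True  # login happened before TLS was established
            continue

        code = line[:3]  # FTP replies start with a three-digit code
        if pending is None or not code.isdigit():
            continue
        verb, arg = pending
        if verb == "AUTH" and arg in ("TLS", "SSL", "TLS-C", "TLS-P"):
            if code in ("234", "334"):
                control_tls = True     # everything after this reply is inside TLS
            elif code[0] in "45":
                auth_rejected = True   # a lax client just carries on in plaintext
        elif verb == "PBSZ" and code.startswith("2"):
            pbsz_ok = control_tls      # PBSZ only counts once TLS is up
        elif verb == "PROT" and code.startswith("2"):
            data_tls = control_tls and pbsz_ok and arg == "P"
        pending = None

    if control_tls and data_tls:
        verdict = "FTPS: control and data channels protected"
    elif control_tls:
        verdict = "FTPS: control channel protected, data channel in the clear"
    elif auth_rejected:
        verdict = "AUTH rejected; session fell back to plaintext FTP"
    else:
        verdict = "plaintext FTP"
    return {"control_tls": control_tls, "data_tls": data_tls,
            "auth_rejected": auth_rejected, "creds_in_clear": creds_in_clear,
            "verdict": verdict}


# Constructed transcripts (not captured traffic) covering the cases above.
EXPLICIT_OK = """
C: AUTH TLS
S: 234 Proceed with negotiation
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to P
C: USER alice
S: 331 Password required
C: PASS s3cret
S: 230 User logged in
"""

PROT_CLEAR = EXPLICIT_OK.replace("C: PROT P", "C: PROT C")

AUTH_REJECTED = """
C: AUTH TLS
S: 502 Command not implemented
C: USER alice
S: 331 Password required
C: PASS s3cret
S: 230 User logged in
"""

PLAINTEXT = "\n".join(l for l in AUTH_REJECTED.splitlines()
                      if "AUTH" not in l and "502" not in l)

if __name__ == "__main__":
    for name, t in (("explicit, PROT P", EXPLICIT_OK), ("explicit, PROT C", PROT_CLEAR),
                    ("AUTH rejected", AUTH_REJECTED), ("plain FTP", PLAINTEXT)):
        print(f"{name:18} -> {classify_ftps_session(t)['verdict']}")
```

Run it as a script to print the verdict for each transcript. A real transcript has to come from the client's own command trace: once AUTH TLS has been accepted, a packet capture of the control channel shows only TLS records, so the PBSZ/PROT exchange is not visible on the wire.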
Secure FTP through the Reflection Security Proxy
The Reflection Security Proxy is a component of Attachmate Reflection for the Web and Attachmate Reflection Administrator. Subject to certain license restrictions, it can be used with a supporting client such as the Reflection for the Web FTP client or the Reflection Windows-based FTP client to encrypt FTP traffic.
The client makes an SSL/TLS connection to the Reflection Security Proxy, and tunnels both the control and data channels of a traditional FTP connection through that single SSL/TLS connection. The Reflection Security Proxy decrypts the traffic, divides the control and data channels, and sends each of them to a traditional FTP server over separate plaintext connections.
This process is transparent to the traditional FTP server. To that server, it looks as if it is receiving conventional control and data channel traffic from a traditional plaintext FTP client.
A common configuration is to place a Reflection Security Proxy in the DMZ that serves as the boundary between the insecure public Internet and the protected internal network. The FTP connection is encrypted as it travels across the public Internet, and then decrypted and forwarded to a traditional plaintext FTP server within the internal network.
Before allowing the connection to pass through to the FTP server, the Reflection Security Proxy validates a secure authorization token that it receives from the client. The secure authorization token enables LDAP-based access control by ensuring that the user has been authenticated through LDAP and has been authorized by an administrator to connect to the FTP server.
Benefits of Secure FTP through the Reflection Security Proxy
- Remote clients can securely connect over the Internet to a traditional FTP server behind a firewall, without requiring any encryption or other security capabilities on the FTP server.
- The configuration is firewall friendly: opening a single port in the firewall for traffic to the Reflection Security Proxy is sufficient to let clients reach multiple back-end FTP servers.
- The Reflection Security Proxy enforces LDAP-based access control, adding a layer of authentication and authorization in front of the FTP server.
- You have access to the full range of FTP commands and to operating-system-specific file structures.
- It provides good support for IBM host file structures such as MVS datasets.
- It enables continued use of FTP, but with security.
Limitations of Secure FTP through the Reflection Security Proxy
- This mechanism does not provide end-to-end encryption. Traffic between the Reflection Security Proxy and the FTP server is traditional plaintext FTP with separate control and data channels, so FTP commands and file contents are readable on that network segment. Treat that segment as trusted: restrict the FTP server to accept connections only from the proxy, and keep the proxy-to-server path on a network that untrusted hosts cannot reach.
- FTP cannot be eliminated from the enterprise environment.
Which Products Support Which Protocols
The following table shows which Attachmate products and versions support which secure file transfer protocols.
Product | Version | SFTP | Tunneling FTP with SSH | FTPS | Secure FTP through the Reflection Security Proxy |
Reflection 2014 | R1 | Yes | Yes | Yes | Yes |
Reflection for IBM 2014 | R1 | Yes | Yes | Yes | Yes |
Reflection for IBM 2011 | R1 or higher | Yes | Yes | Yes | Yes |
Reflection for IBM 2008 | R1 or higher | Yes | Yes | Yes | Yes |
Reflection for IBM 2007 | R1 | Yes | Yes | Yes | Yes |
Reflection for UNIX and OpenVMS 2014 | R1 | Yes | Yes | Yes | Yes |
Reflection for UNIX and OpenVMS 2011 | R1 or higher | Yes | Yes | Yes | Yes |
Reflection for UNIX and OpenVMS 2008 | R1 or higher | Yes | Yes | Yes | Yes |
Reflection Standard Suite 2011 | R1 or higher | Yes | Yes | Yes | Yes |
Reflection Standard Suite 2008 | R1 or higher | Yes | Yes | Yes | Yes |
Reflection Windows-based products | 13.0 – 14.x | Yes | Yes | Yes | Yes |
Reflection for Secure IT Windows Client | 7.x | Yes | Yes | Yes | Yes |
Reflection for Secure IT Server for Windows | 7.0 or higher | Yes | Yes | No | No |
Reflection for Secure IT Server and Client for UNIX | 7.0 or higher | Yes | Yes | No | No |
Reflection for the Web 2014 | R1 | Yes | No | No | Yes |
Reflection for the Web 2011 | R1 or higher | Yes | No | No | Yes |
EXTRA! | 9.0 or higher* | Yes | Yes | Yes | Yes |
INFOConnect | See footnote* | Yes | Yes | Yes | Yes |
* EXTRA! X-treme 9.0 or higher, INFOConnect Enterprise Edition 8.1 SP1 or higher, and INFOConnect Airlines Gateway 2.1 SP1 or higher include Reflection Secure FTP 14.x, which is the same as Reflection FTP Client 14.x.