Securely Transferring Files Using Reflection, EXTRA!, or INFOConnect

  • 7021928
  • 01-Feb-2007
  • 01-Apr-2018

Environment

Reflection 2014
Reflection for IBM 2014
Reflection for UNIX and OpenVMS 2014
Reflection for IBM 2011
Reflection for UNIX and OpenVMS 2011
Reflection Standard Suite 2011
Reflection for HP with NS/VT version 14.x
Reflection for IBM version 14.x
Reflection for UNIX and OpenVMS version 14.x
Reflection for Secure IT Windows Client version 7.1 or higher
Reflection for Secure IT Windows Server version 7.0 or higher
Reflection for Secure IT UNIX Client version 7.0 or higher
Reflection for Secure IT UNIX Server version 7.0 or higher
Reflection for the Web 2014 (All Editions except Limited)
Reflection for the Web 2011 (All Editions except Standard)
Extra! X-treme version 9.0 or higher
InfoConnect Enterprise Edition for Airlines, IBM and Open Systems version 8.1 SP1 or higher
InfoConnect Airlines Gateway version 2.1 SP1 or higher

Situation

Attachmate products offer several options for secure file transfers, including support for SSH/SFTP, tunneling FTP with SSH, and FTPS with (FTP over SSL/TLS), and FTP through the Reflection Security Proxy. This technical note provides an overview of each of these options, listing their benefits and limitations, and noting which products support each option.

Resolution

The following topics are covered:

SSH/SFTP

SSH is a protocol that establishes a secure channel between a local and remote computer. SSH provides strong, encrypted authentication and a secure encrypted tunnel through which users can execute commands and move data.

There are two file transfer protocols that use SSH for authentication and encryption, SCP and SFTP. This section addresses SFTP. For information about the differences between SCP and SFTP, see KB 7022000.

SFTP is not a 'secure version' of the standard FTP protocol. It is a completely different file transfer protocol. You cannot connect to an FTP server using SFTP protocol or to an SFTP server using FTP protocol. The SFTP protocol relies upon SSH to provide authentication and encryption.

Once connected, the client can do a number of file manipulation operations, such as uploading, downloading, renaming, and deleting files. The exact capabilities provided depend upon the SFTP server.

Benefits of SSH/SFTP

  • SSH/SFTP uses a different port than FTP, so administrators can block FTP.
  • SFTP uses a single port, making it easier to configure your firewall.
  • Because SFTP is different than FTP, administrators can eliminate the insecure FTP protocol entirely.
  • SFTP provides end-to-end secure file transfers.

Limitations of SSH/SFTP

  • Many SSH servers have limited wildcard support.
  • The available command set is limited. For example, there is no support for QUOTE or SITE.
  • SFTP does not recognize many operating-system-specific file structures.
  • SFTP defines only the transfer of binary bitstream data. However, some SFTP clients, such as Reflection's, also provide limited binary to ASCII conversion.

FTPS (FTP over SSL/TLS)

The SSL (Secure Sockets Layer) protocol was developed by Netscape to secure HTTP, but can also be used to secure other protocols. The SSL/TLS protocol uses public key cryptography and certificates for authentication and negotiates session keys for symmetric encryption.

SSL/TLS runs in layers below the FTP client and above the TCP transport protocol. An FTPS client can use SSL/TLS to provide authentication and encryption. The Reflection FTP client supports both implicit and explicit methods of invoking connection security.

Benefits of FTPS

  • Once connected to an FTP server that supports SSL/TLS, you have access to the full range of FTP commands and the operating system specific file structure.
  • This protocol provides good support for many operating-system-specific file structures.
  • This protocol provides good support for IBM host datasets such as MVS.
  • It enables continued use of FTP, but with security.
  • SSL/TLS provides secure transfers, end-to-end.

Limitations of FTPS

  • The FTP server must support SSL/TLS.
  • FTP cannot be eliminated from the enterprise environment.
  • Administration is more complex because the required authentication uses certificates.
  • By default, FTPS does not provide user authentication, only host authentication.
  • FTPS can be difficult to use through a firewall because it uses multiple ports.

Secure FTP through the Reflection Security Proxy

The Reflection Security Proxy is a component of Attachmate Reflection for the Web and Attachmate Reflection Administrator. Subject to certain license restrictions, it can be used with a supporting client such as the Reflection for the Web FTP client or the Reflection Windows-based FTP client to encrypt FTP traffic.

The client makes an SSL/TLS connection to the Reflection Security Proxy, and tunnels both the control and data channels of a traditional FTP connection through that single SSL/TLS connection. The Reflection Security Proxy decrypts the traffic, divides the control and data channels, and sends each of them to a traditional FTP server over separate plaintext connections.

This process is transparent to the traditional FTP server. To that server, it looks as if it is receiving conventional control and data channel traffic from a traditional plaintext FTP client.

A common configuration is to place a Reflection Security Proxy in the DMZ that serves as the boundary between the insecure public Internet and the protected internal network. The FTP connection is encrypted as it travels across the public Internet, and then decrypted and forwarded to a traditional plaintext FTP server within the internal network.

Before allowing the connection to pass through to the FTP server, the Reflection Security Proxy validates a secure authorization token that it receives from the client. The secure authorization token enables LDAP-based access control by ensuring that the user has been authenticated through LDAP and has been authorized by an administrator to connect to the FTP server.

Benefits of Secure FTP through the Reflection Security Proxy

  • Remote clients can securely connect over the Internet to a traditional FTP server behind a firewall, without requiring any encryption or other security capabilities on the FTP server.
  • This protocol is firewall friendly, because opening a single hole in the firewall for traffic to the Reflection Security Proxy is sufficient to allow clients to connect to multiple back-end FTP servers.
  • The Reflection Security Proxy enforces LDAP-based access control, thus providing an additional layer of LDAP authentication and authorization in front of the FTP server.
  • You have access to the full range of FTP commands and the operating system specific file structure.
  • This protocol provides good support for many operating-system-specific file structures.
  • This protocol provides good support for IBM host datasets such as MVS.
  • It enables continued use of FTP, but with security.

Limitations of Secure FTP through the Reflection Security Proxy

  • This mechanism does not provide end-to-end encryption. The traffic between the Reflection Security Proxy and the FTP server is traditional dual control/data channel plaintext FTP.
  • FTP cannot be eliminated from the enterprise environment.

Which Products Support Which Protocols

The following table shows which Attachmate products and versions support which secure file transfer protocols.

Product
Version
SFTP
Tunneling FTP with SSH
FTPS
Secure FTP through the Reflection Security Proxy
Reflection 2014
R1
Yes
Yes
Yes
Yes
Reflection for IBM 2014
R1
Yes
Yes
Yes
Yes
Reflection for IBM 2011
R1 or higher
Yes
Yes
Yes
Yes
Reflection for IBM 2008
R1 or higher
Yes
Yes
Yes
Yes
Reflection for IBM 2007
R1
Yes
Yes
Yes
Yes
Reflection for UNIX and OpenVMS 2014
R1
Yes
Yes
Yes
Yes
Reflection for UNIX and OpenVMS 2011
R1 or higher
Yes
Yes
Yes
Yes
Reflection for UNIX and OpenVMS 2008
R1 or higher
Yes
Yes
Yes
Yes
Reflection Standard Suite 2011
R1 or higher
Yes
Yes
Yes
Yes
Reflection Standard Suite 2008
R1 or higher
Yes
Yes
Yes
Yes
Reflection Windows-based products
13.0 – 14.x
Yes
Yes
Yes
Yes
Reflection for Secure IT Windows Client
7.x
Yes
Yes
Yes
Yes
Reflection for Secure IT Server for Windows
7.0 or higher
Yes
Yes
No
No
Reflection for Secure IT Server and Client for UNIX
7.0 or higher
Yes
Yes
No
No
Reflection for the Web 2014
R1
Yes
No
No
Yes
Reflection for the Web 2011
R1 or higher
Yes
No
No
Yes
EXTRA!
9.0 or higher*
Yes
Yes
Yes
Yes
INFOConnect
See footnote*
Yes
Yes
Yes
Yes

* EXTRA! X-treme 9.0 or higher, INFOConnect Enterprise Edition 8.1 SP1 or higher, and INFOConnect Airlines Gateway 2.1 SP1 or higher include Reflection Secure FTP 14.x, which is the same as Reflection FTP Client 14.x.

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2172.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.