Tectia

Transparent FTP Tunneling

SSH Tectia ConnectSecure provides transparent FTP tunneling which is the quickest way to secure file transfers. Both the original FTP client and server are retained and the file transfers are secured by encrypted tunnels.

Transparent tunneling of existing FTP connections

Transparent FTP tunneling provides a quick and easy way to secure FTP file transfers without the need to change the existing FTP scripts. Users can keep using the existing applications with their familiar IDs and authentication methods.

Full compatibility with FTP

Transparent FTP tunneling uses the Secure Shell v2 protocol to tunnel the connections of the existing FTP clients and servers, so it stays fully compatible with the existing unsecured FTP file transfer environment. It can be used to secure both interactive and unattended FTP sessions. Likewise, both active mode (the data connection is opened by the FTP server towards the client, as announced with the PORT command) and passive mode (the data connection is opened by the FTP client towards the address the server returns in its PASV reply) are supported; in either mode the data connection is captured and tunneled along with the control connection.

The existing FTP clients and servers are kept running, and they can continue performing their tasks, for example post-processing the transferred files.

Easy migration

Transparent FTP tunneling is an ideal solution for environments with thousands of complex FTP jobs with possible file transfer pre- and post-processing.

Transparent FTP tunneling also allows falling back to plaintext FTP in case a Secure Shell tunnel cannot be established. This makes it possible to start migrating to secure file transfers immediately while still being able to reach the FTP applications that have not yet been secured. Note that a fallback connection carries the FTP user name, password and file contents in the clear exactly as before, so the fallback should be allowed only for the duration of the migration and disabled once every destination has a Secure Shell server.

The principle of transparent FTP tunneling is shown in Figure 3.3.

Figure 3.3. Transparent FTP tunneling

The following steps happen in transparent FTP tunneling:

  1. An application, a script, or a user triggers a file transfer.

  2. The FTP client on the File Transfer Client machine starts a file transfer to the FTP server on the File Transfer Server machine.

  3. The SSH Tectia connection capture module captures the connection before it leaves the client machine. SSH Tectia ConnectSecure checks and applies the filter rules that specify which connections to capture. The filter rules are defined in the Connection Broker configuration; a connection can be matched on the FTP application that opened it and on the destination address and/or port.

  4. SSH Tectia ConnectSecure can extract the user name, password, and destination host name from the captured FTP session (the FTP client sends them in the clear on the control connection) and use them for authentication and connection setup with the Secure Shell server.

    The Connection Broker module creates an authenticated and encrypted Secure Shell tunnel to a Secure Shell server. The user can be authenticated with the FTP user name and password, or with public keys. The Secure Shell server can be the FTP server named in the original FTP request, or another server configured in the filter rules.

  5. The secure tunnel is terminated at the Secure Shell server.

  6. The Secure Shell server forwards the connection to the FTP server, which handles it as an ordinary FTP session and can continue with, for example, post-processing of the transferred files. If the FTP server is located on a third host, the hop from the Secure Shell server to the FTP server is plaintext FTP and is not protected. This is why it is recommended to have at least one Secure Shell server in each physically secured area, for instance in a machine room, so that the unprotected hop never leaves that area.
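The decisions in steps 3, 4 and 6, together with the active/passive and fallback points made earlier on this page, can be modelled in a few functions. The following is an added illustrative example, not SSH Tectia code, and its rule fields, host names and sample FTP control-channel bytes are all constructed for the example; in particular the `FilterRule` fields are not the Connection Broker configuration syntax. It shows how a capture filter matches on application and destination, how USER/PASS are lifted from the plaintext control connection for Secure Shell authentication, how PORT and PASV reveal which side will open the data connection that must also be captured, and when a connection silently degrades to plaintext fallback.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model of a capture filter rule. Field names are this example's
# own, not Tectia's configuration syntax. None means "match anything".
@dataclass(frozen=True)
class FilterRule:
    application: Optional[str]    # client process name, e.g. "ftp"
    dst_host: Optional[str]       # FTP destination host
    dst_port: Optional[int]       # FTP destination port
    ssh_server: Optional[str]     # tunnel endpoint; None = the FTP destination host
    allow_fallback: bool = False  # permit plaintext FTP if no tunnel can be set up


def match_rule(rules, application, dst_host, dst_port):
    """Return the first rule whose application/host/port constraints all match."""
    for r in rules:
        if r.application is not None and r.application != application:
            continue
        if r.dst_host is not None and r.dst_host != dst_host:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r
    return None


def extract_credentials(control_bytes: bytes):
    """USER and PASS exactly as the FTP client sends them in clear on the control channel."""
    user = password = None
    for line in control_bytes.decode("ascii", "replace").splitlines():
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            password = arg
    return user, password


_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def data_connection(line: str):
    """Tell which side opens the data connection, and to which address/port.

    Active mode: the client sends PORT h1,h2,h3,h4,p1,p2 and the *server* connects
    back to that address. Passive mode: the server replies 227 (...) to PASV and the
    *client* connects there. A transparent tunnel must capture whichever side initiates.
    Returns None for lines that do not set up a data connection.
    """
    for opener, rx in (("server", _PORT_RE), ("client", _PASV_RE)):
        m = rx.match(line.strip())
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            return opener, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


def plan_connection(rules, application, dst_host, dst_port, control_bytes, ssh_reachable):
    """Decide what happens to one captured FTP control connection.

    ssh_reachable is the set of Secure Shell servers a tunnel can currently be
    established to (constructed stand-in for an actual connection attempt).
    """
    rule = match_rule(rules, application, dst_host, dst_port)
    if rule is None:
        return {"action": "passthrough"}          # no rule: connection is not captured
    ssh_server = rule.ssh_server or dst_host      # step 4: tunnel endpoint
    if ssh_server in ssh_reachable:
        user, password = extract_credentials(control_bytes)
        return {
            "action": "tunnel",
            "ssh_server": ssh_server,
            "ssh_user": user,
            # the extracted password is handed to SSH password authentication
            # and never logged; public-key auth is used when there is none
            "ssh_auth": "password" if password else "publickey",
            "forward_to": (dst_host, dst_port),   # step 6: SSH server -> FTP server hop
            "plaintext_hop": ssh_server != dst_host,
        }
    if rule.allow_fallback:
        return {"action": "plaintext-fallback"}  # silent downgrade: credentials in clear
    return {"action": "refused"}


# Constructed sample rules and client-side control-channel bytes.
RULES = [
    FilterRule("ftp", "ftp.example.internal", 21, ssh_server=None),
    FilterRule(None, None, 21, ssh_server="ssh-gw.example.internal", allow_fallback=True),
]
SAMPLE_CONTROL = b"USER batchuser\r\nPASS s3cret\r\nPASV\r\nRETR report.csv\r\n"

if __name__ == "__main__":
    print(plan_connection(RULES, "ftp", "ftp.example.internal", 21, SAMPLE_CONTROL,
                          {"ftp.example.internal"}))
    print(plan_connection(RULES, "ncftp", "legacy.example.internal", 21, SAMPLE_CONTROL, set()))
    print(data_connection("227 Entering Passive Mode (10,0,0,9,195,80)"))
```

The second rule deliberately routes every other port-21 connection through a gateway Secure Shell server, so its `plaintext_hop` flag is true: that is the unprotected hop from step 6 that must stay inside the physically secured area. The `plaintext-fallback` outcome is the migration convenience from earlier on this page; a practitioner should treat it as a finding to be removed, not a steady state.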