Plaintext FTP is an inherently unsecured, but a widely used method of transferring files. SSH Tectia ConnectSecure offers an easy way to secure file transfer connections with transparent FTP tunneling. This feature is most useful when there is need to secure lots of FTP scripts.

Transparent FTP tunneling allows the FTP service to use the existing scripts and applications as they are, so to the users and applications the SSH Tectia FTP tunneling happens transparently. As the existing FTP applications are left running, for example the FTP servers can keep performing all their designated post-processing jobs as earlier.

Transparent FTP tunneling captures the connections that use the FTP protocol and tunnels them in encrypted format via a Secure Shell server to the FTP server. Transparent FTP tunneling can be configured to pick the user name, password and destination host directly from the FTP client, and use them to open the secured communication channel. In the Connection Broker configuration, this is done simply with one rule that can fit all FTP connections.

The users can define connection profiles to perform transparent FTP tunneling of certain connections, or they can request the tunneling per FTP connection on command line.

For end-to-end security, SSH Tectia ConnectSecure should be installed on the same host with the FTP client, and a Secure Shell server should be installed on the same host with the FTP server. If end-to-end security is not required, the FTP server can also reside on a third host.

The FTP server side can be on any platform, Unix, Windows or mainframe. SSH Tectia Server for IBM z/OS works ideally with SSH Tectia products, but supports any SSH2-capable Secure Shell servers.

Transparent FTP tunneling can be used to secure both interactive and unattended FTP sessions. It also provides an option to fall back to plaintext FTP for easier migration.

Figure 5.2. Using transparent FTP tunneling