Securing Plaintext FTP with Transparent FTP Tunneling

Plaintext FTP is an inherently insecure but widely used method of transferring files. Tectia Server for IBM z/OS with its client tools offers an easy way to secure file transfer connections with transparent FTP tunneling. This feature is most useful when there is a need to secure a large number of FTP scripts.

Transparent FTP tunneling allows the FTP service to use the existing scripts and applications as they are, so from the point of view of users and applications the Tectia FTP tunneling happens transparently. Because the existing FTP applications are left running, the FTP servers can, for example, keep performing all their designated post-processing jobs as before.

Transparent FTP tunneling captures the connections that use the FTP protocol and tunnels them in encrypted format via a Secure Shell server to the FTP server. Transparent FTP tunneling can be configured to pick the user name, password and destination host directly from the FTP client, and use them to open the secured communication channel. In the Connection Broker configuration, this is done simply with one rule that can fit all FTP connections.

Users can define connection profiles to perform transparent FTP tunneling of certain connections, or they can request the tunneling per FTP connection on the command line.

For end-to-end security, Tectia Server for IBM z/OS should be installed on the same host as the FTP client, and a Secure Shell server should be installed on the same host as the FTP server. If end-to-end security is not required, the FTP server can also reside on a third host; the connection between the Secure Shell server and the FTP server is then not protected by the tunnel.

The FTP server side can be on any platform: Unix, Windows, or mainframe. Tectia Server for IBM z/OS works ideally with Tectia products, but supports any SSH2-capable Secure Shell server.

Transparent FTP tunneling can be used to secure both interactive and unattended FTP sessions. It also provides an option to fall back to plaintext FTP for easier migration.
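To check a migration that still permits the plaintext fallback, the following added example (not part of the Tectia documentation or product) audits FTP control-channel records for sessions whose USER or PASS commands were readable on the wire. The record format, addresses, account names, and the function name `audit_ftp_control` are constructed for illustration.

```python
"""Audit constructed FTP control-channel records for cleartext logins."""
import re
from collections import OrderedDict

# RFC 959 control commands are "VERB SP argument"; verbs are case-insensitive.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")

# Constructed sample: (client, server, payload line) as a sensor watching
# TCP port 21 might record it. Hosts, users and passwords are made up.
SAMPLE = [
    ("10.0.0.5:40112", "10.0.9.20:21", "USER batch01"),
    ("10.0.0.5:40112", "10.0.9.20:21", "PASS s3cret-example"),
    ("10.0.0.5:40112", "10.0.9.20:21", "RETR payroll.dat"),
    ("10.0.0.7:51200", "10.0.9.20:21", "user anonymous"),
    ("10.0.0.7:51200", "10.0.9.20:21", "QUIT"),
    ("10.0.0.8:33000", "10.0.9.20:21", "\x16\x03\x01 not ftp"),
]


def audit_ftp_control(records):
    """Return one finding per session that sent USER or PASS in cleartext."""
    sessions = OrderedDict()
    for client, server, payload in records:
        match = CMD_RE.match(payload.rstrip("\r\n"))
        if not match:
            continue  # not a readable FTP command (encrypted or other traffic)
        verb, arg = match.group(1).upper(), match.group(2) or ""
        if verb not in ("USER", "PASS"):
            continue
        finding = sessions.setdefault(
            (client, server),
            {"client": client, "server": server,
             "user": None, "password_seen": False},
        )
        if verb == "USER":
            finding["user"] = arg
        else:
            finding["password_seen"] = True  # record the fact, never the value
    return list(sessions.values())


if __name__ == "__main__":
    for finding in audit_ftp_control(SAMPLE):
        print(finding)
```

Each finding identifies a client that still reached the FTP server without the tunnel, which is the list of scripts or hosts left to migrate before the fallback is disabled.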

Figure 5.3. Transparent FTP tunneling