Articles from security category
Securing data and file transfers between SFTPPlus and third parties
Sun 21 January 2018 | article security
Why read this article
A fully established file transfer and sharing system needs integration at every other layer of the stack, including the operating system. SFTPPlus can be integrated with external tools and third parties to meet these integration requirements.
This article is written for those new to SFTPPlus and for those responsible for the business function of securing file transfer software. Topics are covered at various levels of depth to reach a wider audience.
Where does SFTPPlus sit in your IT infrastructure
The SFTPPlus software operates at OSI Layer 7, which corresponds to Layer 4 of the TCP/IP model. SFTPPlus can be integrated with external tools in order to secure data and file transfers with third parties.
For those not familiar with the OSI and TCP/IP models, please read on.
SFTPPlus on the OSI
The OSI (Open Systems Interconnection) model characterizes and standardizes communication functions across seven layers, from layer 1 (physical) up to layer 7. In the OSI model, SFTPPlus sits at Layer 7, the application layer.
The application layer sits at the top of the OSI model and is the software layer (hence the name) between the end user and the networking layers underneath.
SFTPPlus on the TCP
In addition to the OSI model, another way of understanding where SFTPPlus plays a role in your infrastructure is via the TCP/IP model. SFTPPlus sits at TCP/IP Layer 4, the application layer. This is the topmost layer; it defines the TCP/IP application protocols and how SFTPPlus interfaces with the transport layer (the layer directly below) in order to use the network.
While the above is only a brief introduction, it should help you understand how SFTPPlus integrates with the networking components (the file transfer protocols) as well as with components at the application level (other systems).
Introduction to file transfer protocols supported by SFTPPlus
Those making the leap to a managed file transfer service for the first time may also be thinking about networking components, such as which file transfer protocols to support. If your company is currently using FTP, you may want to switch to FTPES or FTPIS for better security, or to SFTP for features such as secure key exchange.
File transfers are secured through support for protocols such as SFTP, FTPS and HTTPS. For those not familiar with them, please read the overview of the supported protocols in the Quick Start section of our documentation.
Logging and monitoring network operations with SFTPPlus
Introduction
When you create file transfer systems that interact with services, protocols, databases, users and data, it is important to ensure that the system is protected against, and monitored for, unauthorized modification, use, access or destruction.
Proper monitoring and logging of activities is another important aspect of a secure file transfer infrastructure. Should there be access attempts from that particular IP range at all? Should this file transfer service port be in use? Are there subsets of data critical enough that an alert should be raised for failed transfers from that source? The answers to questions like these provide the basis for meeting the logging and auditing requirements of your infrastructure through our audit and logging mechanisms.
Databases
SFTPPlus can be integrated with external database and logging tools such as SQLite, MySQL, Syslog and the Windows Event Log.
These integrations help with logging, reporting and auditing obligations, as is the case for organizations seeking compliance with frameworks such as GDPR, HIPAA, GPG13 and others.
SFTPPlus keeps a detailed log of every file transferred, including details of the initial transfer request and the status of its completion. It also logs status changes of devices and configurations, login attempts, connection attempts to and from the server or client, session activities and more.
Email resources for email alerts
Users can set up vital email alerts to monitor for any specific server events.
By creating a new email resource, SFTPPlus sends outgoing emails as though they were coming from an email client.
Access to an SMTP server is necessary. You may use any email service available on your network, public or private, with either anonymous SMTP or a pre-existing account on that server or service. A local or private SMTP server may also be used.
Once the email resource and the Event Handler are configured, the body of each email sent consists of a JSON object describing the event that triggered it. The recipient(s) and the subject line are configurable.
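The questions raised in the logging introduction above (which failed transfers are critical enough to alert on) and the JSON-bodied alert emails described here fit together naturally. The following is an added example, not SFTPPlus code and not the product's event schema: it filters a constructed stream of events down to failed transfers from a critical source tree and builds an alert email whose body is the JSON-serialised event. The event field names (`id`, `kind`, `status`, `source`, `account`), the critical prefix and the addresses are all assumptions made for the illustration.

```python
import json
from email.message import EmailMessage

# Constructed sample events (not real SFTPPlus output). Each carries an id,
# the operation kind and its status, loosely following the page's description.
SAMPLE_EVENTS = [
    {"id": "20001", "kind": "transfer", "status": "success",
     "source": "/srv/inbox/finance/report-2018-01.csv", "account": "payroll"},
    {"id": "20002", "kind": "transfer", "status": "failed",
     "source": "/srv/inbox/finance/ledger.xml", "account": "payroll"},
    {"id": "10005", "kind": "login", "status": "failed",
     "source": "203.0.113.17", "account": "unknown"},
    {"id": "20002", "kind": "transfer", "status": "failed",
     "source": "/srv/inbox/marketing/banner.png", "account": "web"},
]

# Hypothetical policy: only this source tree is critical enough to page on.
CRITICAL_PREFIXES = ("/srv/inbox/finance/",)


def is_critical_failure(event, critical_prefixes=CRITICAL_PREFIXES):
    """Alert only on failed transfers whose source lies under a critical tree."""
    if event.get("kind") != "transfer" or event.get("status") != "failed":
        return False
    source = event.get("source", "")
    return any(source.startswith(prefix) for prefix in critical_prefixes)


def build_alert(event, sender, recipients, subject_prefix="[SFTPPlus alert]"):
    """Return an EmailMessage whose body is the JSON object for the event."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = (f"{subject_prefix} {event['kind']} {event['status']} "
                      f"(event {event['id']})")
    # sort_keys gives a stable body, which helps when alerts are diffed or deduplicated.
    msg.set_content(json.dumps(event, indent=2, sort_keys=True))
    return msg


def alert_payload(msg):
    """Parse the JSON body back out of an alert message."""
    return json.loads(msg.get_content())


def alerts_for(events, sender, recipients):
    """Build one alert per event that passes the critical-failure filter."""
    return [build_alert(e, sender, recipients) for e in events if is_critical_failure(e)]


if __name__ == "__main__":
    for message in alerts_for(SAMPLE_EVENTS, "mft@example.com", ["ops@example.com"]):
        print(message)
```

Handing the message to `smtplib.SMTP(...).send_message(...)` is the only step left out; the filter is the part worth getting right, since alerting on every failed login from the Internet quickly trains operators to ignore the mailbox.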
Integrating SFTPPlus with third parties via the API
SFTPPlus provides public APIs which extend the identity management, file access, audit functionality and more of the SFTPPlus MFT Server through HTTP-based micro-services and endpoints. The HTTP APIs can be used to integrate file transfer processes with disparate systems, such as web applications, that need to interface with SFTPPlus.
Although it is exposed over HTTP, integrators should treat the HTTP API as an operations layer that lives only inside a secured network, for example by making the services reachable only over corporate VPNs or proxies.
For more details about the API, please consult our developer section in the documentation.
Potential use case for HTTP Authorization
One potential use case for the API is HTTP Authorization for SFTPPlus. This is deployed in a DMZ where certificate-based authentication cannot be used and only username/password authentication with a time-limited expiration is available.
Case study with load balancers and HTTPS push from third party via SFTPPlus API
This case study involves integrating with a third party. In this case, the third party is a web application functioning as the client.
Through the HTTPS service available in SFTPPlus, the third-party developer uses the SFTPPlus HTTP API to authenticate users and allow them to upload (push) content to the SFTP servers.
Subsequently, users on the corporate or internal network authenticate via SSH key exchange (one of the possible methods) and pull content from the servers.
While the topic is covered in another article, the servers are also set up for high availability and resilience behind a load balancer. In this case, the load balancer uses a weighted round-robin algorithm, distributing connections according to each server's 'weight'.
Ensuring high availability is also a pathway to secure file transfer operations by making sure that critical data is constantly available. Load balancers can be used with SFTPPlus to set up high availability.
By combining secure file transfer protocols, careful use of the SFTPPlus API and file transfer operations structured for a high-availability environment, you can further secure the data and file transfers within your company.
Integrating SFTPPlus with DMZ and buffer zones
A DMZ (demilitarized zone) is implemented in order to separate servers and other resources exposed to the external, public-facing Internet from the internal, trusted networks. It can be built with a number of different configurations; the standard example uses two firewalls, one in front of the external or public-facing resources and the other in front of the internal resources, with the DMZ as a subnetwork between them.
Case study with DMZ and buffer zones
For a case study on how SFTPPlus is integrated with a DMZ, see above for an example of an internal company user transferring files towards external, public-facing servers.
In this case, the FTP/SFTP 'Inbox' folder residing within the DMZ uses the SFTPPlus file-dispatcher Event Handler to dispatch files to the 'Outbox' folder, also within the DMZ.
The file-dispatcher event handler is configured to move files from the SFTPPlus Inbox folder to the SFTPPlus Outbox folder based on a matching expression, either a glob or a regular expression. In this instance, say the matching expression selects all PDF files. All of this happens within the DMZ, which acts as a buffer zone between the media PC on the internal network and the external servers.
From the SFTPPlus Outbox folder, which serves as a cache of matched files, users can initiate a client transfer to the external, public-facing servers outside the DMZ.
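To make the Inbox-to-Outbox step concrete, here is an added example of a minimal file dispatcher in Python. It is illustrative code written for this article, not the SFTPPlus file-dispatcher event handler: the rule kinds (`glob` and `regex`), the `min_age` stability guard, the symlink refusal and the unix-time prefix on the destination name are design choices of this example (the last of these echoes the rename-prepend-unixtime method mentioned in the 3.28.0 release notes below, without claiming to reproduce it). Matching is applied to the full path rather than only the file name, and the move is a single `os.replace()` call, which is atomic when Inbox and Outbox share a filesystem, so a client pulling from the Outbox never sees a half-moved file.

```python
import fnmatch
import os
import re
import tempfile
import time


def matches(full_path, pattern, kind="glob"):
    """Apply the dispatch rule to the full path, not just the base name.

    With fnmatch, '*' also matches '/', so a glob such as '*.pdf' selects
    PDF files at any depth under the inbox.
    """
    if kind == "glob":
        return fnmatch.fnmatchcase(full_path, pattern)
    if kind == "regex":
        return re.search(pattern, full_path) is not None
    raise ValueError(f"unknown matcher kind: {kind}")


def dispatch(inbox, outbox, pattern, kind="glob", prepend_unixtime=True, min_age=0.0):
    """Move matching regular files from inbox to outbox; return new paths.

    min_age (seconds since last modification) skips files still being
    written; symlinks are refused so a link dropped in the inbox cannot
    make the outbox point at something outside the buffer zone.
    """
    inbox = os.path.realpath(inbox)
    outbox = os.path.realpath(outbox)
    moved = []
    now = time.time()
    for name in sorted(os.listdir(inbox)):
        src = os.path.join(inbox, name)
        if os.path.islink(src) or not os.path.isfile(src):
            continue
        if now - os.stat(src).st_mtime < min_age:
            continue  # not stable yet, pick it up on the next run
        if not matches(src, pattern, kind):
            continue
        dst_name = f"{int(now)}-{name}" if prepend_unixtime else name
        dst = os.path.join(outbox, dst_name)
        os.replace(src, dst)  # atomic rename within one filesystem
        moved.append(dst)
    return moved


def demo():
    """Build a throwaway inbox/outbox pair and dispatch the PDF files."""
    root = tempfile.mkdtemp(prefix="dispatch-demo-")
    inbox = os.path.join(root, "inbox")
    outbox = os.path.join(root, "outbox")
    os.makedirs(inbox)
    os.makedirs(outbox)
    for filename in ("invoice.pdf", "readme.txt", "scan.pdf"):
        with open(os.path.join(inbox, filename), "w") as fh:
            fh.write("constructed sample content\n")
    moved = dispatch(inbox, outbox, "*.pdf")
    return [os.path.basename(p) for p in moved], sorted(os.listdir(inbox))


if __name__ == "__main__":
    print(demo())
```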
Implementing AAA (Authentication, Authorization and Accounting) frameworks
SFTPPlus allows an AAA system to be implemented. AAA refers to Authentication, Authorization and Accounting: a system for mediating and managing network access by identifying a user (authentication), granting or denying access to that user (authorization) and keeping track of the user's activities on the network resource (accounting).
Accounting part of the AAA framework
As SFTPPlus operates, it emits a set of events, each carrying a unique ID and describing a specific operation carried out by the server. A common action for an event is to send it to one of the supported logging systems. This covers the Accounting requirement of the AAA (Authentication, Authorization and Accounting) security design framework.
An accounting framework, also referred to as auditing, is a way to ensure that compliance and logging obligations are met.
Authorization part of the AAA framework
The use of authorization is one of the fundamental aspects of network and resource management security. By building an authorization framework, you can ensure that users have correct access to network resources.
In the above diagram, we have two users in the same department or user group, but with different access requirements. After authentication via the authentication server, how does an administrator ensure that the correct authorization rules are applied? One user has read-only rights to a shared folder and full control over a common home folder, whereas the other has full-control access to both the common folder and all folders underneath it, including the folder shared with the first user.
As the diagram shows, the permissions framework can be set up globally or on a per-path basis, including fine-grained details such as permissions tied to matching expressions.
Even after a user group is authenticated and each user is in the correct account, a solid authorization framework ensures that any additional user access rights policies are applied.
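The two-user scenario above, with a global default, per-path rules and a matching-expression rule, can be expressed as a small policy evaluator. The following is an added example written for this article and is not the SFTPPlus permission model or its configuration format; the user names, paths, permission names (`read`, `write`, `delete`), the "last matching rule wins" ordering and the `.bak` regex rule are all constructed for the illustration. The one detail worth copying into any such check is the path normalisation: rules are matched against the collapsed path, so `/shared/../home/bob/x` is judged as `/home/bob/x` and a read-only rule on `/shared` cannot be sidestepped.

```python
import posixpath
import re

READ, WRITE, DELETE = "read", "write", "delete"
FULL = frozenset({READ, WRITE, DELETE})
READ_ONLY = frozenset({READ})

# Constructed policy. Each user has a global default plus ordered rules of
# (target, kind, permissions); rules are evaluated in order and the last
# rule that matches the normalised path decides.
POLICY = {
    "alice": {"default": frozenset(), "rules": [
        ("/home/alice", "prefix", FULL),
        ("/shared", "prefix", READ_ONLY),
    ]},
    "bob": {"default": frozenset(), "rules": [
        ("/home/bob", "prefix", FULL),
        ("/shared", "prefix", FULL),
        (r"^/shared/.*\.bak$", "regex", frozenset()),  # matching-expression rule
    ]},
}


def normalize(path):
    """Collapse '..', '.' and duplicate slashes into one absolute POSIX path."""
    return posixpath.normpath("/" + path.lstrip("/"))


def _under(path, prefix):
    prefix = prefix.rstrip("/") or "/"
    return path == prefix or path.startswith(prefix + "/")


def permissions_for(user, path, policy=POLICY):
    """Return the permission set the policy grants `user` on `path`."""
    entry = policy.get(user)
    if entry is None:
        return frozenset()  # unknown account: deny everything
    path = normalize(path)
    granted = entry["default"]
    for target, kind, perms in entry["rules"]:
        if kind == "prefix" and _under(path, target):
            granted = perms
        elif kind == "regex" and re.search(target, path):
            granted = perms
    return granted


def is_allowed(user, operation, path, policy=POLICY):
    """Authorization decision for one file-management operation."""
    return operation in permissions_for(user, path, policy)


if __name__ == "__main__":
    for user, op, path in [("alice", WRITE, "/shared/report.pdf"),
                           ("bob", WRITE, "/shared/report.pdf"),
                           ("alice", WRITE, "/shared/../home/bob/x")]:
        print(user, op, path, "->", "allow" if is_allowed(user, op, path) else "deny")
```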
Authentication part of the AAA framework
The server-side security of SFTPPlus is designed around the Authentication, Authorization and Accounting (AAA) components. Authentication can be integrated with external third parties such as Windows Domain Accounts, or with external resources such as a domain controller, SSH RSA/DSA keys or SSL certificates.
When planning how you will secure your system, take stock of how you mediate and manage network access so that the authentication, authorization and accounting requirements are each met.
Integrating SFTPPlus with post-processing actions
SFTPPlus can function alongside anti-virus applications installed to protect the environment on the machine. This integration is done as part of the transfer configuration, through post-processing actions.
Most anti-virus applications have a real-time protection component that scans files on creation, on access and on execution. These operations will not affect the overall performance of the system.
Case Study - Virtual machines
To further secure data and file transfers, users can create two installations running in active/passive mode behind a load balancer. The two instances share the same users, database and storage.
When running in AWS, a new instance is created whenever one dies, maintaining high availability.
SFTPPlus can be integrated with a third-party virtual private cloud, as well as with load balancers, to ensure high availability and resilience.
Conclusion and next steps
Applying these measures does not by itself guarantee security. Please consider these guides as one layer among many when implementing a secure managed file transfer solution.
Since features change constantly, we did not touch on any configuration specifics within SFTPPlus. Please consult our documentation for configuration and operations information, as well as practical user guides.
This resource is written as of SFTPPlus version 3.29.0.
Evaluate SFTPPlus MFT
The features listed in this article are only a selection of the many integration and configuration options available today. Talk to the support team about your requirements for data exchange software.
SFTPPlus MFT Server supports FTP, explicit FTPS, implicit FTPS, SFTP, SCP, HTTP and HTTPS.
SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux and macOS.
It is also available in the cloud as a Docker container, as AWS or Azure instances, and on many other cloud providers.
Request a trial version using the form below.
SFTPPlus Release 3.28.0
Wed 29 November 2017 | security release
We are pleased to announce the latest release of SFTPPlus version 3.28.0.
New Features
- It is now possible to set permission for file management operations for accounts authenticated with the FTP/FTPS service. [ftp][ftps][server-side] [#3399]
- You can now implement custom event handlers using our Python based API. [#4192]
- SFTPPlus is now distributed with the CA chains for SharePoint Online and Let's Encrypt. [#4365]
- The FTPS client-side connections now show the SSL/TLS method used together with the cipher protecting the communication. [client-side][ftps] [#4370]
- FTPS server-side events emitted when the command connection is closed now contain the cipher used to secure the connection. [ftps][server-side] [#4458]
- It is now possible to define the permissions of file management operations set by accounts that are authenticated with the SCP and SFTP services. [scp][sftp][server-side] [#4461]
- It is now possible to define the permissions of file management operations set by accounts that are authenticated with the HTTP/HTTPS services. [http][https][server-side] [#4462]
- A rename-prepend-unixtime method was added to the file dispatcher event handler. It will allow the event handler to conduct an instant, atomic rename of the source file. [#4466]
- You can now use additional SSL/TLS configuration options to protect HTTPS URL set for the HTTP authentication method. [server-side] [#4482]
- HTTPS client connections now support the Server Name Indication (SNI) TLS extension. [#4490]
- You can now use HTTPS url for the HTTP Post event handler. [#4512]
Defect Fixes
- The WebDAV location can now be configured with SSL/TLS details in order to set up the parameter for the SSL/TLS connection. [security][client-side][webdavs][https] [#3912]
- The events emitted by the file dispatcher event handler will now contain the full path to the destination file. In previous versions, the events contained the destination paths. [#4501]
- An internal server error is no longer raised when the SMTP client connects to the server and the server drops the connection. [#4509]
Deprecations and Removals
- The event with ID 40002 is now associated with a server-side error when obtaining the attributes of a path. In previous versions, it was only used when the path was not found. [server-side][http][https] [#4462]
- Support was removed for Red Hat Enterprise Linux 6 and Generic Linux on IBM System z s390x mainframe and the Hercules mainframe emulator. If you are still using these platforms, please get in touch with us. [#4503-1]
- Support was removed for Ubuntu 14.04 LTS on POWER8 (little endian). Ubuntu 14.04 LTS is still supported on Intel X86_64. If you are still using this platform, please get in touch with us. [#4503-2]
- Support was removed for Red Hat Enterprise Linux 6 on POWER8 (big endian). Red Hat Enterprise Linux 6 is still supported on Intel X86_64. If you are still using this platform, please get in touch with us. [#4503-3]
- Support was removed for Solaris 10 11/06 U3 on SPARC and X64. Latest Solaris 10 on both SPARC and X64 are still supported. If you are still using these platforms, please get in touch with us. [#4503]
You can check the full release notes.
SFTPPlus Release 3.27.0
Tue 07 November 2017 | security release
We are pleased to announce the latest release of SFTPPlus version 3.27.0.
New Features
- It is now possible to define the expiration date and time when configuring an account of type application or OS. [server-side] [#1152]
- An audit event is now emitted when the HTTP connection is made and when it is closed. [client-side][http][https] [#3925]
Defect Fixes
- When the user is authenticated based on the SSL certificate, the FTPS server now responds with code 230 instead of 232. [ftps][server-side] [#3563]
- FTPS client connections will now verify the identity of the remote FTPS server when configured to check against a certificate authority. [ftps][client-side][security] [#3566]
- When a WebDAV location fails to re-authenticate, it will enter the fail state and no other operations are performed. [client-side][http][https] [#4339-1]
- When a WebDAV client session has its session credentials rejected and multiple WebDAV client requests are made at the same time, only a single re-authentication request is made. [client-side][http][https] [#4339]
- Use a PID file in $INSTALL_ROOT in the init/unit files too, as used by the bin/admin-commands.sh script by default. This avoids mismatches when the daemon is started with this script and the status is checked with an init script. [#4388]
Deprecations and Removals
- Support for AIX 5.3 was removed. AIX 7.1 is still supported. If you are still using this platform, please get in touch with us. [#4361-1]
- Support for Raspbian Linux was removed. If you would like to use SFTPPlus on this platform, please get in touch with us. [#4361]
- Support for SUSE Enterprise Linux 10 was removed. If you are still using this platform, please get in touch with us. [#4397]
You can check the full release notes.
SFTPPlus 3.6.0 Release
Fri 18 March 2016 | release security
We are pleased to announce the latest release of SFTPPlus, version 3.6.0.
Here is the list of the important new functionalities:
- The OpenSSL version used by SFTPPlus is advertised as part of the events generated when starting the SFTPPlus process, as well as in the Local Manager status page.
- Now you can configure the source port used by the FTP and FTPS services to initiate active data connections. [ftp][ftps]
- The matching rules for file dispatching are now applied to the full path, not only to the file name.
This release was focused on reducing the number of known defects and improving the quality of the product. Here is the list of the main defects fixed in this release:
- When a transfer requires multiple files to be transferred, they are now queued so that the files are transferred sequentially, one at a time. [#3131]
- When a location fails to start, it is no longer auto-started by a transfer. It now needs to be started manually after the failure has been investigated. All components and transfers trying to use a location which failed will also have their operation fail. [#3176]
- Locations are now auto-started in the correct state, emitting an event and not leaving them in a 'restart-required' state. [#3176]
- The file transfer services secured by TLS/SSL and using a CRL will now automatically stop and fail if the CRL cannot be updated at runtime. In previous versions a warning was raised but the file transfer service continued to operate with the previously loaded version of the CRL, resulting in insecure operation. [security] [#3216]
- The files already present on the source location for a transfer are now filtered based on the transfer configuration and processed only after they are stable. [#3223]
- The file dispatcher event handler now no longer enters an infinite loop by handling its own events. [#3261]
- No internal server error is now produced when failing to remove the remote file after the file was successfully transferred on the local machine. [client] [#3283]
- Starting the Local Manager or the documentation pages from the Windows Start menu or using the command line using the admin-commands manager command, now successfully opens the default browser. [local-manager] [#3295]
These are just the highlights of this release. For more details, including the full list of changes, please see the full release notes.
The DROWN Attack and SFTPPlus
Thu 03 March 2016 | security
SFTPPlus Server versions 1.6 and newer are not vulnerable to the DROWN attack.
SFTPPlus versions 3 and newer are also not vulnerable to it.
The DROWN attack targets server-side products, thus SFTPPlus client is not vulnerable to it.
SFTPPlus relies on OpenSSL for the SSL and TLS protocols used to implement FTPS and HTTPS. The Unix and Linux versions of SFTPPlus use the OpenSSL libraries provided by the operating system; the Windows versions use the OpenSSL libraries included with the product.
However, support for SSL version 2 was never available in SFTPPlus, so SFTPPlus users are not exposed to any vulnerability related to SSL v2. Moreover, SSL and TLS security contexts are always configured with NO_SSLv2, so even if you are running an OpenSSL version that still supports SSL v2, version 2 is explicitly denied in SFTPPlus.
The SFTP protocol is based on the SSH protocol and is not affected by SSL or TLS bugs.
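The notice above makes two distinct points: the linked OpenSSL may or may not be built with SSLv2 at all, and the application's own TLS context refuses it regardless. The following is an added example in Python, written for this article rather than taken from SFTPPlus, of how a service can apply and then audit that kind of fail-closed policy. It goes a step beyond the notice by also refusing SSLv3 and TLS 1.0/1.1 through a minimum-version floor; Python's `ssl.TLSVersion` has no SSLv2 member because modern OpenSSL omits it, so the library-level question is answered separately via `ssl.HAS_SSLv2`. The function and key names are this example's own.

```python
import ssl

# Legacy protocol versions a hardened FTPS/HTTPS-style service must refuse.
# SSLv2 is absent from ssl.TLSVersion: OpenSSL 1.1+ is built without it,
# and ssl.HAS_SSLv2 reports whether the linked library could speak it at all.
LEGACY_TLS = ("SSLv3", "TLSv1", "TLSv1_1")


def make_server_context(certfile=None, keyfile=None):
    """Server-side TLS context with an explicit floor of TLS 1.2.

    certfile/keyfile are optional so the policy can be inspected without
    key material; a real service always loads its chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_with_floor(version_name):
    """Build a context whose minimum version is named explicitly (for audits)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion[version_name]
    return ctx


def legacy_versions_allowed(ctx):
    """Names of legacy versions the context's floor would still negotiate."""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        # No explicit floor set: behaviour depends on library defaults, so
        # report every legacy version as potentially reachable.
        return list(LEGACY_TLS)
    return [name for name in LEGACY_TLS if ssl.TLSVersion[name] >= floor]


def sslv2_in_library():
    """True only if the linked OpenSSL was built with SSLv2 support."""
    return bool(ssl.HAS_SSLv2)


def audit(ctx):
    """Summarise the protocol-version posture of a context."""
    legacy = legacy_versions_allowed(ctx)
    return {
        "legacy_allowed": legacy,
        "sslv2_in_library": sslv2_in_library(),
        "hardened": not legacy,
    }


if __name__ == "__main__":
    print(audit(make_server_context()))
    print(audit(context_with_floor("TLSv1_1")))
```

The audit deliberately treats an unset floor as permissive: relying on whatever the platform OpenSSL happens to default to is exactly the situation the notice warns about, which is why the application pins the option itself.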