Infrastructure consolidation is a key trend nowadays, and just about every enterprise is doing it. This has turned simple server rooms into complex data centers, and managing them has become a key challenge. Allowing remote offices to access them raises security concerns as well. This has created a need for secure remote management solutions, and in this article we'll talk about one such solution, SSH Tectia client/server.

It provides end-to-end secure communication within a corporate network: secure system administration, secure application connectivity and secure file transfers. As the name suggests, the software uses Secure Shell (SecSh) technology. Secure Shell protects connections over untrusted networks such as the Internet by encrypting passwords and all other traffic, and it provides strong authentication of both the server and the user. It operates at the application layer of the TCP/IP protocol suite.
The SSH Tectia client/server solution is available for Unix, Linux, Windows and Solaris. It comes in three editions: A, F and T. SSH Tectia Server A is designed for secure system administration, letting administrators remotely administer application servers and other network resources over secure terminal and file transfer connections. Server F adds file transfer when used together with an SSH Tectia Client that has the A capabilities, and Server T adds application tunneling on top of everything in F and A.

For server-side authentication, SSH Tectia authenticates server hosts cryptographically. Each server has a key pair (a public key and a private key) that identifies it. Whenever a Secure Shell client connects, the server proves to the client that it holds the private key matching its public key. This ensures that encryption and integrity protection run end-to-end between the client and the intended server, and rules out man-in-the-middle attacks in which a third party impersonates the server.
For this to work, the client must already know the server's public key; otherwise it has nothing to check the server's proof against. The server's public key therefore has to be distributed to every client, preferably out of band before the first connection. If it is not, the client can only ask the user to accept whatever key the server presents on first contact, which gives no protection against an impostor at that moment, and any later change of a host's key must be treated as a warning sign rather than clicked through.

For user authentication, SSH Tectia offers several methods that can be combined or used separately, depending on the functionality and level of security you want. By default the client tries GSSAPI, public-key, keyboard-interactive and password authentication. Certificate authentication is handled as part of the public-key method. For secure file transfers there is the SSH Tectia file transfer client, an FTP-like application that works with any version of SSH Tectia Server.
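The check a client performs against the distributed key list, as an added example that is not Tectia's code: it parses the server's public-key blob in SSH wire format, computes a SHA-256 fingerprint, and compares the key with the one pinned for that host, refusing the connection on an unknown host or a changed key instead of prompting. The host names, the known-hosts line format and the toy RSA blobs are constructed for the example.

```python
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b


def parse_ssh_strings(blob: bytes) -> list:
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field in key blob")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field in key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def fingerprint_sha256(blob: bytes) -> str:
    """SHA-256 fingerprint in the OpenSSH style (base64, padding stripped)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_known_hosts(text: str) -> dict:
    """Parse 'hostname keytype base64-blob' lines into {hostname: (keytype, blob)}.
    Assumption: one key per host, no hashed names or marker fields."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        known[host] = (keytype, base64.b64decode(b64))
    return known


def verify_host_key(hostname: str, presented_type: str, presented_blob: bytes, known: dict):
    """Return (ok, detail). Reject, rather than prompt, when the host has no
    pinned key or the presented key differs from the pinned one."""
    fields = parse_ssh_strings(presented_blob)
    if not fields or fields[0] != presented_type.encode():
        return False, "key blob does not carry the declared key type"
    if hostname not in known:
        return False, f"no pinned key for {hostname}: refusing to trust on first use"
    pinned_type, pinned_blob = known[hostname]
    if (pinned_type, pinned_blob) != (presented_type, presented_blob):
        return False, (f"HOST KEY MISMATCH for {hostname}: pinned "
                       f"{fingerprint_sha256(pinned_blob)}, presented "
                       f"{fingerprint_sha256(presented_blob)}")
    return True, fingerprint_sha256(presented_blob)


# Constructed sample keys (not real server keys): an "ssh-rsa" blob is the
# type name, the exponent 65537 and the modulus; the moduli here are short
# placeholders, real ones are 256 bytes or more.
def make_rsa_blob(modulus: bytes) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)


GENUINE_BLOB = make_rsa_blob(bytes(range(1, 33)))
IMPOSTOR_BLOB = make_rsa_blob(bytes(range(33, 65)))

# The key list an administrator would push to every client (constructed).
KNOWN_HOSTS = "admin.example.com ssh-rsa " + base64.b64encode(GENUINE_BLOB).decode() + "\n"


def demo():
    known = load_known_hosts(KNOWN_HOSTS)
    return {
        "genuine": verify_host_key("admin.example.com", "ssh-rsa", GENUINE_BLOB, known),
        "impostor": verify_host_key("admin.example.com", "ssh-rsa", IMPOSTOR_BLOB, known),
        "unknown_host": verify_host_key("db.example.com", "ssh-rsa", GENUINE_BLOB, known),
        "type_mismatch": verify_host_key("admin.example.com", "ssh-dss", GENUINE_BLOB, known),
    }


if __name__ == "__main__":
    for case, (ok, detail) in demo().items():
        print(f"{case:14s} {'accept' if ok else 'REJECT'}  {detail}")
```

The point of the strict policy is the "impostor" case: the key is a well-formed ssh-rsa key and the host name is right, so only the pre-distributed list tells the client it is talking to the wrong machine.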
SSH Tectia uses many different kinds of authentication methods to ensure that it provides a secure connection
User application protection
SSH Tectia Connector is a companion application that protects user applications that use TCP as their transport protocol. Applications that start as a system service before the user logs on to the workstation, and applications that use UDP, cannot be secured with it. Connector is a transparent end-user client that tunnels client/server connections dynamically, without any need to reconfigure the tunneled applications. It starts automatically when the user logs on to a Windows workstation.
It works silently in the background, protecting network connections according to the configured security policies. Applications can also be protected with the static application tunneling feature of SSH Tectia Client: configure the application to connect to a local port on which the Client listens, and the Client tunnels that connection through the Secure Shell session to the specified remote host. Bind such local listeners to the loopback address only; a tunnel endpoint that listens on all interfaces lets any host on the LAN ride the tunnel under the user's credentials.
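What the static tunneling setup amounts to on the workstation side, as an added example that is not Tectia's code: a loopback listener relays whatever the application sends to the remote host and port. In the real product the relay's remote leg travels inside the Secure Shell session; this illustration uses a plain TCP relay and a constructed echo server standing in for the remote application, so it runs offline. Host addresses, ports and the payload are assumptions.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then signal EOF to dst's peer."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_tunnel(dst_host, dst_port, listen_host="127.0.0.1", listen_port=0):
    """Listen on listen_host:listen_port and relay every accepted connection to
    dst_host:dst_port. Returns (listening socket, bound port). The default
    listen_host is loopback on purpose: only processes on this workstation may
    enter the tunnel. listen_port=0 lets the OS pick a free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, listen_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                app_conn, _ = listener.accept()
            except OSError:
                return  # listener closed, stop accepting
            try:
                remote = socket.create_connection((dst_host, dst_port), timeout=5)
                remote.settimeout(None)  # connect timeout only; idle tunnels stay up
            except OSError:
                app_conn.close()  # remote side unreachable: drop this client
                continue
            threading.Thread(target=_pump, args=(app_conn, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, app_conn), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def _start_echo_server():
    """Constructed stand-in for the remote application server: echoes one
    connection's bytes back, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(payload=b"GET /status via the tunnel"):
    """Send the application's request through the local tunnel endpoint and
    return what came back from the remote side."""
    remote_port = _start_echo_server()
    listener, local_port = start_local_tunnel("127.0.0.1", remote_port)
    try:
        # The application is configured to talk to the local port, never to the remote host.
        with socket.create_connection(("127.0.0.1", local_port), timeout=5) as app:
            app.sendall(payload)
            app.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = app.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

Changing listen_host to "0.0.0.0" is the mistake the caveat above warns about: the relay would then accept connections from every host that can reach the workstation.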
You can install Tectia on a Windows Server 2003 box from this month's PCQEnterprise CD. After installation, run the SSH Tectia Configuration tool from the Programs menu.
Set the maximum number of connections to Tectia Server on the General tab. You can also enable FIPS mode (FIPS 140-2) by ticking that option; this restricts the cryptographic algorithms to those allowed by the FIPS-validated library. You also need to add the host keys (public and private) and certificates, which is done on the Identity page; you can generate your own 2048-bit DSA key pair from the same screen. Keep the private host key readable only by the server's service account, since anyone who copies it can impersonate the server to every client that trusts it. The
Next, configure the network interfaces. Use the Network tab and add as many interfaces as you want Tectia to listen on. If the server has only one network interface, you do not need to specify IP addresses here.
Connections and Encryption
To configure the connections and the encryption used on them, use the Connections and Encryption tab and create new connections. Here you add the interfaces (set up on the Network tab) to be used for each connection.
Also configure the ciphers and MACs that will be allowed on each connection. Here you will see something called the Rekey Interval: the number of seconds or transferred bytes after which the key exchange is repeated, so that fresh session keys replace the current ones. If both a seconds and a bytes value are given, rekeying happens when either limit is reached, whichever comes first. The defaults are 3600 seconds and 1 GB. Entering zero turns off server-initiated rekeying, but this does not stop the client from requesting rekeys. Leave the limits in place unless you have a specific reason not to: without rekeying, one set of session keys protects an unbounded amount of traffic for the life of the connection.
Select the ciphers and MACs you require on the Encryption tab, and leave out legacy algorithms rather than accepting everything a client may offer: the server's list restricts what can be negotiated, while the client's preference order decides which of the remaining algorithms is used.
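How the allowed lists and the Rekey Interval behave, as an added example that is not Tectia's code: negotiate() applies the Secure Shell rule (RFC 4253, section 7.1) that the server's list restricts and the client's preference order chooses, restrict() drops legacy algorithms from the server's list, and RekeyPolicy implements the seconds-or-bytes, whichever-first rule with 0 disabling a limit. The algorithm names and the reading of 1 GB as 1,000,000,000 bytes are assumptions for the illustration.

```python
# Algorithm names are illustrative (assumption); use the names your server
# build actually lists in the Encryption tab.
LEGACY_CIPHERS = {"des-cbc", "arcfour", "none"}
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "none"}


def negotiate(client_prefs, server_allowed):
    """Pick the first algorithm in the client's preference order that the
    server also allows: the server list restricts, the client order decides."""
    allowed = set(server_allowed)
    for alg in client_prefs:
        if alg in allowed:
            return alg
    raise ValueError(f"no common algorithm between client {client_prefs} and server {server_allowed}")


def restrict(server_list, legacy):
    """Drop legacy algorithms from the server's allow-list, keeping its order."""
    return [alg for alg in server_list if alg not in legacy]


class RekeyPolicy:
    """Decides when the key exchange must be repeated. seconds or max_bytes of 0
    disables that limit; with both 0 the server never initiates a rekey
    (the client may still ask for one)."""

    def __init__(self, seconds=3600, max_bytes=1_000_000_000):
        self.seconds = seconds
        self.max_bytes = max_bytes
        self.started_at = 0.0
        self.transferred = 0

    def start(self, now):
        """Call at connection start and after every completed key exchange."""
        self.started_at = now
        self.transferred = 0

    def account(self, nbytes):
        """Count bytes sent or received under the current session keys."""
        self.transferred += nbytes

    def due(self, now):
        by_time = self.seconds > 0 and now - self.started_at >= self.seconds
        by_bytes = self.max_bytes > 0 and self.transferred >= self.max_bytes
        return by_time or by_bytes


def demo():
    # Constructed lists: the client prefers a cipher the server does not offer,
    # and the server's raw list still contains a legacy cipher and MAC.
    client_ciphers = ["aes256-ctr", "aes128-cbc", "3des-cbc", "arcfour"]
    server_ciphers = restrict(["arcfour", "3des-cbc", "aes128-cbc"], LEGACY_CIPHERS)
    client_macs = ["hmac-md5", "hmac-sha1"]
    server_macs = restrict(["hmac-md5", "hmac-sha1"], LEGACY_MACS)
    cipher = negotiate(client_ciphers, server_ciphers)  # aes128-cbc
    mac = negotiate(client_macs, server_macs)           # hmac-sha1

    policy = RekeyPolicy(seconds=3600, max_bytes=1_000_000_000)
    policy.start(now=0)
    policy.account(600_000_000)
    before = policy.due(now=100)        # neither limit reached yet
    policy.account(400_000_000)
    after_bytes = policy.due(now=100)   # byte limit reached first
    policy.start(now=100)               # rekey completed, counters reset
    after_time = policy.due(now=100 + 3600)

    disabled = RekeyPolicy(seconds=0, max_bytes=0)
    disabled.start(now=0)
    disabled.account(10 ** 12)
    never = disabled.due(now=10 ** 9)   # zero means "no limit"
    return cipher, mac, before, after_bytes, after_time, never


if __name__ == "__main__":
    print(demo())
```

Note what the server cannot do: it can remove arcfour and hmac-md5 from consideration, but it cannot make the client use aes256-ctr if the server does not offer it, and it cannot force the client's ordering.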
New authentication rules can be added here, and each rule has two sub-pages. On the Selectors tab, add the interfaces to which the rule applies and state whether authentication is allowed or denied. On the Parameters tab, configure the settings for the rule, choosing between password, public-key and host-based authentication.
Once the server is configured, you will have to configure the client in a similar
To start using the SSH Tectia Server, open the SSH Tectia Client and click the Quick Connect button. Enter the hostname, username and the port on which the Tectia server is listening, then click Connect. The first connection to a host is the moment to compare the server's host key fingerprint against the one the administrator distributed before accepting it. If you have created a profile, just select it from the profile menu and it will connect you to the server automatically. Similarly, use the SSH Tectia file transfer client to transfer files securely.