Secure Communication through SSH

Remote Installation of PCQLinux 2006

Monitor your IT Infrastructure

Security Realms in Tomcat

A Web Interface for qmail

Infrastructure consolidation is a key trend nowadays, and just about every enterprise is doing it. This has turned simple server rooms into complex data centers. Managing them therefore has become a key challenge. Plus, in allowing your remote offices to access them raises security concerns. This has created a need for secure remote management solutions, and in this article, we'll talk about one such solution called SSH Tectia client/server. It provides end-to-end secure communication within a corporate network. You can have secure system administration, secure application connectivity and secure file transfers. As the name suggests, the software uses Secure Shell (SecSh) technology to provide secure communication. Secure Shell secures connections over the Internet by encrypting passwords and other data. It provides strong authentication and secure communications over unsecured networks (like the Internet). It provides security at the application layer of the TCP/IP protocol stack.

Direct Hit!
Applies to: IT Managers
USP: Configure Tectia on your LAN for secure, remote server administration
Links: http://www.ssh.com/ 
Google keywords: SSH secure communication
On the PCQEnterprise CD: \\IT Mgmt\\Tectia.zip

Version overview
The SSH Tectia client/server solution is available for Unix, Linux, Windows and Solaris. It comes in three versions-A, F,  and T. SSH Tectia Server (A) is designed for secure system administration, enabling system administrators to remotely administer application servers and other network resources using secure terminal and file transfer connections. Server F version provides file transfers when used in conjunction with SSH Tectia Client with version A capabilities. And the T version provides Application tunneling and includes all features of F and A. In server side authentication, SSH Tectia uses cryptographic authentication for server hosts. Each server has a cryptographic key pair (a public key and a private key) that identifies the server. Whenever a Secure Shell client connects to a Secure Shell server, the server authenticates itself to the client cryptographically. This ensures that encryption and integrity protection are provided end-to-end between the client and the intended server, and eliminates the possibility to perform certain types of attacks.

Authentication
In order for the cryptographic authentication to work, the client must know the server's public key so that it can securely authenticate the server. The public key of the server has to be distributed to each client. For user authentication SSH Tectia has different types of methods. These authentication methods can be combined or used separately, depending on the level of functionality and security you want. User authentication methods used by the client by default are GSSAPI, public-key, keyboard-interactive, and password authentication. Public-key and certificate authentication are combined into the public-key authentication method. To provide secure file transfers, it has a SSH Tectia file transfer client which is a FTP look like application. It can work with any versions of SSH tectia Server.

SSH Tectia uses many different kinds of authentication methods to ensure that it provides a secure connection

User application protection
It also has an application called SSH Tectia Connector, which can be used to protect user applications that use TCP as the transport protocol. However, applications that start as a system service before the user is logged on to the workstation or those that use UDP cannot be secured with SSH Tectia Connector. SSH Tectia Connector is a transparent end-user client that provides dynamic tunneling of client/server connections witho ut the need to re-configure the tunneled applications. It starts automatically when the user logs on to a Windows workstation.

It works silently in the background, protecting network connections according to the security policies. It can also be used for application protection using its static application tunneling features. All that's required is to configure the application to connect to a local port running SSH Tectia Client, and then the Client can be used to tunnel the application to a specified remote host.

Setup
You can install Tectia on a Windows Server 2003 box from this month's PCQEnterprise CD. After installation, run the SSH Tectia Configuration tool from the Programs menu.

Cryptographic keys
Configure the maximum number of connections to Tectia Server from the General tab. You can additionally enable the FIPS mode (FIPS 140-2) by checking that option. You also need to add the host keys (public and private) and certificates. Do this from the Identity page. You can also generate your own 2048 bit DSA key pairs from the same screen. The default keys provided with Tectia are located in the installation directory (C:\\Program Files\\SSHCommunications Security\\SSHTectia\\SSH Tectia Server).

Network interfaces
Now we need to configure the network interfaces. Use the Network tab for this and add as many interfaces as you want Tectia to listen on. If you have only one Network interface in your server, you do not need to specify the IP addresses here.

Connections and Encryption
To configure the connections and encryption used in these connections, use the Connections and Encryption tab and create new connections. Here, you can add the interfaces to be used for the connection (setup from the Network tab).

Also configure the ciphers and MACs that will be allowed for each connection. Here you will see something called 'Rkey Interval' which is the number of seconds or transferred bytes after which the key exchange will be done again. If values for both seconds and bytes are specified, rekeying is done whenever one of the values is reached (first one to be reached). You can customize this value, by default is 3600 seconds and 1 GB.

If you want to turn off the Rekey requests just enter a zero as the value. But this will not prevent the client from requesting rekeys.  Select the ciphers and MACs from the Encryption tab as you require.

Authentication rules
New authentication rules can be added. There are two sub-pages for this to be setup. You can use the Selectors tab to add the interfaces for which rules are being created. You must define here if authentication is allowed or denied. Next, use the parameters tab to configure the settings for each rule. There is a choice between using password authentication or public-key authentication or host-based authentication.

The client
Once the server is configured, you will have to configure the client in a similar fashion. On the client you can create multiple profiles for different servers if you are using different method of authentication for every server.

To start using the SSH Tectia Server, open the SSH Tectia Client, and click on the Quick Connect button. Provide the hostname, username and the port number where the

Tectia server is running and click on Connect. Or if you have created a profile, just click on that profile from the profile menu and it will automatically connect you to the server. Similarly, you can use the File Transfer SSH Tectia Client to transfer files in a secure way.

Swapnil Arora

  • Follow PCQuest on
  • become a fan on
  • Stay updated via
  • RSS

LEAVE A REPLY

Notify me of follow-up comments via e-mail address

Post Comment

Survey Box

Now that Microsoft has finally discontinued support for Windows XP, which OS are you likely to upgrade to?

Send this article by email

X