Infrastructure consolidation is a key trend nowadays, and
just about every enterprise is doing it. This has turned simple server rooms
into complex data centers. Managing them therefore has become a key challenge.
Plus, allowing your remote offices to access them raises security concerns.
This has created a need for secure remote management solutions, and in this
article, we'll talk about one such solution called SSH Tectia client/server.
It provides end-to-end secure communication within a corporate network. You can
have secure system administration, secure application connectivity and secure
file transfers. As the name suggests, the software uses Secure Shell (SecSh)
technology to provide secure communication. Secure Shell secures connections
over the Internet by encrypting passwords and other data. It provides strong
authentication and secure communications over unsecured networks (like the
Internet). It provides security at the application layer of the TCP/IP protocol
stack.
Version overview
The SSH Tectia client/server solution is available for Unix, Linux, Windows
and Solaris. It comes in three versions: A, F, and T. SSH Tectia Server
(A) is designed for secure system administration, enabling system administrators
to remotely administer application servers and other network resources using
secure terminal and file transfer connections. Server F version provides file
transfers when used in conjunction with SSH Tectia Client with version A
capabilities. And the T version provides Application tunneling and includes all
features of F and A. In server side authentication, SSH Tectia uses
cryptographic authentication for server hosts. Each server has a cryptographic
key pair (a public key and a private key) that identifies the server. Whenever a
Secure Shell client connects to a Secure Shell server, the server authenticates
itself to the client cryptographically. This ensures that encryption and
integrity protection are provided end-to-end between the client and the intended
server, and eliminates the possibility to perform certain types of attacks.
Authentication
In order for the cryptographic authentication to work, the client must know
the server's public key so that it can securely authenticate the server. The
public key of the server has to be distributed to each client. For user
authentication SSH Tectia has different types of methods. These authentication
methods can be combined or used separately, depending on the level of
functionality and security you want. User authentication methods used by the
client by default are GSSAPI, public-key, keyboard-interactive, and password
authentication. Public-key and certificate authentication are combined into the
public-key authentication method. To provide secure file transfers, it has an SSH
Tectia file transfer client, which is an FTP-like application. It works
with any version of SSH Tectia Server.
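The server-side check described above (the client must already hold the server's public key to authenticate it) as an added example, not code from SSH Tectia: a small known-hosts store with constructed ed25519 key blobs, an OpenSSH-style SHA256 fingerprint helper, and a check that refuses a server whose key does not match the distributed one.

```python
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample keys (not real Tectia keys). An ed25519 public key blob is
# string("ssh-ed25519") + string(32 raw key bytes) in SSH wire format.
GOOD_KEY_B64 = base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
ROGUE_KEY_B64 = base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()

# Constructed known-hosts style store holding the key distributed to this client.
KNOWN_HOSTS = f"""
# host keytype base64-key
tectia.example.com ssh-ed25519 {GOOD_KEY_B64}
"""


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host -> (keytype, base64 key); blank lines and comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        table[host] = (keytype, b64)
    return table


def check_server_key(known: dict, host: str, keytype: str, b64_key: str) -> str:
    """'ok' if the presented key is the pinned one, 'unknown' if the host was never
    distributed to this client, 'mismatch' if the key differs (connection must be refused)."""
    entry = known.get(host)
    if entry is None:
        return "unknown"
    return "ok" if entry == (keytype, b64_key) else "mismatch"
```

An "unknown" result means the server's key has not yet been distributed to this client and should be confirmed out of band; a "mismatch" is the case the cryptographic host authentication exists to catch.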
SSH Tectia uses many different kinds of authentication methods to ensure that it provides a secure connection
User application protection
It also has an application called SSH Tectia Connector, which can be used to
protect user applications that use TCP as the transport protocol. However,
applications that start as a system service before the user is logged on to the
workstation or those that use UDP cannot be secured with SSH Tectia Connector.
SSH Tectia Connector is a transparent end-user client that provides dynamic
tunneling of client/server connections without the need to re-configure the
tunneled applications. It starts automatically when the user logs on to a
Windows workstation.
It works silently in the background, protecting network
connections according to the security policies. It can also be used for
application protection using its static application tunneling features. All
that's required is to configure the application to connect to a local port
running SSH Tectia Client, and then the Client can be used to tunnel the
application to a specified remote host.
Setup
You can install Tectia on a Windows Server 2003 box from this month's
PCQEnterprise CD. After installation, run the SSH Tectia Configuration tool from
the Programs menu.
Cryptographic keys
Configure the maximum number of connections to Tectia Server from the
General tab. You can additionally enable the FIPS mode (FIPS 140-2) by checking
that option. You also need to add the host keys (public and private) and
certificates. Do this from the Identity page. You can also generate your own
2048 bit DSA key pairs from the same screen. The
default keys provided with Tectia are located in the installation directory
(C:\Program Files\SSHCommunications Security\SSHTectia\SSH Tectia Server).
Network interfaces
Now we need to configure the network interfaces. Use the Network tab for
this and add as many interfaces as you want Tectia to listen on. If you have
only one Network interface in your server, you do not need to specify the IP
addresses here.
Connections and Encryption
To configure the connections and encryption used in these connections, use
the Connections and Encryption tab and create new connections. Here, you can add
the interfaces to be used for the connection (setup from the Network tab).
Also configure the ciphers and MACs that will be allowed
for each connection. Here you will see something called 'Rekey Interval',
which is the number of seconds or transferred bytes after which the key exchange
will be done again. If values for both seconds and bytes are specified, rekeying
is done whenever one of the values is reached (whichever comes first). You can
customize this value; by default it is 3600 seconds and 1 GB.
If you want to turn off the rekey requests, just enter a
zero as the value. But this will not prevent the client from requesting rekeys.
Select the ciphers and MACs from the Encryption tab as you require.
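An added example (not SSH Tectia code) of the Rekey Interval semantics just described: a session tracker that rekeys when either the time limit or the byte limit is reached first, treats a value of 0 as disabling that limit for server-initiated rekeys, and still honours a client-requested rekey. The defaults mirror the documented 3600 seconds and 1 GB.

```python
class RekeyTracker:
    """Tracks one session's traffic and decides when a rekey is due.

    seconds / max_bytes mirror the Rekey Interval setting: a server-initiated
    rekey happens when either limit is reached; 0 disables that limit.
    """

    def __init__(self, seconds: int = 3600, max_bytes: int = 1024 ** 3):
        self.seconds = seconds
        self.max_bytes = max_bytes
        self.elapsed = 0        # seconds since the last key exchange
        self.transferred = 0    # bytes since the last key exchange
        self.rekeys = 0         # number of key exchanges performed

    def server_wants_rekey(self) -> bool:
        """True when a configured (non-zero) limit has been reached."""
        by_time = self.seconds > 0 and self.elapsed >= self.seconds
        by_bytes = self.max_bytes > 0 and self.transferred >= self.max_bytes
        return by_time or by_bytes

    def step(self, seconds: int = 0, nbytes: int = 0,
             client_requested: bool = False) -> bool:
        """Account for elapsed time and traffic, then rekey if due.

        A client request is always honoured: setting the interval to 0 only
        stops the server from initiating rekeys. Returns True if a rekey happened.
        """
        self.elapsed += seconds
        self.transferred += nbytes
        if client_requested or self.server_wants_rekey():
            self.elapsed = 0
            self.transferred = 0
            self.rekeys += 1
            return True
        return False
```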
Authentication rules
New authentication rules can be added. There are two sub-pages for this to
be setup. You can use the Selectors tab to add the interfaces for which rules
are being created. You must define here if authentication is allowed or denied.
Next, use the parameters tab to configure the settings for each rule. There is a
choice between using password authentication or public-key authentication or
host-based authentication.
The client
Once the server is configured, you will have to configure the client in a
similar fashion. On the client you can create multiple profiles for different
servers if you are using different methods of authentication for every server.
To start using the SSH Tectia Server, open the SSH Tectia
Client, and click on the Quick Connect button. Provide the hostname, username
and the port number where the
Tectia server is running and click on Connect. Or if you
have created a profile, just click on that profile from the profile menu and it
will automatically connect you to the server. Similarly, you can use the File
Transfer SSH Tectia Client to transfer files in a secure way.
Swapnil Arora