CAIL Security Facility NSK Host to Host FTP Encryption
CAIL Security Update

NSK Host to Host FTP Encryption

Overview

CAIL Security capabilities have been extended to include native NSK Host to Host encrypted FTP sessions.

CAIL FTP Host Proxy software provides secure FTP operation for NSK-NSK file transfers. On the server side the CAIL FTP Host Proxy software operates by placing an FTP server proxy in front of the NSK FTP server. On the client side CAIL software operates by placing an FTP client proxy after the FTP client. Users continue to use their normal NSK FTP clients. While this document is focused on NSK to NSK FTP encryption, the same server side proxy can also handle encryption of FTP sessions from a PC client running CAIL FTP Proxy software.

In conjunction with CAIL secure session capabilities, CAIL FTP Proxy provides strong encryption including DES-40, DES-56, DES-168, CAIL4-128, AES-128, and AES-192. For fast connection times a fixed key can be used. As an option, the Diffie-Hellman key exchange technology can be utilized for more secure communications.


Installing CAIL FTP Proxy (Host to Host)

CAIL FTP Proxy software contains the following files:

CAILFTPHProxy.zip

Pick a drive that you want to use for CAILFTPHProxy. Use WinZip to extract CAILFTPHProxy.zip into the root directory on that drive. Any subdirectories will be created automatically. Note that for this document we assume the file was unzipped to the root of the “C” drive.

After unzipping you should have the following subdirectories under CAILFTPHProxy:

tandem

The tandem subdirectory contains the NSK Host components for CAILFTPHProxy. There will be eight files in this subdirectory:

pcftppx     Server encryption/decryption program
pcptpxh     Server Diffie-Hellman module
pcftppxl    license file
pcftpcl     Client encryption/decryption program
pcftpclh    Client Diffie-Hellman module
StrtFTPS    Server sample obey file
StrtFTPC    Client sample obey file
alterfil    obey file to fup alter other files

All files that start with “pc” above must be uploaded as binary files to the NSK host. The other three files must be uploaded in text mode. All files should end up in the same subvolume.

After transferring all files, OBEY the file “alterfil” to change the file code for required files to 700.

Since the intent is to secure FTP connections between two NSK Hosts, repeat the above procedure on the second NSK Host. If there are more than two NSK Hosts to be secured, repeat the above for all Hosts.


Running the Server Proxy Component of CAIL FTP Proxy

To run the Server Proxy component of CAILFTPHProxy, edit the file “StrtFTPS” with Tedit or Edit. The file explains itself, but essentially you must change:

1) The “KEYSEED” so that it matches the “KEYSEED” specified in the Client Proxy obey file, if a KEYSEED is specified at all.

2) The “METHOD” (encryption strength), to match the “Method” specified in the Client Proxy obey file.

3) The “PROXYIPADDRESS” to the IP address of this host. This is the address that the Server Proxy listens on for incoming connections.

4) The “PROXYIPPORT” if the default port (5021) is already in use by another process. This is the port that the Server Proxy listens on for incoming connections from the Client Proxy, so it must match the RELAYIPPORT specified in the Client Proxy obey file.

5) The “RELAYIPADDRESS” to “localhost” or 127.0.0.1. This will be the address of the NSK FTP server on this host.

6) The “RELAYIPPORT” to the port your NSK’s FTP server listens for connections on, if it is not the default 21.

7) If your TCPIP process is named something other than $ZTC0, then you must add a “PARAM TCPIPPROCESS processname” to the file before the RUN command.

8) The path to the main executable “PCFTPPX” in the “run” command, to match where you have placed it on the NSK host.

Now OBEY “StrtFTPS” to get the NSK proxy up and running. You may want to do a “Status $FTPS” to verify that it is up. If it isn’t, please call CAIL for support.

The NSK Server Proxy component of CAILFTPHProxy recognizes the following params:

KEYSEED <string> where <string> is used to create a key for enciphered sessions. Default is a string of nulls.

LOGMASK %nnnnnn where nnnnnn controls the types of messages that are logged:

   Bit 0 (%100000) on logs fatal messages.
   Bit 1 (%040000) on logs warning messages.
   Bit 2 (%020000) on logs informational messages.


METHOD <method> where <method> specifies the encryption method:

   DYNAMIC        use PC configured encryption method
   DES-40         40 bit DES/OFB
   DES-56         56 bit DES/OFB
   DES-168        triple DES/OFB
   DES-40-DH      40 bit DES/OFB with DH512 key exchange
   DES-56-DH      56 bit DES/OFB with DH512 key exchange
   DES-168-DH     168 bit DES/OFB with DH512 key exchange
   CAIL4-128      128 bit CAIL4/OFB
   CAIL4-128-DH   128 bit CAIL4/OFB with DH512 key exchange
   AES-128        128 bit AES/OFB
   AES-128-DH     128 bit AES/OFB with DH512 key exchange
   AES-192        192 bit AES/OFB
   AES-192-DH     192 bit AES/OFB with DH512 key exchange

PROXYIPADDRESS <TCPIP address> identifies the IP address on which this proxy will accept connections from the remote Client Proxy. Default is 0.0.0.0.

PROXYIPPORT <TCPIP port> identifies the port number on which this proxy will accept connections from the remote Client Proxy. Default is 5021.

RELAYIPADDRESS <TCPIP address> identifies the IP address to which this proxy will forward clear text. Default is 127.0.0.1. This is the address of the NSK FTP server.

RELAYIPPORT <TCPIP port> identifies the port number to which this proxy will forward clear text. Default is 21. This is the port on which the NSK FTP server accepts connections.

TCPIPPROCESS <process name> identifies the process name of the TCP/IP process. Default is $ZTC0.

TRACE [ ON | OFF ] - where ON specifies that tracing is in effect. Default is off.

The NSK Server Proxy component of CAILFTPHProxy recognizes the following assigns:

LOGFILE <NSK file name> identifies the physical file used for logging diagnostic information.

TRACEFILE <NSK file name> identifies the physical file used for tracing all program i/o.


Running the Client Proxy Component of CAIL FTP Proxy

To run the Client Proxy component of CAIL FTP Proxy, edit the file “StrtFTPC” with Tedit or Edit. The file explains itself, but essentially you must change:

1) The “KEYSEED” so that it matches the “KEYSEED” specified in the Server Proxy obey file, if a KEYSEED is specified at all.

2) The “METHOD” (encryption strength), to match the “Method” specified in the Server Proxy obey file.

3) The PROXYIPADDRESS which is the address on which the Client Proxy will accept connections from the NSK FTP client. Default is 0.0.0.0. This would normally be “localhost”, or 127.0.0.1.

4) The “PROXYIPPORT” if the default port (6021) is already in use by another process. This is the port that the Client Proxy listens on for incoming connections from the NSK FTP client.

5) The RELAYIPADDRESS to the IP address of the NSK server running the Server Proxy. No default.

6) The “RELAYIPPORT” to match the PROXYIPPORT specified in the Server Proxy obey file. Default is 5021.

7) If your TCPIP process is named something other than $ZTC0, then you must add a “PARAM TCPIPPROCESS processname” to the file before the RUN command.

8) The path to the main executable “PCFTPCL” in the “run” command, to match where you have placed it on the NSK host.

Now OBEY “StrtFTPC” to get the NSK Client Proxy up and running. You may want to do a “Status $FTPC” to verify that it is up. If it isn’t, please call CAIL for support.

The Tandem Client Proxy component of CAIL FTP Proxy recognizes the following params:

KEYSEED <string> where <string> is used to create a key for enciphered sessions. Default is a string of nulls.

LOGMASK %nnnnnn where nnnnnn controls the types of messages that are logged:

   Bit 0 (%100000) on logs fatal messages.
   Bit 1 (%040000) on logs warning messages.
   Bit 2 (%020000) on logs informational messages.


METHOD <method> where <method> specifies the encryption method:

   DES-40         -> 40 bit DES/OFB
   DES-56         -> 56 bit DES/OFB
   DES-168        -> triple DES/OFB
   DES-40-DH      -> 40 bit DES/OFB with DH512 key exchange
   DES-56-DH      -> 56 bit DES/OFB with DH512 key exchange
   DES-168-DH     -> 168 bit DES/OFB with DH512 key exchange
   CAIL4-128      -> 128 bit CAIL4/OFB
   CAIL4-128-DH   -> 128 bit CAIL4/OFB with DH512 key exchange
   AES-128        -> 128 bit AES/OFB
   AES-128-DH     -> 128 bit AES/OFB with DH512 key exchange
   AES-192        -> 192 bit AES/OFB
   AES-192-DH     -> 192 bit AES/OFB with DH512 key exchange

PROXYIPADDRESS <TCPIP address> identifies the IP address on which the Client Proxy will accept connections from the local NSK FTP client. Default is 0.0.0.0. This would normally be “localhost”, or 127.0.0.1.

PROXYIPPORT <TCPIP port> identifies the port number on which the Client Proxy will accept connections from the local NSK FTP client. Default is 6021. If no FTP server is running on this system you can use port 21 which is what FTP clients will use by default.

RELAYIPADDRESS <TCPIP address> identifies the IP address to which the Client Proxy will forward encrypted data. This is the address of the remote FTP Server Proxy.

RELAYIPPORT <TCPIP port> identifies the port number to which the Client Proxy will forward encrypted data. Default is 5021. This is the port on which the remote FTP Server Proxy is accepting connections.

TCPIPPROCESS <process name> identifies the process name of the TCP/IP process. Default is $ZTC0.

TRACE [ ON | OFF ] - where ON specifies that tracing is in effect. Default is off.

The NSK Client Proxy component of CAIL FTP Proxy recognizes the following assigns:

LOGFILE <NSK file name> identifies the physical file used for logging diagnostic information.

TRACEFILE <NSK file name> identifies the physical file used for tracing all program i/o.
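The Server Proxy and Client Proxy obey files above have to agree on several values (KEYSEED, METHOD, and the client's RELAYIPADDRESS/RELAYIPPORT against the server's PROXYIPADDRESS/PROXYIPPORT). The following script is an added example, not CAIL's code, that renders a matched StrtFTPS/StrtFTPC pair from the PARAMs and ASSIGNs this document lists, builds the LOGMASK value from the octal bit layout given above, and checks the two files against each other before they are OBEYed. The $DATA.CAIL subvolume, the log file names and the RUN options (NAME, NOWAIT, TERM) are assumed illustrative TACL and are not taken from the document.

```python
"""Render and cross-check a CAIL FTP Proxy server/client obey-file pair.

Added example, not CAIL's own code. PARAM and ASSIGN names and defaults follow
the document; the subvolume, log file names and RUN options are assumptions.
"""

# LOGMASK bits as the document lists them. Tandem numbers bit 0 as the most
# significant bit of the 16-bit word, and the obey file writes the mask in octal.
LOG_FATAL, LOG_WARNING, LOG_INFO = 0o100000, 0o040000, 0o020000


def logmask(fatal=True, warning=True, info=False):
    """Return the LOGMASK value in the %nnnnnn form the proxies expect."""
    mask = 0
    if fatal:
        mask |= LOG_FATAL
    if warning:
        mask |= LOG_WARNING
    if info:
        mask |= LOG_INFO
    return "%" + format(mask, "06o")


def _obey(comment, params, logfile, program, process, subvol, tcpip):
    """Assemble one obey file: PARAMs, optional TCPIPPROCESS, ASSIGN LOGFILE, RUN."""
    lines = [f"COMMENT {comment}"]
    lines += [f"PARAM {name} {value}" for name, value in params]
    if tcpip != "$ZTC0":  # the document: only needed when the TCP/IP process is not $ZTC0
        lines.append(f"PARAM TCPIPPROCESS {tcpip}")
    lines.append(f"ASSIGN LOGFILE, {subvol}.{logfile}")
    # Assumed RUN options for a typical NOWAIT server start; adjust to the site's standard.
    lines.append(f"RUN {subvol}.{program} /NAME {process}, NOWAIT, TERM $ZHOME/")
    return "\n".join(lines) + "\n"


def server_obey(host_ip, keyseed, method, proxy_port=5021, relay_ip="127.0.0.1",
                relay_port=21, tcpip="$ZTC0", subvol="$DATA.CAIL"):
    """StrtFTPS equivalent: listen on this host's IP, relay clear text to the local FTP server."""
    params = [("KEYSEED", keyseed), ("METHOD", method), ("LOGMASK", logmask()),
              ("PROXYIPADDRESS", host_ip), ("PROXYIPPORT", proxy_port),
              ("RELAYIPADDRESS", relay_ip), ("RELAYIPPORT", relay_port)]
    return _obey("StrtFTPS (generated)", params, "FTPSLOG", "PCFTPPX", "$FTPS", subvol, tcpip)


def client_obey(server_ip, keyseed, method, proxy_port=6021, relay_port=5021,
                tcpip="$ZTC0", subvol="$DATA.CAIL"):
    """StrtFTPC equivalent: listen on localhost for the NSK FTP client, relay to the Server Proxy."""
    params = [("KEYSEED", keyseed), ("METHOD", method), ("LOGMASK", logmask()),
              ("PROXYIPADDRESS", "127.0.0.1"), ("PROXYIPPORT", proxy_port),
              ("RELAYIPADDRESS", server_ip), ("RELAYIPPORT", relay_port)]
    return _obey("StrtFTPC (generated)", params, "FTPCLOG", "PCFTPCL", "$FTPC", subvol, tcpip)


def params_of(obey_text):
    """Collect PARAM name/value pairs from an obey file, generated or hand-edited."""
    found = {}
    for line in obey_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].upper() == "PARAM":
            found[parts[1].upper()] = parts[2].strip()
    return found


def check_pair(server_text, client_text):
    """Return the cross-side mismatches the document's steps call out; [] means the pair agrees."""
    s, c = params_of(server_text), params_of(client_text)
    problems = []
    for name in ("KEYSEED", "METHOD"):
        if s.get(name) != c.get(name):
            problems.append(f"{name} differs: server={s.get(name)!r} client={c.get(name)!r}")
    if c.get("RELAYIPPORT", "5021") != s.get("PROXYIPPORT", "5021"):
        problems.append("client RELAYIPPORT must equal server PROXYIPPORT")
    if not c.get("RELAYIPADDRESS"):
        problems.append("client RELAYIPADDRESS has no default and must be set")
    elif s.get("PROXYIPADDRESS", "0.0.0.0") != "0.0.0.0" and c["RELAYIPADDRESS"] != s["PROXYIPADDRESS"]:
        problems.append("client RELAYIPADDRESS must be the address the Server Proxy listens on")
    return problems


if __name__ == "__main__":
    srv = server_obey("10.1.1.5", "seed-shared-by-both-sides", "AES-192-DH")  # constructed values
    cli = client_obey("10.1.1.5", "seed-shared-by-both-sides", "AES-192-DH")
    print(srv, cli, sep="\n")
    print("mismatches:", check_pair(srv, cli))
```

Because the session key is derived from the KEYSEED written into both obey files, the NSK file security on StrtFTPS and StrtFTPC should be as restrictive as for any other credential file, and the -DH methods listed above are the option the document offers when a fixed key is not acceptable.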


Running the NSK CAIL FTP Client

If you have installed with the port numbers used in the obey files, follow these steps to connect to the remote system via the secure CAIL FTP Proxy software. If you have used different port numbers, substitute them below:

1) Connect to the NSK Host running the Client Proxy with any terminal emulator, (preferably CAIL CTT/Suite)

2) Open an FTP session as follows: ftp 127.0.0.1 6021 – this should connect you to the local Client Proxy first, which will then encrypt everything and then forward it on to the Server Proxy on the remote NSK Host.

3) Log in and do any transfers as you normally would.

Securing Multiple NSK Hosts

To secure multiple NSK Hosts so that you can initiate transfers from any Host to any Host, you will have to run both the Server Proxy and the Client Proxy on all NSK Hosts. If we take an example of a site with 4 NSK Hosts, then you would have to run 3 instances of the Server Proxy, and 3 instances of the Client Proxy on each host.

The Client Proxies will all listen on “localhost”, or 127.0.0.1 on all Hosts, and each must listen on a unique port number for incoming connections from the local NSK FTP clients. The Server Proxies would listen on their respective IP addresses on all hosts, and must listen on a unique port number for incoming connections from the Client Proxies. To connect to the desired Host you would start the NSK FTP client and connect to localhost using the port number for the desired NSK Host.
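Working out the matching ports by hand for a mesh of hosts is where mistakes creep in, so the following is an added example, not CAIL's code, that generalizes the 4-host layout above to any number of hosts. It assigns each host one Client Proxy and one Server Proxy instance per remote host, with unique listen ports per host as the text requires, and verifies that every Client Proxy relays to a Server Proxy that is actually listening on the address and port it points at. The port and process-name conventions are assumptions for the example: the Client Proxy on each host that reaches target index j listens on 6021 + j, and the Server Proxy on each host that accepts from source index i listens on 5021 + i, starting from the document's default ports.

```python
"""Plan and verify a full mesh of CAIL FTP Proxy instances across NSK hosts.

Added example, not CAIL's own code. Port bases are the document's defaults;
the per-index port offsets and $FTPSn/$FTPCn process names are assumed conventions.
"""

CLIENT_BASE, SERVER_BASE = 6021, 5021  # the document's default Client/Server Proxy ports


def plan_mesh(hosts):
    """hosts: dict name -> IP (insertion order gives each host its index).

    Returns one dict per proxy instance with the PARAM values to put in its obey file.
    Every host gets N-1 Client Proxies and N-1 Server Proxies, as the document states for N=4.
    """
    names = list(hosts)
    index = {name: i for i, name in enumerate(names)}
    plan = []
    for here in names:
        for there in names:
            if there == here:
                continue
            # Client Proxy on `here` that the local NSK FTP client uses to reach `there`.
            plan.append({
                "role": "client", "host": here, "peer": there,
                "process": f"$FTPC{index[there]}",          # assumed naming convention
                "PROXYIPADDRESS": "127.0.0.1",             # listens on localhost per the document
                "PROXYIPPORT": CLIENT_BASE + index[there],
                "RELAYIPADDRESS": hosts[there],
                "RELAYIPPORT": SERVER_BASE + index[here],   # the Server Proxy on `there` dedicated to us
            })
            # Server Proxy on `here` that accepts from the Client Proxy on `there`.
            plan.append({
                "role": "server", "host": here, "peer": there,
                "process": f"$FTPS{index[there]}",
                "PROXYIPADDRESS": hosts[here],              # listens on the host's own IP
                "PROXYIPPORT": SERVER_BASE + index[there],
                "RELAYIPADDRESS": "127.0.0.1",             # clear text goes to the local FTP server
                "RELAYIPPORT": 21,
            })
    return plan


def verify_plan(plan):
    """Return problems found: a listen port used twice on one host, or a client with no matching server."""
    problems = []
    seen = set()
    for inst in plan:
        key = (inst["host"], inst["PROXYIPPORT"])
        if key in seen:
            problems.append(f"{inst['host']}: listen port {inst['PROXYIPPORT']} used twice")
        seen.add(key)
    servers = {(i["host"], i["PROXYIPADDRESS"], i["PROXYIPPORT"]): i
               for i in plan if i["role"] == "server"}
    for c in (i for i in plan if i["role"] == "client"):
        target = servers.get((c["peer"], c["RELAYIPADDRESS"], c["RELAYIPPORT"]))
        if target is None or target["peer"] != c["host"]:
            problems.append(f"{c['host']} -> {c['peer']}: no Server Proxy for this client "
                            f"listening on {c['RELAYIPADDRESS']}:{c['RELAYIPPORT']}")
    return problems


def ftp_command(plan, here, there):
    """The command a user on `here` types to reach `there` (the document's 'ftp 127.0.0.1 <port>')."""
    for inst in plan:
        if inst["role"] == "client" and inst["host"] == here and inst["peer"] == there:
            return f"ftp 127.0.0.1 {inst['PROXYIPPORT']}"
    raise KeyError(f"no Client Proxy on {here} for {there}")


def instances_per_host(plan, host):
    """(server count, client count) on one host."""
    roles = [i["role"] for i in plan if i["host"] == host]
    return roles.count("server"), roles.count("client")


if __name__ == "__main__":
    # Constructed sample site: four NSK hosts, as in the document's example.
    site = {"NSKA": "10.0.0.1", "NSKB": "10.0.0.2", "NSKC": "10.0.0.3", "NSKD": "10.0.0.4"}
    mesh = plan_mesh(site)
    for inst in mesh:
        print(inst)
    print("problems:", verify_plan(mesh))
    print("from NSKA to NSKC:", ftp_command(mesh, "NSKA", "NSKC"))
```

Each entry in the plan maps directly onto the PARAM lines of one StrtFTPS or StrtFTPC file, so the plan can be regenerated and re-verified whenever a host is added rather than re-checking every port pairing by hand.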
