CAIL Security Facility
NSK Host to Host FTP
CAIL Security Update
NSK Host to Host FTP Encryption
Overview
CAIL Security capabilities have been extended to include native NSK Host to Host encrypted FTP sessions.
CAIL FTP Host Proxy software provides secure FTP operation for NSK-NSK file transfers. On the server side the CAIL FTP Host Proxy software operates by placing an FTP server proxy in front of the NSK FTP server. On the client side CAIL software operates by placing an FTP client proxy after the FTP client. Users continue to use their normal NSK FTP clients. While this document is focused on NSK to NSK FTP encryption, the same server side proxy can also handle encryption of FTP sessions from a PC client running CAIL FTP Proxy software.
In conjunction with CAIL secure session capabilities, CAIL FTP Proxy provides strong encryption including DES-40, DES-56, DES-168, CAIL4-128, AES-128, and AES-192. For fast connection times a fixed key can be used. As an option, the Diffie-Hellman key exchange technology can be utilized for more secure communications.
Installing CAIL FTP Proxy (Host to Host)
CAIL FTP Proxy software contains the following files:
CAILFTPHProxy.zip
Pick a drive that you want to use for CAILFTPHProxy. Use WinZip to extract CAILFTPHProxy.zip into the root directory on that drive. Any subdirectories will be created automatically. Note that for this document we assume the file was unzipped to the root of the “C” drive.
After unzipping you should have the following subdirectories under CAILFTPHProxy:
tandem
The tandem subdirectory contains the NSK Host components for CAILFTPHProxy. There will be eight files in this subdirectory:
pcftppx    Server encryption/decryption program
pcptpxh    Server Diffie-Hellman module
pcftppxl   license file
pcftpcl    Client encryption/decryption program
pcftpclh   Client Diffie-Hellman module
StrtFTPS   Server sample obey file
StrtFTPC   Client sample obey file
alterfil   obey file to fup alter other files
All files that start with “pc” above must be uploaded as binary files to the NSK host. The other three files must be uploaded in text mode. All files should end up in the same subvolume.
After transferring all files, OBEY the file “alterfil” to change the file code for required files to 700.
Since the intent is to secure FTP connections between two NSK Hosts, repeat the above procedure on the second NSK Host. If there are more than two NSK Hosts to be secured, repeat the above for all Hosts.
Running the Server Proxy Component of CAIL FTP Proxy
To run the Server Proxy component of CAILFTPHProxy, edit the file “StrtFTPS” with Tedit or Edit. The file explains itself, but essentially you must change:
1) The “KEYSEED” so that it matches the “KEYSEED” specified in the Client Proxy obey file, if a KEYSEED is specified at all.
2) The “METHOD” (encryption strength), to match the “Method” specified in the Client Proxy obey file.
3) The “PROXYIPADDRESS” to the IP address of this host. This is the address that the Server Proxy listens on for incoming connections.
4) The “PROXYIPPORT” if the default port (5021) is already in use by another process. This is the port that the Server Proxy listens on for incoming connections from the Client Proxy, so it must match the RELAYIPPORT specified in the Client Proxy obey file.
5) The “RELAYIPADDRESS” to “localhost” or 127.0.0.1. This will be the address of the NSK FTP server on this host.
6) The “RELAYIPPORT” to the port your NSK’s FTP server listens for connections on, if it is not the default 21.
7) If your TCPIP process is named something other than $ZTC0, then you must add a “PARAM TCPIPPROCESS processname” to the file before the RUN command.
8) The path to the main executable “PCFTPPX” in the “run” command, to match where you have placed it on the NSK host.
Now OBEY “StrtFTPS” to get the NSK proxy up and running. You may want to do a “Status $FTPS” to verify that it is up. If it isn’t, please call CAIL for support.
The NSK Server Proxy component of CAILFTPHProxy recognizes the following params:
KEYSEED <string> where <string> is used to create a key for enciphered sessions. Default is a string of nulls.
LOGMASK %nnnnnn where nnnnnn controls the types of messages that are logged:
  Bit 0 (%100000) on logs fatal messages.
  Bit 1 (%040000) on logs warning messages.
  Bit 2 (%020000) on logs informational messages.
METHOD <method> where <method> specifies the encryption method:
  DYNAMIC        use PC configured encryption method
  DES-40         40 bit DES/OFB
  DES-56         56 bit DES/OFB
  DES-168        triple DES/OFB
  DES-40-DH      40 bit DES/OFB with DH512 key exchange
  DES-56-DH      56 bit DES/OFB with DH512 key exchange
  DES-168-DH     168 bit DES/OFB with DH512 key exchange
  CAIL4-128      128 bit CAIL4/OFB
  CAIL4-128-DH   128 bit CAIL4/OFB with DH512 key exchange
  AES-128        128 bit AES/OFB
  AES-128-DH     128 bit AES/OFB with DH512 key exchange
  AES-192        192 bit AES/OFB
  AES-192-DH     192 bit AES/OFB with DH512 key exchange
PROXYIPADDRESS <TCPIP address> identifies the IP address on which this proxy will accept connections from the remote Client Proxy. Default is 0.0.0.0.
PROXYIPPORT <TCPIP port> identifies the port number on which this proxy will accept connections from the remote Client Proxy. Default is 5021.
RELAYIPADDRESS <TCPIP address> identifies the IP address to which this proxy will forward clear text. Default is 127.0.0.1. This is the address of the NSK FTP server.
RELAYIPPORT <TCPIP port> identifies the port number to which this proxy will forward clear text. Default is 21. This is the port on which the NSK FTP server accepts connections.
TCPIPPROCESS <process name> identifies the process name of the TCP/IP process. Default is $ZTC0.
TRACE [ ON | OFF ] - where ON specifies that tracing is in effect. Default is off.
The NSK Server Proxy component of CAILFTPHProxy recognizes the following assigns:
LOGFILE <NSK file name> identifies the physical file used for logging diagnostic information.
TRACEFILE <NSK file name> identifies the physical file used for tracing all program i/o.
Running the Client Proxy Component of CAIL FTP Proxy
To run the Client Proxy component of CAIL FTP Proxy, edit the file “StrtFTPC” with Tedit or Edit. The file explains itself, but essentially you must change:
1) The “KEYSEED” so that it matches the “KEYSEED” specified in the Server Proxy obey file, if a KEYSEED is specified at all.
2) The “METHOD” (encryption strength), to match the “Method” specified in the Server Proxy obey file.
3) The PROXYIPADDRESS which is the address on which the Client Proxy will accept connections from the NSK FTP client. Default is 0.0.0.0. This would normally be “localhost”, or 127.0.0.1.
4) The “PROXYIPPORT” if the default port (6021) is already in use by another process. This is the port that the Client Proxy listens on for incoming connections from the NSK FTP client.
5) The RELAYIPADDRESS to the IP address of the NSK server running the Server Proxy. No default.
6) The “RELAYIPPORT” to match the PROXYIPPORT specified in the Server Proxy obey file. Default is 5021.
7) If your TCPIP process is named something other than $ZTC0, then you must add a “PARAM TCPIPPROCESS processname” to the file before the RUN command.
8) The path to the main executable “PCFTPCL” in the “run” command, to match where you have placed it on the NSK host.
Now OBEY “StrtFTPC” to get the NSK Client Proxy up and running. You may want to do a “Status $FTPC” to verify that it is up. If it isn’t, please call CAIL for support.
The Tandem client proxy component of CAIL FTP Proxy recognizes the following params:
KEYSEED <string> where <string> is used to create a key for enciphered sessions. Default is a string of nulls.
LOGMASK %nnnnnn where nnnnnn controls the types of messages that are logged:
  Bit 0 (%100000) on logs fatal messages.
  Bit 1 (%040000) on logs warning messages.
  Bit 2 (%020000) on logs informational messages.
METHOD <method> where <method> specifies the encryption method:
  DES-40         -> 40 bit DES/OFB
  DES-56         -> 56 bit DES/OFB
  DES-168        -> triple DES/OFB
  DES-40-DH      -> 40 bit DES/OFB with DH512 key exchange
  DES-56-DH      -> 56 bit DES/OFB with DH512 key exchange
  DES-168-DH     -> 168 bit DES/OFB with DH512 key exchange
  CAIL4-128      -> 128 bit CAIL4/OFB
  CAIL4-128-DH   -> 128 bit CAIL4/OFB with DH512 key exchange
  AES-128        -> 128 bit AES/OFB
  AES-128-DH     -> 128 bit AES/OFB with DH512 key exchange
  AES-192        -> 192 bit AES/OFB
  AES-192-DH     -> 192 bit AES/OFB with DH512 key exchange
PROXYIPADDRESS <TCPIP address> identifies the IP address on which the Client Proxy will accept connections from the local NSK FTP client. Default is 0.0.0.0. This would normally be “localhost”, or 127.0.0.1.
PROXYIPPORT <TCPIP port> identifies the port number on which the Client Proxy will accept connections from the local NSK FTP client. Default is 6021. If no FTP server is running on this system you can use port 21 which is what FTP clients will use by default.
RELAYIPADDRESS <TCPIP address> identifies the IP address to which the Client Proxy will forward encrypted data. This is the address of the remote FTP Server Proxy.
RELAYIPPORT <TCPIP port> identifies the port number to which the Client Proxy will forward encrypted data. Default is 5021. This is the port on which the remote FTP Server Proxy is accepting connections.
TCPIPPROCESS <process name> identifies the process name of the TCP/IP process. Default is $ZTC0.
TRACE [ ON | OFF ] - where ON specifies that tracing is in effect. Default is off.
The NSK Client Proxy component of CAIL FTP Proxy recognizes the following assigns:
LOGFILE <NSK file name> identifies the physical file used for logging diagnostic information.
TRACEFILE <NSK file name> identifies the physical file used for tracing all program i/o.
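The Server Proxy and Client Proxy settings above have to agree with each other (KEYSEED, METHOD, and the client's RELAYIPPORT against the server's PROXYIPPORT). The following Python is an added example, not CAIL code: it reads only `PARAM name value` lines (the form this document quotes for TCPIPPROCESS), applies the defaults listed above, and reports disagreements and settings left at a default. The two sample inputs are constructed and contain PARAM lines only.

```python
import re

# Defaults documented on this page. METHOD and the client's RELAYIPADDRESS
# have no documented default, so they are absent here.
SERVER_DEFAULTS = {"PROXYIPADDRESS": "0.0.0.0", "PROXYIPPORT": "5021",
                   "RELAYIPADDRESS": "127.0.0.1", "RELAYIPPORT": "21"}
CLIENT_DEFAULTS = {"PROXYIPADDRESS": "0.0.0.0", "PROXYIPPORT": "6021",
                   "RELAYIPPORT": "5021"}
PARAM_RE = re.compile(r"^\s*PARAM\s+(\S+)\s+(.*\S)\s*$", re.IGNORECASE)

def parse_params(text, defaults):
    """Collect 'PARAM name value' lines; every other line is ignored."""
    params = dict(defaults)
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params

def check_pair(server_text, client_text):
    """Return findings for one Server Proxy / Client Proxy obey-file pair."""
    s = parse_params(server_text, SERVER_DEFAULTS)
    c = parse_params(client_text, CLIENT_DEFAULTS)
    findings = []
    if "KEYSEED" not in s and "KEYSEED" not in c:
        findings.append("KEYSEED unset on both sides: default is a string of nulls")
    elif s.get("KEYSEED") != c.get("KEYSEED"):
        findings.append("KEYSEED differs")
    if s.get("METHOD") is None or s.get("METHOD") != c.get("METHOD"):
        findings.append("METHOD missing or differs")
    if c["RELAYIPPORT"] != s["PROXYIPPORT"]:
        findings.append("client RELAYIPPORT %s != server PROXYIPPORT %s"
                        % (c["RELAYIPPORT"], s["PROXYIPPORT"]))
    if "RELAYIPADDRESS" not in c:
        findings.append("client RELAYIPADDRESS not set (no default)")
    if c["PROXYIPADDRESS"] == "0.0.0.0":
        findings.append("client PROXYIPADDRESS is 0.0.0.0, not 127.0.0.1")
    return findings

# Constructed sample input (PARAM lines only), not copied from StrtFTPS/StrtFTPC.
SERVER_SAMPLE = """PARAM KEYSEED constructed-seed-value
PARAM METHOD AES-192-DH
PARAM PROXYIPADDRESS 192.0.2.10
PARAM PROXYIPPORT 5022"""
CLIENT_SAMPLE = """PARAM KEYSEED constructed-seed-value
PARAM METHOD AES-128-DH
PARAM PROXYIPADDRESS 127.0.0.1
PARAM RELAYIPADDRESS 192.0.2.10"""

if __name__ == "__main__":
    print("\n".join(check_pair(SERVER_SAMPLE, CLIENT_SAMPLE)))
```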
Running the NSK CAIL FTP Client
If you have installed with the port numbers used in the obey files, follow these steps to connect to the remote system via the secure CAIL FTP Proxy software. If you have used different port numbers, substitute them below:
1) Connect to the NSK Host running the Client Proxy with any terminal emulator (preferably CAIL CTT/Suite).
2) Open an FTP session as follows: ftp 127.0.0.1 6021 – this should connect you to the local Client Proxy first, which will then encrypt everything and then forward it on to the Server Proxy on the remote NSK Host.
3) Log in and do any transfers as you normally would.
Securing Multiple NSK Hosts
To secure multiple NSK Hosts so that you can initiate transfers from any Host to any Host, you will have to run both the Server Proxy and the Client Proxy on all NSK Hosts. If we take an example of a site with 4 NSK Hosts, then you would have to run 3 instances of the Server Proxy, and 3 instances of the Client Proxy on each host.
The Client Proxies will all listen on “localhost”, or 127.0.0.1 on all Hosts, and each must listen on a unique port number for incoming connections from the local NSK FTP clients. The Server Proxies would listen on their respective IP addresses on all hosts, and must listen on a unique port number for incoming connections from the Client Proxies. To connect to the desired Host you would start the NSK FTP client and connect to localhost using the port number for the desired NSK Host.
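The any-to-any layout described above can be written out as a table of proxy instances. The following Python is an added example, not CAIL code: it generates one Client Proxy / Server Proxy pair per ordered (source, target) host pair, using the document's default ports 6021 and 5021 as starting points. The host names, addresses and the consecutive port numbering are assumptions made for illustration.

```python
from itertools import permutations

def mesh_plan(hosts, client_base=6021, server_base=5021):
    """hosts: {name: ip}. Returns one entry per ordered (source, target) pair."""
    names = sorted(hosts)
    plan = []
    for src, dst in permutations(names, 2):
        src_peers = [n for n in names if n != src]
        dst_peers = [n for n in names if n != dst]
        # Unique per target host: one Server Proxy port per possible source.
        server_port = server_base + dst_peers.index(src)
        plan.append({
            "from": src, "to": dst,
            # Client Proxy on the source host, reached via 127.0.0.1:<port>.
            "client": {"host": src, "PROXYIPADDRESS": "127.0.0.1",
                       "PROXYIPPORT": client_base + src_peers.index(dst),
                       "RELAYIPADDRESS": hosts[dst], "RELAYIPPORT": server_port},
            # Server Proxy on the target host, in front of its FTP server.
            "server": {"host": dst, "PROXYIPADDRESS": hosts[dst],
                       "PROXYIPPORT": server_port,
                       "RELAYIPADDRESS": "127.0.0.1", "RELAYIPPORT": 21},
        })
    return plan

def listeners(plan, role):
    """Map host -> sorted listening ports for role 'client' or 'server'."""
    out = {}
    for entry in plan:
        out.setdefault(entry[role]["host"], []).append(entry[role]["PROXYIPPORT"])
    return {host: sorted(ports) for host, ports in out.items()}

# Constructed example site with 4 NSK Hosts (documentation address range).
SITE = {"HOSTA": "192.0.2.1", "HOSTB": "192.0.2.2",
        "HOSTC": "192.0.2.3", "HOSTD": "192.0.2.4"}

if __name__ == "__main__":
    for e in mesh_plan(SITE):
        c = e["client"]
        print("%s -> %s: ftp 127.0.0.1 %d (relays to %s:%d)" % (
            e["from"], e["to"], c["PROXYIPPORT"],
            c["RELAYIPADDRESS"], c["RELAYIPPORT"]))
```

Each entry's client and server settings map directly onto the PARAMs of one StrtFTPC / StrtFTPS copy; every pair still needs its own matching KEYSEED and METHOD.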