
Technical Notes

Securely Transferring Files using Reflection, EXTRA! or INFOConnect
Technical Note 2172
Last Reviewed 06-Jul-2007
Applies To
Reflection for IBM 2007
Reflection Windows-based Products version 12.0 through 14.x (excluding Reflection NFS Client)
Reflection for Secure IT version 6.0 or higher
Reflection for the Web version 6.0 or higher
All EXTRA! Products version 9.0 or higher
INFOConnect Enterprise Edition version 8.0 or higher
Summary

Attachmate products offer several options for secure file transfers, including support for SSH/SFTP, tunneling FTP with SSH, and FTP with SSL/TLS. This technical note provides an overview of each of these options, listing their benefits and limitations, and noting which products support each option.

This information is provided in the following order:

  • SSH/SFTP
  • Tunneling FTP with SSH
  • FTP with SSL/TLS
  • Which Products Support Which Protocols

SSH/SFTP

SSH is a protocol that establishes a secure channel between a local and remote computer. SSH provides strong, encrypted authentication and a secure encrypted tunnel through which users can execute commands and move data.

Two file transfer protocols use SSH for authentication and encryption: SCP and SFTP. This section addresses SFTP. For information about the differences between SCP and SFTP, see Technical Note 1918.

SFTP is not a 'secure version' of the standard FTP protocol. It is a completely different file transfer protocol. You cannot connect to an FTP server using the SFTP protocol or to an SFTP server using the FTP protocol. The SFTP protocol relies upon SSH to provide authentication and encryption.

Once connected, the client can do a number of file manipulation operations, such as uploading, downloading, renaming, and deleting files. The exact capabilities provided depend upon the SFTP server.

Benefits of SSH/SFTP

  • SSH/SFTP uses a different port than FTP, so administrators can block FTP.
  • SFTP uses a single port, making it easier to configure your firewall.
  • Because SFTP is different from FTP, administrators can eliminate the insecure FTP protocol entirely.
  • SFTP provides end-to-end secure file transfers.

Limitations of SSH/SFTP

  • Many SSH servers have limited wildcard support.
  • The available command set is limited. For example, there is no support for QUOTE or SITE.
  • SFTP does not recognize many operating-system-specific file structures.
  • SFTP defines only the transfer of binary bitstream data. However, some SFTP clients, such as Reflection's, also provide limited binary-to-ASCII conversion.

Tunneling FTP with SSH

Tunneling (port forwarding) provides a way to redirect insecure TCP communications (including FTP) through a secure SSH tunnel. Using this method, the FTP protocol establishes two distinct TCP connections between the FTP client and FTP server:

  • The control connection is used to manage the session. This connection is initiated by the client.
  • The data connection is used for file transfers and directory listings. This connection is initiated by the client when the client sends the passive mode command to the server. Passive mode is the default mode for the Reflection FTP client.

Reflection can be used to create an SSH tunnel and tunnel FTP. If a passive mode FTP connection is made, both the control connection and data connections are secure, enabling users to connect securely to an FTP server and use the full range of FTP commands.

For more information about FTP tunneling, see Technical Note 1862.

Benefits of Tunneling

  • Once connected to the FTP server, you have access to the full range of FTP commands.
  • Provides a secure means for continued use of FTP.
  • SSH uses a single port (port 22), making it easier to configure your firewall.

Limitations of Tunneling

  • Because you are configuring two protocols, FTP and SSH, more configuration and administration are involved than when using just FTP.
  • Because FTP is still used (through the SSH tunnel), the FTP protocol cannot be eliminated from the enterprise environment.
  • If active mode FTP is used, rather than the default passive mode, the file transfer is not secured end-to-end.
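
The passive/active distinction described above can be checked from an FTP control-channel log. The following is an added example, not Attachmate code: it decodes the standard PASV/EPSV replies and PORT/EPRT commands (RFC 959 and RFC 2428) and flags active-mode transfers, where the server opens the data connection and the transfer is not secured end-to-end. The function names and the sample transcript are constructed for illustration.

```python
import re

# Control-channel lines that negotiate an FTP data connection (RFC 959, RFC 2428).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d+)\1\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT (.)(\d)\1(.+?)\1(\d+)\1\s*$", re.I)

SAMPLE = [  # constructed control-channel transcript, not captured traffic
    "USER demo",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "229 Entering Extended Passive Mode (|||6446|)",
    "PORT 198,51,100,7,4,1",
    "EPRT |1|198.51.100.7|6275|",
]

def _host_port(nums):
    """Decode the h1,h2,h3,h4,p1,p2 form: port = p1 * 256 + p2."""
    return ".".join(nums[:4]), int(nums[4]) * 256 + int(nums[5])

def data_connections(control_lines):
    """Return one dict per data connection negotiated in the transcript."""
    out = []
    for raw in control_lines:
        line = raw.strip()
        if m := PASV_RE.match(line):
            mode, (host, port) = "passive", _host_port(m.groups())
        elif m := EPSV_RE.match(line):
            # EPSV carries only a port; the host is that of the control connection.
            mode, host, port = "passive", None, int(m.group(2))
        elif m := PORT_RE.match(line):
            mode, (host, port) = "active", _host_port(m.groups())
        elif m := EPRT_RE.match(line):
            mode, host, port = "active", m.group(3), int(m.group(4))
        else:
            continue
        out.append({"mode": mode, "host": host, "port": port,
                    "initiator": "client" if mode == "passive" else "server"})
    return out

def not_end_to_end(conns):
    """Active-mode transfers: the server opens the data connection itself."""
    return [c for c in conns if c["mode"] == "active"]

if __name__ == "__main__":
    for conn in not_end_to_end(data_connections(SAMPLE)):
        print("active-mode data connection:", conn)
```
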

FTP with SSL/TLS

The SSL (Secure Sockets Layer) protocol was developed by Netscape to secure HTTP, but can also be used to secure other protocols. The SSL/TLS protocol uses public key cryptography and certificates for authentication and negotiates session keys for symmetric encryption.

SSL/TLS runs in layers below the FTP client and above the TCP transport protocol. An FTP-SSL client can use SSL to provide authentication and encryption.

Benefits of FTP with SSL/TLS

  • Once connected to an FTP server that supports SSL, you have access to the full range of FTP commands and the operating-system-specific file structure.
  • This protocol provides good support for many operating-system-specific file structures.
  • This protocol provides good support for IBM host datasets such as MVS.
  • It enables continued use of FTP, but with security.
  • SSL/TLS provides secure transfers, end-to-end.

Limitations of FTP with SSL/TLS

  • The FTP server must support SSL.
  • FTP cannot be eliminated from the enterprise environment.
  • Administration is more complex because the required authentication uses certificates.
  • By default, FTP with SSL/TLS does not provide user authentication, only host authentication.

Which Products Support Which Protocols

The following table shows which Attachmate products and versions support which secure file transfer protocols.

| Product | Version | Supports SFTP | Supports tunneling FTP with SSH | Supports FTP with SSL/TLS |
|---|---|---|---|---|
| Reflection for IBM 2007 | R1 | Yes | Yes | Yes |
| Reflection Windows-based products | 12.0 – 14.x | Yes | Yes | Yes |
| Reflection for Secure IT | 6.0 or higher | Yes | Yes | No |
| Reflection for the Web | 5.0 or higher | Yes | No | No |
| EXTRA!* | 9.0 or higher | Yes | Yes | Yes |
| INFOConnect* | 8.0 or higher | Yes | Yes | Yes |

* EXTRA! X-treme 9.0 and INFOConnect 8.0 ship with Reflection Secure FTP 14.x, which is the same as Reflection FTP Client 14.x.

Related Technical Notes
1862 Local and Remote Port Forwarding and the Reflection for Secure IT Client
1918 The Relationship Between File Transfer, SSH, SCP2 (scp), and SFTP
