Apr 03 2007
 


Overview

This is a post of an old high-level architecture design I’d worked on, to see how open-source technology might fit into the enterprise of a financial organization (my then-employer’s client).

Long-term Goal

  • To design an Enterprise File Transfer mechanism based on the strongly encrypted (and compressed) transport mechanism of Secure Shell (SSH).
  • Solution should be easy to use, easy to deploy and cost effective.
  • Solution should be scalable and robust.
  • Solution should integrate the two major OS platforms (UNIX and Windows) “seamlessly”

Technical Solution Specs

Secure FTP solution for the Enterprise
Breakup of the requirements

  • Centralized “drop box” or “landing zone” type facility
  • Automated “feeds” type mechanism for further propagation/distribution of data/files
  • Should we try and integrate a transparent layer of version control that’ll maintain audit trails, etc?
  • Easy client access (preferably web-based)
  • Additional client access from Windows environment (fat clients as required)
  • Tight integration with existing authentication mechanism(s) – Active Directory + UNIX logins
  • Low learning curve (meaning, simple solution)
  • Fine-grained access control
  • Ease of administration (centralized user account + privilege management)
  • Traceable usage history (auditable transfer logs, user access logs, user activity logs)
  • Easily replicable process of deployment/re-deployment

Possible Solutions (commercial and open-source)

  • Tumbleweed-based secure transfer mechanism (already investigated and POC’d)
  • Combination of Windows SSH/SCP/SFTP servers and clients and the pre-existing OpenSSH servers (on UNIX) with Jscape’s SFTP/FTPS applet-based web front-end (open-source solution).
  • VanDyke Software’s VShell software (which gives SSH servers + command-line clients for both Windows and UNIX)
  • SSH Tectia software suite

Other Considerations

  • Inter-operability of different technologies
    • The biggest challenge in designing a comprehensive “seamless” Secure FTP solution for any enterprise is in the inter-operability between the disparate platforms. For example, the UNIX servers and the Windows servers need to be able to seamlessly communicate with each other in order for such a solution to be viable.
  • Integrated authentication mechanism
    • The UNIX systems can be made to authenticate against an LDAP server or Microsoft Active Directory, with the introduction of either a PAM LDAP module for LDAP-based authentication or third-party plug-ins (such as Vintela’s VAS module) that “hook up” with AD.
    • Keeping such an environment in mind, our solution should be designed to adapt automatically to an eventual roll-out of such an authentication system.
    • This would, as a result, allow for easy, centralized management of user accounts and privileges.

Overview of the Open-technology solution

  • Web-based SFTP system
    • This solution is designed around the existing OpenSSH server and client software currently running in the Enterprise (UNIX/UNIX-like platforms). Additional software components, such as commercial Windows SSH product(s) and the Jscape Secure FTP applet, will be required to realize this design.
    • Major components:
      • UNIX (Solaris/Linux platforms)
        • OpenSSH server
        • Apache web server
        • Jscape’s Secure FTP applet
        • HTML page to load the SFTP applet
      • Windows
        • Commercial SSH/SFTP server
        • IIS web server
        • Jscape’s Secure FTP applet
        • HTML page to load the SFTP applet

Application Client-side Requirements

Operating Systems (supported): Windows 98/2000/XP/ME, Linux, Solaris, Mac OS X
Browser: Internet Explorer or Netscape Navigator/Mozilla (gecko-based) browsers
Java VM: Java Plug-in 1.4.2 or higher enabled

NOTE: For Macintosh users, the MRJ (Mac Runtime for Java) does not include the crypto classes required to establish a secure connection. If using MRJ, you will need to install the Sun JCE (Java Cryptography Extension) reference implementation.

Strengths and Advantages

  • This solution leverages the existing SSH infrastructure in-house (OpenSSH on the UNIX platform already exists in most shops or is available as a free download) and a cost-effective, open-source, Java-applet-based web interface.
  • This is an extremely simple solution. With pre-determined “drop zone” servers in place at each location, administrators will be able to use key-based authentication and command-line tools to automate and schedule “feed” transmissions to the requested targets.

Additional Requirements

Design a customizable scripting framework using Perl (and/or a similar programming language) and XML that would allow automated feeds to be implemented.
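As an added example (not code from the original post), serving both the key-based “feeds” automation described under Strengths and Advantages and the scripting framework called for here, the following POSIX shell runner drives OpenSSH’s sftp in batch mode with a per-feed identity key and appends one auditable line per transfer. The host, key paths, directories, the colon-separated feed format (standing in for the proposed XML) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): feed runner for the drop-zone
# design, driving OpenSSH sftp in batch mode with key-based auth and writing
# one audit line per transfer. Host, keys, paths and names are assumed.

FEED_LOG="${FEED_LOG:-./feeds.log}"

# Feed definitions, one per line (constructed; the design proposes XML, a
# colon-separated list keeps this self-contained):
#   name:user@host:keyfile:local_dir:remote_dir:file_glob
FEEDS='
eod-positions:feeds@dropzone.example.com:/etc/feeds/keys/eod_ed25519:/data/out/eod:/inbox/eod:*.csv
risk-report:feeds@dropzone.example.com:/etc/feeds/keys/risk_ed25519:/data/out/risk:/inbox/risk:*.xml
'

# Print the sftp batch script for one feed: build_batch remote_dir local_dir glob
build_batch() {
    printf 'cd %s\nlcd %s\nput %s\nbye\n' "$1" "$2" "$3"
}

# Run one feed definition line, log the outcome, return sftp's exit status.
run_feed() {
    IFS=: read -r f_name f_target f_key f_local f_remote f_glob <<EOF
$1
EOF
    # -b - reads the batch from stdin and implies non-interactive mode, so a
    # missing or passphrase-protected key fails instead of prompting;
    # StrictHostKeyChecking=yes refuses unknown host keys (pre-distribute them).
    if build_batch "$f_remote" "$f_local" "$f_glob" |
        sftp -b - -i "$f_key" -o StrictHostKeyChecking=yes "$f_target"
    then f_rc=0; else f_rc=$?; fi
    printf '%s feed=%s target=%s remote=%s glob=%s status=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f_name" "$f_target" \
        "$f_remote" "$f_glob" "$f_rc" >>"$FEED_LOG"
    return "$f_rc"
}

# Run every feed; exit status is the number of failed feeds (cron mails it).
run_all_feeds() {
    failed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        run_feed "$line" || failed=$((failed + 1))
    done <<EOF
$FEEDS
EOF
    return "$failed"
}
case "${1:-}" in run) run_all_feeds ;; esac   # e.g. cron entry: feeds.sh run
```

Because every transfer is non-interactive and logged with its status, a failed feed surfaces in the audit log and in cron’s mail rather than hanging on a prompt.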

 Posted by at 4:16 pm