Playing with ideas for an Enterprise File Transfer mechanism
Tuesday, April 3rd, 2007
This is a post of an old high-level architecture design I’d worked on, to see how Open-source technology might fit into a Financial Organization’s (my then-employer’s client) Enterprise.
Long-term Goal
- To design an Enterprise File Transfer mechanism based on high encryption/compression transport mechanism of Secure Shell (SSH).
- Solution should be easy to use, easy to deploy and cost effective.
- Solution should be scalable and robust.
- Solution should integrate the two major OS platforms (UNIX and Windows) “seamlessly”
Technical Solution Specs
Secure FTP solution for the Enterprise
Breakup of the requirements
- Centralized “drop box” or “landing zone” type facility
- Automated “feeds” type mechanism for further propagation/distribution of data/files
- Should we try and integrate a transparent layer of version control that’ll maintain audit trails, etc?
- Easy client access (preferably web-based)
- Additional client access from Windows environment (fat clients as required)
- Tight integration with existing authentication mechanism(s) – Active Directory + UNIX logins
- Low learning curve (meaning, simple solution)
- Fine-grained access control
- Ease of administration (centralized user account + privilege management)
- Traceable usage history (auditable transfer logs, user access logs, user activity logs)
- Easily replicable process of deployment/re-deployment
Possible Solutions (commercial and open-source)
- Tumbleweed-based Secure transfer mechanism (already investigated and POC’ed)
- Combination of Windows SSH/SCP/SFTP servers and clients and the pre-existing OpenSSH servers (on UNIX) with Jscape’s SFTP/FTPS applet-based web front-end (open-source solution).
- Vandyke Software’s Vshell software (which gives SSH servers + client command lines for both Windows and UNIX)
- SSH Tectia software suite
Other Considerations
- Inter-operability of different technologies
- The biggest challenge in designing a comprehensive “seamless” Secure FTP solution for any enterprise is in the inter-operability between the disparate platforms. For example, the UNIX servers and the Windows servers need to be able to seamlessly communicate with each other in order for such a solution to be viable.
- Integrated authentication mechanism
- The UNIX systems can be made to authenticate against an LDAP server or Microsoft Active Directory, with the introduction of either an LDAP PAM module for LDAP-based authentication or a third-party plug-in (such as Vintela’s VAS module) that will “hook up” with AD.
- Keeping such an environment in mind, our solution should be designed to be able to automatically adapt to an eventual roll-out of such an authentication system.
- This would, as a result, allow for easy, centralized management of user accounts and privileges.
Overview of the Open-technology solution
- Web-based SFTP system
- This solution is designed around existing OpenSSH server and client software currently running in the Enterprise (UNIX/UNIX-like platforms). Additional software components like Windows commercial SSH product(s) and Jscape Secure FTP applet will be required to realize this design.
- Major components:
- UNIX (Solaris/Linux platforms)
- OpenSSH Server
- Apache Web server
- Jscape’s Secure FTP applet
- HTML page to load the SFTP applet
- Windows
- Commercial SSH/SFTP server
- IIS web server
- Jscape’s Secure FTP applet
- HTML page to load the SFTP applet
Application Client-side Requirements
Operating Systems (supported): Windows 98/2000/XP/ME, Linux, Solaris, Mac OS X
Browser: Internet Explorer or Netscape Navigator/Mozilla (gecko-based) browsers
Java VM: Java Plug-in 1.4.2 or higher enabled
NOTE: For Macintosh users, the MRJ (Mac Runtime for Java) does not include the necessary crypto classes required to establish a secure connection. If using MRJ, you will need to install the Sun JCE (Java Cryptography Extensions) reference implementation.
Strengths and Advantages
- This solution leverages the existing SSH infrastructure in-house (OpenSSH on the UNIX platform already exists in most shops or is available as a free download) and a cost-effective open-source Java applet-based web interface.
- This is an extremely simple solution: with pre-determined “drop zone” servers in place at each location, key-based authentication and command-line tools let administrators automate and schedule “feeds” transmissions to the requested targets.
Additional Requirements
Design customizable scripting framework using Perl (and/or similar programming language) and XML that would allow for automated feeds to be implemented.
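As an added sketch of what the key-based, command-line feed automation above and this scripting framework could look like (example code written for this page, not part of the original design, using Python in place of Perl): it reads a constructed XML feed definition, builds an OpenSSH sftp batch that uploads into the landing zone under a temporary name and renames on completion, assembles a non-interactive sftp invocation (key-only auth, pinned host keys), and emits one auditable log line per run. The XML schema, hostnames, paths and key locations are hypothetical.

```python
"""Feed runner sketch: XML feed definitions -> sftp batch jobs with an audit trail."""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample feed definition (hypothetical schema; not from the original post).
FEEDS_XML = """<feeds>
  <feed name="eod-positions" host="dropzone-ny.example.com" user="feedsvc"
        key="/etc/feeds/keys/feedsvc_ed25519" remote_dir="/landing/eod">
    <file>/data/out/positions.csv</file>
    <file>/data/out/trades.csv</file>
  </feed>
</feeds>"""

def parse_feeds(xml_text):
    """Return a list of feed dicts parsed from the XML definition."""
    feeds = []
    for f in ET.fromstring(xml_text).findall("feed"):
        feeds.append({
            "name": f.get("name"), "host": f.get("host"), "user": f.get("user"),
            "key": f.get("key"), "remote_dir": f.get("remote_dir"),
            "files": [e.text.strip() for e in f.findall("file")],
        })
    return feeds

def sftp_batch(feed):
    """sftp batch script: upload as .part, then rename so consumers never pick up partial files."""
    lines = [f"cd {feed['remote_dir']}"]
    for path in feed["files"]:
        base = path.rsplit("/", 1)[-1]
        lines += [f"put {path} {base}.part", f"rename {base}.part {base}"]
    return "\n".join(lines) + "\n"

def sftp_command(feed, batch_path, known_hosts="/etc/feeds/known_hosts"):
    """Non-interactive sftp argv: key-only auth, pinned host keys, no password prompt fallback."""
    return ["sftp", "-b", batch_path, "-i", feed["key"],
            "-o", "BatchMode=yes", "-o", "IdentitiesOnly=yes",
            "-o", "StrictHostKeyChecking=yes", "-o", f"UserKnownHostsFile={known_hosts}",
            f"{feed['user']}@{feed['host']}"]

def audit_record(feed, data_by_path, status, ts=None):
    """One auditable log line per feed run: when, which feed, who, where, result, file digests."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    digests = " ".join(f"{p}:{hashlib.sha256(d).hexdigest()[:16]}" for p, d in data_by_path.items())
    return f"{ts} feed={feed['name']} user={feed['user']} host={feed['host']} status={status} {digests}"
```

A scheduler (cron on UNIX, Task Scheduler on Windows) would write the batch to disk, run the argv with subprocess, and append the audit line to a central log.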
