|
|
|
|
|
|
||||
|
Chapter 8: Security
This chapter describes the two security protocols found in WS_FTP Pro: SSL and SSH. It also explains how to configure WS_FTP Pro to use these protocols to make secure connections.
SSL
SSL (Secure Socket Layer) is a protocol for encrypting and decrypting data sent across direct internet connections. When a client makes an SSL connection with a server, all data sent to and from that server is encoded with a complex mathematical algorithm that makes it extremely difficult to decode anything that is intercepted.
The following is a step by step illustration of how SSL works.
Step 1. The client makes the initial connection with the server and requests that an SSL connection be made. If Implicit SSL is used, the initial connection will be encrypted. If Explicit is used, the initial contact will be `in the clear.'
Step 2. If the server is properly configured, the server will send to the client its certificate and public key.
Step 3. The client compares the certificate from the server to a trusted authorities database. If the certificate is listed there, it means the client trusts the server and will move to step 4. If the certificate is not listed there, the user must add the certificate to the trusted authorities database before going to step 4.
Step 4. The client uses that public key to encrypt a session key and sends the session key to the server. If the server asks for the client's certificate in Step 2, the client must send it at this point.
Step 5. If the server is set up to receive certificates, it compares the certificate it received with those listed in its trusted authorities database and either accepts or rejects the connection.
If the connection is rejected, a fail message is sent to the client. If the connection is accepted, or if the server is not set up to receive certificates, it decodes the session key from the client with its own private key and sends a success message back to the client, thereby opening a secure data channel.
The key to understanding how SSL works is in understanding the parts that make SSL itself work. The following is a list of these parts and the role each plays.
Client. In this case, the client is WS_FTP Pro.
Certificate. The Certificate file holds the identification information of the client or server. This file is used during connection negotiations to identify the parties involved. In some cases, the client's certificate must be signed by the server's certificate in order to open an SSL connection. Certificate files have the .crt ending.
Session Key. The session key is what both the client and the server use to encrypt data. It is created by the client.
Public Key. The public key is the device with which the client encrypts a session key. It does not exist as a file, but is a by-product of the creation of a certificate and private key. Data encrypted with a public key can only be decrypted by the private key that made it.
Private Key. The private key decrypts the client's session key that is encrypted by a public key. The private key file has the .key ending. Private keys should NEVER be distributed to anyone.
Certificate Signing Request. A certificate signing request is generated each time a certificate is created. This file is used when you need to have your certificate signed. Once the Certificate Signing Request file is signed, a new certificate is made and can be used to replace the unsigned certificate.
How to make an SSL connection
To make an SSL connection with a server configured for SSL.
- Create a site profile and select either FTP/Implicit SSL or FTP/SSL (AUTH SSL) when asked for the server type.
- After you click Connect, WS_FTP Pro tells the server that you want to make an SSL connection. The server then transmits to you an identifying certificate, letting the client know who the server is. If that certificate is already listed in your Trusted Authority database, the connection is made.
- If that certificate is not listed as a trusted authority, the Non-Trusted Authority dialog box appears.
- Select the option you need and click OK. If the server does not require a certificate to be returned, the secure connection will be established. All data transmitted between you and the server will be encrypted.
If the server you are attempting to make a connection to asks WS_FTP Pro to send back a certificate, follow the direction for Client Certificate Verification.
Client Certificate Verification
If the server you are attempting to make a connection to requires your client to send an identifying certificate back to the server, you must:
- Configure the site and select either FTP/Implicit SSL or FTP/SSL (AUTH SSL) when asked for the server type.
- Create a certificate. Refer to the section "Generating a Certificate" for more information.
- Send the Certificate Signing Request file to your server administrator.
- Once the server administrator signs the Certificate Signing Request, it will be sent back to you.
- When you receive the file, follow the directions for "Selecting a Certificate", selecting the new certificate to go in the Certificate box.
- Connect to the server.
Generating a Certificate
- Click Create. The Create Client SSL Certificate wizard appears.
- Enter a name in the Certificate box. This will be the name of the certificate that is generated by WS_FTP Pro.
- Select a date you want the certificate to expire.
- Enter and then reenter a pass phrase for this certificate. The pass phrase is used to encrypt the private key.
Note: It is important to remember this pass phrase. The pass phrase can be any combination of words, symbols, spaces, or numbers.
- Click Next to continue.
- Enter information in all of the Certificate Information boxes:
City/Town. City or town where you are located. (Ex. Augusta)
State/Province. State or Province where you are located. (Ex. Georgia)
Organization. Company or individual user name.
Common Name. This can be either the name of the person creating the certificate or the fully qualified domain name of the server associated with the host.
E-mail. E-mail address of the person the certificate belongs to.
Unit. Name of organizational unit. (Ex. Research and Development)
Country. The country you are in. This must be a valid two letter country code. (Ex. US)
- After all of the boxes are filled in correctly, click Next to continue. If all of the boxes are not filled in, you cannot continue.
- Review the information on the last dialog and click Finish to create the certificate.
If you are creating a certificate to be used by WS_FTP Pro, you should send the certificate signing request (by E-mail) to your server administrator. If they require it, they will sign the certificate and return it to you. Once you receive the certificate, you must import it into your certificate database.
Importing a Certificate
To use a certificate sent to you, or one you have generated by WS_FTP Server, you must import the certificate into your certificate database.
- On the Program Options: Client Certificates dialog, click the Import button. The Import Certificate wizard appears.
- Click the Browse (...) button to select the certificate file.
- Click Next.
- Click the Browse (...) button to select the private key file for that certificate.
- Click Next.
- Enter the pass phrase that was used to create that certificate.
- Click Next.
- Enter the name that you want to use to identify the certificate on your certificate list.
- Click Next.
- Review the information on the final dialog and click Finish to add the certificate to the list.
Selecting a Certificate
Certificates are used on the site level, meaning that you must select a certificate for each site profile that you create (you can use the same certificate for all of your sites if you wish.)
Certificates are selected on the Site Options: SSL dialog by choosing the certificate name from the Client certificate pull-down list. The pull-down list displays all certificates in the Program Options: Client Certificate dialog.
Trusted Authorities
The Trusted Authorities dialog stores a list of certificate names that are trusted by the user.
Issued To. Who the certificate was issued to.
Issued By. Who the certificate was signed by.
Expires. Date on which the certificate expires.
Adding a Certificate
To add a certificate to the database:
- Click the Import button and select the path and file name for the certificate. The Add Certificate? dialog box appears.
Exporting a Certificate
To export a certificate from the Trusted Authorities database:
- Select the certificate you want to copy out of your database.
- Click the Export button.
Select the folder you want to copy the certificate to and enter the name you want to save the certificate file as.
- Click OK.
Removing a Certificate
- Select the certificate to be removed.
- Click Remove.
- A warning appears advising you to export the certificate before you remove it. Removing the certificate deletes the certificate file.
- Click OK to remove the certificate.
Non-Trusted Certificate
When you connect to a server using the SSL connection option, that server sends you a certificate. If that certificate is not listed on the Trusted Authority tab, or if it was not signed by a certificate on this list, this dialog box appears.
Issued To. Name of the person or company who the certificate belongs to.
Issued By. Name of the person or company who signed the certificate.
Active From. The date on which this certificate was activated.
Expires On. The date the displayed certificate will no longer be a valid certificate.
Allow this connection only. If this option is selected, the connection will be made, but WS_FTP Pro will still not recognize the certificate as a trusted authority. The next time you attempt to connect to this server, this dialog box appears once again.
Trust this certificate. If this option is selected, the connection will be made and the certificate will be added to the trusted authority database in the Trusted Authority tab, so future connections can be made without you being prompted.
Do not allow this connection. If this option is selected, the connection will be terminated.
SSH
SSH (Secure Shell) is a security protocol that allows you to make a secure connection to a server that has the SSH and SFTP (Secure File Transfer Protocol) protocols installed. Where FTP servers usually `listen' on port 21 for connection, SSH servers use port 22.
Where explicit SSL attempts to make a connection with unencrypted channels, SSH encrypts all communications to and from the client and server. When an SSH connection is made, SFTP is the protocol that is used to perform all tasks on that single secure connection.
How to make an SSH connection
Making an SSH connection requires little additional configuration to new or your existing site profiles.
When creating a new site profile through the New Site Wizard, simply change the Server Type to SFTP/SSH when prompted by the wizard.
If editing an existing site profile:
- Select the site from the configured sites list.
- Click the Edit button.
- Click the Advanced tab.
- In the Server type pull-down, select SFTP/SSH.
- Click OK.
When you use that profile to make a connection, the client will automatically attempt to make an SSH connection on port 22 of that server.
SSL vs. SSH
With both SSL and SSH, it is up to the administrator of the server you are trying to make a connection with to tell you which server type is being run at that address. If you do not know, and attempt to make an SSL connection or an insecure connection to an SSH server, the connection will fail, even if you change the port to 22 in the Site Profile.
Using a NAT Firewall
When using a NAT (Network Address Translation) firewall, you may encounter problems when trying to use SSL encryption. To fix this, you should configure WS_FTP Pro and the firewall to allow incoming connections to your PC. Pro needs to tell the server to connect to the external IP address, and the firewall should forward these incoming connections to your PC. You should also limit the number of ports that the firewall opens for these connections. In many cases, this will allow you to use SSL through a NAT firewall.
To configure SSL through a NAT Firewall:
 Ipswitch, Inc. http://www.ipswitch.com |
| |
|
|
|
| ©Ipswitch 2003 | |||
