Articles and news

SFTPPlus is not affected by the Meltdown and Spectre Vulnerabilities

Wed 21 February 2018 | article security

Meltdown and Spectre are vulnerabilities based on CPU design flaws which require the attacker to be able to execute application code which is created to exploit these vulnerabilities.

SFTPPlus secure file transfers does not allow any arbitrary application code execution. It will only read and write data without executing it. This is standard behaviour for doing file transfers over FTPS or HTTPS.

The SSH implementation of SFTPPlus is only allowed for the SFTP and SCP protocols. Shell access or any other SSH execution is denied. The SCP protocol is implemented using an embedded SCP protocol and no external scp application is called.

For the purpose of managed file transfers, SFTPPlus allows the execution of pre-configured application code with the pre and post transfer hooks. As long as the SFTPPlus is configured with trusted applications, this does not constitute an attack vector.

If you are running SFTPPlus Itanium architectures, for example with HPUX, you are not affected by these vulnerabilities, no mater what other software is in used on those systems.

SPARC architecture (example with Solaris 10) and POWER (example with AIX 7.1) are affected by the Spectre, while not being affected by Meltdown.

The embedded devices based on ARM64 CPUs are also affected by Spectre.

Administrators using the SFTPPlus MFT Client with pre and post transfer hooks should review the configuration and make sure that the hooks will trigger calls to trusted applications.

• • •

SFTPPlus Release 3.31.0

Tue 20 February 2018 | general release

We are pleased to announce the latest release of SFTPPlus version 3.31.0.

New Features

  • The option to enforce unique names for uploaded files is now available for the HTTP and HTTPS file transfer services. [server-side] [#4465]
  • A SOCKS version 5 (SOCKS5) proxy without authentication can now be used to connect to remote SFTP and SCP servers. [client-side][sftp][scp] [#4546]
  • A new event handler option is added in order to send filtered events to standard output. This can be used when running SFTPPlus in Docker or with other process supervisors. [#4645]
  • The option to enforce unique names for uploaded files is now available for the FTP, Implicit FTPS and Explicit FTPS protocols. [server-side] [#4650]
  • The file-dispatcher event handler can now be configured to automatically create destination folders. [#4652]
  • The close event description for SFTP and SCP client-side and server-side connection now contains the encryption used to protect connection. [client-side][server-side][sftp][scp] [#4668]
  • The HTTP and HTTPS file transfer services now allow uploading multiple files and adding files via drag and drop. [server-side][http][https] [#4673]
  • Support for Red Hat Enterprise Linux versions 7.0 to 7.3 with OpenSSL 1.0.1 was readded alongside support for RHEL 7.4 and newer using OpenSSL 1.0.2. [#4691]
  • A new secure configuration value is available for the ssl_cipher_list and ssh_cipher_list as part of the FTPS, SFTP, SCP, and HTTPS file transfer services. [security][client-side][server-side] [#4727]

Defect fixes

  • The transfer for SFTP and SCP locations is no longer interrupted when the remote server is requesting a SSH re-key exchange. This was affecting client-side transfers of files bigger than 1GB, as this is the point where some servers are re-keying. This is when either side forces the other to run the key-exchange phase which changes the encryption and integrity keys for the session. [client-side] [#4302]
  • It is now possible to stop the client shell at any time by pressing the Ctrl+C key combination. In previous versions this was not available while an operation was in progress. [#4626]
  • The AIX 7.1 build of SFTPPlus was updated to work with older OpenSSL versions. Previous versions of SFTPPlus (from 3.27.0 to 3.30.0) on AIX 7.1 required OpenSSL 1.0.2k or newer. [#4696]
  • SFTP and SCP client and server side can now handle key exchange process even for peers which advertise their SSH version string with trailing spaces. This can happen for Bitvise SSHD Server when configured to omit its version. [client-side][server-side][sftp][scp] [#4718]
  • The documentation for expression matching was updated to explain that regular expression matching is done as a search operation. For an exact match, use the start and end regex anchors. [#4724]

Deprecations and Removals

  • Events with ID 40015 and 40016 were replaced by already existing event with ID 40022. Event 40022 is now the only one emitted when there are errors during an upload operation. [server-side][http] [#4465]
  • The default configuration for SFTP, SCP, FTPS, and HTTPS connections was updated to exclude the 3DES cipher in order to prevent SWEET32 attacks. To not break backward compatibility for existing installations, this change affects only new installations. Existing installations will need to be manually updated to exclude the 3DES based ciphers. [#4727]

You can check the full release notes.

• • •

Tips to managing your file transfer requirements

Fri 16 February 2018 | article

Designing a file transfer system can be a difficult task. Which file transfer protocols should I use? Do I need server-side or client-side software or both? How do I authenticate my file transfer users securely?

Your first step in this journey is to understand your requirements. In this post, we summarize the requirements into sections for you to consider and think about.

After you have determined these requirements, feel free to contact the team or sign up for your evaluation of SFTPPlus MFT below!

Assess your requirements for a file transfer software

The first step is to list down all of your requirements for file transfer technology. While this may be obvious, there may be some items that you have not even considered when hunting for options.

1. What are your protocol requirements?

There are a number of file transfer protocols in place, with certain protocols being more secure than others. We have a guide about file transfer protocols which will help you make more informed decisions.

2. What are your workflow requirements?

Will the file transfer software be able to sync with your current workflow? Will there be any impediments or considerations that need to be taken into account when migrating your workflow into a file transfer solution? Will you be automating any transfer scenarios?

It is questions like these where it helps to get in touch with our Support team with your transfer scenarios. And from there, we can convert these scenarios into the basis of an actual configuration for you to use with our software.

3. What are your programmability requirements?

Will you require access to the API and will the developers be knowledgeable of the API codebase? What are your integration requirements that is required to be programmed as part of the file transfer solution?

4. What are your security requirements?

Will you require an AV programme to run post-process actions after transfers? Will you be able to specify exactly which ciphers should be used? Will the file transfer software meet your AAA framework? Having these requirements in mind will help meet your organization's security goals and will also help us in ensuring that the software is delivered in the most secure manner as possible.

5. What are your operational requirements?

Does the file transfer software support your operating system? Are there any upgrades required in order to run the required packages? Can the software be integrated with resilient and highly available systems?

These five questions are just the beginning in terms of thinking about your file transfer requirements. Please read on for more advice.

Assess proprietary or non-proprietary solutions

Do you require a solution with vendor lock-in and only proprietary protocols? If you are looking for a solution that has vendor lock-in, then you may want to think twice and reconsider the benefits of open standards.

SFTPPlus operates with open and standard protocols, as supported by RFCs, making portability an ease when moving between using one protocol (such as FTPES) in favor of another (such as SFTP).

With the use of permissive free frameworks, such as Twisted Python, our developers also contribute to the upstream libraries that we use.

SFTPPlus is supported across both proprietary (such as Windows) and non-proprietary OS' (such as FreeBSD). The list of supported platforms are available here.

Optimize performance with costs

In terms of costs, SFTPPlus marks at the more affordable side with the focus on being cost effective while also delivering a high-end functional product. While there are larger software suites available on the market, many of these incorporate a number of overhead and other additional costs in order to operate that is not related to the file transfer software itself. Our focus is only on delivering our main product offering and services in secure file transfer and to deliver it well.

Consider the IT infrastructure that will house your file transfer system

You will want to select an option that will integrate with your current IT workflow requirements.

If your users are already authenticating with Windows Domain Accounts on servers running Active Directory, then you will want to use the same authorization mechanism for authorizing file transfer users.

Will you be implementing file transfers within specialized environments such as a high availability network?

Part of your IT infrastructure may also include legacy systems. Are you running on Unix system or do you need an SFTP server for your AIX system? Or what about Solaris 10 which has OpenSSL 0.9.7? Our software has integrated with the above requirements, and more.

Choosing a solution that suits and integrates with your existing IT infrastructure will also reflect positively on sunk costs in terms of still being able to maintain operations with these infrastructures.

Investigate how file transfers will be initiated

Will you be searching for a proactive or a reactive solution? Will you be looking to initiate file transfers (for example, via a user logging in) or will the solution require the transfer to be initiated (for example, by a rule or an event)?

What types of transfer scenarios will you be working with? Push scripts? Pull scripts? Will there be additional processing required?

What types of rules do you need support for the file transfers? Will there be events-based rules? Scheduling? Will there be a filter requirement?

With managed file transfer, you can set many rules to initiate a transfer and automate these actions. If you have not faced these requirements until now, feel free to contact the Support team with your questions and scenarios.

Figure out your authorization, accounting and auditing implementation

Similar to considering the existing IT infrastructure, you will also need to figure out that your authorization, account and auditing implementation is supported by the secure file transfer software.

Will the accounts be authorized with the correct set of permissions?

Will you be able to utilize existing authentication mechanisms with the file transfer product?

Will you be able to conduct the appropriate auditing as required for compliance and obligations purposes?

All of these requirements should be on the table while searching for a secure file transfer solution.

Evaluate options to further secure your file transfer system

Compliance is a requirement for a number of organizations today, especially in regulated industries such as banking and healthcare. You will need to enquire to see if the secure file transfer product has features in place to help with compliance. Whether it is only allowing FIPS 140-2 ciphers, ensuring that you are compliant with PCI or GDPR standards, or checking that the audit trail is HIPAA compatible, you will want to ensure that the options to be compliant and secure are available to you.

What is the approach to quality assurance?

How is the secure file transfer tested? Is it run against an automated test suite, manually tested with smoke test scenarios? Is it tested against the platform that you are using?

What considerations do you also need to undertake testing from your test lab? Soak, systems integration and unit integration testing may also be required. This is to evaluate the file transfer product as an additional check to see that it meets the actual systems, environments, processes and interactions that are specific to your requirements.

Consider any required upgrade paths for the future

While this requirement may be far from your mind when you are looking for a new solution, you may want to take note of what the required upgrade paths are.

How will you export the configuration from one system to another? What happens if an OS upgrade or a patch is made to a system?

Our upgrade paths are well documented and we work with our customers that are working on upgrading their systems that may affect the file transfer component. We have worked with many scenarios - whether it is a full OS upgrade, new nodes or a small patch to fix a vulnerability.

Part of the upgrade may require you having a functional system. In this case, our licensing allows for some time in between testing the new system with the upgraded version and allowing the system to run with the current version.

Evaluating SFTPPlus MFT

Thank you for reading this article! We hope that you find the information useful.

Are you ready to evaluate SFTPPlus? Our product supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

Install SFTPPlus MFT today either as an on-premise solution supported on Windows, Linux, AIX, OS X, Solaris, HP-UX, FreeBSD or on the cloud as Docker containers or AWS instances.

Email us at sales@proatria.com or fill in the form below to start your evaluation version today.

• • •

SFTPPlus Client Release 1.5.65

Wed 14 February 2018 | general release client

We have released SFTPPlus Client version 1.5.65 which fixes a defect for recursive uploads over SFTP from a Windows client to a Linux server.

• • •

Announcing the SFTPPlus and Docker repository

Wed 31 January 2018 | blog

Docker containers have been a constant presence in the worlds of DevOps and cloud computing. We have recognized this only through a passing mention in our product page that SFTPPlus can run in a Docker container.

However, we have not gone beyond that, until now.

Now announcing SFTPPlus and Docker

We are pleased to announce the creation and release of a dedicated, public, MIT-licensed repository to make the creation and running of Dockerfiles more accessible. Whether you are already a customer of ours, currently evaluating SFTPPlus or you are interested in seeing a managed file transfer service run in Docker. Simply head over to our repo, clone, and follow the instructions to run an SFTPPlus instance in Docker.

SFTPPlus running in a Docker container does not lose functionality and makes full use of the infrastructure provided by a Docker container. You can audit and archive SFTPPlus server events (also knows as logs) using the default Docker log driver.

Once you have set up the SFTPPlus Dockerfile, what's next? Why not use Docker Compose to run multi-container Docker applications.

You can use Compose to create the following specialized instances like:

  • SFTPPlus instance - Handle file transfers over SFTP / FTPS / WebDAV. Data storage is backed by a volume.
  • Authentication and Authorization instance - Respond to authentication and authorization requests over HTTP. You can use this instance to authenticate other services inside your deployment.
  • Audit instance - Receive, over HTTP, events and logs generated by SFTPPlus. Use this instance to process logs and events from other services.
  • File Processor instance - Receives events over HTTP in order to further process them based on the rules specified by your business logic.

See our Github and documentation

You can view the scripts and instructions to get started quickly in our GitHub repository.

A users guide is available in our Docker documentation page.

Evaluating SFTPPlus MFT

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

Not on Docker? SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, AIX, OS X, Solaris, HP-UX, FreeBSD.

• • •