Securing FTP/iX
=====================================================
1 file transferred successfully.
1 file was encrypted.
7.2 Using Linux/HP-UX intermediaries
HP-UX and Linux machines support SFTP (more information on SFTP is available at www.openssh.org or http://en.wikipedia.org/wiki/). These machines can serve as intermediaries between the source and destination MPE/iX machines and transfer data across the internet using SFTP. However, the data transfer between the MPE/iX server and the HP-UX server remains insecure. This method is simple and does not require any configuration changes; however, it is still recommended to also use the new FTP/iX security features described previously.
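The two-hop relay described above, as an added example that is not part of the whitepaper: a script run on the HP-UX/Linux intermediary that pulls a file from the MPE/iX box with plain FTP (the LAN hop, still cleartext) and pushes it to the remote site with SFTP (the internet hop). Host names, users and paths are placeholders; it assumes a ~/.netrc entry for the MPE/iX host and an SSH key for the remote host.

```shell
#!/bin/sh
# Relay a file from an MPE/iX box to a remote site through a Linux/HP-UX host.
# Hop 1 (LAN): plain FTP from the MPE/iX server; still cleartext, as the paper notes.
# Hop 2 (internet): SFTP to the remote host; encrypted and authenticated.
# Host names, users and paths below are placeholders, not values from the paper.
set -u

MPE_HOST="${MPE_HOST:-mpe-box.example.internal}"    # hypothetical MPE/iX host
REMOTE="${REMOTE:-xfer@remote.example.com}"        # hypothetical SFTP target
STAGE="${STAGE:-/var/tmp/mpe-relay}"               # staging dir on the relay host

# FTP command script for hop 1. Login credentials come from ~/.netrc (mode 600),
# so no password appears on the command line or in the process list.
ftp_batch() {   # $1 = file on MPE/iX (e.g. DATA.PUB.ACCT), $2 = local staging path
    printf 'binary\nget %s %s\nquit\n' "$1" "$2"
}

# SFTP batch for hop 2; batch mode needs key-based (non-interactive) authentication.
sftp_batch() {  # $1 = local staging path, $2 = destination path on remote host
    printf 'put %s %s\nquit\n' "$1" "$2"
}

relay_file() {  # $1 = MPE/iX file name, $2 = remote destination path
    mkdir -p "$STAGE" && chmod 700 "$STAGE"      # keep the cleartext copy private
    local_copy="$STAGE/$(basename "$1")"
    ftp_batch "$1" "$local_copy" | ftp -i "$MPE_HOST" || return 1
    # ftp exits 0 even when the get fails, so check that something was fetched
    [ -s "$local_copy" ] || { echo "relay: nothing fetched for $1" >&2; return 1; }
    sftp_batch "$local_copy" "$2" | sftp -b - "$REMOTE" || return 1
    rm -f "$local_copy"                           # remove the staged cleartext copy
}

# Usage: ./relay.sh DATA.PUB.ACCT /incoming/data.dat
if [ $# -eq 2 ]; then relay_file "$1" "$2"; fi
```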
7.3 Socksified FTP on MPE
This solution is useful if the MPE/iX FTP client is attempting to reach an FTP server behind a firewall which allows FTP over SOCKS.
This configuration does not provide any encryption for logon passwords or data transfers.
It requires the firewall to be configured for socksified FTP at port number 1080. SOCKS on MPE/iX was developed for MPE/iX 6.0 and can be downloaded from http://jazz.external.hp.com/src/ftp/index.html. It has been "minimally" tested on more current MPE/iX releases.
Note: It is an unfortunate bit of history that the socksified version of FTP for MPE/iX was called SFTP.ARPA.SYS. Just to make it clear, the socksified FTP/iX client is not Secure FTP.
7.4 OpenSSH on MPE
OpenSSH was partially ported to MPE/iX by Ken Hirsch several years ago. He ported a working ssh client but was unable to port a running server. Details of the untested porting of OpenSSH are provided at the following link: http://invent3k.external.hp.com/~KEN.HIRSCH/opensshnotes.html
7.5 Hardware Solutions
7.5.1 Isolating MPE behind IPv6
IPSec is a suite of protocols for securing Internet Protocol (IP) communication by authenticating and/or encrypting the data stream. Thus, it provides a secure channel for data/command transfers. Since MPE/iX does not have an IPv6 implementation, one option is to place the MPE/iX box behind an IPv6 router. The intent is to keep the MPE/iX box in an entirely isolated network behind IPv6. But a major concern would be that IPv6 is not even minimally implemented in the industry. More information on IPv6 can be found at: http://en.wikipedia.org/wiki/IPv6
7.5.2 HP ProCurve Network Solutions
Modern network switches "isolate" local traffic based on learned network addressing. In the not so distant past, network switches echoed all LAN traffic to each switch port, and this traffic could be sniffed with common and widely available tools (Ethereal, as an example). Modern network switches (for example, HP ProCurve 2300, 2500 and 2700 series managed plug & play switches) split the traffic seen on any switch port into the traffic that is sent to a broadcast address and the traffic that is for the specific "learned" network (IP) address.
For our concerns of FTP/iX and non-encrypted logons/passwords, commands and data over an "intranet", customers with newer technology network switches should be less concerned, as this traffic path is isolated to the source and destination systems. That is not to say that the traffic could not be sniffed at the
Page 27 of 28 | Secure FTP on MPE/iX | 7/18/2008 | http://jazz.external.hp.com/papers/Securing-FTP-Whitepaper.html