Four Modern Alternatives to FTP Explained

Today's data-driven world is demanding, requiring accuracy, speed, integrity and above all -- security. It's a tall order to fill, and in the past, many organizations relied heavily on the legacy FTP protocol to transmit files. But over time, the security of this method has been tested by hackers.

For example, a serious breach occurred at Yale University in 2001, when more than 43,000 user IDs were exposed and all data was carefully harvested from an FTP server. Acer customer details were stolen in a similar fashion the same year. And most recently, 7,000 FTP sites had their credentials circulated in underground forums, including an FTP server run by The New York Times.

Security and file transfers are a significant concern for IT security professionals, but what is the best way to safeguard your company's data?

Leveraging More Secure Options

As many organizations have evolved past traditional FTP, they are opting for modern and secure options for transmitting data, including:

SFTP. Also known as FTP over SSH, SFTP brings down the risk during data exchange by using a secure channel between computer systems to prevent unauthorized disclosures during transactions. Authentication of an SFTP connection uses a user ID and password, SSH keys, or both. It is also firewall friendly, needing only a single port to be opened.

HTTPS. Many sites are gravitating to HTTPS instead of the traditional HTTP, but what are the major differences? For starters, traditional HTTP doesn't encrypt traffic to your browser, which poses a security risk. In contrast, HTTPS provides an added encryption layer using Transport Layer Security (TLS). This creates a secure channel so the data cannot be altered in transit without your knowledge. HTTPS is ideally suited for file transfers where a trading partner requires a simple, browser-based interface for uploading data.

AS2. This is a popular method for transporting EDI data safely and reliably over the Internet. AS2 wraps the data in an "envelope" that is protected with digital certificates and encryption. For example, Walmart has become well known for using EDI through AS2 and has played an important role in driving adoption in the retail industry.

Managed File Transfer. A method that supports the above options and makes FTP more secure is managed file transfer (MFT). This secure option streamlines the exchange of data between systems, employees and customers. Numerous protocols and encryption standards are supported, and MFT provides extensive security features that meet strict security policies to comply with PCI DSS, HIPAA, GLBA and other regulatory requirements.

MFT solutions provide advanced authentication and data encryption to provide secure and reliable file transfers. You can also track user access and transfer activity through reporting features.

Overall, managed file transfer offers the best option for securely managing the transfer of data quickly and efficiently, with detailed audit trails. It's preventive, rather than reactive, which is what security professionals in today's environment need most.


SHA-2 and TLS Security for AS2 Transfers

2016 is a pivotal year for organizations to upgrade the security used to protect their AS2 data transfers. In order to be compliant with the latest security standards, you need to be using a modern AS2 solution.

The End of SHA-1

SHA-1 (Secure Hash Algorithm) is a cryptographic hash algorithm created by the NSA and published in 1995. SHA-1 takes a message of any length and produces a 160-bit message digest. The message digest verifies the integrity of the message by comparing the hash calculated before transmission with the hash calculated after it. For example, the hash of a transmitted file is compared against the hash of the file before it was sent. If the hash values are the same, the file was not tampered with. If the hash values are different, the file was altered during transmission. In 2005, attacks demonstrated that the security of SHA-1 is weaker than intended, and the more secure SHA-2 standard was created. SHA-2 is actually a family of hash functions with hash values of 224, 256, 384, or 512 bits.

Due to the stronger hash algorithms in SHA-2, Federal agencies have been directed to stop using SHA-1 and must use SHA-2. 2016 is the year software vendors are completing their migration to SHA-2. Google Chrome has begun displaying warning messages for SHA-1 certificates with expiration dates past January 1, 2016, and Microsoft instructed Certificate Authorities to stop issuing SHA-1 certificates earlier this year. Major organizations, like UPS, are requiring their AS2 trading partners to use SHA-2.

TLS

Transport Layer Security is a protocol that encrypts communications between client applications and servers. TLS is the successor to the Secure Sockets Layer (SSL) protocol version 3.0, and uses more advanced methods for message authentication, better alerting for problem certificates, and more robust cipher suites. Since the POODLE vulnerability was discovered in late 2014, companies still using SSL instead of TLS are leaving themselves open to man-in-the-middle exploits. Google and Mozilla have already phased out support for SSL 3.0 in Chrome and Firefox, and trading partners are demanding that companies support TLS for AS2 transfers.

SHA-2 and TLS migration

GoAnywhere MFT fully supports SHA-2 and TLS for AS2 transfers. GoAnywhere is certified by the Drummond Group, validating that our AS2 solution follows the RFC 4130 standard and is interoperable with other certified products. Using a Drummond Certified solution, and requiring your trading partners to do so as well, alleviates the challenges of AS2 and ensures your transfers fully meet the latest security standards. For more information on AS2 support in GoAnywhere MFT, visit the pages on our AS2 Client and AS2 Server.


What is AS2?

Applicability Statement 2 (AS2) is a popular file transfer protocol that allows businesses to exchange data with their trading partners.

AS2 combines the use of several secure and widely used technologies including HTTPS, SSL Certificates, S/MIME, and file hashing. By utilizing the strengths of each of them, AS2 has become the preferred protocol in many organizations for exchanging sensitive EDI files.

AS2 messages can be compressed, signed, encrypted and sent over an SSL tunnel, making the file transfers very secure. Receipts can be sent back to the sender to confirm the messages were delivered successfully. The receipts can be digitally signed and will contain a checksum value that the sender uses to verify that the message received is identical to what was sent.

Key Features of AS2

  • Message Encryption - By using the recipient's public certificate, the AS2 message contents can be encrypted to keep the data secure. Only the recipient will be able to decrypt the contents using their private certificate.
  • Digital Signatures - The message can be signed using the sender's private certificate which allows the recipient to verify the authenticity of the sender. The receipt that is sent back to the sender can also be signed to ensure the identity of the recipient's system. These digital signatures are used for message integrity and non-repudiation of origin. They are typically used in addition to authentication using a user name, password, and/or certificate.
  • Compression - In order to improve transmission time, compression can be added to decrease the size of the message.
  • Receipt - The Message Disposition Notification (MDN, which is commonly referred to as a receipt) plays an important role in AS2 as it acknowledges that the recipient received the message. It can also be used to verify the identity of the recipient when the receipt is signed. Receipts that are sent back immediately over the same connection are referred to as a synchronous MDN. Receipts can also be sent back at a later time in asynchronous mode. This allows the recipient to process and verify the data before sending back a status to indicate if the transaction was successful.
  • Message Integrity Check - The recipient will calculate a checksum of the message using MD5, SHA1, or a SHA2 hashing algorithm. This value is referred to as the MIC and is shared with the sender by placing it in the receipt. The sender will calculate a checksum as well using the same algorithm. These two values are then compared to guarantee that the message sent is identical to the message that was received.
  • Non-repudiation of Receipt - The use of signatures on the message and receipt creates a Non-Repudiation of Receipt (NRR) event, which is considered legal proof of delivery.
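The Message Integrity Check described above, and the hash-before-and-after comparison from the SHA-1 section, can be worked through in a few lines. This is an added example written for this page, not GoAnywhere code: the receiver builds the MDN's Received-content-MIC field (the field name and "MIC, micalg" layout come from RFC 4130), the sender recomputes the MIC over what it sent and compares, and MD5/SHA-1 are refused by policy so a partner cannot quietly downgrade. The EDI payload is a constructed sample, and it is assumed both sides hash the exact same bytes of the signed MIME part.

```python
import base64
import hashlib
import hmac
import re

# Hash algorithms this side accepts for the MIC. AS2 also allows MD5 and
# SHA-1, but they are deliberately excluded here per the SHA-2 migration.
ALLOWED_MICALGS = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

# Constructed sample EDI payload standing in for the signed MIME body part.
PAYLOAD = b"ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     ~\r\n"


def compute_mic(content: bytes, micalg: str) -> str:
    """Return the base64 MIC of content using an allowed micalg name.
    Both sides must hash the same bytes (the signed MIME part), so the
    caller is responsible for passing exactly what went on the wire."""
    if micalg not in ALLOWED_MICALGS:
        raise ValueError(f"micalg {micalg!r} is not permitted (SHA-2 only)")
    digest = hashlib.new(ALLOWED_MICALGS[micalg], content).digest()
    return base64.b64encode(digest).decode("ascii")


def received_content_mic_field(content: bytes, micalg: str) -> str:
    """Receiver side: build the MDN's Received-content-MIC field."""
    return f"Received-content-MIC: {compute_mic(content, micalg)}, {micalg}"


_MIC_RE = re.compile(
    r"^Received-content-MIC:\s*([A-Za-z0-9+/=]+)\s*,\s*([\w-]+)\s*$", re.M)


def verify_mdn_mic(mdn_text: str, sent_content: bytes) -> bool:
    """Sender side: recompute the MIC over what was sent and compare it
    with the one the partner reported. Returns True only if the MDN names
    an allowed algorithm and the two values match."""
    match = _MIC_RE.search(mdn_text)
    if not match:
        return False
    received_mic, micalg = match.group(1), match.group(2).lower()
    if micalg not in ALLOWED_MICALGS:
        return False  # partner answered with MD5/SHA-1: treat as a failure
    return hmac.compare_digest(received_mic, compute_mic(sent_content, micalg))


if __name__ == "__main__":
    mdn = received_content_mic_field(PAYLOAD, "sha-256")
    print(mdn, verify_mdn_mic(mdn, PAYLOAD), verify_mdn_mic(mdn, PAYLOAD + b"!"))
```

A mismatch means the bytes the partner hashed differ from the bytes sent, which is the altered-in-transit case the article describes; a rejected micalg means the partner has not completed the SHA-2 migration.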

Challenges with AS2

Both organizations will need an AS2 solution in order to exchange data. Due to the complex nature of the AS2 protocol, with its encryption, signatures, and receipts, there can be compatibility issues between two separate products. Fortunately, Drummond Group has a rigorous program that validates that an AS2 product follows the RFC 4130 standard and is interoperable with other certified products. Using a Drummond Certified solution, and requiring your trading partners to do so as well, alleviates the challenges of AS2 and allows you to focus on the business aspects of data transfers.

GoAnywhere MFT™ is Drummond Certified™ for AS2 and supports SHA2 algorithms for stronger security, chunked transfer encoding to handle large files, multiple attachments per message, and filename preservation.


Linoma Software's GoAnywhere MFT Now Drummond Certified™ for AS2

Linoma Software™ is recognized among 13 global organizations to be Drummond Certified™ in the AS2-3Q15 automated interoperability test event.  The AS2 automation features in Linoma's managed file transfer solution, GoAnywhere MFT™, were reviewed and tested against the world's highest standards, as set by the Drummond Group, LLC.  Drummond Certified™ products are compliant and interoperable to make sure they truly interface with the systems of customers and partners.

AS2 (Applicability Statement 2) is one of the most popular methods for transporting data securely and reliably over the Internet. With it, businesses can easily exchange data (like EDI, XML, documents, PDFs, and text files) with trading partners.

"Although GoAnywhere has supported AS2 for quite some time, our customers were telling us that becoming Drummond Certified™ would help them in meeting trading partner requirements," commented Bob Luebbe, Chief Architect at Linoma Software. "To be Drummond Certified™ means being part of an elite group of software solutions, and one of the few that can also offer on-premise file collaboration and managed file transfer capabilities too."

In addition to becoming certified as an AS2-3Q15 product, further testing of GoAnywhere MFT confirmed its compatibility with RFC 4130 and verified compliance with optional profiles for:

  • FN (Filename Preservation)
  • MA (Multiple Attachments)
  • FN-MA (Filename Preservation with Multiple Attachments)
  • CTE (Chunked Transfer Encoding)
  • SHA2 hash algorithms supporting SHA256, SHA384 and SHA512

A report listing the test results and technical parameters of a specific test may be downloaded from the www.drummondgroup.com website.


GoAnywhere MFT™ Enters the Drummond AS2 Certification Queue

This spring, Linoma Software started the extensive process of reviewing and testing its AS2 automation features against the world's highest standards, as set by the Drummond Group, LLC. Drummond Certified™ products are compliant and interoperable to make sure they truly interface with the systems of customers and partners.

GoAnywhere MFT™ recently completed the first phase of testing, the results of which confirmed compatibility with RFC 4130.  The testing also verified GoAnywhere's compliance with optional profiles for:

  • FN (Filename Preservation)
  • MA (Multiple Attachments)
  • FN-MA (Filename Preservation with Multiple Attachments)
  • CTE (Chunked Transfer Encoding)
  • SHA2 hash algorithms supporting SHA256, SHA384 and SHA512

GoAnywhere MFT was added to the Drummond AS2 Certification Queue where it will be tested against all AS2 Drummond Certified products. Linoma Software anticipates certification for GoAnywhere MFT this fall.


Linoma Starts Off the Year with Several Product Releases

When things get hectic and life gets crazy, let's face it, we could all use a release. All puns aside, Linoma Software has been busy the past 5 months issuing several releases which provide our current and future clients the business edge they need in this ever changing market. Linoma released updates for Surveyor/400, Crypto Complete, GoAnywhere Services and last but not least GoAnywhere Director.

In February, Linoma released Surveyor/400 3.7. Surveyor/400 allows users to easily query and download data from IBM i to their desktops and network servers. Version 3.7 provides support for Excel 2007 with custom formatting options to create professional-looking spreadsheets. Surveyor/400 additionally supports earlier versions of Excel, as well as CSV, fixed width text, HTML and XML documents.  Surveyor/400 conveniently provides over 20 IBM i tools in one application.

In addition to Surveyor/400, Linoma also released Crypto Complete 2.20 in February. The new release of Crypto Complete 2.20 incorporates tokenization. Tokenization should be considered when sensitive data is stored on multiple systems. Tokenization is the process of replacing sensitive data with unique identification numbers (tokens) and storing the original data on a central server in encrypted form. By centralizing sensitive data, tokenization helps to thwart hackers and minimize the scope of compliance audits such as PCI. Additionally, Crypto Complete 2.20 offers faster encryption for backups while eliminating the need for intermediate save files.

Let's fast-forward to June; Linoma released GoAnywhere Services 1.3.0. Version 1.3.0 adds enhanced security features with IP Filtering, Syslog feeds and additional Trigger actions, along with other updates and usability options. GoAnywhere Services is a secure file server that provides internal and external trading partners with a secure connection to your system for exchanging files within a fully managed and audited solution.

Also in June, Linoma released a new version of GoAnywhere Director. GoAnywhere Director 3.2.0 provides a connector for sending data using the AS2 version 1.2 standards. This includes support for multiple file attachments within a single AS2 message, synchronous MDN receipts and message integrity verification. AS2 messages can be sent over an SSL tunnel, making it a secure option for the transfer of sensitive data. Version 3.2.0 also includes Syslog server integration, advanced scheduling options, enhanced server certificate handling and FTP checksum validation options. GoAnywhere Director is a managed file transfer solution for the enterprise.

If you need any additional information about any of our product releases or if you need a solution and aren't sure what is the best product for your circumstance, give us a call. If we don't have the product your business needs, we can point you in the right direction.

It has been a great start to 2010 and we would like to say thanks to all of our clients for their continued support.