IBM® Sterling Secure Proxy acts as an application proxy between IBM Sterling
Connect:Direct® nodes or between a client application and a Sterling B2B Integrator
server. Sterling Secure Proxy provides a high level of data protection between
external connections and your internal network. Define an inbound node definition
for each trading partner connection from outside the company and an outbound
node definition for every company server to which Sterling Secure Proxy will
connect.
Protect file transfers from the public Internet.The Internet remains risky for file transfer
IBM Sterling Secure Proxy is a demilitarized zone (DMZ)-based application proxy that protects your file transfers from the public Internet.
IBM® Sterling Secure Proxy provides a demilitarized zone (DMZ)-based application proxy that shields file transfers from the public Internet. It uses trading-partner authorization, multifactor authentication, session breaks and other controls for validation before transfers enter your trusted zone.
- Protections against unauthorized access with Secure Sockets Layer (SSL) session breaks and multifactor authentication.to help reduce data vulnerability and protect your brand.
- Reduced file transfer costs that can help increase your file transfer community by taking advantage of the Internet.
- Increased perimeter security for your file transfer infrastructure using time-tested firewall navigation practices.
- Simplified authentication with self-service authentication customization for trading partners to help reduce dependency on your IT staff.
Sterling Secure Proxy Architecture
The components of the Sterling Secure Proxy architecture are:
- Sterling Secure Proxy Engine—the engine resides in the DMZ and contains the minimum components necessary to manage communications sessions. The engine configuration (Sterling Secure Proxy engine properties) is created at Configuration Manager and pushed to the engine. It is stored in active memory and is never stored on disk in the DMZ. No web services or UI ports are open in the DMZ.
- Configuration Manager (Sterling Secure Proxy CM)—Configuration Manager is installed in the trusted zone. Use this tool to configure your environment. When you save a configuration definition (Sterling Secure Proxy configuration store) at CM, it is pushed to an engine, using an SSL session. Configuration files are encrypted and stored on the computer where CM is installed.Note: Only one Configuration Manager should update an engine definition.
- Sterling Secure Proxy configuration store—This file is encrypted on disk and contains the following information:
- The user store with information on user credentials
- The system certificate store with the certificates used for SSL/TLS sessions
- The key store with the SSH keys
- The engine configuration store with all configuration information for the engine
- Sterling Secure Proxy engine properties file—These files are encrypted and contain the following information:
- The IP and port number to listen on for connections from Configuration Manager
- SSL key certificate, trusted certificate, and encryption cipher used for the connection from Configuration Manager
- Web server—Configuration Manager is installed with a web server. You open a browser and access CM through a web page to configure Sterling Secure Proxy and monitor the engine activity. The web server is installed when you install Configuration Manager.
- Adapter—an adapter identifies the protocol allowed for connections from trading partners. You can accept connections from clients that use different protocols; however, you must define a different adapter for each protocol. A single engine can run multiple adapters. In an adapter definition, you identify the port on which to listen for connections, the netmap to use with the adapter, the security policy, and the routing method to use. If you are using Sterling External Authentication Server, you identify the Sterling External Authentication Server to use in the adapter definition. If you are using a remote perimeter server, you identify the perimeter server to use in the adapter definition.
- Netmap—define a netmap to identify the trading partners authorized to communicate through Sterling Secure Proxy and the company servers where connections are made.
- For a Sterling Connect:Direct® netmap, create a node definition for all Sterling Connect:Direct nodes that will communicate through Sterling Secure Proxy. The node definition identifies the IP address and port to be used by the node and the policy to associate with the node. If SSL or TLS security is required for the connection, configure the protocol options in the node definition. You can also enable node-level logging in the node definition.
- For HTTP and FTP netmaps, define an inbound node definition for trading partner connections from outside the company. The inbound node definition identifies the IP address or address pattern to allow for the connection and the policy to associate with the node. If SSL or TLS security is required, configure the protocol options in the node definition. You can also enable node-level logging in the inbound node definition.
- For HTTP and FTP netmaps, define an outbound node for every company server to which Sterling Secure Proxy will connect. An outbound node definition identifies the address and port used to connect to the company server and enables SSL or TLS if this is required. You can also enable node-level logging and failover support in the outbound node definition.
- For SFTP netmaps, define an inbound node definition for trading partner connections from outside the company. The inbound node definition identifies the IP address or address pattern to allow for the connection and the policy to associate with the node.You can also enable node-level logging in the inbound node definition.
- For SFTP netmaps, define an outbound node for every company server to which Sterling Secure Proxy will connect. An outbound node definition identifies the address and port used to connect to the company server, the known host key that is used to authenticate the company server toSterling Secure Proxy, and the cipher suites and MACs used to secure the connection. You can also enable node-level logging and failover support in the outbound node definition.
- Policy—define a policy to identify the security features to implement for an inbound node definition or a Sterling Connect:Direct node definition.
- In all protocol policies, you can enable the capability to authenticate the inbound connection and identify what user ID and password to use to connect to the secure company server.
- For FTP, HTTP, and Sterling Connect:Direct policies, you can enable the capability to authenticate certificate information using Sterling External Authentication Server,
- In an HTTP policy, you can enable the capability to block commonly occurring HTTP exploits.
- In a Sterling Connect:Direct policy, you can enable the capability to send a warning message or stop a session if a protocol error occurs, as well as prevent a Sterling Connect:Direct node from performing a runtask, runjob, copystep, or submit step function.
- In an SFTP policy, you identify the method required to authenticate the inbound connection. Authentication methods supported are key, password, password or key, and password and key.
- Sterling External Authentication Server—a separately installed feature of Sterling Secure Proxy, Sterling External Authentication Server allows you to validate digital certificates passed by the client or trading partner during SSL/TLS session requests. You can also validate certificates against one or more certificate revocation lists (CRLs), and validate certificates based on a valid date range. See the Sterling Secure Proxy documentation library for more information.Sterling External Authentication Server can be configured to validate certificates and authenticate users. The functions performed by Sterling External Authentication Server are defined in an Sterling External Authentication Server definition. Sterling External Authentication Server performs one or more of the following functions:
- Certificate Validation
- Certificate Revocation List (CRL)—certificate revocation checking using a certificate revocation list (CRL)
- Multi-factor Authentication
- Certificate Policy Enforcement
- LDAP Authentication
- User ID mapping—remote trading partners can be given IDs and passwords that do not provide access to internal systems. The ID and password presented by the trading partner is mapped to an ID and password that can then access the internal system
- Tivoli Access Manager Authentication
- Generic Authentication
Before you can use Sterling External Authentication Server with Sterling Secure Proxy, you must configure Sterling External Authentication Serverdefinitions in Sterling Secure Proxy. Then, when configuring policies and protocol adapters, you select these server definitions. You can also select security features available in Sterling External Authentication Server such as certificate authentication, user authentication, and user mapping. Refer to the Sterling External Authentication Server documentation library for more information.
Excellent! This is a really informative and useful content. I liked benefits IBM® Sterling Secure Proxy.I will definitely use this proxy for my company. But Now my company used ssl secure proxy system from Zorba Proxy Network: www.moka9.com and it's working fine. Thanks.
ReplyDelete