This solution is a Secure Shell server that provides secure file transfer and remote administration services for UNIX servers. Reflection for Secure IT is a family of SSH clients and servers for Windows and UNIX—all designed to protect data in motion. With Reflection for Secure IT encryption, authentication, and logging features you can safely transfer files, manage remote servers, and access corporate applications over encrypted connections. These features can also help you comply with stringent data security regulations.
Note: Reflection for Secure IT UNIX Server includes a single license of Reflection for Secure IT UNIX Client.
VERSION 7.1 HIGHLIGHTS
- Improved support for PKI environments reduces administrative burden via centralized management of certificate functions.
- Enhancements to Secure File Transfer include Smart Copy, user least privilege support, reuse of FTP scripts, and the ability to monitor file-transfer activity in detail with additional event types for file-transfer logging.
- Additional support for LDAP user directories takes advantage of centralized user configurations for shell settings and home directory creation.
- Additional platform support includes AIX 6.1 on POWER, Red Hat Enterprise Linux 5 on Itanium, and Red Hat Enterprise Linux 4 on zLinux.
- Installation improvements in Solaris and Linux let organizations customize the installation location.
- Updated FIPS 140-2 validated cryptographic module leverages newer and stronger encryption algorithms.
- Support for TCP Wrappers enhances access control.
Technical Specifications:
Secure File Transfer
- SCP
- SFTP
- FTP over SSH
- chroot support
- Unattended scheduled file transfers
- SFTP and SCP file transfer resume after interrupted downloads
- SFTP Smart Copy eliminates redundant copying of identical source/target files
Granular access control customization (sub-configurations)
- Assignable rights:
- Terminal shell access
- Exec requests
- File transfer access
- SFTP activities (Browse, Download, Upload, Delete, Rename)
- Assignable to:
- Global
- Groups
- Users
- Per client system (by IP address or domain name)
Security Protocols
- SSH2 (IETF SecSh Internet drafts and RFCs 4250–4254, 4256, 4462, 4345, and 4716)
Cryptographic Library Validation
- FIPS 140-2 Level 1 (certificate #1027)
Algorithms
- Ciphers:
- AES (128, 192, and 256 bit CBC)
- AES (128, 192, and 256 bit CTR)
- 3DES (3 56-bit key EDE)
- Blowfish (128 bit)
- CAST (128 bit)
- Arcfour (128 and 256 bit)
- MACs:
- HMAC-MD5
- HMAC-SHA1, HMAC-SHA256
- HMAC-SHA512
- RIPEMD
- Key exchange:
- RSA
- DSA
- Diffie-Hellman
- GSS-API key exchange
Authentication
- Password:
- Keyboard interactive:
- Traditional password
- PAM (Pluggable Authentication Module)
- RSA SecurID (via PAM)
- RADIUS
- SSH user keys:
- RSA and DSA user keys
- Agent forwarding
- Kerberos:
- User (gssapi-with-mic) and host (gssapi-keyex) authentication
- PKI via the Reflection PKI Services Manager:
- Centralized configuration and management of PKI functions across multiple Reflection for Secure IT Windows and UNIX servers
- Standalone service module supported on most platforms supported by Reflection for Secure IT Windows and UNIX server
- FIPS 140-2 Level 1 validated for most supported platforms (certificate #1048)
- RFCs 2253, 2560, and 3280
- X.509 certificates for server and client authentication (X.509 versions 1-3)
- Version 2 X.509 CRL
- OCSP revocation checks
- Support for LDAP and HTTP certificate and CRL repositories
- Certificate extensions supported
• CDP
• IDP
• AIA
• Policy Constraints
• Basic Constraints
• Name Constraints
• Extended Key Usage
- Customizable configuration on per trust anchor basis
- Fully customizable mapping of SSH user account names to certificates
- LDAP:
- Directory-accessed user shell configurations
- Support for mkhomedir PAM module for automatic creation of LDAP user home directory
- Other:
- Configurable pre-authenticated session limit
Tunneling
- Local
- Remote
- FTP protocol
- X11 protocol
Accounting
- Logon events for all authentication methods
- Detailed file transfer event capture including Uploads, Downloads, and Directory listings
- Notification of exceeded maximum password attempts
- HP-UX SAM Auditing and Security tool support
- Sun Solaris Least Privilege Model support
Operating Systems
- HP-UX 11i v1 (PA-RISC)
- HP-UX 11i v2 (PA-RISC)
- HP-UX 11i v2 (Itanium)
- HP-UX 11i v3 (Itanium)
- IBM AIX 5.2 (POWER)
- IBM AIX 5.3 (POWER)
- IBM AIX 6.1 (POWER)
- Red Hat Enterprise Linux 4 (Itanium)*
- Red Hat Enterprise Linux 4 (x86)*
- Red Hat Enterprise Linux 4 (x86-64)*
- Red Hat Enterprise Linux 5 (Itanium)*
- Red Hat Enterprise Linux 5 (x86)*
- Red Hat Enterprise Linux 5 (x86-64)*
- Sun Solaris 8 (SPARC)*
- Sun Solaris 9 (SPARC)*
- Sun Solaris 10 (SPARC)*
- Sun Solaris 10 (x86)*
- Sun Solaris 10 (x86-64)*
- SUSE Linux Enterprise Server 9 (Itanium)*
- SUSE Linux Enterprise Server 9 (x86)*
- SUSE Linux Enterprise Server 9 (x86-64)*
- SUSE Linux Enterprise Server 10 (x86)*
- SUSE Linux Enterprise Server 10 (x86-64)*
- zLinux – Red Hat Enterprise Linux 4 (64-bit)*
- zLinux – SUSE Linux Enterprise Server 9 (32-bit)*
* Customizable installation directory available for Solaris and Linux platforms
System Requirements
- Any system that meets the minimum requirements for the UNIX/Linux operating system
- Network interface card
- For all Itanium systems, the library libunwind is required (HP-UX, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server)
- For HP-UX 11i v1 on PA-RISC, the following patches (or their superseded patches) are required:
- PHCO_28605 s700_800 11.11 libnss_files cumulative patch
- PHCO_31923 s700_800 11.11 libc cumulative header file patch
- PHCO_34275 s700_800 11.11 libc cumulative patch
- PHKL_34805 s700_800 11.11 JFS3.3 patch; mmap
- PHSS_33033 s700_800 11.11 ld(1) and linker tools cumulative patch
- IBM AIX 5.3 Maintenance Level 5300-5
- Sun Solaris UltraSPARC CPU