DEDS Migration to secured FTP For discussion with GNP Industry.


Introduction

Communication Providers (CP) connect into BT (DEDS) using ISDN/VPN setups and use FTP to exchange Single Line Geographical Number port requests/response files.

CP uploads and downloads the Number port request and response files from DEDS server if CP is gaining the number.

DEDS uploads and downloads the Number port request and response files from CP server if BT is gaining the number.

Limitations of current setup

• ISDN access to DEDS is slow due to limited bandwidth.

• Being older technology, ISDN setup is difficult and costly to maintain in terms of availability of equipment and skills to maintain them.

• VPN access is limited by availability of VPN ports on BT firewall. Ports are almost exhausted.

• Existing DEDS hardware has scalability limitations.

• Failover capability is limited and slow on existing infrastructure.

EXISTING SETUP

[Diagram: existing setup. Labels: CP 1 to CP n, FTP, DEDS cluster (Primary DEDS, Secondary DEDS), XFB, Number Porting application.]

PROPOSED SETUP

[Diagram: proposed setup. Labels: CP 1 to CP n, FTPS (one way SSL/TLS over internet), DNS switching, NEW DEDS, NEW DEDS DR, Data Mirroring, XFB, Number Porting application.]

Advantages of the proposed set up

Data transfer through a secured and fast channel.

Move from an old ISDN setup to a scalable secured FTP channel which is exposed to the internet. ISDN call charges borne by CPs would be eliminated.

Maintenance of ISDN, which is an old technology, is not required.

Secured FTP clients/server are readily available and many of them are freeware.

CPs using Fax and Email as communication mode can easily migrate to electronic medium as the proposed setup is being exposed to internet.

Additional Benefit targeted with the proposed set up

Better failover capabilities for DEDS which would ensure minimal loss of service.

Rationale of FTPS

• FTPS is a widely used standard alongside SFTP. Each has its own advantages and disadvantages.

• A few specific reasons for choosing FTPS:

– Chrooting – Required to ensure each CP has an isolated working area on the DEDS server for data security.

– Time bound login – It is necessary to restrict CP access to DEDS outside of agreed service hours.

– Logging – Formatted logging which enables automated trapping and monitoring of error scenarios. It is also possible to generate MIS of upload/download activities.

– Command Execution – To ensure CP can execute only certain commands necessary for transfer of files and restrict potentially harmful commands for health of DEDS.
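
The logging and time-bound login points above can be checked from the transfer log. The following is an added example, not part of the original slides or of DEDS: it parses constructed Common Log Format style lines and reports per-CP upload/download counts, out-of-hours activity, failed transfers and unparsable lines. The log layout, the cp_alpha/cp_beta accounts and the 08:00-18:00 service window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample lines (assumed CLF-style layout, not real DEDS output).
SAMPLE_LOG = """\
203.0.113.10 - cp_alpha [08/Jun/2010:09:15:02 +0100] "PUT /in/port_req_001.txt" 200 1834
203.0.113.10 - cp_alpha [08/Jun/2010:09:20:41 +0100] "GET /out/port_resp_001.txt" 200 912
198.51.100.7 - cp_beta [08/Jun/2010:23:47:10 +0100] "PUT /in/port_req_044.txt" 200 2210
198.51.100.7 - cp_beta [09/Jun/2010:10:02:33 +0100] "GET /out/port_resp_044.txt" 550 0
this line is truncated or corrupt
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>GET|PUT) (?P<path>[^"]+)" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Assumed service window; the slides only say "agreed service hours".
SERVICE_START, SERVICE_END = time(8, 0), time(18, 0)


def analyse(log_text):
    """Return a report dict built from CLF-style transfer log text."""
    report = {"counts": Counter(), "out_of_hours": [], "failures": [], "rejected": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        try:
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z") if m else None
        except ValueError:
            when = None
        if when is None:
            report["rejected"].append(line)  # never drop unparsable lines silently
            continue
        direction = "upload" if m["verb"] == "PUT" else "download"
        report["counts"][(m["user"], direction)] += 1
        # Compare the wall-clock time as logged against the service window.
        if not (SERVICE_START <= when.time() <= SERVICE_END):
            report["out_of_hours"].append((m["user"], m["ip"], m["ts"]))
        if int(m["status"]) >= 400:
            report["failures"].append((m["user"], m["path"], int(m["status"])))
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, dict(value) if key == "counts" else value)
```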

What is Changing?

• DEDS hardware will be migrated to a new scalable architecture. This hardware will be accessed by CPs' systems using standard Internet URL calls.

• DEDS will be exposed to the internet with IP filtering applied on the BT firewall to accept calls only from registered IPs.

• FTPS replaces normal FTP by using one way SSL/TLS and basic authentication.

• CPs will upload/download the files to/from DEDS via one way SSL/TLS over the internet using an FTPS client.

• DEDS would upload/download files from the CP's server using an FTPS client. CPs would need to host an FTPS server on their servers to allow for FTPS transfers by DEDS.

Impacts of the Change

Number Porting order requests are initiated by the Gaining CP.

– For Numbers exporting out of BT, order files are uploaded by CP onto DEDS (BT) and responses are downloaded by CP from DEDS (BT).

• CP would need to host an FTPS client (compatible with the pureftpd product used on DEDS).

• X509 certificates will be used by BT on the DEDS server as Server Certificate. CPs will be provided with the required public key certificate of DEDS (BT).

• CPs would need to install/import it on their servers to be able to connect to DEDS.

• Port number to be used by the FTPS client while connecting to DEDS would be provided by the DEDS support team. These ports will need to be configured by CP onto the FTPS client.

• Changes needed in the process/automation to suit migration to secured FTP.

• CPs can continue using the same user id and password while accessing DEDS. The folder structure on DEDS would also remain the same.

– For Numbers importing into BT, order files are uploaded by DEDS onto CP servers and responses are downloaded by DEDS from CP servers.

• CPs have to host an FTPS server on their machines.

• CPs will have to open up their firewall(s) to allow FTPS connections from DEDS.

• CPs have to provide BT with the necessary public key for DEDS. This would need to be installed on DEDS and would be used for authentication while connecting to CP machines.

• CPs will have to provide IPs, ports, usernames and passwords of their systems to DEDS.
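
What importing the DEDS server certificate means on the client side, as an added example (not from the original slides or from BT): a Python FTPS client that trusts only the certificate file supplied for the server and protects both the control and data channels. Explicit FTPS (AUTH TLS), the TLS 1.2 minimum, the function names and all host, port, credential and file values are assumptions or placeholders.

```python
import ssl
from ftplib import FTP_TLS


def build_tls_context(server_cert_pem=None):
    """One-way TLS client context that trusts only the supplied certificate file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumption: server supports 1.2+
    if server_cert_pem is not None:
        # Only this file is trusted; the system CA bundle is never loaded.
        ctx.load_verify_locations(cafile=server_cert_pem)
    # With no file loaded the trust store is empty, so every handshake fails closed.
    return ctx


def upload_order_file(host, port, user, password, server_cert_pem,
                      local_path, remote_name):
    """Upload one file over explicit FTPS with an encrypted data channel."""
    ftps = FTP_TLS(context=build_tls_context(server_cert_pem), timeout=30)
    try:
        ftps.connect(host, port)
        ftps.login(user, password)  # ftplib negotiates AUTH TLS before USER/PASS
        ftps.prot_p()               # encrypt the data connection as well
        with open(local_path, "rb") as fh:
            return ftps.storbinary(f"STOR {remote_name}", fh)
    finally:
        ftps.close()


if __name__ == "__main__":
    # Placeholder call; real host, port and credentials come from DEDS support:
    # upload_order_file("deds.example.invalid", 21, "cp_user", "change-me",
    #                   "deds_server_cert.pem", "port_req_001.txt", "port_req_001.txt")
    ctx = build_tls_context()
    print(ctx.verify_mode, ctx.check_hostname, ctx.cert_store_stats())
```

A certificate or hostname mismatch raises ssl.SSLCertVerificationError during login, before the user id and password are sent.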

How Migration will be managed?

Migration will be managed in three phases.

• Phase I: New DEDS server will be available in live, ready for CPs to migrate.

– Once Phase I is complete, CPs may start migration to new DEDS. It is necessary that CPs build the capabilities for FTPS transfer as mentioned in the previous slides.

• Phase II: Number Port application will be migrated to new DEDS during Phase II. During Phase I and Phase II, BT will internally manage synchronisation of existing DEDS and new DEDS system.

• Phase III: The old DEDS server will be decommissioned as all CPs would have migrated to FTPS connectivity with new DEDS.

• DEDS support team will guide the CPs during the migration process.

How can CPs go about it?

• Approach BT Product Manager / BT Account Manager contact to schedule migration to NEW DEDS.

• Complete FTPS client and server installation & configuration.

– FTPS clients and servers are available either commercially or as freeware.

• Test connectivity to BT system with on-ramp server. (DEDS Support team will make this available)

• Test connectivity to NEW DEDS (Live)

• Start using new DEDS!

Milestones

• Phase I: This is expected to be ready by end-May’10.

• Phase II: This is planned to start in Jun’10.

• Phase III: Plan is to start decommission of OLD DEDS by end of Phase II, but this is subject to the CP transition plans to be discussed between CPs and BT Account Managers / Product Line leads.

FTPS Client Samples

• CoreFTP Lite (Windows) URL: http://www.coreftp.com

• SmartFTP (Windows) URL: http://www.smartftp.com

• IglooFTP Pro (Windows, Linux) URL: http://www.iglooftp.com

• FlashFXP (Windows) URL: http://www.flashfxp.com

• SDI FTP (Windows) URL: http://www.sdisw.com

• LFTP (Unix, MacOS X) URL: http://lftp.yar.ru/

• RBrowser (MacOS X) URL: http://www.rbrowser.com

• FTPTLS (OpenBSD, possibly other Unix as well) URL: http://www-user.tu-chemnitz.de/~grmo/ftptls/ Port: http://www-user.tu-chemnitz.de/~grmo/ftptls/port/ftptls-port.tar.gz

• Glub Tech Secure FTP Client (at least Unix, MacOS X and Windows) URL: http://secureftp.glub.com/

NOTE: BT does not recommend any specific product. The list above is for reference only. CPs are requested to take their own informed decision.

Thank You
