FTP Replacement Briefing

Integrity - Service - Excellence
Air Force Weather Agency
FTP Replacement Briefing, 08 Sep 06

Transcript of FTP Replacement Briefing

Page 1: FTP Replacement  Briefing

Air Force Weather Agency

FTP Replacement Briefing

08 Sep 06

Page 2: FTP Replacement  Briefing

FTP Replacement

Description: Replace FTP for all traffic outside .mil domain

Requirements Documents:

- DoDI 8551.1, Ports, Protocols, and Services Management

- DSAWG FTP Vulnerability Assessment, updated 13 Sep 05

- Air Force Weather Security Classification Guide, 1 May 2004

- AFI 33-202v1, Network and Computer Security

- AFI 33-201, Transmission Security

Briefing Objectives: Inform OFCM CEISC of encryption requirement and change to SFTP

Presentation for CCB, 16 Aug 06

Page 3: FTP Replacement  Briefing

Background

On 9 Nov 04, JTF-GNO stated File Transfer Protocol (FTP) ports 20 and 21 would cease transferring data between DoD enclaves (.mil) and non-DoD enclaves (.edu, .com, .gov, .org, etc.) effective 9 Nov 06

AFCA clearly stated that any replacement product used must be FIPS 140-2 certified

AFWA has standing requirement to encrypt all data sent outside DoD channels

The AFWA formed a working group in May 06 dedicated to finding an FTP replacement for the Strategic Center and our customers

Page 4: FTP Replacement  Briefing

Analysis

The following criteria were considered in evaluating the open source version and commercial version (Tectia) of SFTP:

- FIPS 140-2 compliance

- Performance

- Ports and protocols compliance

- Ease of Integration

- Interoperability

- Cost

- Maintainability

Page 5: FTP Replacement  Briefing

Analysis (cont.)

A standards-based solution makes interoperability highly likely, since the open source version and all commercial products use the same standard

Since SFTP appears to the user (at a command line or scripting level) to be an FTP clone, it would be simple to integrate as an FTP replacement

Software cost was not quantified.

Note: In addition to Tectia, there are many commercial SFTP products providing competition in the market for this standard solution. The working group only evaluated Tectia and the free open source version.

Page 6: FTP Replacement  Briefing

Performance

SFTP typically incurred about a 10-30% performance penalty, depending on the combination of SFTP versions in use

Some clients with relatively inefficient native FTP performance (e.g. Solaris 8) experienced a performance increase using SFTP

Conclusion: Based on performance, SFTP is a reasonable choice for encrypted secure file transfer

Page 7: FTP Replacement  Briefing

Risks

Risk: Customers can’t comply with SFTP

Description: Non-.mil customers unable to transition to SFTP will cease send/receipt of data from AFWA

Mitigation: Assumption - Register all customers unable to meet deadline with AFNOSC and DSAWG. Registration must include a “get well” plan.

Page 8: FTP Replacement  Briefing

Risks

NCEP Global ensemble data not available for development

AGROMET pushed to NCEP DMZ may be discontinued

FNMOC: May not be able to easily implement SFTP (researching)

.COM, .EDU: May not easily be able to implement open source or commercial product

Page 9: FTP Replacement  Briefing

DATMS-U

No impacts expected as DATMS-U is considered part of the DoD network

Page 10: FTP Replacement  Briefing

Identified FTP Comms

POCs reached are detailed in the Excel spreadsheet: Update FTP users contacted.xls

Review and update of listed POCs by member agencies requested

Issues to be identified after 09 Nov 06 SFTP testing period begins

Page 11: FTP Replacement  Briefing

Implementation Timeline

SFTP available for limited use by AFWA 9 November

Projected WARNORD issued by Air Staff no earlier than January 2007

WARNORD +90: FTP cut-off date

Implementation schedule from WARNORD to cut-off date TBD

Page 12: FTP Replacement  Briefing

Recommendation

Recommend CEISC member agencies review FTP communications to identify any additional data feeds between them and DoD and provide a POC to coordinate resolution NLT 30 Sep 06

Page 13: FTP Replacement  Briefing

SFTP

Questions?

Page 14: FTP Replacement  Briefing

SFTP

BACK-UP SLIDES

Page 15: FTP Replacement  Briefing

Performance

[Chart: %Delta of SFTP vs. FTP Performance. X-axis: Remote Customer System (AIX 5.2 Customer, Windows 2003 Customer, Solaris 8 Customer, All-Customer Hosts). Y-axis: %Delta (Positive is Better). Series: Baseline FTP, %Delta OpenSSH, %Delta Tectia, %Delta Tectia-to-Open.]