Get under the cover of Secure Shell

By Scott Robinson, Special to ZDNet Asia
Wednesday, September 01, 2004 11:01 AM

Dedicated networking between partner companies is expensive; the Internet is handy and cheap. Yet security requirements are often high. Can you use the Internet and add extra security without great expense? SSH tunneling may do the job.

Like all other traffic in the digital universe, B2B transactions are increasing at an alarming rate. This is a win-win proposition; increased data-sharing generally improves both the strategic and tactical processes of any business alliance, which yields improved responsiveness and efficiency, and, consequently, stronger market performance. But this boon comes at a price, and more and more that price is the construction of many data pathways and system accommodations to keep information flowing from many points.

For many of these interfaces, you must carefully construct secure and permanent avenues for data exchange between your company and your partners—expensive but worth it. On the other hand, you may have found that, increasingly, such connections need to be made on the fly: cross-database access by remote users in the field, for instance; intercompany messaging/e-mail; and ftp/POP3 exchange of transactional data, for local processing purposes.

These kinds of transactions are not the sort that can justify a dedicated channel of information, and the dedicated channels are often not sufficiently flexible (or secure across the necessary conduits, such as the Internet) to accommodate them. New paths must be forged, therefore, to facilitate such ad hoc exchanges—and this raises new security issues. How do you cut a temporary tunnel through the Internet, or across some other insecure terrain, and keep it intruder-free?

Cheap but good
SSH tunneling may be your answer. A secure alternative to Telnet, SSH (Secure Shell, with its port forwarding) adds certificate-based security to a remote command-line interface with a server. You can use it for a variety of remote functions that could benefit from enhanced security: e-mail access, ftp and POP functions, and SQL sessions, to name a few.

How SSH tunneling works

The idea behind SSH tunneling (or, more precisely, port forwarding) is to forward insecure TCP traffic through Secure Shell. In essence, an ad hoc encrypted point-to-point tunnel is created across Internet resources, permitting you to secure POP3, HTTP, SMTP and ftp connections, among others. Access to corporate intranet Web pages may be secured in this manner, as well as remote SQL sessions.

What makes this particularly attractive as a feature of B2B relationships is that it calms the fears of senior management with regard to opening up private company resources to outsiders. Even if the outsiders belong to a partner company, executives get nervous about opening up database access beyond in-house boundaries, because of the security considerations. Increasingly, however, B2B means sharing information, so the added layer of security makes remote database access less worrisome.

Secure shell port forwarding requires only IP connections between remote client and server. Older VPN solutions, such as those using IPSec, aren’t so simple, because Network Address Translation can be problematic between networks; special protocols are needed because NAT breaks IPSec connections.

What’s going on here is that SSH connects TCP/IP ports on the local and remote machines, specific to the protocol(s) being tunneled (which are port-specific). Think it through in reverse and it will be obvious: if SSH is monitoring a port, it can encrypt whatever it receives from the application connecting to that port (as specific protocols and applications must, on their designated ports). Decryption occurs on the other end in exactly the same way, because of the identity of the receiving port and the secure shell that’s enabled for that port. Once the tunnel is established, client-server authentication can take place as it normally would.

The central consideration, protocol-wise, is the use of ports. If you know your ports, you can very easily enable SSH tunneling for B2B operations; in each of the functional examples below, port assignment is paramount.
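
As an added illustration (not part of the original article), the shell script below shows how the port mapping described above becomes an OpenSSH client command: each `-L` option opens a listener on the local loopback address and forwards it through the encrypted session to the protocol's standard port. The host names and the "10000 + port" local numbering are assumptions made for the example.

```shell
#!/bin/sh
# Added example (constructed): build an ssh port-forwarding command for
# protocols named in the article. All host names are placeholders.

# Map a protocol name to its standard TCP port.
service_port() {
    case "$1" in
        pop3) echo 110 ;;
        smtp) echo 25 ;;
        http) echo 80 ;;
        *)    echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# Emit one -L option. The local listener is bound to loopback only, so other
# hosts on the LAN cannot use the tunnel, and sits on an unprivileged port
# (10000 + service port) so no root access is needed on the client.
forward_opt() {
    port=$(service_port "$1") || return 1
    echo "-L 127.0.0.1:$((10000 + $port)):$2:$port"
}

# Assemble the full command: tunnel_cmd <user@gateway> <target> <service>...
#   -N                       forwarding only, no remote shell
#   ExitOnForwardFailure=yes abort rather than run with a missing forward
tunnel_cmd() {
    gateway=$1; target=$2; shift 2
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    for svc in "$@"; do
        opt=$(forward_opt "$svc" "$target") || return 1
        cmd="$cmd $opt"
    done
    echo "$cmd $gateway"
}

# Print (not run) the command for a POP3 + SMTP tunnel. With it running, a
# mail client pointed at 127.0.0.1:10110 reaches POP3 on the target host.
tunnel_cmd partner@gateway.example.com mail.internal.example pop3 smtp
```
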

You can download SSH client software readily over the Internet from any number of sources. There are several versions of OpenSSH for Windows as well as alternatives to SSH; Mac users have their own SSH as well as variations like Nifty Telnet SSH. Of course, Linux users aren't excluded (see www.openssh.org/portable.html). If you don't like these choices, a Google search will turn up dozens of others.