Hi Tom,
One approach is to have a Unix box (I prefer FreeBSD, because it's
pretty easy to secure, but other varieties would be possible) at
the state and at each provider. A lame ascii art layout:
State's     ftp    State's    ssh       Provider       ftp    Provider
internal  ------   Unix    -----------  A's Unix   ----------  A's internal
network            box                  box                    network
On the state side, its Unix box can be scheduled (via
crontab) to pick up, at the appropriate time daily via ftp
or whatever is convenient, the files to be transferred out.
Same thing on the provider side. Then, at the appointed transfer
time, the state's Unix box uses ssh (or its cousin scp, which
is kind of like an encrypted ftp) to send the appropriate file(s)
to the providers, and pick up the providers' files. Then the
state's Unix box can ftp or whatever the files to correct internal
place, and ditto for the providers.
The transfer between the Unix boxes can conveniently happen
across the public Internet, since files are encrypted, and the
Unix boxes can be locked down against all other accesses. I'm
not sure where you'd want to put the state's Unix box relative
to the firewall-1, I'd have to think about that.
In this scheme, the internal machines of each side only talk
directly to the Unix box of its own side, so I'm presuming the
files needn't be encrypted on that leg. When the files are
transferred, they *are* encrypted by ssh/scp. There are several
options supported by ssh about how the Unix boxes authenticate
to each other, so this can be made quite secure.
This can be done *very* inexpensively, especially for a dedicated
task like this. You can run this on inexpensive Intel boxes
with FreeBSD, and all the software is open source (i.e. free).
If you're not familiar with open-source Unix, though, you'll
probably want a consultant to help you set it up and verify
the security.
We use a variation of this scheme to send encrypted backup files
around our network, all automated. I have the job configured
to send me email daily about the results of the job, so I can
quickly verify that each night's backups succeeded.
Hope you find this helpful.
Regards,
Carol
"White, Tom" wrote:
>
> wanted:
>
> The ability to transfer data files between a variety of power/gas providers
> and a state social service agency. This must be done on an automated basis
> and the files contain confidential data. One file will be transferred to
> the state agency on a daily basis and several files will go to the power/gas
> providers. It is envisioned that the power/gas providers will supply these
> files to one centralized state location.
>
> current status:
>
> - one provider allows for dial-in access to the data for one of the state
> agency local offices (they utilize the IBM advantis network and an
> information exchange mailbox).
> - another provider delivers reel tapes (they only have one of these tape
> machines left and it is used for nothing other than the state agency).
> - another wants to provide DAT tapes, but the state agency doesn't have a
> DAT tape drive at the local office.
>
> state network:
>
> - checkpoint firewall-1 firewall with a DMZ utilized for web services and
> file transfer via SSL.
> - Bay network contivity VPN device with public address (this doesn't sit
> behind the firewall).
> - FTP connections initialized from within the state network are allowed (I
> know how bad this is)
> - incoming e-mail messages are limited to 1.0MB
>
> providers:
>
> - initial provider is an IBM mainframe shop that utilizes the IBM advantis
> network to provide the file to an information exchange mailbox.
> - second provider is also an IBM shop.
> - future providers are not guaranteed to be IBM mainframe shops and as the
> state opens power/gas provision to the marketplace the odds are very good
> that a wide variety of computer centers will need to interface with the
> state.
>
> discarded solutions:
>
> - utilize the IBM advantis network. the state currently does not have a
> direct connection with this network and future providers also will not have
> this connection
>
> - utilize the DMZ file transfer via SSL. the current setup requires human
> intervention. we do not want to require intervention on the part of either
> providers or the state.
>
> - PGP encrypt the data and use standard FTP. the initial providers are an
> MVS only set of shops. I haven't located a PGP version for MVS.
>
> - PGP encrypt the data and use e-mail. The data files may not fit within the
> e-mail limitations of file size.
>
> what I need:
>
> Some suggestions as to how I can accomplish my task. I am currently
> investigating other possibilities on my own, but the members of this list
> must have dealt with this situation prior to now. Each of the discarded
> solutions can be reconsidered as possibilities if needed (I can see having
> the MVS shops ship the file to a workstation on their network, having it PGP
> encrypted there, and returned to the IBM mainframe for FTP transfers).
> Additionally, I need information on which direction each of the file
> transfers should be initiated (I prefer that the state initiate all file
> transfers from their side, thus they don't need to provide an open FTP
> server daemon).
>
> Any help would be appreciated.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Thomas H. White
> Systems & Database Programmer
> NYS HSASC
> Bureau of Security Administration
> [EMAIL PROTECTED]
> (518) 473-8268
>
> It is morning in Africa.
> As the sun rises on the plain the gazelle awakens knowing if it cannot
> outrun the fastest lion it will die.
> It is morning in Africa.
> The lion awakens, knowing if it can't outrun the slowest gazelle, the lion
> and its family will die.
> It is morning in Africa and you had better be running.
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--
Carol Deihl - [EMAIL PROTECTED]
Shrier and Deihl - Unix Network Admin and Internet Software Development
http://www.tinker.com/ - Tinker Internet Services
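Editor's added example (not code from Carol's reply or from Tom's site): a state-side cron script for the scheme sketched above, with the state initiating both directions over scp as Tom prefers. Everything concrete in it is an assumption for illustration: the provider host name and login, the staging directories, the key and known_hosts paths, the report address, and the convention that the provider leaves a MANIFEST of sha256 sums beside its outgoing files so the state box can reject a truncated or altered file before it is forwarded inward. The push and pull logic is kept in functions so the transport can be swapped for a local copy when testing the job offline.

```shell
#!/bin/sh
# Added example: nightly file exchange run from cron on the state's Unix box.
# Host, user, paths, mail address and the MANIFEST convention are assumptions.
set -u

STATE_OUT=${STATE_OUT:-/var/exchange/out}   # files the internal side dropped off for providers
STATE_IN=${STATE_IN:-/var/exchange/in}      # provider files land here before internal pickup
KEY=${KEY:-/usr/local/etc/exchange/id_exchange}                  # key pair used only by this job
KNOWN_HOSTS=${KNOWN_HOSTS:-/usr/local/etc/exchange/known_hosts}  # pinned provider host keys
PROVIDER_A=${PROVIDER_A:-exchange@providera.example.net}          # assumed provider login
REPORT_TO=${REPORT_TO:-ops@example.gov}                          # assumed operator mailbox

# Hardened scp wrapper for one file: only the job's key is offered, no password
# fallback, and an unknown or changed provider host key aborts the transfer.
run_scp() {
    scp -q -B -i "$KEY" \
        -o IdentitiesOnly=yes \
        -o PasswordAuthentication=no \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "$1" "$2" </dev/null
}

# Portable SHA-256 of a file (FreeBSD ships sha256, Linux ships sha256sum).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Push every staged file for one provider; one report line per file,
# nonzero return if any transfer failed.
push_to_provider() {
    name=$1 remote=$2 push_rc=0
    for f in "$STATE_OUT/$name"/*; do
        [ -f "$f" ] || continue
        if run_scp "$f" "$remote/$(basename "$f")"; then
            echo "pushed $(basename "$f") $(digest "$f")"
        else
            echo "FAILED push $(basename "$f")"; push_rc=1
        fi
    done
    return $push_rc
}

# Pull the provider's files by name from its MANIFEST ("<sha256>  <name>" per
# line) and verify each digest. Names that could escape the landing directory
# are refused; a file whose digest does not match is deleted and reported
# instead of being left for the internal ftp pickup.
pull_from_provider() {
    name=$1 remote=$2 pull_rc=0
    dest=$STATE_IN/$name
    mkdir -p "$dest"
    run_scp "$remote/MANIFEST" "$dest/MANIFEST" || { echo "FAILED pull MANIFEST"; return 1; }
    while read -r want file; do
        [ -n "$file" ] || continue
        case $file in
            */*|.*) echo "REJECTED unsafe name $file"; pull_rc=1; continue ;;
        esac
        if ! run_scp "$remote/$file" "$dest/$file"; then
            echo "FAILED pull $file"; pull_rc=1; continue
        fi
        got=$(digest "$dest/$file")
        if [ "$got" = "$want" ]; then
            echo "pulled $file $got"
        else
            echo "REJECTED $file (digest mismatch)"; rm -f "$dest/$file"; pull_rc=1
        fi
    done < "$dest/MANIFEST"
    return $pull_rc
}

# One nightly run; the printed report is what cron mails to the operator.
nightly_exchange() {
    overall=0
    push_to_provider providerA "$PROVIDER_A:incoming" || overall=1
    pull_from_provider providerA "$PROVIDER_A:outgoing" || overall=1
    if [ "$overall" -eq 0 ]; then echo "exchange OK"; else echo "exchange had FAILURES"; fi
    return $overall
}

# crontab entry (assumed): 15 2 * * * /usr/local/libexec/exchange.sh run
case ${1:-} in
    run) nightly_exchange 2>&1 | mail -s "nightly exchange $(date +%F)" "$REPORT_TO" ;;
esac
```

On the provider's box the matching public key can be confined in authorized_keys with `from=` and `command=` options so that key can only be used from the state's address and only for the scp transfers into and out of the exchange directory; that is one of the ssh authentication options Carol alludes to, and it keeps a stolen key from becoming a general login.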