SSH Hardens the Secure Shell


September 23, 2005

There can hardly be an IT administrator today who has not used SSH to log into a remote server.

SSH Communications Security, the company that originally developed the SSH protocol, has now upped the ante with a pair of new products aimed at the enterprise market. SSH, typically in the form of the open source OpenSSH implementation, is deployed on nearly every UNIX and Linux variant in existence today, though SSH Communications Security claims its own SSH implementation is the only one that is enterprise-grade.

The newly announced SSH Tectia client/server solution 5.0 and SSH Tectia Manager 2.0 run in UNIX, Linux, Windows and IBM mainframe environments and provide secure file transfer, application connectivity and system administration capabilities.

SSH Tectia client/server solution 5.0 is built on SSH G3, the third generation of the company's SSH technology, which boasts faster encryption throughput than its predecessors. SSH G3 is a rewrite of the SSH Tectia codebase (the wire protocol remains SSH2) intended to reduce latency and put less load on the overall system. SSH Tectia with G3 technology incorporates Cryptico's CryptiCore algorithm, which is based on the Rabbit stream cipher. Overall, SSH Communications Security claims SFTP transfers two to eight times faster than its predecessors, depending on the OS and the file size.

"We started to look at this when several large financial institutions came to us because of their acquisitions," Byron Rashed, senior marketing communications manager of SSH Communications Security, told internetnews.com. "The file size dramatically increased and the need for speed in Secure File Transfer was now a business challenge to them due to the cut-off times of sending this data from branches to the main data center and then to the Fed."

"Speed has always been an issue with customers, and this technology solves that concern," Rashed said.

SSH Tectia vs. OpenSSH

SSH Communications Security founder Tatu Ylonen wrote the original SSH software and protocol in 1995. In 1999 the OpenSSH project was started as a cleanup of the SSH 1.2.12 code, which was the last free version of Ylonen's code.

SSH Tectia's current code is not open source.

The first OpenSSH implementation of the SSH 2.0 protocol was released in early 2000. OpenSSH also claims that it has "led in the implementation of proactive security techniques such as privilege separation and auto-reexecution."

"Free software community [members] were rapid adopters of OpenSSH, with most free operating systems shipping OpenSSH within its first year of existence," OpenSSH developer Damien Miller wrote in a 2004 mailing list post celebrating the fifth anniversary of the project's creation. "Over the last five years, OpenSSH has become the most widely used SSH protocol implementation (by a large margin) and has been included in products from major vendors including IBM, Apple, HP, Sun, Cisco and NetScreen. Today, OpenSSH runs on everything from mobile phones to Cray supercomputers."

"In providing a free, popular and easy to use secure login and command execution protocol OpenSSH has been instrumental in speeding the deprecation of insecure protocols like telnet and rlogin," Miller wrote.

OpenSSH released its latest version, 4.2, at the beginning of September, calling it a "100 percent complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support."

SSH Communications Security, however, doesn't see its open source cousin as competition.

"One thing to remember is that OpenSSH is basically a utility," SSH's Byron Rashed explained. "Many vendors use it because it is free and they can use it without a license, so the number of users for remote access is quite large, but it does not provide very good SFTP or application connectivity usage."

Rashed argues that SSH Tectia is an enterprise-class security solution with robust features such as a management system for the SSH Tectia environment (SSH Tectia Manager), FIPS 140-2 certified cryptography (OpenSSH, he says, cannot be FIPS certified), and support for all the major platforms and authentication methods.

Perhaps more surprising, Rashed contends that OpenSSH has an 11:1 vulnerability ratio versus SSH Tectia.

"OpenSSH also uses OpenSSL libraries and these must be updated as well, opening up the possibilities of additional unknown vulnerabilities," Rashed said. "There is still some SSH1 codebase used in OpenSSH while SSH Tectia (and the predecessor SSH Secure Shell) uses only the SSH2 base that was written due to the vulnerabilities in SSH1 by SSH Communications Security and adopted by the IETF."

"Due to compliance regulations and security audits, more and more users have now been mandated to use commercial SSH due to the liability and support issues that enterprises can face," Rashed said.
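The SSH1 point above has a direct operational consequence for anyone running OpenSSH rather than a commercial build: OpenSSH 4.2 still implements protocol versions 1.3 and 1.5 alongside 2.0, and when sshd_config carries no Protocol directive, sshd of that era offers both major versions. The following is an added example, not code from the article or from either vendor, that parses an sshd_config the way sshd reads it (first occurrence of a keyword wins, comments ignored, an optional "=" between keyword and value) and reports whether protocol 1 is still on offer. The two configuration fragments are constructed for illustration, and the "2,1" default assumed for a missing directive is an assumption about the pre-5.4 compiled-in default, not a value the article states.

```python
"""Added example: audit an sshd_config for SSH protocol 1 (not part of the article)."""
import re

# Constructed sshd_config fragments: the weak setting beside the corrected one.
WEAK_CONFIG = """\
# sshd_config that still negotiates the legacy SSH1 protocol
Port 22
Protocol 2,1
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# sshd_config restricted to the SSH2 base
Port 22
Protocol 2
PermitRootLogin no
"""

# Assumed compiled-in default for OpenSSH of the era when Protocol is absent.
DEFAULT_PROTOCOL = "2,1"

# Matches "Keyword=value" / "Keyword = value" so it can be normalised to "Keyword value".
_EQUALS_FORM = re.compile(r"^(\S+?)\s*=\s*")


def parse_sshd_config(text):
    """Return {keyword_lower: first_value}, mirroring sshd's first-match semantics."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = _EQUALS_FORM.sub(r"\1 ", line, count=1)
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without an argument: not a valid directive
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def enabled_protocols(text):
    """Set of major protocol versions sshd would offer under this config."""
    value = parse_sshd_config(text).get("protocol", DEFAULT_PROTOCOL)
    return {v.strip() for v in value.split(",") if v.strip()}


def audit(text):
    """Return (ok, message): ok is False when protocol 1 is still enabled."""
    versions = ",".join(sorted(enabled_protocols(text)))
    if "1" in enabled_protocols(text):
        return False, "protocol 1 enabled (Protocol %s); set 'Protocol 2'" % versions
    return True, "protocol 1 disabled (Protocol %s)" % versions


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        ok, msg = audit(cfg)
        print("%-9s %s: %s" % (name, "PASS" if ok else "FAIL", msg))
```

The checker deliberately treats a missing directive as a failure rather than a pass, since an absent keyword is the common way the legacy protocol stays enabled on a host nobody has explicitly hardened.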

This article was originally published on internetnews.com.