Managed File Transfer

It is important for an organization to secure their network resources, and control who accesses resources. But as organizations grow and need to provide access for a greater number of partner users, the more vigilant they need to be with access control. One common method that companies use for access control is IP whitelisting.

When it comes to a Banking Organization, ensuring security is of utmost importance. Though IP whitelisting can be a great security feature, customer still look for additional security features at the Application level. One such requirement could be accepting the incoming connections based on the source IP addresses.

One simple solution to handle incoming connections based on IP addresses is to use the IP Filtering at the Inbound Secure Proxy Netmap level but that allows any users sending requests from that IP address to be accepted.

Let us consider a scenario where a partner is sending files over SFTP protocol to IBM Sterling B2B Integrator where we have IBM Sterling Secure Proxy in the DMZ zone receiving the incoming requests once the connection get past firewall. Requirement here is to perform User Authentication and verifying the Incoming IP address against that user to either accept or reject the connection. To cater this requirement, solution provided in this blog includes the below IBM Sterling MFT products,

• IBM Sterling Secure Proxy (SSP)
• IBM Sterling File Gateway (SFG) / IBM Sterling B2B Integrator (B2Bi)
• IBM Sterling External Authentication Server (SEAS) &
• LDAP - Active Directory

With the solution proposed below, an organization can accept incoming connections from the specified IP address and specified user. So, it provides a mechanism where it allows connections to be accepted for a specified user and IP.

LDAP User Configuration

Create a LDAP entry for the Partner User who will be connecting over SFTP protocol to send files.

• uid - the field that contains technical user username
• userPassword - the field that contains the password
• registeredAddress - the field that contains the IP address of the incoming user

SEAS Authentication Definition Configuration

Create an Authentication Definition in SEAS by providing,

• Authentication Name
• Description
• LDAP details in Authentication Profile (Protocol, Host, Port & LDAP Principle)
• LDAP Attribute Query Definition Properties
  • Select globally defined connection option and choose the LDAP Profile created
  • Select "Specify query parameters" option in Query Specification section
  • In the Query Parameters section provide the Base DN, Return Atributes (DN & IP Address)
  • For the match attributes make the following entries,
    • uid={userId}
    • registeredAddress={ipAddress}
• Save your configuration

SSP SFTP Policy Configuration

• Create a SFTP policy,
  • Give a Policy Name
  • In the Advanced tab,
    • select the "Required Authentication method"
    • Enable "Through External Authentication" for User Authentication Mechanism and Provide the External Authentication profile details. Ensure to provide the SEAS Authentication Definition name which was created in the External Authentication Profile text box.
    • Select "SSO token from External Authentication" for User Mapping
• Create Inbound & Outbound Netmap configuration for SFTP
• Create a SFTP Adapter by selecting the SFTP policy created and Netmap configurations created.

Sample Test Results where the connection is rejected based on the IP,

• Partner User created in LDAP                    -             ldapuser1
• Partner's registered IP Address in LDAP    -          195.43.245
• IP Address of the Incoming Connection     -            195.43.244

As expected, the connection was closed since the incoming IP and the registered IP address are different and it is captured in the SEAS.log (below is the sample screenshot of log file)