Reflection for Secure IT, UNIX Server

Reflection for Secure IT UNIX Server uses the SSH protocol to provide secure file transfer and remote administration services for UNIX environments. It is part of the Reflection for Secure IT family of SSH clients and servers for Windows and UNIX—all designed to protect data in motion.

Note: Reflection for Secure IT UNIX Server includes a single license of Reflection for Secure IT UNIX Client.

TECHNICAL SPECIFICATIONS

Secure Shell Access

• Secure remote terminal connections
• Secure remote command execution

Secure File Transfer

• SCP and SFTP protocol support
• SCP and SFTP special features:
  • Smart Copy (to eliminate redundant copying of identical source and target files)
  • File transfer resume after interrupted downloads
  • Recursive directory copying
  • Remote-to-remote transfers (SCP)
  • Automatic ASCII mode for specified file extension types (SFTP)
•  Support for High Performance Enabled (HPN) file transfer
• chroot environment support
• Unattended scheduled file transfers

Access Control

• Assignable rights (allow or deny):
  • Terminal shell access
  • Exec requests
  • File transfer access
  • SFTP activities (browse, download, upload, delete, and rename)
• Assignable to (subconfigurations):
  • Global
  • Groups
  • Users
  • Per client system (by IP address or domain name)

Tunneling

• TCP port forwarding (local and remote)
• FTP protocol
• X11 protocol 
• Background and “one-shot” (single use) forwarding ports

Standards Support

• Compliance with IETF Secsh Internet drafts and RFCs 4250–4254, 4256, 4462, 4345, and 4716

Cryptographic Library Validation 

• FIPS 140-2 Level 1 (Certificate #1027)

Algorithms

• Ciphers:
  • AES (128-, 192-, and 256-bit CTR)
  • AES (128-, 192-, and 256-bit CBC)
  • 3DES (3 56-bit key EDE)
  • Blowfish (128-bit)
  • CAST (128-bit)
  • Arcfour (128- and 256-bit)
• MACs:
  • HMAC-MD5
  • HMAC-MD5-96
  • HMAC-SHA1
  • HMAC-SHA1-96
  • HMAC-SHA256
  • HMAC-SHA512
  • RIPEMD160
• Key exchange:
  • Diffie-Hellman
  • GSS-API key exchange
  • RSA
  • DSA

Authentication

• Server authentication:
  • Public key (RSA and DSA)
  • PKI X.509 certificates
  • Kerberos (gssapi-keyex)
• User authentication:
  • Password
  • Public key
    • RSA and DSA user keys
    • Key agent utility for private key management
    • Agent forwarding
    • Host name aliasing for host key storage
    • PKCS#11 smart card support on Solaris 10 SPARC platforms
  • Keyboard interactive:
    • PAM (Pluggable Authentication Module)
    • RSA SecurID
    • RADIUS
    • Keyboard-interactive password
  • PKI X.509 certificates
  • Kerberos (gssapi-with-mic)
• Reflection PKI Services Manager:
  • Centralized configuration and management of PKI functions across multiple Reflection for Secure IT Windows servers, UNIX servers, and UNIX clients
  • Standalone service module supported on most platforms supported by Reflection for Secure IT Windows and UNIX servers  
  •  DoD PKI certified
  • FIPS 140-2 Level 1-validated for most supported platforms (Certificate #1048)
  • RFCs 2253, 2560, and 3280
  • X.509 certificates for server and client authentication (X.509 versions 1-3)
  • Version 2 X.509 CRL
  • OCSP revocation checks
  •  HSPD-12 support
  • Support for LDAP and HTTP certificate and CRL repositories
  • Certificate extensions supported:
    • CDP
    • IDP
    • AIA
    • Policy constraints
    • Basic constraints
    • Name constraints
    • Extended key usage
  • Customizable configuration on per trust anchor basis
  • Fully customizable mapping of SSH user account names to certificates
  •  SOCKS proxy support
  •  PKI client command line utility for querying services availability and certificate validity
• LDAP:
  • Directory-accessed user shell configurations
  • Support for mkhomedir PAM module for automatic creation of LDAP user home directory
• Other:
  • Configurable pre-authenticated session limit

Accounting/Auditing

• Logon events for all authentication methods 
• Detailed file transfer event capture, including uploads, downloads, and directory listings
• Notification of exceeded maximum password attempts
• HP-UX SAM auditing and security tool support
•  Sun Solaris Basic Security Module auditing support
• Sun Solaris Least Privilege Model support 
•  AIX System Resource Controller support

Performance

•  High Performance Enabled (HPN) support leverages dynamic TCP windows for improved file transfer performance
•  Granular control of data compression levels enables performance calibration

Operating Systems

• HP-UX 11i v2 (PA-RISC) 
• HP-UX 11i v2 (Itanium)
• HP-UX 11i v3 (Itanium)
• IBM AIX 5.2 (POWER) 
• IBM AIX 5.3 (POWER) 
• IBM AIX 6.1 (POWER) 
• Red Hat Enterprise Linux 4 (Itanium)* 
• Red Hat Enterprise Linux 4 (x86)* 
• Red Hat Enterprise Linux 4 (x86-64)* 
• Red Hat Enterprise Linux 5 (Itanium)* 
• Red Hat Enterprise Linux 5 (x86)* 
• Red Hat Enterprise Linux 5 (x86-64)* 
• Sun Solaris 8 (SPARC)* 
• Sun Solaris 9 (SPARC)* 
• Sun Solaris 10 (SPARC)* 
• Sun Solaris 10 (x86)*
• Sun Solaris 10 (x86-64)* 
• SUSE Linux Enterprise Server 9 (Itanium)* 
• SUSE Linux Enterprise Server 9 (x86)* 
• SUSE Linux Enterprise Server 9 (x86-64)* 
• SUSE Linux Enterprise Server 10 (x86)* 
• SUSE Linux Enterprise Server 10 (x86-64)*
•  SUSE Linux Enterprise Server 11 (x86)* 
•  SUSE Linux Enterprise Server 11 (x86-64)*
• zLinux: Red Hat Enterprise Linux 4 (64-bit)*
• zLinux: SUSE Linux Enterprise Server 9 (32-bit)*

* Customizable installation directory available for Solaris and Linux platforms

System Requirements

• Any system that meets the minimum requirements for the UNIX/Linux operating system
• Network interface card 
• For all Itanium systems, the library libunwind is required (HP-UX, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server)
• IBM AIX 5.3 Maintenance Level 5300-5 
• Sun Solaris UltraSPARC CPU