Using PuTTY and SSH instead of SSL

[JerrySalem]

I have a client who has been using PuTTY to create an SSH tunnel to their database for remote access.  I think they were doing this for historical reasons.  Their database was originally FM6.

They migrated to FM 11 successfully a couple of years ago.  Recently,  they moved to FM14 and have been experiencing problems.  Although largely consolidated, the solution still has a couple of files.  Since migrating to FM14, remote users have been experiencing numerous dropouts and other issues.

During testing, we haven't seen any of these problems.  Our test server uses SSL to encrypt the data in transit.

Has anyone ever used PuTTY while connecting to a FM server? 

TIA

Jerry

 

 

Edited January 28, 2016 by JerrySalem
typo

[Wim Decorte]

I don't think I completely follow the setup.  PuTTy is a secure shell client, the idea is that it gives you a shell to type in commands that get executed on the remote machine...

So you can't really create an SSH tunnel to a database.  You can create one to a machine and get on that machine's "command prompt / terminal".

Sounds like they think they have a VPN-like connection through PuTTy but that is not quite the same... PuTTy does not encrypt all traffic between the environments and while there are ways to use the SSH Tunnels feature in PuTTy that requires at least two PuTTy sessions and some brittle port forwarding.

 

 

[Mike Duncan]

I agree with Wim, in that it seems like a fragile setup that could be replaced with better options like SSL cert on the server or VPN. It also may be an issue that other ports might come into play other than 5003, especially if container fields are used.

Mike

[JerrySalem]

Agreed, they are doing something like a VPN using PuTTY.  I believe the way they have it set up it does encrypt the traffic.

I am looking to see if anyone else actually uses this type of configuration, or something similar.  

While PuTTY seems to have served them well for many years, I think it is time to 'get with the program' and move to SSL.  In order to do this, I need to convince the IT department.  

Thanks

[Wim Decorte]

9 hours ago, JerrySalem said:

While PuTTY seems to have served them well for many years, I think it is time to 'get with the program' and move to SSL.  In order to do this, I need to convince the IT department.  

 

I wouldn't think that should be too much of a problem.  The PuTTy tunnels feature that they are probably using is really nothing more than a "poor man's VPN", it's a bit of a hack.  I don't think any IT department worth its salt would be happy with that kind of setup.

If they use the same thing for other applications then they probably want a real VPN more than just enabling SSL on the FMS side.  Even if it is just for FM traffic they may prefer a VPN to have that extra level of authentication and reduce the # of open ports on their firewall.