Security Options for the CTI FastSync TCP/IP Mailbox System®
Overview
TCP/IP by nature is an open system and therefore subject to security problems. This document briefly discusses the security options available for the CTI FastSync Hub (Windows version). A detailed description of these options can be found in the document entitled The FastSync Firewall: Pros and Cons.
There are three basic configurations for the FastSync Hub Mailbox system, listed in order of increasing security:
1. Non-Firewall, Shared Directory implementation
2. Non-Firewall, Private Directory implementation
3. FastSync Firewall implementation
Although the FastSync Firewall implementation can also have a Shared Directory or Private Directory option, the differences between the two are minor in the context of this document (refer to The FastSync Firewall: Pros and Cons for more information).
The remainder of this document discusses the differences between the three major implementations.
Non-Firewall, Shared Directory Implementation
The Non-Firewall, Shared Directory implementation is the least secure of the FastSync Hub for Windows implementations. Here, each client is assigned an account on the network server and given full access to a common shared directory in which all files are stored.
To understand how this system works, imagine a post office with a large lobby in which are kept multiple post office boxes. The post office boxes are numbered and locked. There is no guard or administrator on duty in the lobby. Each client of this post office is given a master key which can open any post office box. Of course the clients are told the box number assigned to them and are instructed to use their key on only their own box, but there is nothing stopping an unscrupulous user from opening other boxes and reading other clients' mail. The only security provided by this barebones scheme is to prevent non-clients from accessing the post office boxes, since you must be a registered client to receive a key. The security is minimal as there is no guard on duty to prevent a non-client from attempting to break into a post office box.
Although security in this implementation is lax, it offers the advantages of speed and simplicity (the client just walks in and picks up his or her mail; the administrator just has to keep track of one master key and does not have to post a guard on duty), making it an attractive solution for implementations where security is not an issue.
Non-Firewall, Private Directory Implementation
The Non-Firewall, Private Directory implementation offers a step up in security over the Shared Directory model. It too requires each client to be assigned a network account. However, instead of storing all files in a single shared directory, each client is assigned a private directory in which only files sent to or from that client are stored.
This scenario works like the previous analogy, with a large unguarded lobby containing multiple locked post office boxes. The difference here is that each client now has a unique key that can only open his or her mailbox. Only the administrator has a master key which can open all boxes. This makes it much more difficult for any client to gain access to any other client's mail. Once again, though, because the lobby is unguarded, there is nothing to prevent a resourceful client from breaking into another client's mailbox. In addition, if any person were to gain access to the administrator's master key, that person would have complete access to everybody's mail.
This implementation offers improved (but still not foolproof) security. It also offers the advantage of speed (once again each client can just walk in and pick up his or her mail), but is somewhat compromised in simplicity by the fact that the administrator must now keep track of multiple keys.
FastSync Firewall Implementation
The FastSync Firewall implementation provides the highest level of security. Remote Clients are not given a direct account on the network server. Instead they are given an industry-standard FTP (File Transfer Protocol) account on an FTP server installed at the FastSync Hub Server. A client logs into the FTP server, at which point a Mailbox Server is launched. The Mailbox Server is a software program provided by CTI Communications to authenticate clients and direct traffic to the appropriate destinations. The combination of the FTP Server and Mailbox Server working in tandem is referred to as a Firewall Server.
To understand how this scenario works, let's expand on the post office analogy from the previous two examples. When you walk into this post office you see no post office boxes; instead you see a counter with an armed guard (the FTP Server) and a clerk (the Mailbox Server) standing behind it. To get your mail you must approach the clerk and provide three pieces of identification. After verifying who you are, the clerk goes into the back room, gets your mail and hands it to you. If you try to break into the back room, the armed guard will shoot you. The only way to break into this system is to gain access to a valid client's three forms of identification, and even here the villain will only be able to get the mail addressed to that client. Under no circumstances can anyone gain access to the mailboxes of all clients.
This form of security is virtually foolproof (of course no one will be shot if they attempt to break into the system; the system just makes it literally impossible to do so). It does come with a negligible compromise in the speed at which the initial connection is made, however, in that now each client must provide the three forms of identification and wait for the clerk to bring them their mail. It is a small compromise to make considering the security advantages. In addition, if multiple clients show up at the same time, they may have to form a line and wait for the clients ahead of them. (This last problem can be alleviated by hiring additional clerks and guards, or, in the case of the FastSync Hub system, by adding additional Firewall Servers.) Although this solution alleviates the need to keep track of multiple keys, it also has the disadvantage of requiring the employment of a full-time guard and clerk, making this a more complicated implementation than the Non-Firewall, Shared Directory model.
Security Summary
The FastSync Firewall implementation of the CTI FastSync Hub for Windows file transfer system is a fast, easy-to-manage system providing virtually foolproof security. This is the recommended implementation for any file transfer system in which security is an issue. Although the Non-Firewall implementations are somewhat faster, and the Non-Firewall, Shared Directory implementation is easier to manage, the lax security afforded by these models makes them suitable only on systems where security is not a major issue.
More specific information about these security models, including details on how to configure the FastSync Post Office Administrator, Mailbox Server, FTP Server and Mailbox Client agents, can be found in the CTI document entitled The FastSync Firewall: Pros and Cons.
Typical Security Levels used by System in a Dial-Up Environment

Information on Virtual Private Networks. Using a VPN could provide you with additional advantages:
See Article#1. Article#2. Article#3. Call CTI for additional VPN information.