Securing DMZ Gateway Data

DMZ Gateway allows or restricts incoming EFT Server Peer Notification Channel (PNC) connections based upon IP address. No username/password credentials are sent over the channel to establish the connection. The data over this channel is a binary header/payload message system with name/value pairs and serialized data. There is nothing sensitive contained in the PNC notifications that requires encryption.

The brokered sockets that "glue together" client connections to EFT Server are not encrypted unless you are using SSL- or SSH-based protocols. You should use SSL- or SSH-based protocols to encrypt sensitive information. If a client uses a plain-text protocol to communicate with EFT Server, then the path from the client to DMZ Gateway is in clear text, and the data traveling over the WAN is exposed to malicious users. Securing the data on the short path from DMZ Gateway to EFT Server provides little added security, because that route is owned by the same enterprise and is unlikely to be exposed to threats. If, however, the client connects to EFT Server using SFTP or an SSL-based protocol (FTPS or HTTPS), then the data is already encrypted when it reaches DMZ Gateway, and the bytes are passed through to EFT Server and back to the WAN in that same encrypted form.

DMZ Gateway configuration is obtained only from EFT Server and used until changed at EFT Server. The configuration tells DMZ Gateway on which ports and IP addresses it should listen (e.g., 21, 22, 80), and which IP addresses are allowed access. The ports and IP addresses can be configured for each Site independently. EFT Server sends new configuration to DMZ Gateway, which restarts the listening sockets if needed. The configuration is never stored on DMZ Gateway.

If the PNC connection is broken, DMZ Gateway stops listening on all sockets and waits until EFT Server reconnects to the PNC. Existing brokered sockets are not closed and continue to work normally. Once EFT Server reconnects, DMZ Gateway restarts all listening sockets and continues operation.
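The behavior described above (IP-only admission of the PNC peer, listener configuration held only in memory and received only over the PNC, clear-text versus pass-through encryption per protocol, and listeners stopping on PNC loss while brokered sessions survive) can be modeled in a few lines. This is an added illustration, not Globalscape's code; the class, method names and the sample addresses are assumptions for the example.

```python
import ipaddress


class DmzGateway:
    """Toy model of DMZ Gateway state (assumed names, not the product's API)."""

    def __init__(self, allowed_pnc_peers):
        # The only access control on the PNC is the peer's IP address.
        self.allowed_pnc = [ipaddress.ip_network(n) for n in allowed_pnc_peers]
        self.pnc_peer = None
        self.config = []          # last listener config received over the PNC (memory only)
        self.listeners = set()    # (ip, port) pairs currently accepting clients
        self.sessions = []        # brokered client connections already "glued" to EFT Server

    def pnc_connect(self, peer_ip):
        """Admit the PNC by IP only; no credentials are exchanged."""
        if not any(ipaddress.ip_address(peer_ip) in net for net in self.allowed_pnc):
            return False
        self.pnc_peer = peer_ip
        self.listeners = set(self.config)   # on reconnect, restart listeners
        return True

    def apply_config(self, listeners):
        """Configuration arrives only from EFT Server over an established PNC."""
        if self.pnc_peer is None:
            raise RuntimeError("configuration is only accepted over the PNC")
        self.config = list(listeners)
        self.listeners = set(self.config)   # restart listening sockets if changed

    def accept_client(self, ip, port, protocol):
        """Broker a client connection; it is clear text unless the protocol encrypts."""
        if (ip, port) not in self.listeners:
            return None
        encrypted = protocol.upper() in {"SFTP", "FTPS", "HTTPS"}
        session = {"listener": (ip, port), "protocol": protocol, "encrypted": encrypted}
        self.sessions.append(session)
        return session

    def pnc_disconnect(self):
        """PNC loss: stop listening, keep existing brokered sessions alive."""
        self.pnc_peer = None
        self.listeners.clear()

    def active_sessions(self):
        return list(self.sessions)
```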

Related Topics

Introduction to DMZ Gateway

System Requirements for DMZ Gateway

Installing and Configuring DMZ Gateway

Enabling DMZ Gateway

Managing DMZ Gateway

Routing Outbound Traffic through DMZ Gateway

Troubleshooting DMZ Gateway and EFT Server Communication