Gateway

GoAnywhere Gateway is an advanced reverse and forward proxy that gives organizations an additional layer of security for file transfers with trading partners. With Gateway, file sharing services can be kept securely inside your private network without exposing sensitive data to your DMZ (Demilitarized Zone); it can also make connections to external systems on behalf of users in the private network.

Download our brochure for more information.

Why GoAnywhere Gateway?

Gateway offers IT teams several advantages:

  • File servers (e.g. FTPS, SFTP, HTTPS and AS2) can be kept securely inside your internal network. This lets you keep inbound ports on the network closed, which is essential for complying with data security standards such as PCI DSS, HIPAA, HITECH, SOX, ISO 27000 and GLBA.
  • Files can be shared securely with trading partners, users, customers and suppliers without storing critical documents or files, even temporarily, in your DMZ.
  • As a forward proxy, Gateway can make connections to external systems on behalf of users and applications in the private network. This makes file transfers easier to manage at the firewall, and the identities and locations of internal systems are hidden for added security.
  • GoAnywhere Gateway is a platform-agnostic, software-only solution. Install it on Windows, Linux, AIX, UNIX or other operating systems to improve file security in whichever environment works best for you.

GoAnywhere Gateway Diagram

Key features of GoAnywhere Gateway
  • No inbound ports need to be opened into the private network
  • User credentials, permissions, certificates and keys are kept safely inside the private network
  • Hides the locations and identities of internal systems
  • Service configurations are maintained and stored in the private network
  • Supports the FTP, FTPS, SFTP, SCP, HTTP, HTTPS and AS2 file transfer protocols
  • Provides built-in load balancing to distribute workloads across multiple systems

In short, when GoAnywhere Gateway is added to GoAnywhere MFT, it acts as a transparent interface between internal and external systems without exposing sensitive files or your private network.

For a better understanding of GoAnywhere Gateway, see the section below on how it works.

Reverse and Forward Proxy - How it Works

GoAnywhere Gateway can serve as both a reverse and forward proxy. Typically GoAnywhere Gateway is installed in the demilitarized zone (DMZ) and GoAnywhere MFT is installed in the private/internal network.

At startup, GoAnywhere MFT creates an outbound connection to GoAnywhere Gateway, which is used as a "control channel" for passing commands and messages between the products. This control channel will initially provide the proxy details (IP and port mappings) to GoAnywhere Gateway, at which point it will start up "listeners" on the designated IPs and ports for incoming traffic.

Reverse Proxy

A reverse proxy is an intermediate connection point that serves as a gateway between users and your origin server. This type of proxy server retrieves files or other resources on behalf of a client. In the case of GoAnywhere Gateway’s reverse proxy, when an external client (trading partner) connects to a listener on GoAnywhere Gateway in the DMZ, GoAnywhere Gateway will make a request over the control channel to GoAnywhere MFT in the private/internal network. GoAnywhere MFT will then create a new outbound data channel to GoAnywhere Gateway. This data channel will be attached to the desired service (e.g. FTP, FTPS, SFTP, HTTP/S) and all traffic for that session, including client authentication requests, data and commands, will be routed over this new data channel. When the session is terminated, the corresponding data channel will be removed.

How It Works Diagram

Forward Proxy

Similar to a reverse proxy, a forward proxy also serves as an intermediary between clients and servers; however, forward proxies filter connections going out from your network to the internet, whereas reverse proxies filter connections coming in from the internet to your servers.

The Forward Proxy in GoAnywhere Gateway allows you to route client requests from GoAnywhere MFT (in the private/internal network) to external FTP, FTPS, SFTP and SCP servers without revealing the identity or locations of your internal systems. The Forward Proxy is additionally used by GoAnywhere MFT to route active and passive FTP and FTPS data connections through GoAnywhere Gateway.

When a process in GoAnywhere MFT needs to make an outbound connection through the proxy, a request is made to GoAnywhere Gateway with the address of the intended destination. GoAnywhere Gateway will then establish the connection to that destination and will bridge it to the requesting system.

Load Balancing

GoAnywhere Gateway can serve as a load balancer for distributing workloads across multiple GoAnywhere MFT installations within a cluster, as well as other systems within your network. If a system in the cluster were to fail, GoAnywhere Gateway will send all new trading partner connections to the remaining systems in the cluster. This active-active framework provides greater high availability for mission-critical environments.

GoAnywhere Gateway Diagram

As a load balancer, GoAnywhere Gateway spreads connections evenly across the clustered systems. This load balancing algorithm is called "round-robin", which is a common load balancing standard.

FTP, FTPS and SFTP will use the round robin algorithm to load balance connections across the systems in the cluster. For each new connection from a trading partner, GoAnywhere Gateway will distribute that session to the next FTP/FTPS/SFTP server (in sequential order) within the cluster.

HTTP/S is a stateless protocol that also uses the round-robin algorithm; however, GoAnywhere Gateway can persist each connection (for a period of time) to the same HTTP/S server in order to maintain the integrity of the session. This matters because a user's HTTP/S session can typically only be serviced by a single HTTP/S server at a time.
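To make the dispatch rules above concrete, here is an added illustration (not GoAnywhere Gateway's own code) of round-robin distribution that skips failed cluster members and pins HTTP/S sessions to one server for a limited time. The member names, the `sticky_ttl` value and the injectable clock are assumptions made for the demonstration.

```python
import time

class RoundRobinBalancer:
    """Round-robin dispatch over a cluster, skipping members marked down, with time-bound
    session affinity for HTTP/S. Assumed simplification, not GoAnywhere Gateway's code."""

    def __init__(self, members, sticky_ttl=300.0, clock=time.monotonic):
        self.members = list(members)      # cluster members in rotation order
        self.healthy = set(self.members)  # members currently eligible for new sessions
        self.sticky_ttl = sticky_ttl      # seconds an HTTP/S session stays pinned (assumed)
        self.clock = clock                # injectable so the demo is deterministic
        self.affinity = {}                # session_id -> (member, expires_at)
        self._cursor = 0

    def mark_down(self, member):
        self.healthy.discard(member)      # new connections go to the remaining members

    def _next_round_robin(self):
        # Advance the ring in sequential order, skipping members that are down.
        for _ in range(len(self.members)):
            member = self.members[self._cursor % len(self.members)]
            self._cursor += 1
            if member in self.healthy:
                return member
        raise RuntimeError("no healthy cluster member available")

    def dispatch(self, protocol, session_id=None):
        """FTP/FTPS/SFTP: every new connection goes to the next member. HTTP/HTTPS: keep
        reusing the member bound to session_id while that binding is fresh and up."""
        if protocol.upper() not in ("HTTP", "HTTPS") or session_id is None:
            return self._next_round_robin()
        now = self.clock()
        pinned = self.affinity.get(session_id)
        if pinned and pinned[0] in self.healthy and pinned[1] > now:
            member = pinned[0]            # session stays on the server that holds its state
        else:
            member = self._next_round_robin()
        self.affinity[session_id] = (member, now + self.sticky_ttl)  # (re)start the window
        return member

def demo():
    # Constructed scenario: three members, one fails mid-way, then a pinned session expires.
    clock = [0.0]
    lb = RoundRobinBalancer(["mft-a", "mft-b", "mft-c"], sticky_ttl=60, clock=lambda: clock[0])
    out = [lb.dispatch("SFTP"), lb.dispatch("FTPS"), lb.dispatch("HTTPS", "s1"), lb.dispatch("HTTPS", "s1")]
    lb.mark_down("mft-c")
    out.append(lb.dispatch("HTTPS", "s1"))  # pinned member failed: re-dispatched to mft-a
    clock[0] = 120.0
    out.append(lb.dispatch("HTTPS", "s1"))  # affinity window expired: round robin resumes
    return out
```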

PCI DSS and GoAnywhere Gateway

GoAnywhere Gateway is an important security component for protecting cardholder data and helping organizations to comply with the PCI DSS security standards. By allowing organizations to keep sensitive files and credentials out of the DMZ while not requiring inbound ports to be opened into the internal network, GoAnywhere Gateway is specifically useful for meeting the requirements in section 1.3 of the PCI DSS (text of the standard as follows).

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
1.3.4 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties. Note: Methods to obscure IP addressing may include, but are not limited to:

  • Network Address Translation (NAT),
  • Placing servers containing cardholder data behind proxy servers/firewalls or content caches,
  • Removal or filtering of route advertisements for private networks that employ registered addressing,
  • Internal use of RFC1918 address space instead of registered addresses.

HelpSystems is a Participating Organization in the Payment Card Industry Security Standards Council (PCI SSC). As a member, HelpSystems receives training and provides review of existing standards or advance review of new standards or programs directly to the PCI SSC. HelpSystems is dedicated to the protection of payment card and other personally identifiable information while in motion and at rest through encryption, key management and secure file transport.