Implementing a Secure File Transfer Service with 4SFT
A data diode (one-way link) is a good starting point for connecting air-gapped networks, or for linking networks of different classifications where data sharing needs to be controlled and one of those networks needs to be ring-fenced.
A data diode will always maintain complete physical segregation and uni-directional flow control between networks, but for some clients that isn’t enough. Network owners also need to control what data is shared between those networks. File transfer is the most common method for data transfer between air-gapped networks and encompasses several different use cases, including providing patching and system updates, anti-virus definitions and threat intelligence, and data sharing.
4Secure has developed 4SFT to be a platform-agnostic advanced file transfer tool as part of our range of Trusted Filter™ products. The product comes with an intuitive GUI for configuration and multiple file transfer modes to support scheduling, mirroring, and more traditional file transfers, such as sending and deleting files. Additionally, a pre-processing engine allows the user to specify scripted actions to take place against files in a transfer queue, enabling advanced content checking, scanning and manipulation of data before the file transfer process.
The 4SFT pre-processing engine is an inline scripting solution that allows custom control scripts to be actioned against a file in the file transfer process. 4SFT interprets the outcome of these scripts and a pass or failure can initiate multiple quarantines or reporting scenarios. The pre-processing engine enables various data verification and content checking capabilities, including anti-virus scanning, magic byte and file extension checks, checksum verification, XML and JSON schema checking, data transformation and more. Third parties or application users can write scripts, and sample template scripts can be provided to make the process as painless as possible.
As an additional option, the 4SFT pre-processing engine can be configured to integrate with trusted third-party software, such as Glasswall.
One example of 4SFT used as a secure file transfer service is ingesting patches into an air-gapped network in a timely manner, enabling rapid patching of operating systems and software. While a diode provides perfect hardware-enforced separation via a protocol break and unidirectional flow control, additional control is required around the content allowed to enter the secure network. Using 4SFT and the pre-processing engine, the following sanitising actions can be performed before every file is sent:
• Anti-virus checks of queued files with multiple AV engines, to ensure malicious content is removed and unable to enter the secure system
• File type verification of queued files, to ensure non-compliant file types are blocked and unable to access the secure system
• Checksum verification of queued files against a file manifest
Once all checks are successfully completed, a compliant file will be sent. A failed check can be used to quarantine or delete the non-compliant file, or to raise an alert in the application logs about the issue identified in the data verification process.
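The file type and checksum checks listed above can be sketched as follows. This is an added example, not a 4SFT script or the 4SFT scripting interface, which this page does not describe. The allow-list, the sha256sum-style manifest format, the verdict strings and all file names are assumptions, and anti-virus scanning is left out.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed allow-list (an assumption, not 4SFT configuration): extension -> magic bytes
MAGIC = {".cab": b"MSCF", ".zip": b"PK\x03\x04", ".gz": b"\x1f\x8b"}

def parse_manifest(text):
    """Parse sha256sum-style lines '<hex digest>  <file name>' into {name: digest}."""
    rows = (line.split(None, 1) for line in text.splitlines() if line.strip())
    return {name.strip().lstrip("*"): digest.lower() for digest, name in rows}

def check_file(path, manifest):
    """Return (verdict, reason); verdict is 'pass' or 'quarantine' (hypothetical names)."""
    path = Path(path)
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return "quarantine", "extension not on allow-list"
    if path.name not in manifest:
        return "quarantine", "file not listed in manifest"
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        head = fh.read(len(magic))
        if head != magic:  # content does not match the type the name claims
            return "quarantine", "magic bytes do not match extension"
        sha.update(head)
        for chunk in iter(lambda: fh.read(65536), b""):  # stream large patches
            sha.update(chunk)
    if sha.hexdigest() != manifest[path.name]:
        return "quarantine", "checksum mismatch"
    return "pass", "ok"

def demo():
    """Check constructed sample files written to a temporary directory."""
    samples = {"update.cab": b"MSCF" + b"\x00" * 32,   # listed, intact
               "tampered.zip": b"PK\x03\x04changed",   # listed, content altered
               "renamed.gz": b"MZ\x90\x00not gzip",    # executable header, .gz name
               "tool.exe": b"MZ\x90\x00"}              # type not allowed
    listed = {**samples, "tampered.zip": b"PK\x03\x04original"}
    manifest = parse_manifest("\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in listed.items()))
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = Path(tmp, name)
            path.write_bytes(data)
            results[name] = check_file(path, manifest)
    return results
```

Calling `demo()` returns one verdict per sample file. The check fails closed: a file with an unknown extension or one missing from the manifest is quarantined rather than sent.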