VanDyke Software

• Industry: Web Hosting/Web Development
• Products: VShell®for Windows and SecureFX®
• Summary: By turning off FTP and switching to VShell, this independent web development and hosting company reduced the resources it spends tracking down and recovering from external attacks. VShell secures usernames, passwords, and data and limits their customers' SFTP access to specific directories.

Organization

The Net Werx is an independent web development and hosting company specializing in web and email solutions for small- to medium-sized enterprise clients.

Challenge

Tim Trombley, The Net Werx founder and primary developer, found he was spending an increasing amount of time trying to prevent external attacks on the company's network and rebuilding after they occurred. "When we allowed customers to manage their hosted web sites via FTP, we were constantly warding off attacks on our systems," said Trombley. "It cost quite a bit in time and resources. And you're never really sure if you've fixed the problem, so on several occasions we ended up just nuking a few machines and starting over.... It was time to reign in the ropes." The Net Werx needed to replace FTP with a secure file transfer solution that would allow Trombley to control access for its twenty-plus customers.

"When we allowed customers to manage their hosted web sites via FTP, we were constantly warding off attacks on our systems.... It cost quite a bit in time and resources... It was time to reign in the ropes." – Tim Trombley, The Net Werx

Solution

Trombley decided he needed a Windows SFTP server that would allow him to limit his customers' access to specific directories. A Secure Shell SFTP solution made sense for Net Werx since its customers could choose from a wide selection of commercial and open source SSH2 clients in addition to Trombley's familiarity with the protocol's robust authentication, strong encryption, and data integrity.

Before selecting VanDyke Software's VShell server for Windows, Trombley evaluated other free and commercial servers. "I began by looking at what was available in the open source realm. Cygwin didn't give me enough granular control over users' access to our servers," said Trombley. A commercial SFTP server that Trombley evaluated "handled authentication, but again fell short of the access control that I was looking for. Fortunately, VShell was very affordable and offered all of the features I was looking for plus some I hadn't initially been looking for but now use every day."

With the VShell server, Trombley can now give customers SFTP-only access to specific directories. Each customer can be assigned to a defined user or group, and each user or group can be given a separate root directory that contains only the folders and files they need. Access control lists allow Trombley to limit external customers' access to Secure Shell services – SFTP is allowed while remote shell and port forwarding are denied. "I really like the access controls in VShell and the setup was really easy." The Net Werx customers can now update their sites using VanDyke's SecureFX file transfer client or any other SSH2-compliant SFTP client – the customer only sees the set of files and folders assigned to their virtual home directory.

The switch from FTP to SFTP wasn't specifically client driven. The Net Werx' customers are increasingly concerned about security, but not the details of how it's implemented or maintained. "No clients explicitly asked for us to turn off FTP, but in an overall sense, security on many fronts is important [to our clients], including antivirus, antispam, and other tools. They assume we are doing everything we can to protect their data."

Trombley also encourages his customers to look at VShell. "In some cases, we're hired to provide network administration services at a client's location in addition to providing web development and hosting services. We're primarily developers – the hosting is a byproduct of the web development for customers who want to keep it all in one shop. So, if we have a client wanting remote access, I definitely have them look at VShell." VShell simplifies server management and provides an important piece in their network security puzzle.

For system administration and development work, VShell also gives Trombley shell access to The Net Werx servers and client networks and provides port-forwarding of terminal services. "Port-forwarding is really nice. I use a Secure Shell client with VShell everyday to securely open Remote Desktop. By using port forwarding with SSH over port 22, hackers get a much narrower view of what's running inside the network. It has simplified management of our firewall configurations as well."

Swapping out FTP for SFTP with VShell ended an unnecessary drain on The Net Werx IT resources. Now that passwords, usernames, and data are no longer transferred in the clear, the company is no longer an easy target for hackers. Customer data and The Net Werx internal systems are more secure and Trombley is spending a lot less time responding to and recovering from external attacks.

• Industry: Non-profit
• Products: VShell® for Windows and SecureFX®
• Summary: Using VShell triggers to automate site synchronization, and Virtual Directories and Access Controls for simple configuration, this Georgia non-profit provides its member municipalities with a flexible, low maintenance e-commerce solution.

Organization

Based in Atlanta, GA, the Georgia Municipal Association (GMA) is a voluntary, non-profit organization that provides legislative advocacy and educational, employee benefit, and technical consulting services to its members.

GMA's membership includes over 485 municipal governments, accounting for more than 99 percent of the state's municipal population.

Challenge

GMA's mission is to provide leadership, tools, and services to assist Georgia's local governments in becoming more innovative, effective, and responsive. With municipal governments under increasing pressure to provide or improve online services, GMA saw an opportunity to provide its members with a secure, affordable, and easy-to-manage e-commerce solution.

"We leveraged the trigger feature in VShell to load our import engine to upload files in real time into our production system. I've written a shell script that works great in conjunction with VShell's triggers. Because of the triggers I'm able to update our SQL database in almost real time after a city updates their data." – Jeramie Mercker, Software Architect/Developer

A GMA-hosted e-commerce platform would allow members to offer their residents a variety of online services, from viewing property tax information and paying their utility and tax bills to purchasing tickets to community events and entertainment.

GMA's requirements included:

• Strong, industry-standard encryption
• Authentication to Windows 2000 using usernames and passwords
• Cost effectiveness (not at the expense of reliability or support)
• Able to be programmed to do real-time updates (with the ability to get between GMA code and the vendors)

GMA was able to resolve the issue of handling municipal financial transactions, but needed a secure way to synchronize orders and changes with the municipalities' main databases. GMA also wanted a solution that could automate certain routine functions, reducing the time required for basic system administration.

Solution

GMA selected VanDyke's VShell server for Windows and SecureFX (or other Secure Shell file transfer applications) on the client side. "We looked at other Secure Shell solutions, but none of them seemed to provide the programmability that VShell does with triggers," said Jeramie Mercker, a GMA software architect/developer.

"As part of the solution, we developed a custom import engine written in Visual Basic and implemented as a DLL hosted in COM+," said Mercker. "File specification mappings are stored in a SQLServer 2000 database and give us the capability to be very flexible in the file layouts/types that we can accept from our customers."

VShell is used to synchronize the cities' databases with the e-commerce solution's MS SQL databases. "We leveraged the trigger feature in VShell to load our import engine to upload files in real time into our production system," said Mercker. "I've written a shell script that works great in conjunction with VShell's triggers. Because of the triggers I'm able to update our SQL database in almost real time after a city updates their data.

"I didn't want to be polling the directory every half hour or so," said Mercker. "When a file is uploaded, the [VShell] triggers basically run one Visual Basic script. The script then passes the parameters of the trigger on to a specialized COM DLL that puts everything through Microsoft's Text Driver for ODBC to parse the data. The data is mapped to the table format necessary, imported, and then archived. It then sends an email to the sender to let them know the import has taken place, how long the import took, and how many records of each data type were imported.

"In some cases, like Duluth, GA, they only need to update one way, since the residents only use the solution to view their property tax information. Other cities provide the ability to both view and pay utility bills and property taxes, and apply for licenses or permits, such as alcohol licenses. In these cases, [they] get data from two different databases, import it into their SQL database, then export it back to the source for updating nightly. In the case of alcohol licenses, that data gets shipped to yet another database. Nightly scheduled batch jobs at our customers' sites upload and download required files without user intervention."

Ease of use and the need for system administration resources was also a factor in selecting VShell. "We looked at a variety of open source and some high-end commercial solutions," said Mercker. "Some were out of our price range (starting at $15,000 for 50 users, and we could possibly have up to 500 cities), and also required PKI. In other words, I would have to install a digital certificate on each [city] site. Unless the person at the city is really technically savvy, it would almost guarantee a site visit and training. This way, we buy VShell (unlimited connections), and we require that the city buying the solution pick up the cost of the client (we recommend SecureFX). We provide sample batch files using SFXCL to do the automated transfers. Any modifications that are necessary can be done over the phone. It's easy for us, easy for them, and no site visit is necessary.

"It's been extremely reliable and I haven't had a single bit of down time," said Mercker. "I downloaded VShell and set it up within a day back in April [2004]. Because of the flexible way you handle groups in both VShell's Virtual Directory structure and its Access Controls, I haven't had to touch the configuration ever since. Your pre-sales staff was extremely helpful in walking me through a few things, but [VShell] really just worked. And now it is simple for me to add a new city when one comes on board — it only takes me about five minutes to set them up."

When GMA began planning the e-commerce project, they evaluated what level of security was required. Their decision was driven not only by regulatory requirements, but also by internal best practices. A review of the "Open Records Act" revealed that the information they were presenting was not technically private data. But addressing security up front fit into GMA's proactive approach.

"Even if the data wasn't 'private'," said Mercker, "we couldn't afford to risk compromising data integrity while the data was in transit during synchronization to and from the cities' and municipalities' databases." GMA also decided to be proactive and anticipate that privacy requirements could change. "Rather than having to go back and re-architect the whole system in the future, we decided to go with a secure system up front," said Mercker. "This organization is really good about security and contingency planning. We've not only got contingency planning for our IT, but also for phones and any business-critical function that we provide." VShell and SecureFX provided the encryption and data integrity GMA needed for their e-commerce platform. Physical security and contingency systems were handled by setting up duplicates of in-house machines and internet-facing machines at a co-location site.

"The combination of VanDyke's VShell and SecureFX was, by far, the most economically priced solution that we found on the market. The feature set of VanDyke products has enabled us to provide exactly the functionality we needed for our customers. The fact that VanDyke has a great pre-sales support team and that you can evaluate VanDyke's software not just free, but hassle free, was a big win," said Mercker.

"With VanDyke Software, I've always been able to speak with the right person and my problems always get solved," said Mercker. Most software vendors' tech support lines seem tasked with getting the customer off the phone instead of solving their problem. On numerous occasions, I have had exactly the opposite experience with VanDyke staff. They've all been genuinely interested in not only helping me solve my problem, but also in helping me have a better understanding of how the products work so that I can better manage them. I've never been rushed off the phone and I've never been given instructions to do something "just because". I'm also not forced to waste my time being quizzed by various levels of tech support just to get to the person that can solve my problem.

With VanDyke Software VShell server and SecureFX, GMA now provides its members with an e-commerce platform that is simple to set up and use. VShell triggers automate synchronization and ensure nightly updates; VShell's Virtual Directory structure and Access Controls simplify adding new member; and Secure Shell's strong encryption ensures security of municipality and resident data.

"We measure the success of this implementation using the same key factors that led us to select VanDyke Software: quality, reliability, and value for our investment. All have exceeded our expectations and have led to a very successful implementation," said Mercker.

Online Catalog Division of A Premier Luxury Retailer

• Industry: Retail
• Products: SecureCRT®
• Summary: This online catalog division of a premier luxury retailer uses SecureCRT on its warehouse floor to access its custom warehousing application and get direct input from serial devices such as scanners and scales.

Organization

This premier luxury retailer, long known for its distinctive merchandise and superior service, operates an online catalog division for its various brand names.

Challenge

When it came time to update its warehousing technology, this luxury retailer's print catalog and online division decided to replace its dumb terminals equipped with special scanning wands with desktop PCs. With over 500 machines operating in their warehouses, going with PCs offered more flexibility and lower costs than a specialized, proprietary system.

"We like how SecureCRT settings work in our environment…. SecureCRT lets employees change user settings, such as background colors, without affecting the next employee who logs onto that machine." – System Administrator for the online catalog division

In order to make the switch to PCs, this retailer needed to find a Secure Shell terminal emulation client that would work with their custom warehousing software package. Since the machines would be handling inventory control and tracking as well as some sales functions, data security was essential. And with many different users on various shifts operating the PCs on the warehouse floor, the solution needed to work well in a multi-user environment and be easy to maintain and support.

Solution

"VanDyke Software's SecureCRT allowed us to go to PCs," said a lead member of this retailer's information services team. "Our custom warehousing software package encompasses the entire warehouse function – inventory, shipping, and sales recapping – and the PC gives our warehouse employees a lot more functionality. Before, if they needed to find a particular item, they'd go to the terminal, get on to the system, and find a half-line product description, which wasn't very helpful. Now they can access a product number in our warehousing system, go online, get a picture and full description, and have a better idea of what item they are looking for."

SecureCRT is also used to collect input directly from serial devices such as scanners and scales. "We use SecureCRT with handheld scanners to do inventory control and tracking in our warehouse software package. It works great for that," said the lead IT team member. "SecureCRT is installed on the PC and the scanner is hooked up as an external serial device. The same setup is used with our scales for shipping. We then print directly out of SecureCRT to ticket-type printers."

Another reason SecureCRT was selected is its ability to work well in the warehouse environment where many users log on to the same machine. SecureCRT allows one copy of the software to be installed on each machine, and provides each user with their own configuration folder. "We like how SecureCRT settings work in our environment," said the lead IT team member. "The configuration setup makes SecureCRT easier for us to maintain and support."

"We evaluated another product, but it created user profiles all over the place and settings affected everyone," said the lead IT team member. "If the user didn't like the appearance of the screen, they would save their settings, and the software would take their config file and overwrite the config file for all users. The next user who got on would see a screen they didn't recognize. SecureCRT lets employees change user settings, such as background colors, without affecting the next employee who logs onto that machine."

SecureCRT also offered lower overhead, which was an important factor in moving to their PC-based solution. According to the lead IT team member, SecureCRT saved this retailer twenty-five percent over other evaluated products. "We went with SecureCRT because it was lighter and more cost effective. The other system we evaluated did ten times more than we needed and we couldn't justify the cost."

For this retailer's catalog sales division, the switch to SecureCRT for secure connectivity to its warehousing software has provided its employees with a flexible and maintainable solution. "SecureCRT's strongest points are ease of maintenance and independent profiles," said the lead IT team member. "Our users don't need a lot of help with SecureCRT and an individual user's settings don't affect everyone." With fewer support issues related to end user configuration, SecureCRT frees up this retailer's IT resources to focus on other projects and IT issues.

• Industry: Internet & e-commerce
• Products: VShell® for UNIX
• Company Size: less than 25
• Summary: This e-commerce and web hosting company uses VShell for UNIX to provide its clients with SFTP-only access to their web sites.

Organization

eROI, Inc. helps its clients get more bang for their buck by generating and capturing qualified leads online. eROI's services include email marketing, e-commerce, search engine marketing, and web site development, as well as email marketing campaign management and a powerful e-commerce engine and event registration platform.

Challenge

In addition to its e-commerce and web development services, eROI provides its clients with reliable, high-bandwidth web site hosting. Initially, eROI's customers were able to make changes to their hosted web sites using standard FTP and any one of a number of FTP clients.

"With our hosting environment, we wanted to give clients the ability to get to their web site via SFTP only—and your stuff works great for that. I watch out for one port and turn off all the other services" —Brad Stec, System Architect and Developer, eROI

With increasing concerns about nonsecure protocols, eROI decided to turn off FTP and redesign its hosting environment. "We wanted to give our customers a way to update their web sites without having to worry about security," said Josh Ellison, a systems administrator at eROI.

The first thing that eROI did was turn off all nonsecure protocols. The next decision was how to give their client's access yet still contain them, ensuring the security of all customers. "We could have shelled FTP," said Brad Stec, eROI's system architect and developer. "But that's a traditional hacker "drive-through window". It's just too easy to find exploits. We also thought of just jail shelling them, but a hacker could figure out a way to exploit this," said Stec.

Solution

After considering other alternatives, including a custom shell operation, eROI selected VShell server for UNIX. The "RestrictSFTPtoHome" feature in VShell for UNIX was a major selling point for Stec. "I had your product during alpha testing," said Stec. "I said, 'this is what I need' and you guys invented it."

Using VShell for UNIX saved eROI significant development time that would have been spent on creating, maintaining, and supporting a custom shell operation. "You can set up this kind of environment using patches and scripts with Linux and OpenSSH, but users can break out of something like that," said Stec. "With our hosting environment, we wanted to give clients the ability to get to their web site via SFTP only—and your stuff works great for that. We have two to three admin accounts that have shell access and that's it. It's tighter that way. I watch out for one port and turn off all the other services," said Stec.

Setting up new client accounts with SFTP-only access is now a simple, standardized procedure with VShell. "It's just a config switch to create a new client account," said Stec. "With a custom jail shell, you'd have to add the user, load binaries manually—this can be automated, but it's not truly secure. If eROI did a custom solution and got hacked, we might not know it. And if we did know it, we might not know how or where the vulnerability is. I like only having one port open with one vendor [VanDyke] to stay on top of vulnerabilities. It simplifies my life and keeps our site more secure."

Stec also likes to see responsiveness when working with a vendor's customer support staff. "I'd suggest that I needed some kind of functionality and, within a few weeks, you guys would produce palpable results," said Stec. "You always improve your products in useful ways. I can actually use every enhancement you put into it."

An unanticipated and fortuitous benefit of using VShell for UNIX was its scalability. eROI quickly outgrew their initial VShell Workgroup Edition server setup and needed to upgrade to VShell Enterprise Edition. "It was easy for us to upgrade for a few hundred dollars to Enterprise servers," said Stec.

With the VShell solution in place, eROI's clients can now easily access and update their hosted web sites using any number of free Secure Shell clients or VanDyke's SecureFX® file transfer client—without worrying about security.

"We can now say to our clients 'you're truly secure'," said Stec. "We've never been hacked, never been virused, never been defaced."

• Industry: Internet & e-Commerce
• Company Size: 150 employees
• Summary: SecureCRT® is used at Tucows Content Division for terminal emulation and for securing TCP/IP applications.

Organization

Many know Tucows as one of the net's largest software download sites, and the first to provide software on a freeware or shareware basis. Tucows is also the largest ICANN accredited wholesale domain registrar and a leading internet services company, providing back office solutions and wholesale internet services to a network of more than 6,000 web hosting companies, internet service providers (ISPs), and other service providers.

Challenge

Tucows distributes over 40,000 software titles and other digital content through its website, www.tucows.com, and its network of more than 1,000 partner sites. In a typical year, Tucows and its partners serve more than 800 million page views and facilitate more than 87 million digital content downloads.

"I access up to 7 email accounts and with the Activator, I can run them all at once and keep windows I'm not using out of the way."  Brad Smith, Tucows Site Manager

Tucows' reputation and content business depend on the company's ability to protect its software library, web site, and backend systems. "Best practices require that you take certain necessary security precautions. Our reputation depends on it," said Greg Weir, Director of the Tucows Content Division.

As part of their security program, Tucows replaced nonsecure protocols such as Telnet and mandated the use of Secure Shell. On the domain side of the business, most developers work directly on Linux or Solaris servers. The Content Division, which manages the public component of the Tucows software library, needed an easy to use Secure Shell solution that would work well on their Windows workstations.

Solution

For the download site team at the Tucows Content Division, SecureCRT has become the de facto standard for terminal emulation and for securing TCP/IP applications.

"I've been using CRT™ since the mid-90s," said Weir. "When Tucows decided to implement policies to turn off Telnet, I moved to SecureCRT. Now, no machines are accessible using Telnet and everything is accessed with SSH."

The use of SSH and SecureCRT helps maintain the security needed to protect the Tucows library and to protect their web site from defacement. "Most people on the download site team use SecureCRT," said Weir. "Some use it to secure their email. Others use it to access boxes to run Perl scripts locally. The heaviest use is among developers."

One of the benefits of SecureCRT is the range of features available to simplify session management. "SecureCRT has more features than any similar product I've used," said Weir. "A great example is the Activator tray utility." Weir also makes use of the Session Manager to organize sessions in nested folders using copy and paste or drag and drop. "I like to be able to save sessions and transfer them around as I need to."

Brad Smith, Tucows Site Manager, uses SecureCRT for accessing his Pine email, connecting from the Flint, Michigan office to the company's email server in Canada. "As Site Manager, I maintain all the content on our software libraries " upwards of 40,000 changing entries. I handle relationships with software developers, and maintain the Tucows Ratings Criteria they must meet to be listed within the library… I access up to 7 email accounts and with the Activator, I can run them all at once and keep windows I'm not using out of the way."

For the high-volume environment at the Tucows Content Division, SecureCRT features like Activator have been invaluable for streamlining processes and enhancing productivity. "I have a list of like five applications I install after a format," said Smith. "To get on this list (remember I am a software reviewer who has reviewed over 40,000 titles) your program has to be one of the best out there. Hands down, SecureCRT makes this list…. It makes life easier, quicker enough said."

• Products: SecureCRT®
• Company Size: less than 25 employees
• Summary: SecureCRT is used for software development and remote administration of servers located at a dedicated hosting center.

Organization

Since its beginnings in 1994 as a coffee shop that provided free Internet access, CoffeeCup Software has grown to over eight million users in 72 countries. In addition to its 20 software programs, CoffeeCup Software operates a web hosting company, a search engine submission service, and "Instant Coffee", a service providing web templates, graphics, and fonts. It was rated number 400 in the Interactive 500, a ranking of Internet and e-commerce companies.

"We still remember the good old days when we were just a small coffee house," said J. Cornelius, Vice President of Operations. We strive to keep that same level of personal service with a smile that went with every cup of steaming hot Cappuccino." True to their beginnings, CoffeeCup Software has remained focused on their customers.

Challenge

CoffeeCup Software's dedication to their software users and web hosting customers carries over into their security policy and how they manage their customers' data and web sites. With millions of customers worldwide, CoffeeCup Software processes thousands of credit card transactions a month. According to Mr. Cornelius, "Knowing our data is secure is one of my top priorities. You can never be too secure. We risk violating the trust of our customers, and exposing them and their personal information to abuse."

" Since we don't have physical access to the machines, SecureCRT provides the only window through which we can see our systems function at the server level. . . SecureCRT allows me to work on those servers as if they were right here on my desktop. "—J. Cornelius, Vice President of Operations

Since CoffeeCup Software's servers are located in a remote dedicated hosting center, they needed a way to perform remote server administration and software development without putting any of their own or their customers' data at risk.

Solution

For CoffeeCup Software, Secure Shell (SSH2) stood out among other remote access alternatives. SSH2 provided the only viable solution for remote server maintenance and administration. "Anything less secure is simply too risky when dealing with sensitive data," said Mr. Cornelius.

Mr. Cornelius has been using SecureCRT since 1997. His past experience with SecureCRT was a major reason for selecting it as CoffeeCup Software's standard remote access solution. "Because of the reliability and ease-of-use of SecureCRT, we have been able to expand our remote computing with confidence."

Ongoing support and development was also an important factor in selecting SecureCRT. "The free SSH tools don't provide the same ease of configuration and portability. SecureCRT is the third thing I install on my new boxes, after the OS and a browser. Knowing there is a team of developers at VanDyke Software working to improve the software is important when selecting a tool that you want to use for the long haul. You can't rely on free software to run a business."

SecureCRT is used to maintain constant connections to a variety of CoffeeCup Software's servers. CoffeeCup Software's system administrators and software developers connect to Red Hat ES 2.3 servers in a clustered, load balanced environment located a few hundred miles away from their main office in a dedicated hosting center.

"Since we don't have physical access to the machines, SecureCRT provides the only window through which we can see our systems function at the server level. We have developed numerous shell and command-line tools for maintenance, monitoring, and development. SecureCRT allows me to work on those servers as if they were right here on my desktop," said Mr. Cornelius.

SecureCRT provides Mr. Cornelius with the ability to take advantage of better connectivity from a data center provider while maintaining near system level access to their machines.

How do they measure the success of the SecureCRT implementation? "A significant portion of what I do to manage the operations of CoffeeCup Software is accomplished using SecureCRT," said Mr. Cornelius. "How do you measure the success of a tool that is vital to your daily operations? It has to just work."

Adfa-Gevaert NV
Global Information & Communication Services

• Industry: Digital Printing
• Products: SecureCRT® and SecureFX®
• Summary: Agfa-Gevaert system administrators use SecureCRT for secure remote access to critical systems on the Agfa Global Network and in the Agfa-Gevaert DMZ (demilitarized zone), and SecureFX for secure file transfer of patches, logs, and other key files.

Organization

Agfa is a well-known manufacturer and system supplier of a wide range of consumer and business imaging products and solutions. Hardware, software, and digital imaging products account for an increasing part of the company's revenue in the markets of consumer imaging, graphic systems, healthcare, and industrial imaging.

"We like that the products are highly customizable. They've got a nice GUI, lots of features. It's a good package." —Tim Groenwals, Global Security Technology Manager

Challenge

Agfa-Gevaert, Agfa corporate headquarters, needs to provide secure system administration of critical business systems. This includes providing remote shell access and file transfer to its systems on the Agfa Global Network and its DMZ.

Solution

Tim Groenwals, Global Security Technology Manager for Agfa-Gevaert Global Information and Communication Services, investigated various shell access and file transfer solutions. "We went with SecureCRT and SecureFX," said Groenwals. "They give us all the functionalities we require — and a lot more. We like that the products are highly customizable. They've got a nice GUI, lots of features. It's a good package."

Agfa-Gevaert system administrators now run SecureCRT for secure remote access to critical systems and SecureFX for secure file transfer of patches, logs, and other key files. "We're using SecureCRT for connecting to our *nix servers, (UNIX, Linux, etc.)," said Groenwals. "We're now investigating a more general use for SecureCRT and SecureFX and their integration with our corporate certificate authority for extra security."

Multi-M/IA Internet Architects BV

• Industry: Internet/e-commerce
• Products: VShell® for Windows, SecureCRT®, and SecureFX®
• Summary: Using VanDyke Software's end-to-end solution, Multi-M/IA implemented a secure, collaborative environment for their employees. VanDyke's software is interoperable with OpenSSH and CVS running on Multi-M/IA's Linux server and client machines.

Organization

Multi-M/IA is an internet consulting firm that provides e-business solutions for its clients including web site development, management of internet and e-business projects, and integration of internet initiatives with existing business processes. The company specializes in the integration of their clients' internet efforts with their other communication channels and business processes.

Multi-M/IA's clients are spread across industry and geographic boundaries and include companies such as TNT Post Group, General Motors, McCann Erickson, and The United Nations (UN).

"I was able to deploy and configure VShell, SecureFX, and SecureCRT on our ten PC Windows network with ease. The total setup took about four hours and I haven't had to look at it since." – Leo Simons, UNIX Administrator

To provide their clients with the best possible e-business solutions, Multi-M/IA employs and collaborates with a wide variety of information and communication technology executives, marketing professionals, database engineers, programmers, and outside consultants and partners.

Challenge

Multi-M/IA needed to develop a collaborative network environment for its employees, consultants, and partners that provides secure file revision and project management.

Multi-M/IA's requirements include the following:

• Highly secure remote connections
• Products with proven stability and security track records
• Ease of deployment and maintenance
• A file transfer client with an easy-to-use interface
• Interoperability between Windows and Linux
• A complete solution with a low total cost of ownership

Basic account and logon information has to be protected. However, the most important asset to protect is their customers' data. At the same time, Multi-M/IA needs to ensure efficient operations by supplying their employees with an uncomplicated, polished interface.

Solution

Multi-M/IA requires interoperability since they manage several externally hosted Linux servers and need secure access to SOAP services (SOAP allows applications to communicate with each other over the internet, regardless of platform).

Multi-M/IA had been using a Cygwin and OpenSSH solution. They found that this solution was a challenge to maintain, primarily because of the difficulty that Windows users have using command-line windows.

A VPN was out of the question since it was beyond the scope of their needs and they did not want to commit the resources required to maintain a VPN. "VPN gave me a lot of headaches as it is implemented really badly within Windows 2000," said Leo Simons, a UNIX administrator at Multi-M/IA who also manages a small Windows workgroup.

Multi-M/IA looked at a variety of solutions, but Simons found that most solutions did not meet his requirements of relatively easy setup and maintenance and straightforward user interface. In addition, total cost of ownership increased to hundreds of dollars per seat for some products.

Simons decided to evaluate VanDyke Software products as a possible solution and found that the combination of security, interoperability, ease-of-use, and stable track record was unique to VanDyke's products. "I decided to investigate VanDyke packages," said Simons. "I was able to deploy and configure VShell, SecureFX, and SecureCRT on our ten PC Windows network with ease. The total setup took about four hours and I haven't had to look at it since."

Multi-M/IA selected a combination of VanDyke software and open source software. VShell was deployed on the Windows 2000 Workgroup server, which provided simple configuration and administration. For their Windows end users, the company chose a combination of SecureCRT, SecureFX, and WinCVS (an open source Windows client for the open source CVS version control system). SecureCRT was used for port forwarding and SecureFX using SFTP provided secure remote file access for employees.

OpenSSH and CVS were set up on the Multi-M/IA Linux server and client machines. Files are served by the Windows Workgroup server. CVS and SOAP are hosted on external, dedicated Linux servers. SOAP services are secured with Secure Shell tunneling. A firewall at all connection points to the internet (both servers and clients) blocks all incoming traffic except Secure Shell (port 22).

By combining VShell, SecureCRT, and SecureFX with open source and Linux servers and clients, Multi-M/IA achieved a secure, user-friendly environment that met their total cost of ownership requirements. VanDyke's implementation of the Secure Shell protocol provided interoperability with OpenSSH running on the Linux platform. The VShell server and the SecureCRT and SecureFX clients gave Multi-M/IA an easy to set up and maintain system with a polished, easy-to-use interface that required little training and reduced support.

Nick Temple, E-Commerce Consultant

www.nicktemple.com

• Industry: Consulting
• Products: SecureCRT® and SecureFX®
• Summary: With SecureCRT and SecureFX for remote access and file transfer, this e-commerce consultant can quickly respond to customer needs from the road or his office, while maintaining the security of their systems and data.

Organization

Nick Temple provides application development and e-commerce consulting services to clients throughout the United States, primarily to financial sector companies. Temple often works remotely, developing on his clients' servers from his office or on the road.

Challenge

As a consultant with geographically dispersed clients, Temple needs reliable, proven software to securely administer client servers from his office or from the road. To effectively serve his customers, Temple needs to securely access and control his clients' machines from his office or laptop when on the road. He also needs to script tasks, for example, to let a trusted support person restart selected services. "My clients place a lot of trust in me to not expose their sensitive customer data, in particular, credit card numbers and other financial data. Security is an absolute necessity. And of course, sending passwords in clear text over the internet is just a bad idea," said Temple.

Solution

Using SecureCRT and SecureFX, Temple benefits from Secure Shell remote shell access, data tunneling (port forwarding), and file transfer. He chose SecureCRT and SecureFX because they seemed to be a Windows client standard. With three to four years experience with VanDyke products, Temple felt comfortable using them to access customers' sensitive resources and data.

"My clients place a lot of trust in me to not expose their sensitive customer data, in particular, credit card numbers and other financial data. Security is an absolute necessity. And of course, sending passwords in clear text over the internet is just a bad idea." —Nick Temple, E-commerce consultant

SecureCRT has also served Temple well in the past. "Before SecureFX, I port forwarded passive FTP connections over the SecureCRT client. I'm sure that the free versions work as well — that's what I use for the servers, as it's built into Linux — but SecureCRT is feature-rich, easy to use, and easily scriptable... I use SecureCRT to remotely administer all our servers, allowing me to do critical maintenance wherever I am." He also uses SecureCRT to remotely administer customer databases.

Temple develops on his clients' remote servers that are behind a firewall and not directly connected to the internet. He needs to access a command shell, upload and download files, and test HTTP. Temple gets this done using SecureCRT. With a Secure Shell client like SecureCRT, he can connect to the server, and then create an encrypted tunnel to connect to any remote machine behind the firewall.

Temple's setup generally has only the standard Secure Shell port open on the firewall. He connects to the firewall and then port forwards 22 on the remote machine locally to another port, for example, to 300. This creates the tunnel. He then connects SecureCRT to port 300, which gives him direct access to the remote machine. He can then port forward selected services such as web access (HTTP) to the local machine, for example, for remote testing on development servers. Rz/sz software is installed on the UNIX server machines for remote downloads.

"This setup allows me to work on any machine from my laptop or from my office via a 'Secure Shell VPN'," said Temple. "I'm not sure I could function without it, and definitely not at the level of productivity required. Other setups may work, but this allows completely encrypted traffic, even over the remote LAN."

SecureCRT and SecureFX enhance Temple's ability to provide value for his customers. With remote access and transfer, he can quickly respond to customer needs while maintaining the security of their systems and data. "SecureCRT allows me to work for clients remotely, increasing both customer satisfaction and my ability to maximize billable hours," said Temple. "By having secure connections, clients are assured that their data is safe with me."

How does Temple measure the performance of the products? "It's simple — can I reliably work remotely or not? Support's important, too. Do I get a call at 3:00 am to fix something that should be able to be handled by a customer support rep? Not entirely joking, the bottom line is how much sleep I get."

School of Biological Sciences, University of Bristol

www.bristol.ac.uk/biology

• Industry: Education
• Products: VShell® for Windows and SecureFX®
• Summary: VShell and SecureFX provide multiple SFTP root access points and a highly secure file transfer client, reducing the complexity of managing secure file access for multiple offsite and guest users.

Organization

As a dynamic, research-based organization, The School of Biological Sciences at the University of Bristol is committed to fundamental biology and cutting edge advances in new technologies.

Seamless communication and data sharing are critical to the activities of over 190 academics, researchers, postgraduates, and skilled support staff who work at the school. The school also supports over 500 undergraduates who require access to the school's data resources.

Challenge

The staff's teaching and research activities involve close collaboration with other departments of the university and with outside organizations. This requires the school to provide remote network access to a variety of outside entities with varying levels of access privileges. The network needs to be protected from outside attacks and the university has a regulatory requirement to secure its data —non-compliance is not an option.

The School of Biological Sciences needs to ensure network security while providing file access for offsite and guest users across multiple servers and platforms. One of the major issues for the Information Systems (IS) Manager is the time required to manage user accounts and privileges. Multiple expiration dates and limited-access profiles have to be updated on a daily basis.

The files accessed by users are located on multiple servers organized in a Windows NT Domain/Windows 2000 Active Directory network structure. The administrator also needs to remotely manage one of the school's database servers running MySQL. The ideal solution would provide both secure file transfer services and tight integration with Active Directory.

Solution

Dominic Hiles, the IS Manager for the School of Biological Sciences, deployed the VanDyke Software VShell server and SecureFX secure file transfer client to develop a custom solution for managing NT domain accounts. According to Hiles, VShell was selected because of its tight integration with Windows 2000 Active Directory structure and the availability of multiple SFTP roots.

VShell's multiple SFTP root configuration provided the IS Manager with a way to manage a large variety of access requirements. Multiple SFTP root access points can be customized to provide access to appropriate files and folders for different users or groups based on their domain group or SFTP domain membership. The IS Manager has the flexibility to set up folders or volumes containing files to be accessed by external users. Staff can be given access to a virtual directory structure that can include multiple drive volumes. The user sees a virtual directory structure, which displays only those files and folders to which they have been granted access. The IS Manager can also enable or disable file transfer privileges on an individual user or group basis for role-based control of secure file transfers.

Users and groups can be based on membership in a Windows Access Control List (ACL), providing tight integration with the Windows server. VShell also provides the ability to enable or disable user shell access and port forwarding services in similar fashion. VShell's SFTP root access points, in conjunction with Windows 2000 directory file structure, provided an intuitive way to manage users and groups and the flexibility to eventually customize access profiles for every user.

SecureFX was selected as the SFTP client based on its support for VShell's multiple SFTP root implementation. With VShell, offsite users with any SSH2 client are now able to use SFTP or SCP2 commands to transfer files as well as list and delete files and directories. Transfers are fully encrypted with ciphers of up to 256 bits.

With VShell's SFTP features and SecureFX file transfer client, the IS Manager at the School of Biological Sciences deployed a server-client solution that provided a way to efficiently manage secure network access to multiple users, both on and off site.

• Industry: Retail
• Products: SecureCRT®
• Summary: Using SecureCRT, Nebraska Book's PRISM software customers securely access bookstore inventory and accounting data, protecting passwords, confidential data, and credit card information.

Organization

Nebraska Book Company, Inc. is one of the largest used textbook wholesalers in the United States, owning and operating over 100 college bookstores and providing textbooks, information systems, and consulting services to more than 3,000 college campuses.

Nebraska Book's computer hardware and software packages, include its PRISM software suites, a comprehensive inventory management and point-of-sale solution for college bookstores. PRISM is installed in all Nebraska Book retail locations and in the stores of many of their commercial market customers. PRISM automates and manages all phases of inventory, ordering, receiving, invoicing, and returns for textbooks, trade books, and general merchandise.

"Because we handle credit card numbers, the inability to secure and protect this data could be catastrophic.... SecureCRT provides the security capabilities needed to support our application." —Walt Timmerman, Nebraska Book Company

Challenge

Each bookstore using the PRISM suites runs the software on an IBM RS6000 server. Employees access PRISM using terminal emulation software on desktop PCs throughout the store. Since PRISM handles sensitive information, including credit card information, Nebraska Book needed to provide its customers with a secure terminal emulator that would protect critical data from misuse or theft.

"We recently implemented new security features in our PRISM application software, specifically encryption, to protect and secure bookstore data," said Walt Timmerman, Manager of System Sales at Nebraska Book. "Because we handle credit card numbers, the inability to secure and protect this data could be catastrophic."

Solution

Nebraska Book now provides SecureCRT with their PRISM software for secure terminal emulation. SecureCRT is installed on the desktop of all PCs connected to the PRISM host system. "VanDyke's SecureCRT solution provides security features unavailable in the emulation package we were using," said Timmerman. "We now have our customers use the VanDyke SecureCRT emulation package on PCs to access our application software. SecureCRT provides the security capabilities needed to support our application."

With SecureCRT, Nebraska Book's PRISM customers can securely access their inventory and accounting data. Because SecureCRT is simple to use, training time is reduced for store employees from store managers to customer service personnel.