Certified File Transfer Professional (CFTP) - Official Study Guide


Certified File Transfer Professional (CFTP)
Official Study Guide
Version 1.3

Copyright 2018 Pro2col Ltd. - All Rights Reserved
Do Not Copy or Distribute Without Written Permission – More Information at Pro2col.com

Table of Contents

Table of Contents ..... 2
I. Introduction to CFTP ..... 6
  CFTP Certifying Body ..... 6
  CFTP Training and Test Procedure ..... 6
II. File Transfer Concepts ..... 6
  When File Transfer Should Be Used ..... 6
  When File Transfer Should NOT Be Used ..... 7
  File Transfer’s Role in Collaboration ..... 7
  File Transfer Client and Server Concepts ..... 8
  “Data in Motion” and “Data at Rest” Encryption Concepts ..... 9
  Encryption Concepts ..... 10
    Symmetric Encryption ..... 10
    Asymmetric Encryption ..... 11
    Common Encryption Algorithms ..... 12
  Hashing Concepts ..... 13
    Common Hash Algorithms ..... 14
    Salting Hashes ..... 15
    Providing Integrity Checks ..... 16
  PKI (Public-Key Infrastructure) Concepts ..... 17
    Role in Security in Transit ..... 18
    Role in Security at Rest ..... 18
    Obtaining a Certificate ..... 18
  IPv4 and IPv6 ..... 20
    Private vs. Public Addresses ..... 20
    Network Address Translation ..... 21
  Proxies ..... 21
    Reverse Proxy ..... 21
    Forward Proxy ..... 21
III. Basic File Transfer Protocols ..... 22
  FTP ..... 22
    Active Mode ..... 24
    Passive Mode (or “Firewall Friendly”) ..... 25
    ASCII / Binary / EBCDIC Formatting ..... 26
    Custom “Quote” Commands ..... 27
    EPSV and EPRT ..... 28
    Integrity Checks ..... 29
  FTPS (SSL/TLS) ..... 30
    FTPS “Explicit” or “RFC-Compliant” Mode ..... 30
    FTPS “Implicit” Mode ..... 31
    FTPS vs. Firewalls and NAT ..... 32
    Strong Authentication (via Certificates) ..... 33
  SFTP (SSH) ..... 34
    SFTP vs. “FTP Tunneled Over SSH” ..... 34
    Strong Authentication (via Keys) ..... 35
  SCP (SSH) ..... 36
IV. Advanced File Transfer Protocols ..... 37
  HTTP ..... 37
    HTTP URLs ..... 37
    “Non-URL” HTTP Parameters ..... 38
    HTTP Security ..... 38
    HTTP File Uploads ..... 38
    HTTP Advanced File Uploads ..... 39
  HTTPS (SSL/TLS) ..... 40
    Communicating Certificate and Key Strength ..... 40
    Strong Authentication (via Certificates) ..... 41
    SSL Versions and TLS ..... 41
  WebDAV ..... 42
  Email Protocols ..... 43
    SMTP ..... 44
    POP3 (“POP”) ..... 44
    IMAP ..... 44
    Mail Protocol Port Summary ..... 45
  NDM (“Connect:Direct”) ..... 46
    Genesis of MFT ..... 46
V. Applicability Statement (AS*) Protocols ..... 47
  AS2 (“Applicability Statement 2”) ..... 48
    AS2 “Sync” (Synchronous) Mode ..... 48
    AS2 “Async” (Asynchronous) Mode ..... 49
    AS2 “Async Email” Mode ..... 50
  Other AS* Protocols ..... 51
    AS1 ..... 51
    AS3 ..... 52
    AS4 ..... 52
  AS* Selection Guide ..... 53
  Drummond Certification ..... 54
VI. Accelerated File Transfer ..... 55
  Accelerated File Transfer Basics ..... 55
    Multi-Threading ..... 55
    TCP/IP Latency ..... 55
    TCP/IP Throughput ..... 55
    UDP/IP Blasting ..... 57
    Controlled UDP ..... 57
    Aliases ..... 58
  Accelerated File Transfer Issues ..... 59
    Issues with Firewalls ..... 59
    Issues with VPNs ..... 59
    Issues with QOS ..... 59
    Issues with Standards ..... 59
VII. File Synchronization and Sharing ..... 60
  File Sending (“Email Metaphor”) ..... 60
    Basic File Send (Browser-Based) ..... 61
    Basic File Send (Email-Based) ..... 63
  File Sharing (“Folder Metaphor”) ..... 64
  File Synchronisation ..... 66
  Policies ..... 68
    Challenge Mechanisms ..... 68
    Retention Policy ..... 69
  Mobile Devices ..... 69
VIII. “At Rest” Encryption ..... 70
  Symmetric Encryption ..... 70
    Key Retained on Server ..... 71
    Key Sent to Sender ..... 72
    “Automatic Encryption” ..... 72
    “Zip Encryption” ..... 72
  Asymmetric Encryption ..... 73
    PGP Encryption ..... 74
    SMIME Encryption ..... 74
    “Strong Zip” Encryption ..... 74
IX. File Transfer Operations ..... 75
  Server Troubleshooting Guide ..... 75
  File Transfer Service Levels ..... 76
    Sample File Transfer SLAs ..... 77
  Automated File Transfers ..... 78
    Transfer Windows ..... 78
    Scheduled File Transfers ..... 78
    Trigger Files ..... 79
    Event-Driven File Transfers ..... 80
    Continuous File Transfer ..... 81
    File Transfer Resume (“Checkpoint Restart”) ..... 81
    File Transfer Workflows ..... 82
  Monitoring ..... 82
    Server Functions ..... 82
    Notifications ..... 83
    Automation ..... 83
    Reporting ..... 83
    Dashboard ..... 84
  High Availability and Disaster Recovery Considerations ..... 85
    Disaster Recovery ..... 85
    High Availability ..... 85
X. Compliance ..... 87
  List of main regulations affecting file transfers ..... 87
    FIPS (Federal Information Processing Standards) ..... 87
    GDPR (General Data Protection Regulation) ..... 87
    GLBA (Gramm–Leach–Bliley Act) ..... 87
    HIPAA (The Health Insurance Portability and Accountability Act) ..... 87
    ISO 27001 (Information security management systems) ..... 87
    PCI-DSS (Payment Card Industry Data Security Standard) ..... 87
    SOX (Sarbanes-Oxley Act) ..... 87
Appendix A: Protocol Selection Guide ..... 88
Appendix B: Acknowledgements ..... 89

I. Introduction to CFTP

“Certified File Transfer Professional” ("CFTP") is a vendor-independent file transfer certification for IT professionals. A CFTP is qualified to evaluate, deploy, configure, maintain and support secure file transfer, managed file transfer and workflow automation technology such as:

- FTP servers, FTPS servers and SFTP servers
- "Web Transfer" and "Web Client" servers, including WebDAV servers
- Accelerated File Transfer, including "Extreme File Transfer" and UDP-based solutions
- "Ad Hoc" File Sharing and File Synchronization (or “EFSS”)

CFTP Certifying Body

The certifying body behind the CFTP program is the Certified File Transfer Professional Advisory Board. It is managed and administered by Pro2col, Ltd, a vendor-independent technology firm that encourages file transfer interoperability, education, and best practices through training and professional certification.

The CFTP exam, process and study guide are shaped by a group of experienced advisors with a wide range of managed file transfer and secure file transfer experience. The training and examination were also tested with dozens of early adopters, without whom there would be no curriculum at all. (See full acknowledgements in Appendix A.)

CFTP Training and Test Procedure

The Certified File Transfer Professional certification exam is an open book test based on material found in this study guide and recorded online training.

Each CFTP exam consists of 60 questions randomly selected from a much larger pool of approved questions. Answers are multiple choice, and all answers are presented in a randomized order. (The chance of any two exams being identical is remote.) Each exam must be completed in 90 minutes or less, and a passing grade is 80% (at least 48 correct questions).

II. File Transfer Concepts

File transfer is used every day by hundreds of millions of people and businesses to share documents, provide remote access to information and automate business processes. The data moved by file transfer processes is also often called “bulk data” or “batch data” because files often communicate more than one idea, transaction or receipt.

When File Transfer Should Be Used

File transfer works best when the output from a business workflow needs to be handed off to another person or process, and any response to the output can wait at least a few seconds. File transfer is also used when information already stored in files (e.g., “documents”, “extracts” or “reports”) simply needs to be shared with other people or processes, and no response is needed.

For example, a workflow that involved posting purchase orders and turning around a response in five minutes would be an excellent candidate for file transfer. A workflow that involved end users sharing spreadsheets with other end users would also be an excellent candidate for file transfer.

When File Transfer Should NOT Be Used

File transfer is NOT the best choice when data must be streamed, or when responses to the original data are expected back almost immediately. Examples of streamed data that would NOT be appropriate candidates for file transfer include live video broadcasting and audio applications like VOIP. Examples of workflows that would NOT be appropriate candidates for file transfer (because they require exceedingly quick responses) include stock trade orders to be executed within milliseconds, and low-level command-and-control signals within a computer system.

File Transfer’s Role in Collaboration

Many organisations use file transfer as a collaboration tool between geographically distant parties. Both the “ad hoc” file send and share models and the shared folder models are popular. However, file transfer solutions do not typically offer the file locking or versioning available in “collaboration-first” solutions or in “source control” or “document control” repositories.

File Transfer Client and Server Concepts

Almost all file transfer implementations use a “client/server” computing architecture. In a client/server relationship, the client opens a connection and initiates activity, while the server receives the connection and responds to activity requests. When file transfer uses a client/serve
