Introduction

MOVEit DMZ Enterprise is a secure file transfer server. It is a vital component of the MOVEit family of secure file processing, storage, and transfer products developed by Ipswitch, Inc.. These products provide comprehensive, integrated, standards-based solutions for secure handling of sensitive information, including financial files, medical records, legal documents, and personal data.

layout.png (19377 bytes)

MOVEit DMZ safely and securely collects, stores, manages, and distributes sensitive information between your organization and external entities. Web browsers and no cost/low cost secure FTP clients can quickly, easily, and securely exchange files with MOVEit DMZ over encrypted connections using the HTTP over SSL (https), FTP over SSL (ftps) and FTP over SSH (sftp) protocols. And all files received by MOVEit DMZ are securely stored using FIPS 140-2 validated AES encryption, the U.S. Federal and Canadian government encryption standard.

In addition, a web interface offers easy online administration and monitoring of MOVEit DMZ activities while a programmable interface (via MOVEit DMZ API Windows and MOVEit DMZ API Java) makes MOVEit DMZ accessible to custom applications.

MOVEit DMZ includes an optional MOVEit Wizard plug-in that works with Internet Explorer, Firefox and Mozilla to help web-based users to quickly upload and download large and/or multiple files and folder trees to and from MOVEit DMZ.

Encryption capabilities throughout the MOVEit product line are provided by MOVEit Crypto. The AES encryption in MOVEit Crypto has been FIPS 197 validated. The entire cryptographic module has been FIPS 140-2 validated after rigorous examination by cryptographic specialists in the United States' National Institute of Standards and Technology (NIST) and Canada's Communications Security Establishment (CSE).

CryptoFIPS.gif (11054 bytes)

MOVEit DMZ also has an approved Certificate of Networthiness (CoN) from the United States Army. This certification involves a review of how MOVEit DMZ meets Army requirements for network security, integration, interoperability, and ease of management and support.

Physical Specifications

The MOVEit DMZ software itself resides on a Microsoft Windows Server platform hardened against threats from the Internet and trusted networks. Organizations that need to support very large volumes of file transfers and/or many users may require additional hardware, but for many organizations the minimum recommended specifications of a MOVEit DMZ should suffice:

The latest production recommendations can be found in the online Support Knowledge Base.

Network Specifications

In a typical network topology MOVEit DMZ is best located on a secured "DMZ" segment accessible to both internal and external users."DMZ" is short for DeMilitarized Zone - a network "no man's land" where both internal and internet hosts are allowed to connect. By default, connections originating from a DMZ network segment are not to be trusted and are usually not allowed unless there is a compelling case to allow a particular service through.

BasicDMZ01.gif (18318 bytes)

Web and secure FTP clients can upload and download files to MOVEit DMZ from internal and external networks. For security reasons, MOVEit DMZ is NOT permitted to establish connections with or push files to systems on either your internal network or on an external network. (If a "proxy push" or "proxy store-and-forward" solution is desired, MOVEit Central can be used with MOVEit DMZ to fill this role.)

MOVEit DMZ's Security Advantages Over Other "Secure FTP" Solutions

There are three "areas" where files are at risk when transferred between an external network (such as the Internet) and your internal network:

Most secure Web and FTP file transfer products reside on a system in a DMZ and use industry-standard SSL or SSH to provide secure transfers between the INTERNET and DMZ. (MOVEit DMZ does as well.) Unfortunately, that is as far as most products go; they fail to secure files stored on the DMZ (at risk if the DMZ box gets hacked) and fail to secure files being transfered between DMZ and MY ORG (at risk if a hacker sets up a sniffer inside the DMZ).

MOVEit DMZ secures all three areas by using SSL/SSH-encrypted transfers for ALL transfers and by using FIPS 140-2 validated AES encryption to secure files on disk.

In addition, only MOVEit DMZ offers complete end-to-end file integrity over FTP. In other words, files transferred with secure FTP or web clients which support file integrity checks through the MOVEit system can be proven to be 100% identical to their source files through the use of SHA-1 cryptographic hashes. (When combined with authentication, complete file integrity provides non-repudiation.)

Accessing MOVEit DMZ

"Client" access to MOVEit DMZ is available through several interfaces, including HTTPS, FTP over SSL, and FTP over SSH.

The built-in web interface provides access to anyone with a desktop web browser (see the complete list of supported browsers). Authorized administrators may configure the MOVEit DMZ server from authorized locations while customers and partners use a simpler portal to move files in and out of the MOVEit DMZ system.

Also available through the web interface, the optional MOVEit Upload/Download Wizard provides for faster and more reliable file transfers using the web than are normally available through "stock HTTP". The MOVEit Wizard is also the only browser-based client that supports file integrity checking.

A secure FTP interface is also available on the MOVEit DMZ server for people or programs with secure FTP clients. The MOVEit family offers two free, scriptable command-line clients, MOVEit Freely (FTP) and MOVEit Xfer (HTTPS) both of which support file integrity checking. Ipswitch also offers WS_FTP Professional, a Windows file transfer client with a robust feature set, which also supports file integrity checking. Many third-party companies manufacture secure FTP clients for desktops and servers which will also interface with MOVEit DMZ's secure FTP over SSL and FTP over SSH servers.

For IT departments who desire more control over the MOVEit DMZ environment than the FTP protocol can provide, the MOVEit DMZ API products provide easy access to and control of MOVEit DMZ via a COM object (for Windows) or Java classes (for *nix, Windows, IBM, etc.). MOVEit DMZ API also supports file transfers with full integrity checking and ships with several command-line utilities for administrators who would rather script than program.

If desktop-to-server automation or the ability to access MOVEit DMZ as a local folder is desired, consider using MOVEit EZ. MOVEit EZ is a "tray icon application" which synchronizes content between a user's desktop and MOVEit DMZ and schedules transfers.

When coupled with MOVEit Central and the appropriate licensing, MOVEit DMZ supports AS2 and AS3 file transfer. (MOVEit DMZ can be used as a standalone AS3 server, but without MOVEit Central it has no way of encrypting or decrypting specific messages.)

More information about these clients and the dozens of third-party clients which can also be used to securely exchange files with MOVEit DMZ can be found in the "Client Support" document.

Ad Hoc Transfer

The Ad Hoc Transfer Module, which requires a separate license, provides a secure way to do person-to-person file transfers. Registered MOVEit DMZ users can use a browser or an Outlook plug-in to send files and/or a message (which is called a 'package') to an email address. Composing a MOVEit package that includes files is like composing an email with attachments.

However, there are differences. File attachments sent as part of a package are uploaded to a MOVEit DMZ server. A 'new package notification' email will be sent to the recipients, to inform them that a package is waiting for them. Recipients can click on the web link in this notification, sign on to MOVEit DMZ, and view the package, where they can download the files.

If enabled, a recipient can also reply to a package and send additional attachments, which will also be uploaded to the file transfer server. The organization administrator can set options that determine who can send and receive packages, enforce user- and package-level quotas, and control package expiration and download limits.

Large files and multiple attachments can be sent quickly and securely, avoiding the limitations of a mail server.

MOVEit Central

If more than ten scheduled file transfers, immediate movement of files to/from backend servers from MOVEit DMZ, or connectivity to other servers is desired, MOVEit Central is the best tool to use.

MOVEit Central can support thousands of file transfer tasks and is used in production to securely move hundreds of thousands of files a day at major data centers. MOVEit Central instantly knows when a file has arrived on MOVEit DMZ or a Windows file system and can immediately begin transferring that file to its final destination. MOVEit Central supports the most popular secure protocols used across industries, including FTP, SSH, FTP over SSL, SMIME, PGP, email and AS1/AS2/AS3.

In short, when paired with MOVEit DMZ, MOVEit Central completes a secure transfer system which can securely receive, record and send files to/from to almost anyone supporting a secure transfer protocol.