We are supposed to be implementing a file-transfer solution between us and a third-party, which uses a dedicated private line between us and them, and FTPS (i.e. FTP over SSL/TLS) to transfer files.
However, I am reading through the current iteration of the specification, and have discovered the following paragraph:
The communications channel will consist of an encrypted and authenticated session between your and our PEP devices. This session will use the TLS v1.1 protocol standard (RFC4346) and will make use of mutual authentication using PKCS #3 Ephemeral Diffie-Hellman key exchange to generate a shared secret.
When I first saw this, I thought it was describing the TLS used by the FTPS connection. However, now I'm not so sure. The above implies some sort of additional tunnelled communication: i.e. FTPS, over a TLS tunnel(?), itself over a dedicated line -- possibly some sort of SSL-based VPN.
I seem to be missing a piece of the puzzle here, with regards to the PEP. The specification document's glossary defines this as a Policy Enforcement Point but, from a practical standpoint, I can't even claim to know what this is. In any case, I doubt I currently have one.
I've got the following components in place:
A Windows Server, where I was intending to install the FTPS server component (IIS 7.5), an FTPS client library, and bespoke software to move the files around
A Cisco ASA firewall, which is separating the server from the ADSL router that has been put in to provide the dedicated line.
A PCI-card hardware security module, installed in the Windows server, which stores the private keys for FTPS server certificate (and, presumably, the key for the certificate that backs this PEP/TLS connection).
What is the PEP, and where does it fit into this scenario?
Is there a service that I should be looking at installing, to establish this tunnelled connection?
(I thought maybe an SSTP VPN connection, but I may be missing the point.)