VA Technical Reference Model v 24.7

• This entry is available as an open source technology.

• Windows Client - Approved w/Constraints
• Windows Server - Approved w/Constraints

Runtime Dependencies:

• No runtime dependencies have been identified.

Comparable Technologies:

• AbsoluteTelnet Secure Shell (SSH)
• Cluster Secure Shell (ClusterSSH)
• DOSBox
• NoMachine RemoteDesktop
• Open Secure Shell (OpenSSH)
• OpenSC (Smart Card)
• Tectia Secure Shell (SSH) Client/Server
• Tera Term

Companion Technologies/Supported Standards:

• Microsoft Visual Studio

Adoption Benefits

• This technology may improve productivity for specific staff whose responsibilities include administering and managing network resources without being physically present at the device location.

• This technology is available at no cost through open-source licensing and supports VA`s open source initiative.

• This is a well-documented technology. 

Adoption Risks

• There are Threat & Assessment Analysis Portal (TAAP) bulletins associated with this technology.

• There are published vulnerabilities that affect versions up to 0.75 of this software.

• Due to the rapid release schedule of this technology, the VA may be unable to update to the most recent patch and may require a deployment model requiring the use of specific versions.

• Although this vendor utilizes Federal Information Processing (FIPS) 140-2 encryption, there is no indication based on the vendor documentation or the Cryptographic Module Validation Program (CMVP) that this technology is Federal Information Processing Standards (FIPS) 140-2 certified.

• There are known Common Vulnerabilities and Exposures (CVEs) associated with this technology. Please see https://nvd.NIST.gov/vuln/search for more details.

• As open-source software, this product may be left without clearly defined support options which may result in suboptimal enterprise level support.

• The potential exists to store Personally Identifiable Information (PII), Protected Health Information (PHI) and/or VA Sensitive data and proper security standards must be followed in these cases.

• There are other approved solutions that provide similar functionality available on the TRM. The use of several similar solutions may increase organization requirements for support and maintenance. 

• PuTTY uses a key generator such as putygen.exe to generate a pair of keys which are not with Federal Information Processing (FIPS) 140-2 certified. On the other hand, PuTTY-CAC uses the private/private keys stored on the hard token (PIV Card) which are FIPS 140-2 compliant. Successful authentication to remote servers is based on how PuTTY is configured. This authentication via keys is separate from AD authentication, and additionally requires the on-going management and proper placement of SSH key.

• Configuration should be performed by an Administrator using the Solution Delivery Business Systems Engineering hardening guide to prevent the risk of misconfiguration which is likely to increase the VA’s attack surface.

• There are many concerns that stem from the use of open-source software

  that need to be considered.

  • Difficulty managing open-source licenses (e.g., MIT, Apache, GNU, BSD,

  etc.) and compliance risks.

  • Failure to track open-source components and update those as new

  versions become available.

  • Open-source software quality risks.

  • Difficulty tracking of open-source vulnerabilities due to lack of centralization of information.

Architectural Risks

• This technology is not portable as it runs only on Windows platforms.