Introduction:
At Dispel, we understand that transferring files from a local machine to a virtual desktop (VDI) can sometimes be seen as a potential security risk. For this reason, we often restrict such actions to maintain the integrity of your system. However, we also recognize that secure and reliable file transfers are essential for certain operations, particularly when communicating with your OT network. To meet this need, we offer secure methods to transfer files between your local machine, a Dispel VDI, and your OT network.
In most of our deployments, there are two primary file transfer pathways:
Between your local machine and the VDI
Between the VDI and your OT network.
For clarity, the diagram below shows what these transfer events look like.
In order to address both of these file transfer events, our priority is to provide you with the file transfer methods that are most appropriate for your specific requirements while ensuring that all traffic is encrypted and secure. This guide will help you understand the available options and identify the solution that best aligns with both your operational needs and our security standards.
The First Hop: Local Machine to Dispel VDI
At Dispel, we prioritize security when it comes to file transfer. Our approach is to recommend the most secure method available to ensure your operations remain protected from potential security risks. However, while we always encourage using the highest security protocols, if your specific requirements cannot be met by the most secure methods, we can always work to scope out how Dispel can best ensure your operational needs are met.
By following this approach, we help ensure that security vulnerabilities are minimized and your data remains safe throughout the transfer process.
Third-Party Cloud Storage Integration
At Dispel, we can enable secure access to your preferred third-party cloud file storage directly through your virtual desktop. By whitelisting access to the cloud storage domain you specify, we ensure seamless integration within our platform.
What cloud storage services can Dispel integrate with?
Box
Dropbox
SharePoint
OneDrive
If you use another cloud storage service, we can integrate it as long as you provide the necessary domain information. Furthermore, most cloud storage solutions offer strong security features such as encryption-in-transit and encryption-at-rest for your files, along with multi-factor authentication (MFA) to protect user accounts. For these reasons, we recommend using the providers listed above.
Additionally, many cloud storage services offer robust auditing features, allowing you to track user activity and actions performed on specific files. You can also configure file scanning and other security policies to further protect your data.
Mapping Local Computer’s Drives to VDI and Enabling Clipboard Sharing:
Dispel supports the ability to map a user’s local drive to a virtual desktop (VDI) through a direct connection, but this feature is only available for RDP connections—it is not possible for browser-based access. While convenient, this method presents certain security challenges.
Drive mapping allows files to move freely between your local machine and the VDI, and these transfers may not be audited. This lack of oversight can be a concern, particularly for organizations with strict compliance requirements or multiple external vendors.
Additionally, we cannot guarantee the security of files coming from a local machine, which may have untrusted or internet-connected drives.
To mitigate some of these risks, we install Windows Defender on our VDIs. Defender can detect, quarantine, and remove dangerous files, adding a layer of security. If a file is flagged, it is moved to a “quarantine zone” and cannot interact with other system files. You can also monitor Defender’s activity via the Event Viewer for more visibility into any detected threats.
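One way to review Defender's activity without clicking through Event Viewer is to query the same log from PowerShell. This is an added example, not Dispel tooling; the 7-day window is an assumption, and the `FromRdpDrive` flag assumes Defender reports files on a redirected local drive under the `\\tsclient\` path that RDP drive mapping uses:

```powershell
# Added example: summarize Defender detections recorded on the VDI.
# Event ID 1116 = threat detected, 1117 = action taken on a threat.
$log   = 'Microsoft-Windows-Windows Defender/Operational'
$since = (Get-Date).AddDays(-7)      # assumption: 7-day review window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = 1116, 1117
    StartTime = $since
} -ErrorAction SilentlyContinue      # "no matching events" is not a failure here

$report = foreach ($e in $events) {
    # EventData is a list of <Data Name="...">value</Data>; index it by name.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    [pscustomobject]@{
        Time         = $e.TimeCreated
        EventId      = $e.Id
        Threat       = $data['Threat Name']
        Severity     = $data['Severity Name']
        User         = $data['Detection User']
        Path         = $data['Path']
        # Redirected local drives appear in the session as \\tsclient\<drive>
        FromRdpDrive = [bool]($data['Path'] -match '\\\\tsclient\\')
    }
}

$report | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Rows with `FromRdpDrive` set to `True` are detections on files that arrived through a mapped local drive, which is the transfer path that otherwise leaves no audit record.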
Another option available upon request is Clipboard Sharing. While typically disabled by default, Clipboard Sharing allows users to copy and paste content between their local machine and the VDI during an RDP session. Like drive mapping:
Clipboard Sharing may not be audited, making it difficult to track what is transferred.
Furthermore, it is best suited for small, short file transfers rather than moving large files quickly, which is where drive mapping excels.
Due to the lack of auditability, we generally recommend against enabling either feature by default unless it is necessary for your day-to-day needs. However, if required, there are additional steps that can be taken to increase security, such as using Process Monitor to track file and text transfer events or exporting Clipboard history for monitoring purposes.
The Second Hop: Dispel VDI to OT Network
Each Virtual Desktop Infrastructure (VDI) we deploy is designed to feel like an on-site workstation, customized with the necessary programs and applications to ensure a seamless user experience. Our goal is to replicate the same level of functionality that you would expect from your on-site machine, including the file transfer processes. This forms the foundation for how we develop and implement file transfer workflows within our platform.
In some cases, more complex file transfer scenarios arise—such as those involving Rockwell systems. These custom solutions require tailored approaches that focus on integration rather than security alone. While we continue to prioritize security in all our deployments, the complexity of these integrations often becomes the primary challenge we address. If you have any questions regarding whether or not we can integrate a specific method present in your systems, please feel free to reach out via the Dispel Help Channel.
Network Protocols for File Transfer
Dispel supports a variety of secure network protocols for file transfer, allowing us to integrate seamlessly with your existing systems. Below are some of the most common protocols we integrate.
SFTP (SSH File Transfer Protocol)
SFTP uses SSH encryption (port 22) to secure both file transfers and control commands. Authentication can be done using either username/password or public/private keys. This ensures end-to-end encryption, making SFTP an extremely secure option for file transfers. SFTP is a highly interactive protocol, ideal for transferring large files that may need pausing and resuming. It’s commonly used by customers who prioritize security and require a reliable file transfer process.
SCP (Secure Copy Protocol)
SCP also uses SSH encryption (port 22), offering the same security level as SFTP, but it’s designed for one-off, quick file transfers. SCP is typically faster than SFTP because it doesn’t require waiting for packet confirmations, making it ideal for smaller file transfers. The security differences between SCP and SFTP are minimal, as both rely on the same encryption protocols. However, SCP is better suited for customers looking for efficiency in smaller file transfers.
FTPS (File Transfer Protocol over SSL/TLS) and FTP (File Transfer Protocol)
FTPS adds SSL/TLS encryption to standard FTP, using port 21 for control commands and port 990 for encrypted data transfer. While FTPS offers encryption for both the control and data channels, it can be complex to configure due to its multi-port setup, which may cause firewall issues. FTP, on the other hand, does not offer encryption and is inherently insecure. As a result, we would rarely recommend using FTP for any file transfers unless necessary. Traffic through Dispel is always encrypted, and so integrating FTP can typically be done through a secure method.
Choosing the Right Protocol
SFTP: Best for transferring large files with high security and the ability to pause/resume.
SCP: Ideal for fast, smaller file transfers.
FTPS: Suitable for users who need certificate-based authentication but have more complex requirements due to SSL/TLS configurations.
Ultimately, the choice of protocol depends on your security needs and file transfer operations. If you require key-based authentication and only need to open one port (22) on your firewall, SFTP or SCP would be ideal. For customers who need certificate-based authentication, FTPS may be necessary, but it comes with more configuration challenges. At Dispel, our goal is to make file transfers secure without complicating your operations. We’re here to help you choose the right protocol based on your specific architecture.
WinSCP and VNC: GUI-Based File Transfer Solutions
Both WinSCP and VNC offer graphical user interfaces (GUI) for secure file transfers and remote access, making them user-friendly options for customers who prefer not to use command-line tools.
WinSCP
WinSCP is a file transfer client for Windows that supports various protocols, including SFTP, SCP, FTPS, and FTP. Its primary advantage is its ability to provide secure file transfers using either SSH encryption (for SFTP and SCP) or SSL/TLS encryption (for FTPS). Unencrypted FTP is also an option, though it is not recommended due to security risks.
Security: Encrypted using SSH for SFTP/SCP or SSL/TLS for FTPS.
Port: Uses port 22 for SFTP/SCP, 21 for FTP.
Use Case: Ideal for customers looking for a secure, GUI-based solution for managing file transfers across multiple protocols.
VNC (Virtual Network Computing)
VNC provides a remote desktop-sharing solution that uses the Remote Frame Buffer Protocol (RFB). It allows users to remotely control another computer, transferring files by interacting directly with the remote desktop. However, VNC connections themselves are not encrypted by default. For security, SSH tunneling or encrypted VNC variants such as RealVNC or TightVNC should be used.
Security: Not encrypted by default, but can be secured with SSH tunneling or encrypted VNC implementations.
Port: Typically uses port 5900.
Use Case: Ideal for customers who prefer a graphical interface for remote file management, with the added benefit of GUI-guided file transfers.
Usage Cases and Security Considerations
Understanding Your Use Cases
At Dispel, we prioritize integrating your existing file transfer methods into our platform. If you have any questions about our support for file transfers, here’s what you can expect from us!
Dispel offers a wide range of secure file transfer tools, and we want to ensure you fully understand our capabilities and how they can fit into your existing systems. For example, if you already use a service like Box, we can quickly discuss how Dispel integrates with it, ensuring a seamless and secure experience from your end.
It’s important to note that while we provide secure remote access, we are not a secure file storage company. Our goal is to integrate with your current tools, not to replace them. If file transfer is a part of your secure remote access (SRA) needs, we can show you how to make the most of the solutions you’re already using. To make sure we’re aligned with your needs, here are three key questions we’ll help you answer:
How often do you transfer files?
How large are the files you transfer?
What security or integration requirements are essential for your file transfers?
By addressing these questions, we can ensure that the file transfer solutions we offer are the best fit for your operations.
Additional Comments and Concerns
When transferring files between your local machine, virtual desktop, and OT network, it’s essential to take additional precautions to maintain security. Here are some important considerations:
Isolation: Your OT network should remain isolated from external networks to minimize exposure to potential threats. Only secure protocols should be used for file transfers to maintain this separation.
Logging and Monitoring: It’s critical to use transfer protocols that provide robust logging and auditing capabilities. This helps track and detect any unauthorized transfers, ensuring the integrity of your system.
Authentication: For enhanced security, we recommend using key-based authentication methods instead of relying solely on username and password. This adds an extra layer of protection to your file transfer process.
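The logging and key-based authentication recommendations above can be combined in a single upload wrapper run from the VDI. This is an added example, not Dispel tooling: it uses the OpenSSH `sftp` client, and the host name, account, key path, remote directory and audit file are placeholders chosen for illustration.

```powershell
# Added example. All default values below are placeholders (assumptions).
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $RemoteHost = 'sftp.ot.example.internal',
    [string] $User       = 'transfer-svc',
    [string] $KeyFile    = "$env:USERPROFILE\.ssh\id_ed25519",
    [string] $RemoteDir  = '/incoming',
    [string] $AuditCsv   = "$env:USERPROFILE\sftp-audit.csv"
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

# sftp batch file: change to the remote directory, then upload by file name.
$batch = New-TemporaryFile
Set-Content -LiteralPath $batch.FullName -Encoding ascii -Value @(
    "cd `"$RemoteDir`""
    "put `"$($file.Name)`""
)

Push-Location -LiteralPath $file.DirectoryName
try {
    # Key-only login on port 22; refuse unknown host keys and password fallback.
    & sftp -P 22 -i $KeyFile -b $batch.FullName `
        -o StrictHostKeyChecking=yes -o PasswordAuthentication=no `
        "$User@$RemoteHost"
    $exitCode = $LASTEXITCODE
}
finally {
    Pop-Location
    Remove-Item -LiteralPath $batch.FullName
}

# Append one audit row per attempt, successful or not.
[pscustomobject]@{
    TimeUtc   = (Get-Date).ToUniversalTime().ToString('o')
    LocalUser = $env:USERNAME
    File      = $file.FullName
    Bytes     = $file.Length
    Sha256    = $hash
    Target    = "$User@${RemoteHost}:$RemoteDir"
    ExitCode  = $exitCode
} | Export-Csv -LiteralPath $AuditCsv -Append -NoTypeInformation

if ($exitCode -ne 0) { throw "sftp exited with code $exitCode" }
```

Because `StrictHostKeyChecking=yes` is set, the server's host key must already be present in the user's `known_hosts` file, obtained through a trusted channel, before the first transfer.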