Help

Having issues using one of our services? Look at some of the guides below.

Insight SFTP Service

Introduction

Note: All the data in this document is public information; nothing in this document is commercially sensitive.

This guide will help you get access to our Insight SFTP server, sftp.confused.com, so you can pull your data files. Some of our partners may encounter issues when trying to access this data, and more often than not this is due to network security policies applied at both the client (you) and the server (us). These policies are necessary to protect you as the consumer of your data and also to protect the individuals whom the data describes.

Each of you will have a different bespoke network configuration, so this document uses our systems as an example case study.

Where appropriate, external links have been provided to help you understand some of the technical terms used in this document.

Know Your IP Addresses

You will need to give us the public IPv4 addresses for your development environment and production environment. Before cloud computing this was simple, as many of you had on-premise corporate proxy servers (https://www.varonis.com/blog/what-is-a-proxy-server) and physical data center providers.

Then the Cloud came along to meet the increased demand for financial technology, but in turn it added complexity to our systems.

Local Development

Insight Services is based in Cardiff, but if we look up our IP using the free service whatismyipaddress.com, it shows that we are in London. This is actually our VPN provider, who uses a large pool of IPs that can change as demand scales.

https://whatismyipaddress.com/

This is not helpful when we want to secure cloud assets or access a partner's system that needs us to have a fixed IP. In these cases we use a proxy server to route our Internet traffic for specific domains through fixed IP addresses. The example below shows how we have explicitly routed one of our service providers, such as our paid-for IP Geolocation API, through the fixed IP in our Dublin data center, which allows us to use the IP restriction features in this service.

https://whatismyipaddress.com/

So why do we bother with London at all? Why not route all traffic via our Dublin and Amsterdam assets? Well, we like to keep our operational costs as low as possible without compromising our services to you.

Production

In production we don't have a proxy server; instead we route all outbound network traffic through a firewall, and our firewall has a fixed IP. While we do get the benefits of a fixed IP, the primary purpose is to control what traffic we allow out, to prevent unwanted egress through vulnerabilities. Examples include XXE and Log4J exploits, whereby an attacker can use vulnerabilities in your systems to send data out of your environment and into theirs.

Rvu Cardiff Egress

Give us your IP addresses

Once you have worked with your network engineers and gained a basic understanding of how your network architecture is configured, we need you to give us your IPs as single IP entries, a range or a CIDR.

Examples include:

Single '147.161.143.104','147.161.143.104','147.161.143.105','147.161.143.106'

Range '147.161.143.104-147.161.143.107'

CIDR '147.161.143.104/30'

Ideally you will give us no more than 4 IPs for your office VPN and no more than 4 IPs for your production and test environments.

We can accommodate far more, but if you find that you are giving us ranges that cover your entire network, this indicates that you have a very large attack surface and that you are susceptible to some of the egress attacks we have discussed above.

Note that hacker groups like LulzSec don't specifically target an organisation; they tend to look for unprotected public IPs and see if they can compromise them. If they succeed, they then look at who the IP belongs to. So the bigger the range you give, the higher the chance you will attract unwanted attention.

Note: We do not accept IP addresses from banned countries as defined by our compliance policy.

We also check on our firewall whether IPs have been active within a 90-day period; any that have not been active in this time are removed.
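The three accepted forms can be normalised and sanity-checked before they are sent. The sketch below is an added example, not code from this guide or its authors; it uses Python's standard ipaddress module, and the function names and the limit of 4 per submitted list (taken from the guidance above) are assumptions.

```python
import ipaddress

MAX_ADDRESSES = 4   # assumption: the guide's suggested ceiling, applied per list

def parse_entry(entry: str):
    """Turn one Single, Range or CIDR entry into a list of IPv4 networks."""
    entry = entry.strip().strip("'\"")
    if "-" in entry:                                   # Range: first-last
        first, last = (ipaddress.IPv4Address(p.strip())
                       for p in entry.split("-", 1))
        if first > last:
            raise ValueError(f"range runs backwards: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    if "/" in entry:                                   # CIDR
        # strict=True rejects a prefix with host bits set, e.g. x.x.x.105/30
        return [ipaddress.IPv4Network(entry, strict=True)]
    return [ipaddress.IPv4Network(entry + "/32")]      # Single address

def normalise(entries):
    """Return (collapsed CIDR strings, address count, warnings)."""
    networks = [net for e in entries for net in parse_entry(e)]
    # collapse_addresses removes duplicates and merges adjacent blocks
    collapsed = list(ipaddress.collapse_addresses(networks))
    total = sum(net.num_addresses for net in collapsed)
    warnings = [f"{net} is not a public address" for net in collapsed
                if not net.is_global]
    if total > MAX_ADDRESSES:
        warnings.append(f"{total} addresses submitted, more than {MAX_ADDRESSES}")
    return [str(net) for net in collapsed], total, warnings

# The three example forms shown in the guide
SINGLE = ["147.161.143.104", "147.161.143.104",
          "147.161.143.105", "147.161.143.106"]
RANGE = ["147.161.143.104-147.161.143.107"]
CIDR = ["147.161.143.104/30"]

if __name__ == "__main__":
    for label, sample in (("Single", SINGLE), ("Range", RANGE), ("CIDR", CIDR)):
        print(label, normalise(sample))
```

The Range and CIDR examples reduce to the same /30 block of four addresses, while a /24 would be reported as 256 addresses and flagged.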

Test Connectivity

Once we have added your IPs to our firewall you will be able to test connectivity by browsing to https://sftp.confused.com/Web/Account/Login.htm.

It is possible your corporate proxy server may block your access to the domain sftp.confused.com, as your organisation may have a policy of only allowing you to access work-related websites and other work-related internet resources.

If you are prompted with a login screen we are ready for the next steps.

Check your ports are open

By default most network engineers will only leave ports 443 (HTTPS, i.e. secure web browsing and APIs) and port 80 (HTTP, unsecured web browsing) open. We will need your engineers to unblock port 22 (SFTP) on your systems.

If you are using a Windows system you can enable Telnet in the Control Panel.

Note: You may need your help desk to either give you the access rights to install Telnet or have them do it for you.

Once installed, run the following command.

 Telnet sftp.confused.com 22

If the connection is successful you will get the following:

SSH-2.0-8.1.0.0_openssh GlobalSCAPE

If you get to this point, all connection issues have been resolved between you or your application, your network and our network.
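Where Telnet cannot be installed, the same check can be scripted. This is an added example, not part of the original guide; the function names and status labels are assumptions. It connects to port 22, reads the server's SSH identification string and separates the common failure modes.

```python
import socket

def parse_ssh_banner(line: bytes):
    """Split an SSH identification string (RFC 4253, section 4.2) into parts."""
    text = line.decode("ascii", errors="replace").strip()
    ident, _, comment = text.partition(" ")
    parts = ident.split("-", 2)            # "SSH", protocol version, software
    if len(parts) != 3 or parts[0] != "SSH":
        return None                        # something answered, but it is not SSH
    return {"protocol": parts[1], "software": parts[2], "comment": comment}

def read_banner(sock, limit=255) -> bytes:
    """Read up to the first newline; on an SSH port the server speaks first."""
    data = b""
    while b"\n" not in data and len(data) < limit:
        chunk = sock.recv(limit - len(data))
        if not chunk:                      # peer closed the connection
            break
        data += chunk
    return data.split(b"\n", 1)[0]

def check_sftp_port(host, port=22, timeout=5.0):
    """Connect like `telnet host 22` and report which kind of result occurred."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return {"status": "timeout"}       # usually a firewall dropping packets
    except ConnectionRefusedError:
        return {"status": "refused"}       # host reached, nothing listening
    except OSError as exc:
        return {"status": "error", "detail": str(exc)}   # DNS, routing, ...
    with sock:
        try:
            banner = parse_ssh_banner(read_banner(sock))
        except OSError:                    # connected, but no data in time
            return {"status": "no_banner"}
    if banner is None:
        return {"status": "not_ssh"}       # e.g. an intercepting proxy replied
    return {"status": "ok", **banner}
```

Call `check_sftp_port("sftp.confused.com")` from the machine whose outbound IP was submitted; a status of `ok` corresponds to the successful Telnet result shown above.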

Get Your Account

Ask us for the accounts you need. We will create them and share the information via Keeper One Time Share; you can then use the SFTP client of your choice.

If you are still having issues with access, we constantly record successful and failed access attempts at both the firewall and the server level, and we can also test that your account is authorized and can upload and download files, so contact us if you have any issues.

Checklist

  1. Confirm the outbound IP addresses of your development, test and production environments, and get these to us ASAP.
  2. Wait for us to confirm we have permitted your IP addresses in our SFTP services. This should take no more than 2 working days.
  3. Get your network engineers and/or infosec teams to allow access to sftp.confused.com on both ports 22 and 443.
  4. Get your network engineers and/or infosec teams to allow access to keepersecurity.eu on port 443.
  5. Test connectivity using the steps listed above, or use similar tools preferred by your network engineers.
  6. Once you have confirmed basic connectivity we can share your account details via Keeper One Time Share.
  7. Start pulling files.