FTP and its security

Discussion in 'Server Networking' started by Spin, Jul 11, 2006.

  1. Spin

    Spin Guest

    Gurus,

    Everyone knows that FTP is inherently insecure. What with its passwords
    sent in clear text and the unencrypted data stream. But what about using a
    program like WinZip to encrypt the data that is being FTP'd? Wouldn't that
    meet today's security standards, especially in a situation where an FTP
    host only accepts data from a certain IP address?

    We have a government manager who says FTP is insecure and wants to implement
    an SSH solution. I say we have no time to do that and that WinZip encrypting
    the documents being FTP'd out is good enough. I don't need more work; I am
    already busy enough.
     
    Spin, Jul 11, 2006
    #1

  2. Spin

    Scott M. Guest

    Scott M., Jul 11, 2006
    #2

  3. I would agree that SSH or something along those lines that encrypts the
    networking traffic is a better solution that may also be able to ensure
    integrity. IPsec can be used on the internal network. WinZip will do nothing
    to protect against password sniffing if that is a possibility, and also I
    believe that cracking WinZip files may not be all that difficult in some if
    not most cases. However, if it is your call then it is up to you what you
    want to do, as we don't know how sensitive your data and password are and what
    the consequences would be if they are compromised. --- Steve
     
    Steven L Umbach, Jul 11, 2006
    #3
  4. The manager is correct in wanting this changed.

    Sending a pwd-protected zip does not address the clear text AuthN of FTP.
    As someone could sniff the traffic (yes, you did say IP to defined IP set),
    and assuming that you do not have in place a process to regularly change
    the pwd used on the zip, etc., they feasibly could collect a sufficiently large
    sample of your zips to defeat what you have put in place.

    Use Secure FTP, or your existing FTP solution where IPsec policy
    forces all traffic to be within ESP encapsulation, or an HTTPS based
    up/download.
     
    Roger Abell [MVP], Jul 11, 2006
    #4
  5. Spin

    Ian Guest

    FileZilla Server in TLS mode is pretty secure. For a long time we used this
    as our 'intranet' as it worked considerably better than VPN for users on slow
    or dodgy connections in the Middle East.

    The main point with any FTP server is to ONLY allow uploads to specified
    areas. That way, if a password is leaked the damage that can be done is
    limited. We handled this by putting an '!Upload' folder in each disk area and
    making this writeable. (The ! puts it at the top of the folder-list for
    convenience) The rest of the disk-area was readonly to FTP.

    We had several determined attempts to compromise our standard FTP server
    (none succeeded, but the frequency of them became worrying, causing us to look
    for another solution), but very few attempts on the TLS server.

    http://filezilla.sourceforge.net

    The other main option is to use a standard FTP server, and tunnel the
    connection through SSH or Zebedee. In this case, the encryption-key can be
    predefined which adds another layer of security, since even if a password is
    leaked, that password will only be of use on a company computer which has the
    key.
     
    Ian, Jul 11, 2006
    #5
  6. Spin

    Neteng Guest

    The lower down the OSI model you can encrypt, the more secure it is
    (generally). Implement HTTPS or S/FTP, easy to set up and meets your security
    requirements.
     
    Neteng, Jul 11, 2006
    #6
  7. Well, I would say it depends on what your security requirements are and the
    sensitivity of the data being protected. It is not true that FTP is
    insecure; it depends on how you use it. FTP is fine, for example, if you
    permit anonymous FTP with no password for downloading files, such as
    antivirus updates. You might also be able to restrict which IP addresses can
    access the files. IP address spoofing is non-trivial to do with TCP
    applications like FTP.

    If more security is needed, you have several choices: SSH, FTPS, SFTP, and
    WebDAV over HTTPS. The last option is the only option that you can do with
    an ordinary browser, without needing to obtain and install new client
    software on all interested clients. See www.webdav.org for some example
    solutions. This might reduce your overhead, if you have a lot of clients
    that are outside your control.

    With all of these solutions, you have the possibility of additional
    administrative overhead of generating and maintaining user accounts... and
    then forcing those passwords to expire and change, and making sure good ones
    are chosen, can be problematic.

    Note that there are some vulnerabilities with SSH, SSL, etc.... a man in the
    middle can sniff your password very easily, and most users would not notice.
    The user may get a warning, which is often ignored. Use of client
    certificates might reduce the chance of this happening, but then you have to
    generate and distribute the client certificates.
     
    Karl Levinson [x y], mvp, Jul 11, 2006
    #7
  8. Spin

    Robert Moir Guest

    "good enough" depends on how secure you need it to be. The impact of the
    risk of an item being compromised actually happening, in other words. For
    anything beyond the trivial, I'd be unhappy with encrypting files with
    WinZip for a number of reasons.

    1) You're relying on the users remembering to always "encrypt" files.

    2) You're relying on users always picking good passwords when they
    "encrypt" files and not using the same password for files that go to
    different organisations (or even different people with different access in
    the same organisation).

    3) You're relying on the WinZip password mechanism being secure.

    4) You're relying on there being a secure method of exchanging passwords
    with just the people that are meant to have them. And no, emailing them
    the password isn't secure.

    It's up to you, but I wouldn't be overly happy with that as a solution.

    --
    Rob Moir, Microsoft MVP for Security
    Blog Site - http://www.robertmoir.com
    Virtual PC 2004 FAQ -
    http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
    I'm always surprised at "professionals" who STILL have to be asked:
    "Have you checked (event viewer / syslog)".
     
    Robert Moir, Jul 11, 2006
    #8
  9. On the other hand, for protecting antivirus updates, it's too much
    security...

    It's true that WinZip encryption ranges from trivial to crack to fairly
    secure for now, depending on what version and settings you're using.
    There's also PGP and other file encryption methods, all with some risk and
    administrative overhead. As mentioned before, IPsec may be an easy option
    for encrypting FTP without installing new file transfer client software;
    just remember that TCP port 21 is only one of the two channels used, and the
    ports used for the second data transfer session vary depending on whether
    Active or Passive FTP is used.
     
    Karl Levinson, Jul 12, 2006
    #9
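
Post #9's point that TCP port 21 is only one of the two FTP channels, together with the clear-text login raised earlier in the thread, as an added example that is not part of any poster's message. The "C:"/"S:" log format, the host name and both session logs are constructed for illustration; only IPv4 `PORT` and `227` replies are handled, not `EPRT`/`EPSV`.

```python
import re

# Constructed client-side logs ("C:" = client, "S:" = server); addresses are documentation ranges.
PLAIN_PASSIVE = """\
S: 220 ftp.example.test ready
C: USER reports
S: 331 Password required
C: PASS not-a-real-password
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
"""
TLS_ACTIVE = """\
S: 220 ftp.example.test ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER reports
C: PASS not-a-real-password
C: PORT 198,51,100,7,4,1
"""

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode RFC 959 'h1,h2,h3,h4,p1,p2' into (ip, port); None if absent or out of range."""
    m = HOSTPORT.search(text)
    nums = [int(g) for g in m.groups()] if m else []
    if not nums or any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def audit(log):
    """Report whether PASS was sent before TLS and which data-channel endpoints were negotiated."""
    tls, auth_pending = False, False
    result = {"cleartext_login": False, "data_channels": []}
    for line in log.splitlines():
        side, _, msg = line.partition(": ")
        verb = msg.split(" ", 1)[0].upper()
        if side == "C":
            auth_pending = verb == "AUTH"
            if verb == "PASS" and not tls:
                result["cleartext_login"] = True
        elif verb == "234" and auth_pending:
            tls = True  # server accepted AUTH; control channel is protected from here on
        # PORT (active, sent by client) and 227 (passive, sent by server) name the data endpoint.
        mode = {"PORT": "active", "227": "passive"}.get(verb)
        endpoint = parse_hostport(msg) if mode else None
        if endpoint:
            result["data_channels"].append((mode, *endpoint))
    return result
```

The data-channel port is negotiated per transfer (50000 and 1025 in these two logs), so an IPsec or firewall policy written only for port 21 leaves the file contents outside it.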
  10. Agreed, unauthenticated FTP for download of non-sensitive data is
    not inherently problematic. Any other use of FTP, however, is as if naked
    on the network. I took the implications of the poster to indicate that
    they were not using unauthenticated download, and hence had some
    degree of concern that they protect to whom that data is made visible.
     
    Roger Abell [MVP], Jul 12, 2006
    #10
  11. Spin

    Robert Moir Guest

    Yep, $10,000,000 question is: what is the impact of the security risk
    actually happening?
    I'd always assume the worst. Not that I don't trust people, but we all
    make mistakes, so I assume that mistakes will happen where it's possible
    for them to happen, so I look for ways to remove that possibility. That's
    why I like securing the channel rather than the files, so that the user
    doesn't have to remember to do anything other than just dump them in some
    kind of "outbox".
     
    Robert Moir, Jul 12, 2006
    #11
  12. Spin

    S. Pidgorny Guest

    G'day:

    Transmission security is of no help here. It's more important to make sure
    of the origin and integrity by signing the updates, or even more crucial - the
    OS updates.

    Actual financial impact analysis can be performed, but that's hard and
    dependent on the business risk framework.
     
    S. Pidgorny, Jul 13, 2006
    #12