Are OS-provided FTP commands with PGP encryption enough?, File transfers, Windows, Unix

Posted on 2002-06-17
Medium Priority
Last Modified: 2010-04-21
FTP command line versus other new methods. Strengths, weaknesses, risks, etc... Keeping costs in mind and using existing hardware without adding additional hardware

Our company performs FTP in several different departments from several different systems. Mostly Unix but a few Windows boxes.
We decided to step back and review all uses and then recommend a strategy.

Currently we are using the standard FTP commands that come with Unix and DOS to FTP.

- First we use PGP to encrypt a file.
- We then place the file on our server in the directory from which the external party (outside the enterprise) would retrieve the file (they could also drop off a file).
- When the person logs in they are restricted to a directory they have access to.
- They then perform a PUT or GET to send/receive a file.

Instead: I suppose we could use an FTP server with a certificate that would ensure a secure SSL connection. I think this secures the channel but not the data. We could use SCP or something like that, which I do not fully understand.

Our goal is to make things simple, cost-effective, and minimize risk. We must be able to push files to other systems or have users retrieve files regardless of platform for the most part.

We have looked at a few products but always come back to: why should we set up an additional server and ensure a user has a certain client (in the case of SSL and certificates), if we can accomplish the same thing with locked-down directories by userid?

While what I described above is not very techie, current, or robust, it does allow people to perform "puts" and "gets" without running FTP software as a service at either end, thus making life a little easier: easier to set up and troubleshoot.

I suppose we could get more complicated and talk about WEBDAV and such but not sure we need all of this.

We are ONLY allowing certain people to come through our firewall via IP address to "Get" items. To "Put" items we do not need any special rules in the firewall.

While this perhaps may be old-school thinking, it is cheap, allows 2-way transfers, and has PGP security (not the best but probably pretty good, as the name implies).

We would like people to comment on the above, shoot holes in it, point out risks we would incur, and perhaps present other very cost-effective solutions that have ease of installation.

However, it is important that we can send AND receive. And we must be able to send and receive in an unattended manner (scheduled, batch-type or scripted jobs).

Thanks, Peter
Question by: pacumming
LVL 51

Expert Comment

ID: 7083978
What is PGP encryption used for?
To secure the traffic, or to make sure that only authenticated/authorized persons can read the file?

If encryption is just to secure the transport, I suggest ssh/scp.
This requires an sshd on your server, and an scp client. ssh/scp is in wide use on almost all platforms (including Windoze).
There are also some Java-based clients which can be used via a Java-capable web browser; then you don't even need an ssh/scp client.
LVL 14

Expert Comment

ID: 7084081
This is a pretty difficult problem to solve.  PGP is pretty much dead now that NAI has killed the commercial version.  But there's really no replacement out there either.

"Secure" FTP could work, but it requires special client software.

Probably the best answer at this point is HTTP/S file uploads.

One product that supports this is Valicert, though there are also some Perl scripts floating around out there if you want to roll your own.
LVL 21

Expert Comment

ID: 7084292
The userid & password will be unencrypted, and so can be "snooped". I presume your external users only have ftp access and are chrooted to a subdirectory, so a hacker should only be able to trash files in that directory or fill the filesystem up.

I also assume that your firewall only allows incoming traffic on FTP ports. If not, consider creating a "DMZ" by placing the system outside your firewall and giving it its own (tighter) firewall between it and the outside world.


LVL 51

Expert Comment

ID: 7086201
> .. PGP is dead ..
.. and GnuPG does all the work now (and hopefully will be fully compatible with ancient PGP soon)

Author Comment

ID: 7090746
We have a DMZ. Right now we would have outbound traffic only. I do worry about the password in clear text but is that really true and how much of a risk is it in reality?

Now we know how to do https and such. BUT the thing we need is to be able to run in an unattended mode even with https. How can that be unattended? What packages allow a send and a receive, assuming we had the server on our side?

Also, when people mention loading ssh and scp and so on: we need a solution that is basically a package where we do not have to load various components and test them out,
UNLESS we were to stick with FTP and use the commercial version of PGP or some equivalent encryption out there.

We would like somehow to ascertain that the file has been picked up from our server or transmitted to the user's box, but we are not sure of the best way to do this.

Thanks for options for a newbie when it comes to Unix and such. I mainly deal with Windows and the Internet but have not played with unattended transfers and putting together protocols and things.

Thanks, Peter
LVL 51

Expert Comment

ID: 7090810
> we need a solution that is basically a package where we do not have to load various components and test them out.

You still have such packages: PGP and ftp.
So, why do you worry about using another one?
SSH is just *one* package and gives a solution for all your questions.

You still did not give an answer to my question:
    what is PGP encryption used for?

> .. ascertain that the file has been picked up from our server or transmitted ..
What exactly do you need?
  1) log entry that it was picked up
  2) information that it was transferred
  3) verification that it was transferred correctly

1) is done by sshd automatically,
2) either needs manual interaction, or a script which sends confirmation somehow
3) somehow similar to 2)

> .. run in an unattended mode ..
see ssh
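One way to script items 1) and 3) from the list above in an unattended job, as an added example that is not from this thread: a sha256 manifest is generated beside the outgoing (already PGP-encrypted) files, the receiver verifies against it, and the sender's side scans sshd/sftp-server log lines for a "close" record with a non-zero read count to confirm pickup. The log format assumed is OpenSSH's internal sftp-server logging; the log lines and file contents below are constructed for the example.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed sample outbound files (in reality these would be the PGP-encrypted files on disk).
OUTBOUND: Dict[str, bytes] = {
    "report.pgp": b"-----BEGIN PGP MESSAGE-----\nhQEMA...constructed...\n-----END PGP MESSAGE-----\n",
    "invoice.pgp": b"-----BEGIN PGP MESSAGE-----\nhQEMA...constructed2...\n-----END PGP MESSAGE-----\n",
}

# Constructed sftp-server log lines in the style OpenSSH emits at LogLevel INFO.
SFTP_LOG = [
    'Jun 17 10:02:11 dmzhost sftp-server[4321]: open "/outbound/acme/report.pgp" flags READ mode 0666',
    'Jun 17 10:02:12 dmzhost sftp-server[4321]: close "/outbound/acme/report.pgp" bytes read 20480 written 0',
    'Jun 17 10:05:00 dmzhost sftp-server[4399]: close "/outbound/acme/invoice.pgp" bytes read 0 written 0',
]

CLOSE_RE = re.compile(
    r'sftp-server\[\d+\]: close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)'
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Return a sha256sum-style manifest ("<hex>  <name>" per line) for the outgoing files."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


def verify_against_manifest(manifest: str, received: Dict[str, bytes]) -> List[str]:
    """Item 3): names of files that are missing or whose digest does not match the manifest."""
    problems: List[str] = []
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        data = received.get(name)
        if data is None or sha256_hex(data) != digest:
            problems.append(name)
    return problems


def picked_up(log_lines: Iterable[str], path: str) -> bool:
    """Item 1): True once the sftp log shows the file was closed after a non-zero read (a download)."""
    for line in log_lines:
        m = CLOSE_RE.search(line)
        if m and m.group("path") == path and int(m.group("read")) > 0:
            return True
    return False
```

In a scheduled job the manifest is sent alongside the files and the receiving script exits non-zero when verify_against_manifest returns anything, which is what the batch scheduler can alert on.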
LVL 51

Expert Comment

ID: 7090815
oops, just another idea: rsync
solves the problem of verification and confirmation also
see http://rsync.samba.org/
LVL 14

Expert Comment

ID: 7090881
Or at least rsync over SSH...

But, this assumes that both ends are *ix.

Meanwhile, as for FTP servers getting cracked because they send plaintext passwords, yes it is definitely possible for a determined attacker to do this (usually by infiltrating something else that can sniff the packets).

Whether the data is interesting enough for anyone to bother and how much you will lose if this does happen is something you have to answer.

For example, if this is (other people's) healthcare data or financial data, you're breaking the law if you don't encrypt the session.

If it's information about the strategic direction of your company, your competitors may be highly motivated to get a hold of it.

If it's graphics that another company is sending you that you'll use in a brochure you're printing that a human is going to look at (and therefore can see with their own eyes if the graphic looks sane), then I wouldn't worry about it.

Meanwhile.... as for automating HTTP/S transfers... yes, there are tools to do this.  Commercial tools like Valicert, and non-commercial tools like wget (http://www.gnu.org/directory/wget.html) and winnie (aka wput - http://jigsaw.w3.org/Winie/)

Author Comment

ID: 7091117
Thanks. Let's put it this way. Perhaps you have answered it.
Is there a product that runs on Unix and Windows that will satisfy ALL of the following:
- file encryption or SSL (the channel); do not want to VPN
- will allow sending data to another box
- will allow a sender to send data to us, thus receipt of a file
- password is encrypted as opposed to plain-text FTP
- can run in command-line mode and be scheduled in a batch or script
- and does not take about 2-3-4 components to get it working.

Also what do you think the majority of people are doing now in terms of sending and receiving data outside of using a VAN solution such as GEIS?

What do you think the trend may be in the future?

Thanks, Peter
LVL 14

Accepted Solution

chris_calabrese earned 600 total points
ID: 7093034
Yes, the product is Valicert.

As for what most people are doing, larger companies tend toward private networks (frame, VAN, or VPN), mid-size companies tend toward FTP with PGP, and small companies tend toward plain old FTP with no encryption.
LVL 51

Expert Comment

ID: 7093902
and again: answer to all last questions: SSH
(assuming that "file encryption" means "secure encrypted channel", 'cause this question from me is still unanswered)
LVL 14

Expert Comment

ID: 7093994
Oops, forgot about the SSH servers available for Windows these days.  That would work too.

Author Comment

ID: 7095794
Ahoffman, please write me an email at pcumming@yahoo.com
