Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 232
  • Last Modified:

Are OS provided FTP commands with PGP encrpytion enough?, File transfers, Windows, Unix

FTP command line versus other new methods. Strengths, weaknesses, risks, etc... Keeping costs in mind and using existing hardware without adding additional hardware

Our company performs FTP in several different departments from several different systems. Mostly Unix but a few Windows boxes.
We decided to step back and review all uses and then recommend a strategy.

Currently we are using the standard FTP commands that come with Unix and DOS to FTP.

-First we perform a PGP to encrypt a file.
-We then place the file on our server in the directory to where the external (outside the enterprise) would retrieve the file (they could drop off a file)

-When the person logs in they are to only a directory they have access to/
- They then perform a PUT or GET send/receive a file.

Instead: I suppose we could use an FTP Server with a certificate that would ensure a secure SSL connection. I think this secures the channel but not the data. We could uss SCP to something like that tht I do not fully understand.

Our goal is to make things simple, cost-effective, and minimize risk. We must be able to push files to other systems or have users retrieve files regardless of platform for the most part.

We have looked at a few products but always come back to -Why should we set up an additional server and ensure a user has a certain client (in the case of SSL and Certificates), if we can accomplish the same thing with locked down directories by userid???

*****While the above I described is not very techie, current, or robust, it does allow
people to perform "puts" and "gets" without running FTP software as a service at either end thus making life a little easier, easier to set up and troubleshoot.

I suppose we could get more complicated and talk about WEBDAV and such but not sure we need all of this.

We are ONLY allowing certain people to come through our firewall via IP address to "Get" items. To "Put" items we do not need any special rules in the firewall.

While this perhaps may be old school thinking-it is cheap, allows 2 way transfers, has PGP security (not the best but probablyy pretty good as the name implies)

We would like people to comment on the the above, shoot holes in it, risks we would incur, and perhaps present other very cost effective solutions-that have ease of installation.

However it is important that we can send AND receive. And we must be able to send and receive in an unattended manner (scheduled, batch type or scripted jobs)

Thanks< Peter
  • 5
  • 4
  • 3
  • +1
1 Solution
what is PGP encryption used for?
to secure the traffic, or to make shure that only authentificated/authorized persons can read the file?

If encryption is just to secure the transport, I suggest ssh/scp.
This requires a shd on your server, and a scp client. ssh/scp is in wide use on almost all platforms (including Windoze).
There are also some Java based clients which can be used via a java-capable web-browser, then you even don't need a ssh/scp client.
This is a pretty difficult problem to solve.  PGP is pretty much dead now that NAI has killed the commercial version.  But there's really no replacement out there either.

"Secure" FTP could work, but it requires special client software.

Probably the best answer at this point is HTTP/S file uploads.

One product that supports this is Valicert, though there are also some Perl scripts floating around out there if you want to roll your own.
The userid & password will be unencrypted, and so can be "snooped". I presume your external users only have ftp access and are chrooted to a subdirectory, so a hacker should only be able to trash files in that directory or fill the filesystem up.

I also assume that your firewall only allows incoming traffic on FTP ports. If not, consider creating a "DMZ" by placing the system outside your firewall and giving it its own (tighter) firewall between it and the outside world.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

> .. PGP is dead ..
.. and GnuPG does all the work now (and hopefully will be full compatible to ancient PGP soon)
pacummingAuthor Commented:
We have a DMZ. Right now we would have outbound traffic only. I do worry about the password in clear text but is that really true and how much of a risk is it in reality?

Now we know how to do https and such. BUT the thhing we need is to be able to run in an unattended mode even with https---how can that be unattended? What packages allow a send and a receive assuming we had the server on our side?

Also when people mention to load ssh and scp and so on--we need a solution that is basically a package where we do not have to load various components and test them out.
UNLESS we were to stick with FTP and use the commercial version of PGP or some equivlanet encrpytion out there.

We would like some how to ascertain that the file has been picked up from our server or transmitted to the users box--but not sure the best way to do this.

Thanks for options for a newbie when it comes to Unix and such. I mainly deal with Windows and the Internet but have not played with unattended transfers and putting together protocols and things.

Thanks, Peter
> we need a solution that is basically a package where we do not have to load various components and test them out.

You still have such packages: PGP and ftp.
So, why do you worry about using another one?
SSH is just *one* package and gives a solution for all your questions.

You still did not give an answer to my question:
    what is PGP encryption used for?

> .. ascertain that the file has been picked up from our server or transmitted ..
WHat exactly do you need?
  1) log entry that it was picked
  2) information that it was transfered
  3) varification that it was transfered correctly

1) is done by sshd automatically,
2) either needs manual interaction, or a script which sends confirmation somehow
3) somehow similar to 2)

> .. run in an unattended mode ..
see ssh
oops, just another idea: rsync
soves the problem of verification and confirmation also
see http://rsync.samba.org/
Or at least rsync over SSH...

But, this assumes that both ends are *ix.

Meanwhile, as for FTP servers getting cracked because they send plaintext passwords, yes it is definitely possible for a determined attacker to do this (usually by infiltrating something else that can sniff the packets).

Whether the data is interesting enough for anyone to bother and how much you will lose if this does happen is something you have to answer.

For example, if this is (other people's) healthcare data or financial data, you're breaking the law if you don't encrypt the session.

If it's information about the strategic direction of your company, your competitors may be highly motivated to get a hold of it.

If it's graphics that another company is sending you that you'll use in a brochure you're printing that a human is going to look at (and therefore can see with their own eyes if the graphic looks sane), then I wouldn't worry about it.

Meanwhile.... as for automating HTTP/S transerfers... yes, there are tools to do this.  Commercial tools like Valicert, and non-commercial tools like the wget (http://www.gnu.org/directory/wget.html) and winnie (aka wput - http://jigsaw.w3.org/Winie/)
pacummingAuthor Commented:
Thanks. Lets put it this way. Perhaps you have answered it.
Is there a product that runs on Unix and Windows that will satify ALL of the following:
-file encryption or SSL (the channel)-do not want to VPN
-will allow sending data to another box
-will allow a sender to send data to us. Thus receipt of a file
-password is encrypted as opposed to plain text FTP
-can run in command line mode and be scheduled in a batch or script
-and does not take about 2-3-4 components to get it working.

Also what do you think the majority of people are doing now in terms of sending and receiving data outside of using a VAN solution such as GEIS?

What do you think the trend may be in the future?

Thanks, Peter
Yes, the product is Valicert.

As for what most people ar doing, larger companies tend toward private networks (frame, VAN, or VPN), mid-size companies tend toward FTP with PGP, and small companies tend toward plain old FTP with no encryption.
and again: answer to all last questions: SSH
(assuming that "file encryption" means "secrure encrypted chanel", 'cause this question from me is still unaswered)
Oops, forgot about the SSH servers available for Windows these days.  That would work too.
pacummingAuthor Commented:
Ahoffman, please write me an email at pcumming@yahoo.com

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 5
  • 4
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now