
Are OS provided FTP commands with PGP encryption enough? (Topics: File transfers, Windows, Unix)

Posted on 2002-06-17
Last Modified: 2010-04-21
FTP command line versus other, newer methods: strengths, weaknesses, risks, etc. Keeping costs in mind and using existing hardware without adding additional hardware.



Our company performs FTP in several different departments from several different systems. Mostly Unix, but a few Windows boxes.
We decided to step back and review all uses and then recommend a strategy.

Currently we are using the standard FTP commands that come with Unix and DOS to FTP.

-First we use PGP to encrypt a file.
-We then place the file on our server in the directory from which the external party (outside the enterprise) would retrieve the file (they could also drop off a file).

-When the person logs in, they are limited to a directory they have access to.
-They then perform a PUT or GET to send/receive a file.
etc...

Instead, I suppose we could use an FTP server with a certificate that would ensure a secure SSL connection. I think this secures the channel but not the data. We could use SCP or something like that, which I do not fully understand.

Our goal is to make things simple, cost-effective, and minimize risk. We must be able to push files to other systems or have users retrieve files regardless of platform, for the most part.

We have looked at a few products but always come back to: why should we set up an additional server and ensure a user has a certain client (in the case of SSL and certificates), if we can accomplish the same thing with locked-down directories by userid?


*****While what I described above is not very techie, current, or robust, it does allow
people to perform "puts" and "gets" without running FTP software as a service at either end, thus making life a little easier: easier to set up and troubleshoot.

I suppose we could get more complicated and talk about WebDAV and such, but I'm not sure we need all of this.

We are ONLY allowing certain people to come through our firewall via IP address to "Get" items. To "Put" items we do not need any special rules in the firewall.

While this perhaps may be old-school thinking, it is cheap, allows 2-way transfers, and has PGP security (not the best, but probably pretty good, as the name implies).


We would like people to comment on the above, shoot holes in it, point out risks we would incur, and perhaps present other very cost-effective solutions that have ease of installation.

However, it is important that we can send AND receive. And we must be able to send and receive in an unattended manner (scheduled, batch-type or scripted jobs).

Thanks, Peter
Question by:pacumming

Expert Comment

by:ahoffmann
ID: 7083978
what is PGP encryption used for?
to secure the traffic, or to make sure that only authenticated/authorized persons can read the file?

If encryption is just to secure the transport, I suggest ssh/scp.
This requires an sshd on your server, and an scp client. ssh/scp is in wide use on almost all platforms (including Windoze).
There are also some Java-based clients which can be used via a Java-capable web browser; then you don't even need an ssh/scp client.

Expert Comment

by:chris_calabrese
ID: 7084081
This is a pretty difficult problem to solve.  PGP is pretty much dead now that NAI has killed the commercial version.  But there's really no replacement out there either.

"Secure" FTP could work, but it requires special client software.

Probably the best answer at this point is HTTP/S file uploads.

One product that supports this is Valicert, though there are also some Perl scripts floating around out there if you want to roll your own.

Expert Comment

by:tfewster
ID: 7084292
The userid & password will be unencrypted, and so can be "snooped". I presume your external users only have ftp access and are chrooted to a subdirectory, so a hacker should only be able to trash files in that directory or fill the filesystem up.

I also assume that your firewall only allows incoming traffic on FTP ports. If not, consider creating a "DMZ" by placing the system outside your firewall and giving it its own (tighter) firewall between it and the outside world.

Expert Comment

by:ahoffmann
ID: 7086201
> .. PGP is dead ..
.. and GnuPG does all the work now (and hopefully will be fully compatible with ancient PGP soon)

Author Comment

by:pacumming
ID: 7090746
We have a DMZ. Right now we would have outbound traffic only. I do worry about the password in clear text but is that really true and how much of a risk is it in reality?

Now we know how to do https and such. BUT the thing we need is to be able to run in an unattended mode, even with https---how can that be unattended? What packages allow a send and a receive, assuming we had the server on our side?

Also, when people mention loading ssh and scp and so on--we need a solution that is basically a package where we do not have to load various components and test them out.
UNLESS we were to stick with FTP and use the commercial version of PGP or some equivalent encryption out there.

We would like somehow to ascertain that the file has been picked up from our server or transmitted to the user's box--but not sure the best way to do this.

Thanks for options for a newbie when it comes to Unix and such. I mainly deal with Windows and the Internet but have not played with unattended transfers and putting together protocols and things.

Thanks, Peter

Expert Comment

by:ahoffmann
ID: 7090810
> we need a solution that is basically a package where we do not have to load various components and test them out.

You still have such packages: PGP and ftp.
So, why do you worry about using another one?
SSH is just *one* package and gives a solution for all your questions.

You still did not give an answer to my question:
    what is PGP encryption used for?

> .. ascertain that the file has been picked up from our server or transmitted ..
What exactly do you need?
  1) log entry that it was picked up
  2) information that it was transferred
  3) verification that it was transferred correctly

1) is done by sshd automatically,
2) either needs manual interaction, or a script which sends confirmation somehow
3) somehow similar to 2)

> .. run in an unattended mode ..
see ssh
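For point 3 above ("verification that it was transferred correctly"), here is an added example that is not code from the thread or from any of its participants: the sending job writes a checksum manifest next to the files, and the receiving job checks every fetched file against it and reports what went wrong. It runs on in-memory bytes so it works offline; the file names and contents are constructed, and the manifest format (sha256, size, name) is my own choice.

```python
"""Added example: checksum manifest for unattended batch transfers.

Sender writes a manifest listing sha256 and size of each file; receiver
verifies every fetched file against it and flags what went wrong. Runs on
in-memory bytes so it works offline; all file names and contents are
constructed for the example.
"""
import hashlib
from typing import Dict


def build_manifest(files: Dict[str, bytes]) -> str:
    """Return '<sha256>  <size>  <name>' per line, sorted by name."""
    lines = []
    for name in sorted(files):
        data = files[name]
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {len(data)}  {name}")
    return "\n".join(lines) + "\n"


def verify_manifest(manifest: str, received: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file name to 'ok', 'missing', 'truncated', 'corrupt' or 'unexpected'."""
    results: Dict[str, str] = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        digest, size_str, name = line.split("  ", 2)
        expected_size = int(size_str)
        if name not in received:
            results[name] = "missing"
            continue
        data = received[name]
        if len(data) < expected_size:
            # classic unattended-job failure: the GET raced the sender's PUT
            results[name] = "truncated"
        elif hashlib.sha256(data).hexdigest() != digest:
            # content differs at full length, e.g. an ASCII-mode transfer
            # rewrote line endings inside a binary .pgp file, or it was replaced
            results[name] = "corrupt"
        else:
            results[name] = "ok"
    for name in received:
        if name not in results:
            results[name] = "unexpected"  # on disk but not listed by the sender
    return results


# Constructed sample batch: two PGP-encrypted files as the sender wrote them.
SENT = {
    "invoices-20020617.txt.pgp": b"-----BEGIN PGP MESSAGE-----\n(constructed)\n-----END PGP MESSAGE-----\n",
    "report.csv.pgp": b"\x85\x02\x0c\x03" + bytes(range(256)),
}
MANIFEST = build_manifest(SENT)

# What the receiving job actually fetched: one file cut short mid-write, one stray file.
RECEIVED = dict(SENT)
RECEIVED["report.csv.pgp"] = SENT["report.csv.pgp"][:100]
RECEIVED["stray.tmp"] = b"x"

if __name__ == "__main__":
    for name, status in sorted(verify_manifest(MANIFEST, RECEIVED).items()):
        print(f"{status:10s} {name}")
```

In practice the manifest is written last, after the data files are completely on disk, and fetched last, so a fetch that races a write shows up as "truncated" instead of as a silently short file. The manifest carries no authentication of its own: anyone who can replace a file in the drop directory can replace the manifest too, so send it over the authenticated channel (scp/sftp) or PGP-sign it.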

Expert Comment

by:ahoffmann
ID: 7090815
oops, just another idea: rsync
solves the problem of verification and confirmation also
see http://rsync.samba.org/

Expert Comment

by:chris_calabrese
ID: 7090881
Or at least rsync over SSH...

But, this assumes that both ends are *ix.

Meanwhile, as for FTP servers getting cracked because they send plaintext passwords, yes it is definitely possible for a determined attacker to do this (usually by infiltrating something else that can sniff the packets).

Whether the data is interesting enough for anyone to bother and how much you will lose if this does happen is something you have to answer.

For example, if this is (other people's) healthcare data or financial data, you're breaking the law if you don't encrypt the session.

If it's information about the strategic direction of your company, your competitors may be highly motivated to get a hold of it.

If it's graphics that another company is sending you that you'll use in a brochure you're printing that a human is going to look at (and therefore can see with their own eyes if the graphic looks sane), then I wouldn't worry about it.

Meanwhile.... as for automating HTTP/S transfers... yes, there are tools to do this.  Commercial tools like Valicert, and non-commercial tools like wget (http://www.gnu.org/directory/wget.html) and winnie (aka wput - http://jigsaw.w3.org/Winie/)
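To make concrete what "a determined attacker can sniff the packets" means for the PGP-then-FTP setup in this thread, here is an added example that is not code from the thread or from any of its participants. It parses a constructed, made-up FTP control-channel transcript of the kind a sniffer on the path would reconstruct from port-21 traffic; the hostname, username, password, directory and file name in it are all invented.

```python
"""Added example: what a network sniffer recovers from a plain FTP session.

Parses a constructed FTP control-channel transcript (lines prefixed C: for
client, S: for server) of the kind a packet sniffer on the path would
reconstruct from TCP port 21. Nothing here is a real capture; host, user,
password, directory and file name are invented for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed transcript of a scripted "PGP, then FTP put" job as seen on the wire.
SAMPLE_CAPTURE = """\
S: 220 ftp.example.net FTP server ready.
C: USER partner_acme
S: 331 Password required for partner_acme.
C: PASS Tr0ub4dor&3
S: 230 User partner_acme logged in.
C: TYPE I
S: 200 Type set to I.
C: CWD /incoming
S: 250 CWD command successful.
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80).
C: STOR invoices-20020617.txt.pgp
S: 150 Opening BINARY mode data connection.
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""


@dataclass
class FtpSession:
    """Everything a passive observer learns from the control channel."""
    user: Optional[str] = None
    password: Optional[str] = None
    logged_in: bool = False
    cwd: Optional[str] = None
    files: List[Tuple[str, str]] = field(default_factory=list)  # (verb, path)


_LINE = re.compile(r"^(?P<dir>[CS]): (?P<text>.*)$")


def parse_capture(capture: str) -> FtpSession:
    """Walk the transcript and pull out credentials and file operations."""
    session = FtpSession()
    for raw in capture.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        direction, text = m.group("dir"), m.group("text")
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                session.user = arg
            elif verb == "PASS":
                session.password = arg          # RFC 959 FTP sends this in the clear
            elif verb == "CWD":
                session.cwd = arg
            elif verb in ("STOR", "RETR", "DELE"):
                session.files.append((verb, arg))
        elif text.startswith("230"):
            session.logged_in = True            # 230 = login accepted
    return session


def exposure_report(session: FtpSession) -> List[str]:
    """Summarise what the capture hands an attacker, one line per item."""
    report = []
    if session.user and session.password:
        report.append(f"credentials: {session.user} / {session.password}")
    if session.cwd:
        report.append(f"directory: {session.cwd}")
    for verb, path in session.files:
        report.append(f"{verb} {path}")
    return report


if __name__ == "__main__":
    for line in exposure_report(parse_capture(SAMPLE_CAPTURE)):
        print(line)
```

The point the parse makes: PGP keeps the contents of the .pgp file private, but the session still hands over the login, the directory and the file names, and a replayed login lets someone else delete, replace or add files in that directory. The same job over ssh (scp or sftp) shows a sniffer only the version banners and ciphertext. Note also that encrypting a file to the recipient's PGP key says nothing about who produced it; having the sender sign the file as well is what lets the receiver check that.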
 

Author Comment

by:pacumming
ID: 7091117
Thanks. Lets put it this way. Perhaps you have answered it.
Is there a product that runs on Unix and Windows that will satisfy ALL of the following:
-file encryption or SSL (the channel)-do not want to VPN
-will allow sending data to another box
-will allow a sender to send data to us. Thus receipt of a file
-password is encrypted as opposed to plain text FTP
-can run in command line mode and be scheduled in a batch or script
-and does not take about 2-3-4 components to get it working.
??



Also what do you think the majority of people are doing now in terms of sending and receiving data outside of using a VAN solution such as GEIS?


What do you think the trend may be in the future?

Thanks, Peter

Accepted Solution

by:chris_calabrese (earned 200 total points)
ID: 7093034
Yes, the product is Valicert.

As for what most people are doing, larger companies tend toward private networks (frame, VAN, or VPN), mid-size companies tend toward FTP with PGP, and small companies tend toward plain old FTP with no encryption.

Expert Comment

by:ahoffmann
ID: 7093902
and again: answer to all last questions: SSH
(assuming that "file encryption" means "secure encrypted channel", 'cause this question from me is still unanswered)

Expert Comment

by:chris_calabrese
ID: 7093994
Oops, forgot about the SSH servers available for Windows these days.  That would work too.

Author Comment

by:pacumming
ID: 7095794
Ahoffman, please write me an email at pcumming@yahoo.com