Solved

FTP - Is it secure

Posted on 2004-07-30
Last Modified: 2010-03-18
The question title probably says it all - basically I want clients to be able to send large files - if I open up port 21 on my Windows 2003 Server box (which is my main server - i.e. email server, domain controller, file server etc), am I exposing myself too much?

Thanks for your input,

Stewart (new kid on the block just treading water and currently gasping for air at the moment)
Question by:stewart_fischer

10 Comments

LVL 15

Expert Comment

by:Yan_west
ID: 11677113
Traditional FTP is not that secure.. as someone else said around here:

"FTP is an old protocol that has security issues because it is not encrypted. If you want more secure communication, use secure FTP (the SFTP protocol) instead. Many programs are available to do this, like CuteFTP or Webdrive."
 
LVL 18

Expert Comment

by:crissand
ID: 11677590
In Windows 2003 you can use IIS to install an FTP server without anonymous access. To secure the traffic you can use internal security, if this is what you want. If the uploading computers are members of the domain in which the FTP server exists, you can use Active Directory authentication.

I use an FTP server with anonymous access in the upload folder, but without the possibility to download from there (write only), and with password authentication for the download folders. It's secure enough for my purpose.
 
LVL 3

Expert Comment

by:ynaught
ID: 11677651
Yan_west is correct, FTP is not secure.

After a client sends PASV, an attacker can connect to the server's TCP port before the client does. The severity of this attack depends on what the client does next:
RETR. In this case, the attacker will receive the contents of the file; this is a security violation if the file is not public. Meanwhile, the client will receive an empty file, and will be told by the server that the transfer was successful.
LIST. Similar to RETR.
STOR. In this case, the attacker can replace the legitimate file with data of the attacker's choosing; this is always a security violation. Meanwhile, if the legitimate file fits into the client's TCP buffers, the client will probably not encounter any transmission errors, and will be told by the server that the transfer was successful.
Regards,
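The PASV race described above is usually countered on the server side by accepting a data connection only from the IP address that owns the control connection, and by handing out passive ports from a randomised range. The model below is an added example (not code from this thread or from any particular FTP server); the `PasvPolicy` class, its method names and the IP addresses are constructed for illustration.

```python
"""Server-side policy against PASV data-connection hijacking (added example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class PassiveListener:
    owner_ip: str          # peer IP of the control connection that sent PASV
    port: int
    consumed: bool = False # each passive listener serves exactly one transfer


@dataclass
class PasvPolicy:
    """Minimal model of the 'data peer must equal control peer' check that
    most FTP daemons apply by default (hypothetical class, not a real API)."""
    listeners: dict = field(default_factory=dict)   # port -> PassiveListener
    refused: list = field(default_factory=list)     # audit trail for detection

    def open_passive(self, control_peer_ip: str, low: int = 49152, high: int = 65535) -> int:
        """Allocate an unused passive port; a random port is harder to pre-connect to."""
        port = low + secrets.randbelow(high - low + 1)
        while port in self.listeners:
            port = low + secrets.randbelow(high - low + 1)
        self.listeners[port] = PassiveListener(control_peer_ip, port)
        return port

    def accept_data(self, port: int, data_peer_ip: str) -> bool:
        """Return True only if data_peer_ip may use the listener on `port`.
        Refusals are recorded so a defender can alert on repeated mismatches."""
        lst = self.listeners.get(port)
        if lst is None or lst.consumed:
            self.refused.append((port, data_peer_ip, "no-listener"))
            return False
        if lst.owner_ip != data_peer_ip:
            # The early connect from a third party (the attack above) ends here.
            self.refused.append((port, data_peer_ip, "ip-mismatch"))
            return False
        lst.consumed = True   # first legitimate connection wins; no second use
        return True


if __name__ == "__main__":
    policy = PasvPolicy()
    port = policy.open_passive("192.0.2.10")            # constructed client IP
    print("attacker accepted:", policy.accept_data(port, "198.51.100.7"))
    print("client accepted:  ", policy.accept_data(port, "192.0.2.10"))
    print("refusals:", policy.refused)
```

The check does not help when the attacker sits behind the same NAT address as the legitimate client, which is why the SFTP/FTPS advice elsewhere in this thread remains the real fix.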
 
LVL 3

Expert Comment

by:ynaught
ID: 11677740
Be very careful with FTP
http://yoda.uvi.edu/jgaa/protocol_ftp.htm
Passwords are sent as clear text through the net, and files are not encrypted by the servers.
I used FTP in the past but after an attack disabled it.
I am still looking for a good alternative
Regards,
 
LVL 15

Expert Comment

by:Yan_west
ID: 11677756
You could use sftp :)
 
LVL 18

Expert Comment

by:crissand
ID: 11677797
I forgot to write that all the traffic in my network is encrypted by hardware VPN devices, but I think IPsec will do it.
 
LVL 3

Expert Comment

by:ynaught
ID: 11677911
Thanks Crissand, I would be careful using VPN with FTP:
http://cr.yp.to/ftp/security.html
Did you ever work at Computer Associates? We may have worked together.
I looked at sftp and it is good but would be too advanced for some of our ftp users if you know what I mean.
Regards,
 
LVL 18

Expert Comment

by:crissand
ID: 11677971
Never worked at CA. But you are preparing the replacement of ftp with CA's dto. I don't think we worked together here, in Eastern Europe.
 

Author Comment

by:stewart_fischer
ID: 11681873
A few conflicting views here - I have Exchange server setup. I'm thinking maybe the best thing is to increase the mail limit and go that way - what do you think?
 
LVL 3

Accepted Solution

by:ynaught (earned 50 total points)
ID: 11682014
Sorry, there you are right, there are always conflicting views. I went a full year before my FTP site was attacked; many people go much longer than that. I doubt it will bring your company to a halt, but it does increase the chance of getting hacked in other places too. Re Exchange: you could do that, and security-wise it is much better. You have to bear in mind that people sending files may have limits on the size that they can send/receive (I am talking not of the people in your company but the others). It is usually between 5 and 20 MB. You also have to be considerate of people on slow connections. Also, when you convert binary files to ASCII so that they can be emailed, the file size increases (perhaps only 5 to 20%). If you are OK with these things then it is a good solution.
Regards,