Solved

FTP - Is it secure

Posted on 2004-07-30
Last Modified: 2010-03-18
The question title probably says it all - basically I am wanting clients to be able to send large files - if I open up port 21 on my Windows 2003 server box (which is my main server - i.e. email server, domain controller, file server etc.), am I exposing myself too much?

Thanks for your input,

Stewart (new kid on the block just treading water and currently gasping for air at the moment)
Question by:stewart_fischer
10 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11677113
Traditional FTP is not that secure.. as someone else said around here:

"FTP is an old protocol that has security issues because it is not encrypted. If you want a more secure communication, use secure FTP (SFTP protocol) instead. Much software is available to do this, like CuteFTP or Webdrive."
0
 
LVL 18

Expert Comment

by:crissand
ID: 11677590
In Windows 2003 you can use IIS to install an FTP server without anonymous access. To secure the traffic you can use internal security, if this is what you want. If the uploading computers are members of the domain in which the FTP server exists, you can use Active Directory authentication.

I use an FTP server with anonymous access in the upload folder, but without the possibility to download from there (write only), and with password authentication for the download folders. It's secured enough for my purpose.
0
 
LVL 3

Expert Comment

by:ynaught
ID: 11677651
Yan_west is correct, FTP is not secure.

After a client sends PASV, an attacker can connect to the server's TCP port before the client does. The severity of this attack depends on what the client does next:
RETR. In this case, the attacker will receive the contents of the file; this is a security violation if the file is not public. Meanwhile, the client will receive an empty file, and will be told by the server that the transfer was successful.
LIST. Similar to RETR.
STOR. In this case, the attacker can replace the legitimate file with data of the attacker's choosing; this is always a security violation. Meanwhile, if the legitimate file fits into the client's TCP buffers, the client will probably not encounter any transmission errors, and will be told by the server that the transfer was successful.
Regards,
0
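The race described in the comment above works because the server hands the data channel to whichever peer reaches the PASV port first. As an added example (not code from this thread or from any FTP server), here is a server-side check that accepts the data connection only from the IP address of the control connection; the function names are hypothetical and 192.0.2.10 is a constructed address.

```python
import socket

def open_pasv_listener(bind_ip="127.0.0.1"):
    """Open a passive-mode data listener on an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_ip, 0))
    srv.listen(5)
    return srv

def accept_data_connection(listener, control_peer_ip, timeout=1.0, max_attempts=5):
    """Return (conn, rejected): conn is the first data connection whose source
    IP equals the control connection's peer IP, or None if none arrived in
    time; rejected lists the foreign source IPs that were closed unserved."""
    listener.settimeout(timeout)
    rejected = []
    for _ in range(max_attempts):
        try:
            conn, (peer_ip, _port) = listener.accept()
        except socket.timeout:
            break
        if peer_ip == control_peer_ip:
            return conn, rejected
        conn.close()               # never serve RETR/LIST/STOR data to this peer
        rejected.append(peer_ip)   # worth logging: someone else reached the PASV port
    return None, rejected

def demo():
    # Case 1: control session and data connection both come from 127.0.0.1.
    lst = open_pasv_listener()
    client = socket.create_connection(lst.getsockname())
    conn, rejected = accept_data_connection(lst, "127.0.0.1")
    same_ip_accepted = conn is not None and rejected == []
    for s in (conn, client, lst):
        if s is not None:
            s.close()
    # Case 2: the control session belongs to 192.0.2.10 (constructed address),
    # but a connection from 127.0.0.1 reaches the PASV port first.
    lst = open_pasv_listener()
    other = socket.create_connection(lst.getsockname())
    conn, rejected = accept_data_connection(lst, "192.0.2.10", timeout=0.3)
    foreign_refused = conn is None
    other.close()
    lst.close()
    return same_ip_accepted, foreign_refused, rejected

if __name__ == "__main__":
    print(demo())
```

The check does not help when the other peer shares the client's address (same host or NAT), and it does nothing about passwords and file contents crossing the network in clear text.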
 
LVL 3

Expert Comment

by:ynaught
ID: 11677740
Be very careful with FTP.
http://yoda.uvi.edu/jgaa/protocol_ftp.htm
Passwords are sent as clear text through the net, and files are not encrypted by the servers.
I used FTP in the past but after an attack disabled it.
I am still looking for a good alternative.
Regards,
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11677756
You could use sftp :)
0
 
LVL 18

Expert Comment

by:crissand
ID: 11677797
I forgot to write that all the traffic in my network is encrypted by hardware VPN devices, but I think IPsec will do it.
0
 
LVL 3

Expert Comment

by:ynaught
ID: 11677911
Thanks Crissand, I would be careful using VPN with FTP.
http://cr.yp.to/ftp/security.html
Did you ever work at Computer Associates? We may have worked together.
I looked at SFTP and it is good but would be too advanced for some of our FTP users, if you know what I mean.
Regards,
0
 
LVL 18

Expert Comment

by:crissand
ID: 11677971
Never worked at CA. But you are preparing the replacement of ftp with CA's dto. I don't think we worked together here, in Eastern Europe.
0
 

Author Comment

by:stewart_fischer
ID: 11681873
A few conflicting views here - I have Exchange server set up. I'm thinking maybe the best thing is to increase the mail limit and go that way - what do you think?
0
 
LVL 3

Accepted Solution

by:
ynaught earned 50 total points
ID: 11682014
Sorry, there you are right, there are always conflicting views. I went a full year before my FTP site was attacked; many people go much more than that. I doubt it will bring your company to a halt, but it does increase the chance of getting hacked in other places too. Re Exchange: you could do that; security-wise it is much better. You have to bear in mind that people sending files may have limits on the size that they can send/receive (I am talking not of the people in your company but the others). It is usually between 5 and 20 MB. You also have to be considerate of people on slow connections. Also, when you convert binary files to ASCII so that they can be emailed, the file size increases (perhaps only 5 to 20%). If you are OK with these things then it is a good solution.
Regards,
0
