Solved

FTP - Is it secure

Posted on 2004-07-30
Last Modified: 2010-03-18
The question title probably says it all - basically I am wanting clients to be able to send large files - if I open up port 21 on my Windows 2003 server box (which is my main server - i.e. email server, domain controller, file server etc), am I exposing myself too much?

Thanks for your input,

Stewart (new kid on the block just treading water and currently gasping for air at the moment)
Question by:stewart_fischer
10 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11677113
Traditional FTP is not that secure. As someone else said around here:

"FTP is an old protocol that has security issues because it is not encrypted. If you want more secure communication, use secure FTP (SFTP protocol) instead. Many software packages are available to do this, like CuteFTP or Webdrive."
0
 
LVL 18

Expert Comment

by:crissand
ID: 11677590
In Windows 2003 you can use IIS to install an FTP server without anonymous access. To secure the traffic you can use internal security, if this is what you want. If the uploading computers are members of the domain in which the FTP server exists, you can use Active Directory authentication.

I use an FTP server with anonymous access in the upload folder, but without the possibility to download from there (write only), and with password authentication for the download folders. It's secured enough for my purpose.
0
 
LVL 3

Expert Comment

by:ynaught
ID: 11677651
Yan west is correct: FTP is not secure.

After a client sends PASV, an attacker can connect to the server's TCP port before the client does. The severity of this attack depends on what the client does next:
RETR. In this case, the attacker will receive the contents of the file; this is a security violation if the file is not public. Meanwhile, the client will receive an empty file, and will be told by the server that the transfer was successful.
LIST. Similar to RETR.
STOR. In this case, the attacker can replace the legitimate file with data of the attacker's choosing; this is always a security violation. Meanwhile, if the legitimate file fits into the client's TCP buffers, the client will probably not encounter any transmission errors, and will be told by the server that the transfer was successful.
Regards,
0
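A defensive check for the PASV race described in the comment above, as an added example that is not part of the original thread: pair each 227 reply with the source address of the connection that reaches the passive port, and flag any that do not match the control session. The log line format and the addresses are constructed for illustration and are not the format of IIS or any other FTP server.

```python
import re

# Constructed sample events. The line format is an assumption made for this
# example, not the log format of IIS or any other FTP server.
SAMPLE_LOG = """\
ctrl client=203.0.113.10 sent="227 Entering Passive Mode (192,0,2,5,195,80)"
data accept port=50000 peer=203.0.113.10
ctrl client=203.0.113.10 sent="227 Entering Passive Mode (192,0,2,5,195,81)"
data accept port=50001 peer=198.51.100.7
ctrl client=203.0.113.22 sent="227 Entering Passive Mode (192,0,2,5,195,82)"
data accept port=50002 peer=203.0.113.22
"""

# RFC 959 reply to PASV: (h1,h2,h3,h4,p1,p2), data port = p1 * 256 + p2.
PASV_RE = re.compile(
    r'ctrl client=(\S+) sent="227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)"')
DATA_RE = re.compile(r"data accept port=(\d+) peer=(\S+)")


def find_foreign_data_peers(log_text):
    """Return (port, peer, reason) for data connections that did not come
    from the address of the control session that requested the port."""
    pending = {}  # passive port -> client IP of the control session
    alerts = []
    for line in log_text.splitlines():
        m = PASV_RE.match(line)
        if m:
            port = int(m.group(6)) * 256 + int(m.group(7))
            pending[port] = m.group(1)
            continue
        m = DATA_RE.match(line)
        if not m:
            continue
        port, peer = int(m.group(1)), m.group(2)
        owner = pending.pop(port, None)  # a passive port is good for one accept
        if owner is None:
            alerts.append((port, peer, "no PASV outstanding"))
        elif peer != owner:
            alerts.append((port, peer, "expected " + owner))
    return alerts


if __name__ == "__main__":
    for alert in find_foreign_data_peers(SAMPLE_LOG):
        print(alert)
```

A source-address comparison cannot tell apart two hosts behind the same NAT address, so it narrows the race rather than closing it.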
 
LVL 3

Expert Comment

by:ynaught
ID: 11677740
Be very careful with FTP
http://yoda.uvi.edu/jgaa/protocol_ftp.htm
Passwords are sent as clear text through the net, and files are not encrypted by the servers.
I used FTP in the past but after an attack disabled it.
I am still looking for a good alternative.
Regards,
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11677756
You could use sftp :)
0
 
LVL 18

Expert Comment

by:crissand
ID: 11677797
I forgot to write that all the traffic in my network is encrypted by hardware VPN devices, but I think IPsec will do it.
0
 
LVL 3

Expert Comment

by:ynaught
ID: 11677911
Thanks Crissand, I would be careful using VPN with FTP
http://cr.yp.to/ftp/security.html
Did you ever work at Computer Associates? We may have worked together.
I looked at sftp and it is good, but it would be too advanced for some of our ftp users, if you know what I mean.
Regards,
0
 
LVL 18

Expert Comment

by:crissand
ID: 11677971
Never worked at CA. But you are preparing the replacement of ftp with CA's dto. I don't think we worked together here, in Eastern Europe.
0
 

Author Comment

by:stewart_fischer
ID: 11681873
A few conflicting views here - I have Exchange server set up. I'm thinking maybe the best thing is to increase the mail limit and go that way - what do you think?
0
 
LVL 3

Accepted Solution

by:
ynaught earned 100 total points
ID: 11682014
Sorry, you are right, there are always conflicting views. I went a full year before my ftp site was attacked; many people go much more than that. I doubt it will bring your company to a halt, but it does increase the chance of getting hacked in other places too. Re Exchange, you could do that; security-wise it is much better. You have to bear in mind that people sending files may have limits on the size that they can send or receive (I am talking not of the people in your company but the others). It is usually between 5 and 20 MB. You also have to be considerate of people on slow connections. Also, when you convert binary files to ASCII so that they can be emailed, the file size increases (perhaps only 5 to 20%). If you are OK with these things then it is a good solution.
Regards,
0
