  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 317

FTP - Is it secure

The question title probably says it all - basically I am wanting clients to be able to send large files - if I open up port 21 on my Windows 2003 server box (which is my main server - i.e. email server, domain controller, file server etc), am I exposing myself too much?

Thanks for your input,

Stewart (new kid on the block just treading water and currently gasping for air at the moment)
0
stewart_fischer
 
Yan_west Commented:
Traditional FTP is not that secure. As someone else said around here:

"FTP is an old protocol that has security issues because it is not encrypted. If you want a more secure communication, use secure FTP (SFTP protocol) instead. Many software packages are available to do this, like CuteFTP or Webdrive."
0
 
crissand Commented:
In Windows 2003 you can use IIS to install an FTP server without anonymous access. To secure the traffic you can use internal security, if this is what you want. If the uploading computers are members of the domain in which the FTP server exists, you can use Active Directory authentication.

I use an FTP server with anonymous access in the upload folder, but without the possibility to download from there (write only), and with password authentication for the download folders. It's secure enough for my purpose.
0
 
ynaught Commented:
Yan_west is correct, FTP is not secure.

After a client sends PASV, an attacker can connect to the server's TCP port before the client does. The severity of this attack depends on what the client does next:
RETR. In this case, the attacker will receive the contents of the file; this is a security violation if the file is not public. Meanwhile, the client will receive an empty file, and will be told by the server that the transfer was successful.
LIST. Similar to RETR.
STOR. In this case, the attacker can replace the legitimate file with data of the attacker's choosing; this is always a security violation. Meanwhile, if the legitimate file fits into the client's TCP buffers, the client will probably not encounter any transmission errors, and will be told by the server that the transfer was successful.
Regards,
0
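The PASV race described in the comment above is commonly narrowed on the server side by accepting the data connection only from the IP address that owns the control connection. The sketch below is an added example, not code from the thread or from any FTP server; `accept_data_connection` and `demo` are hypothetical names and the loopback scenario is constructed. The check does not help against a connection from the same address, and it does nothing about the unencrypted traffic.

```python
import socket
import time


def accept_data_connection(listener, control_peer_ip, timeout=1.0):
    """Accept a PASV data connection only from the control connection's IP.

    Returns (conn, rejected): conn is the accepted socket, or None if no
    connection from control_peer_ip arrived before the deadline; rejected
    lists the source IPs that were turned away.
    """
    deadline = time.monotonic() + timeout
    rejected = []
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None, rejected
        listener.settimeout(remaining)
        try:
            conn, (peer_ip, _peer_port) = listener.accept()
        except socket.timeout:
            return None, rejected
        if peer_ip == control_peer_ip:
            return conn, rejected
        # Another host reached the port first: drop it and keep listening
        # so the legitimate client can still connect.
        rejected.append(peer_ip)
        conn.close()


def demo(control_peer_ip):
    """Constructed scenario: one loopback connection hits the PASV port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, as PASV would pick
    listener.listen(5)
    client = socket.create_connection(listener.getsockname())
    try:
        conn, rejected = accept_data_connection(listener, control_peer_ip, 0.5)
        accepted = conn is not None
        if conn:
            conn.close()
        return accepted, rejected
    finally:
        client.close()
        listener.close()


if __name__ == "__main__":
    print(demo("127.0.0.1"))   # control peer matches the data peer
    print(demo("192.0.2.10"))  # control peer is a different (example) address
```
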
 
ynaught Commented:
Be very careful with FTP.
http://yoda.uvi.edu/jgaa/protocol_ftp.htm
Passwords are sent as clear text through the net, and files are not encrypted by the servers.
I used FTP in the past but after an attack disabled it.
I am still looking for a good alternative.
Regards,
0
 
Yan_west Commented:
You could use sftp :)
0
 
crissand Commented:
I forgot to write that all the traffic in my network is encrypted by hardware VPN devices, but I think IPsec will do it.
0
 
ynaught Commented:
Thanks Crissand, I would be careful using VPN with FTP.
http://cr.yp.to/ftp/security.html
Did you ever work at Computer Associates? We may have worked together.
I looked at SFTP and it is good but would be too advanced for some of our FTP users, if you know what I mean.
Regards,
0
 
crissand Commented:
Never worked at CA. But you are preparing the replacement of ftp with CA's dto. I don't think we worked together here, in Eastern Europe.
0
 
stewart_fischer (Author) Commented:
A few conflicting views here - I have Exchange server set up. I'm thinking maybe the best thing is to increase the mail limit and go that way - what do you think?
0
 
ynaught Commented:
Sorry there, you are right, there are always conflicting views. I went a full year before my FTP site was attacked; many people go much more than that. I doubt it will bring your company to a halt, but it does increase the chance of getting hacked in other places too. Re Exchange: you could do that, security-wise it is much better. You have to bear in mind that people sending files may have limits on the size that they can send or receive (I am talking not of the people in your company but the others). It is usually between 5 and 20 MB. You also have to be considerate of people on slow connections. Also, when you convert binary files to ASCII so that they can be emailed, the file size increases (perhaps only 5 to 20%). If you are OK with these things then it is a good solution.
Regards,
0