

SFTP & VPN for my clients

Posted on 2006-06-23
Medium Priority
Last Modified: 2013-11-16
I have a question on VPN and FTP.  

I have to propose a new way of supplying some business critical files to my client base other than e-mail.

What I need to do:
Currently I prepare the encrypted files and mail them through to the customer.  This has worked fine in the past, but increasingly, the larger the files become, the more problems I encounter from the recipient's mailbox.  Some files are getting bounced for being too large and this leads to all sorts of complaints and security issues for me.  I would like to be able to drop the files in a folder on a Linux server here, which I already have installed, and have the client come and get them?

Can I set up a VPN connection from the customer's site to a secure FTP server onsite here?
What type of VPN should I create?
How secure can I make this?
Once the VPN is established can they access the Folder using a URL perhaps?
Also, is it possible to have some type of log running so I can see when they actually download the files?
Can I do IP address tracking?
What should I be looking to track in this file?

If you have any ideas of how to make this better then I would really appreciate your help. I'm losing business on a daily basis because I cannot do this currently.

I know it's a long shot also.....but is there any way of getting a diagram of this mailed to me? colum_cusack@ireland.com

Really do appreciate your help hence the points?


Question by:columcusack

Expert Comment

ID: 16969078

There are a number of possibilities with this solution. We have implemented a secured site-to-site VPN solution with a perimeter network, which allows only that client to access a dedicated secured FTP server with access to only one directory. In addition to this, all files are PGP signed.

Biggest concern we had was the bandwidth and speed from the client.

What we have used is given below:

1) Juniper router edge
2) Cisco Pix 550 - allows only specific client ip
3) SSL Accelerators – Authenticates client’s certificate
4) IDS – checks vulnerability
5) Juniper router internal edge – routes to specific client's server farm
6) WS_FTP secured server – login requires at least 12 char complex password
7) PGP signed files

There are a few other things we can add to make it more secure, but still, 7 layers of security is quite industry standard. Unfortunately, I cannot provide an exact diagram but you can get a good picture from this explanation.

Good luck,


Accepted Solution

kevinf40 earned 1500 total points
ID: 16970074
Hi Colum

Depending on your network set-up and the sensitivity of the data you may be able to simply allow them access to the sftp server, as sftp is an encrypted protocol.

Harden the sftp server
place in DMZ
allow access through the firewall to the sftp server (if they always come from specific IP(s) you could lock the rule down so that the sftp server isn't actually publicly accessible from any IP).

If you need to use a VPN there are various options depending on your set-up:

Firewall to firewall - if all connections are from businesses with compatible firewalls
Firewall to client - most major firewalls offer vpn clients to allow remote users to make vpn connections to the network.

As to tracking - any connections (vpn or not) will be through the firewall so you will have a log of connections and traffic on the firewall.  Your sftp server should be able to log any access and what is done in each session, and your actual server will have file access auditing capabilities.

If you can provide a little more detail about your requirements and environment I'll try to expand on which ever method seems most appropriate.


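The hardening steps in the accepted answer (SFTP only, locked to the client's address, with per-file logging for the tracking question) can be expressed in a few lines of sshd_config. The fragment below is an added example, not configuration from the thread or from any poster; the account name acmeclient, the chroot path and the client address 203.0.113.5 are assumptions.

```text
# Added example sshd_config fragment (not from the thread).
# Account name, chroot path and client address are assumptions.

Subsystem sftp internal-sftp

# Only this account, and only from the client's fixed address.
# Any other source never reaches the Match block, so it gets the
# global (deny) policy for that user.
Match User acmeclient Address 203.0.113.5
    # Chroot must be root-owned and not group/world writable;
    # publish files in a subdirectory such as /srv/sftp/acmeclient/outgoing
    ChrootDirectory /srv/sftp/acmeclient
    # No shell, no scp, no command execution; -l INFO logs every open/close
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    # Key-only login; keep the key file outside the chroot
    PasswordAuthentication no
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
```

Run `sshd -t` after editing and check the file on the firewall side as well: the firewall rule restricts who can reach port 22, the Match block restricts what that user can do once connected, and the two together are what make the server "not publicly accessible" in the sense the answer describes.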
LVL 57

Expert Comment

ID: 16971840
I agree with kevinf40, sftp (or even ftps) is encrypted, so why use a VPN on top of that?  My personal opinion: either use sftp or VPN, but not both.

If you only have a few static sites to work with, or these sites may need access to servers/resources that should be more secure, then try VPN.

However, if you have a lot of sites, or the sites change and this is the only thing that needs encrypted/secured access, then use sftp.  It is much easier to set up and maintain.

Do you have to push/send the file to the users?  Could you just set up a web server that only allows SSL connections, set up user-based security, and allow them to come and get the files using their web browser?

Expert Comment

ID: 16976734

I would use the "secure copy", or "scp" for short. scp uses an ssh connection authenticated by public keys and password, if you want to. This ssh connection is for the ftp process and terminates after that.

The benefits are:
- easy setup (on windows, linux and unix)
- secure (uses private/public keys for setup and random symmetric key for each connection)
- trackable (ssh server can write logs)
- secure for a firewall over one single tcp port (default port 22 but you can also use any port like 12345)
- not expensive

If you want to use VPN software, there are two kinds of good layer 3 (IP) tunneling software: OpenVPN and IPsec. IPsec (in tunnel mode with ESP, Encapsulating Security Payload) is a kernel-based VPN (-> fast) which is included in most server systems. OpenVPN is a userspace VPN tunneling software which is very scalable and configurable (and it's free). OpenVPN uses preshared keys or certificates for authentication.

But to summarize - I would not build up a tunnel for making an ftp connection. SCP is doing exactly that.

If you need help for one of my proposals please send me more information about your setup (OSes, network).


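Both the accepted answer ("your sftp server should be able to log any access and what is done in each session") and the comment above ("trackable (ssh server can write logs)") leave open what the asker actually wanted to see: which file each client fetched, from which IP, and whether anything unexpected happened. The script below is an added example, not code from the thread or from OpenSSH; it parses the line formats that sshd and internal-sftp (run with `-l INFO`) write to syslog. The log lines, the account name acmeclient, the hostname filesrv, the file paths and all IP addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in the syslog formats sshd and internal-sftp
# emit (not taken from any real server). internal-sftp tags each session
# with the process ID, which is what lets file events be tied to a user/IP.
SAMPLE_LOG = """\
Jun 23 09:12:01 filesrv sshd[2201]: Accepted publickey for acmeclient from 203.0.113.5 port 51234 ssh2
Jun 23 09:12:01 filesrv internal-sftp[2203]: session opened for local user acmeclient from [203.0.113.5]
Jun 23 09:12:03 filesrv internal-sftp[2203]: open "/outgoing/report-2006-06.pgp" flags READ mode 0666
Jun 23 09:12:09 filesrv internal-sftp[2203]: close "/outgoing/report-2006-06.pgp" bytes read 48211 written 0
Jun 23 09:12:10 filesrv internal-sftp[2203]: open "/outgoing/notes.txt" flags READ mode 0666
Jun 23 09:12:10 filesrv internal-sftp[2203]: close "/outgoing/notes.txt" bytes read 0 written 0
Jun 23 09:15:44 filesrv sshd[2310]: Failed password for invalid user admin from 198.51.100.77 port 40022 ssh2
Jun 23 09:20:00 filesrv internal-sftp[2400]: session opened for local user acmeclient from [203.0.113.9]
Jun 23 09:20:05 filesrv internal-sftp[2400]: open "/outgoing/report-2006-06.pgp" flags WRITE,CREATE,TRUNCATE mode 0644
Jun 23 09:20:06 filesrv internal-sftp[2400]: close "/outgoing/report-2006-06.pgp" bytes read 0 written 12
"""

# Assumed allow-list: the address(es) each client account is expected to
# come from (the same set the firewall rule would be locked down to).
ALLOWED_SOURCES = {"acmeclient": {"203.0.113.5"}}

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
SESSION_RE = re.compile(
    r"(?:internal-sftp|sftp-server)\[(\d+)\]: session opened for local user (\S+) from \[([^\]]+)\]")
CLOSE_RE = re.compile(
    r'(?:internal-sftp|sftp-server)\[(\d+)\]: close "([^"]+)" bytes read (\d+) written (\d+)')
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port")


@dataclass
class Transfer:
    timestamp: str
    user: str
    client_ip: str
    path: str
    bytes_read: int
    bytes_written: int


def audit_sftp_log(text):
    """Return (downloads, uploads, failed_logins) from syslog text.

    A file is counted as downloaded when its close record shows bytes read,
    and as uploaded when it shows bytes written; opening a file and reading
    nothing is not a delivery. Failed logins are reported with source IP."""
    sessions = {}          # sftp pid -> (user, client_ip)
    downloads, uploads, failed = [], [], []
    for line in text.splitlines():
        ts_m = TS_RE.match(line)
        ts = ts_m.group(1) if ts_m else "?"
        if m := SESSION_RE.search(line):
            sessions[m.group(1)] = (m.group(2), m.group(3))
        elif m := CLOSE_RE.search(line):
            pid, path = m.group(1), m.group(2)
            rd, wr = int(m.group(3)), int(m.group(4))
            user, ip = sessions.get(pid, ("?", "?"))
            t = Transfer(ts, user, ip, path, rd, wr)
            if rd > 0:
                downloads.append(t)
            if wr > 0:
                uploads.append(t)
        elif m := FAILED_RE.search(line):
            failed.append((ts, m.group(1), m.group(2)))
    return downloads, uploads, failed


def unexpected_sources(transfers, allowed):
    """Transfers whose client IP is not in the allow-list for that user."""
    return [t for t in transfers if t.client_ip not in allowed.get(t.user, set())]


if __name__ == "__main__":
    dl, ul, failed = audit_sftp_log(SAMPLE_LOG)
    for t in dl:
        print(f"{t.timestamp} {t.user}@{t.client_ip} downloaded {t.path} ({t.bytes_read} bytes)")
    for t in ul:
        print(f"{t.timestamp} {t.user}@{t.client_ip} WROTE {t.path} ({t.bytes_written} bytes)")
    for ts, user, ip in failed:
        print(f"{ts} failed login for {user} from {ip}")
    for t in unexpected_sources(dl + ul, ALLOWED_SOURCES):
        print(f"ALERT: {t.user} connected from unlisted address {t.client_ip}")
```

On the sample input the report shows one real delivery (the .pgp file, 48211 bytes, from the listed address), one zero-byte read that is correctly not counted, one failed login from an unrelated address, and one write to the outgoing directory from an address that is not on the allow-list, which is exactly the kind of event a download-only drop folder should never see. In production the same logic runs over /var/log/auth.log (or wherever the `-f` facility is sent), and the "IP address tracking" the asker wants is the `from [...]` field on the session line, not anything the client can forge after authentication.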

Expert Comment

ID: 16976923
Hi mario

sftp (SSH File Transfer Protocol, or secure file transfer program/protocol) is actually newer and considered by many to be a better protocol than scp - indeed it was designed by the same working group who designed SSH-2, and is typically used with SSH-2 (where the SSH protocol provides the security around sftp's file transfer and manipulation functionality).

A comparison of the two protocols can be found here:

As long as your SCP implementation uses SSH-2 there is, however, little in security terms to separate the two, so it becomes a matter of preference.  Many SCP implementations still use SSH-1 (I think), which has serious published weaknesses, so this should be checked before choosing an implementation.


