Solved

SFTP & VPN for my clients

Posted on 2006-06-23
5
2,439 Views
Last Modified: 2013-11-16
Hi,
I have a question on VPN and FTP.  

I have to propose a new way of supplying some business critical files to my client base other than e-mail.

What I need to do:
Currently I prepare the encrypted files and mail them through to the customer.  This has worked fine in the past but increasingly the larger the files become the more problems I encounter from the recipients mailbox.  Some files are getting bounced for being too large and this leads to all sorts of complaints and security issues for me.  I would like to be able to drop the files in a folder on a linux server here which I already have installed and have the client come and get them?

Can I setup a VPN connection from the customers site to a Secure FTP server onsite here?
what type of VPN should I create?
How secure can I make this?
Once the VPN is established can they access the Folder using a URL perhaps?
Also, is it possible to have some type of log running so I can see when they actually download the files?
Can I do IP adress tracking?
What should I be looking to track in this file?

If you have any ideas of how to make this better then I would really appreciate your help. I'm losing business on  a daily basis because I cannot do this currently,

I know it's a long shot also.....but is there any way of getting a diagram of this mailed to me? colum_cusack@ireland.com

Really do appreciate your help hence the points?

Regards

Colum
0
Comment
Question by:columcusack
5 Comments
 
LVL 1

Expert Comment

by:rushpatel
ID: 16969078
Colum,

There are number of possibilities with this solution. We have implemented secured site-to-site vpn solution with perimeter network, which allows only that client to access dedicated secured FTP server with access to only one directory. In addition to this, all files are PGP signed.

Biggest concerned we had was the bandwidth and speed from client.

What we have used is given below:

1) Juniper router edge
2) Cisco Pix 550 - allows only specific client ip
3) SSL Accelerators – Authenticates client’s certificate
4) IDS – Checks venerability
5) Juniper router internal edge – routes to specific cleint’s server farm
6) WS_FTP secured server – login requires at least 12 char complex password
7) PGP signed files

There are few other things we can add to make it more secure but still 7 layers security is quite industry standard. Unfortunately, I cannot provide exact diagram but you can get good picture from this explanation.

Good luck,

Rushil
0
 
LVL 5

Accepted Solution

by:
kevinf40 earned 500 total points
ID: 16970074
Hi Colum

Depending on your network set-up and the sensitivity of the data you may be able to simply allow them access to the sftp server as sftp is an encrypted protocol.

Harden the sftp server
place in DMZ
allow access through the firewall to the sftp server (if they always come from specific IP(s) you could lock the rule down so that the sftp server wasn't actually publicly accessible from any IP).

If you need to use a vpn there are various options depending on you set-up

Firewall to firewall - if all connections are from businesses with compatible firewalls
Firewall to client - most major firewalls offer vpn clients to allow remote users to make vpn connections to the network.

As to tracking - any connections (vpn or not) will be through the firewall so you will have a log of connections and traffic on the firewall.  Your sftp server should be able to log any access and what is done in each session, and your actual server will have file access auditing capabilities.

If you can provide a little more detail about your requirements and environment I'll try to expand on which ever method seems most appropriate.

cheers

Kevin
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16971840
I agree with Kevnf40, sftp (or even ftps) is encrypted why use a VPN on top of that?  My personal opinion, either use sftp or VPN, but not both.

If you only have a few sites static sites to work with, or these sites may need access to servers/resources that should be more secure, then try VPN.

However if you have a lot of site, or the sites change and this is the only thing that needs encrypted/secured access, then use sftp.  It is much easier to setup and maintain.

Do you have to push/send the file to the users?  Could you just setup a web sever that only allows SSL connections, setup user based security, and allow them to come and get the files using their Web Browser.
0
 
LVL 1

Expert Comment

by:dlmario
ID: 16976734
Colum,

I would use the "secure copy" - short "scp". scp uses an ssh connection authenticated by public keys and password, if you want to. This ssh connection is for the ftp process and terminates after that.

The benefits are:
- easy setup (on windows, linux and unix)
- secure (uses private/public keys for setup and random symmetric key for each connection)
- trackable (ssh server can write logs)
- secure for a firewall over one single tcp port (default port 22 but you can also use any port like 12345)
- not expensive

If you want to use a vpn software, there are two kinds of good layer 3 (ip) tunneling software: openvpn and ipsec. ipsec (in tunnelmode and ESP - encapsulated security payload) is a kernelbesed vpn (->fast) which is included into most serversystems. OpenVPN is a userspace vpn tunneling software which is very scalable and configurable (and its free). OpenVPN uses preshared keys or certificates for authentification.

But to summarize - I would not build up a tunnel for making a ftp connection. SCP is doing exactly that.

If you need help for one of my proposals please send me more information about your setup (OSes, Network).

Regards,

Mario
0
 
LVL 5

Expert Comment

by:kevinf40
ID: 16976923
Hi mario

sftp (SSH file Transfer Protocol or secure file transfer program/protocol) is actually newer and considered by many to be a better protocol than scp - indeed it was designed by the same working groupp who designed SSH-2, and is typically used with SSH-2 (where the SSH protocol provide the security around sftp's file transfer and manipulation functionality.

A comparison of the two protocols can be found here:
http://winscp.net/eng/docs/protocols

As long as your SCP implementation uses SSH-2 there is however little in security terms to separate the two so it's becomes a matter of preference.  Many SCP implementations still use SSH-1 (I think) which has serious published weaknesses, so this should be checked before choosing an implementation.

cheers

Kevin
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now