

Secure Ftp via MS CryptoAPI

Posted on 2007-10-03
Medium Priority
Last Modified: 2013-11-29
Securing FTP using the Microsoft Enhanced Provider CryptoAPI
Just wondering if anyone has used this encryption to secure FTP transmissions. The algorithms
to be used are RSA and RC4.
My company outsources payroll and the vendor wants to implement this method of transmission.
My concern is that they also want unrestricted inbound traffic to transmit back using all ports
greater than 1024. I am currently behind a PIX 515 firewall.
Any thoughts will be greatly appreciated.
Thanks in advance
Question by: proj2005
LVL 57

Expert Comment

ID: 20011112
--> My concern is that they also want unrestricted inbound traffic to transmit back using all ports
greater than 1024.

Not sure what you mean by this.  Normally when a client initiates a connection the source port is a port 1024 or above.  This is perfectly normal.

What do you mean by "unrestricted" traffic?  Do you mean non-ftp?

Author Comment

ID: 20011841
giltjr, thanks for your response.
They will be compressing a file and sending it back to us via FTP.
I'm not sure what they mean either. I have a conference call with them tomorrow @ 2pm along
with my other sister companies. The call is to basically express any concerns. I feel more
comfortable with you saying that these ports are perfectly normal.
 Would I have to configure an access-list in the PIX to allow them to use any of these ports?
 Assuming they can provide me a static IP address.

LVL 57

Expert Comment

ID: 20013165
If you are doing standard non-encrypted FTP the PIX will see what ports the data connection is using and automatically allow the data connections through.  However, if the control/command connection is encrypted, then the PIX can't see what port is being used for the data connection and can't do this.

If they are sending the file back to you, this means you are the FTP server.  If you are the FTP server then you can control which ports are used for the data connection.  

Typically how this works is that the SSL FTP server is configured to use a finite range of ports for the data connections, say 9000-9010.  Also SSL FTP is typically doing passive data connections, that is the client initiates the data connection to the server.  So if you are the server and you are using passive data connections, you would code an ACL in your PIX that would allow their specific client IP address to use any high port to connect to your FTP servers IP address with a port range of 9000-9010.  




Author Comment

ID: 20015006
You seem very well versed, I'm impressed.
I will be in at work at noon today; I'm getting ready to take 70-290 tomorrow. I need to reference
their memo and provide you more info...
On top of all this my PIX has reached its end-of-life and there is no support from Cisco.
Your time and effort are greatly appreciated.
Thanx Much!

Author Comment

ID: 20017327
Hello giltjr, here is the overview info from our vendor:
1) On the client's transmission PC data is gathered, compressed into one file, and encrypted via the Microsoft Enhanced Provider CryptoAPI.  Upon connection, the MyVendor NSC FTP server validates the user based on name and password.  When the file is transmitted it is authenticated by its unique naming convention (versus contents), thereby ensuring that the active session has access to the client's own directories on the FTP server.  The FTP transmission process uses an active mode session between the client's transmission PC and the MyVendor NSC FTP server.  Active FTP mode is a Pleasanton NSC requirement.
2) MyVendor's NSC digitally signs the data before starting the FTP session. Once the client receives the data, the public key is employed to verify the digital signature and decrypt the file.

3) The client's firewall must allow the following:
     1. Unrestricted outbound traffic from the transmission payroll workstation to Q.MYVENDOR.COM
         on TCP port 21.
     2. Unrestricted inbound traffic from Q.MYVENDOR.COM to the transmission payroll workstation on all
         TCP ports greater than 1024.
Thanks again, hope to hear from you soon.
LVL 57

Expert Comment

ID: 20019094
Umm, O.K. To make sure: this sounds like the FTP session is "clear text", but the file is encrypted.  This means you are not using SSL FTP.  

O.K. For active FTP the FTP server actually initiates the connection to the FTP client.  The server always uses a source port of 20.  So what you want to set up your PIX for is to allow active FTP, which is actually quite safe using PIX.

Which version of PIX are you using?

Author Comment

ID: 20019172
Cisco PIX Firewall Version 6.3(5)125
Hardware:   PIX-515, 32 MB RAM, CPU Pentium 200 MHz
LVL 57

Accepted Solution

giltjr earned 2000 total points
ID: 20019237
O.K.  If there is a single IP address for the FTP server, then what you need is to allow the PC that will be used as the client to connect to the FTP server on port 21 (ftp):

   access-list allow_out permit tcp host a.a.a.a host b.b.b.b eq ftp

Where a.a.a.a is the IP address of the PC that you will be using as the FTP client and b.b.b.b is the IP address of the remote FTP server.   You will also want to have:

   fixup protocol ftp 21

This should be it.
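The two firewall situations discussed in this thread (the clear-text control channel that "fixup protocol ftp 21" can inspect, and the encrypted control channel that forces a static ACL against a fixed passive port range) can be made concrete in code. The following is an added example, not code from the thread or from Cisco: it models what a stateful FTP inspector has to read off the control channel (PORT commands and 227 responses) to open a data-connection pinhole, and what a fixed ACL can still permit once nothing can be read. The addresses, the 9000-9010 range and the sample FTP dialogue are constructed for the example; the two sanity checks on announced endpoints are sensible inspector behaviour, not a claim about what the PIX does.

```python
# Added example: model of stateful FTP inspection vs. a static passive-range ACL.
# Not from the thread or from Cisco; addresses and dialogue are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataConn:
    """The TCP data connection the firewall must let through."""
    initiator: str            # "server" (active mode) or "client" (passive mode)
    src_ip: str
    src_port: Optional[int]   # 20 for active mode; None = any ephemeral port
    dst_ip: str
    dst_port: int


def _decode(h1, h2, h3, h4, p1, p2):
    # FTP encodes an endpoint as six decimal numbers: four address octets, two port bytes.
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def inspect_control_line(line: str, client_ip: str, server_ip: str) -> Optional[DataConn]:
    """Return the data connection announced by one control-channel line, or None.

    Before opening a pinhole, refuse an announced endpoint that does not belong
    to the peer announcing it (otherwise the hole points at a third host, the
    classic FTP bounce) and refuse privileged ports.
    """
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode(*m.groups())
        if ip != client_ip:
            raise ValueError(f"PORT announces {ip}, not the client {client_ip}")
        if port < 1024:
            raise ValueError(f"PORT announces privileged port {port}")
        # Active mode: the server connects from port 20 to the client's announced port.
        return DataConn("server", server_ip, 20, ip, port)
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode(*m.groups())
        if ip != server_ip:
            raise ValueError(f"227 announces {ip}, not the server {server_ip}")
        if port < 1024:
            raise ValueError(f"227 announces privileged port {port}")
        # Passive mode: the client connects from an ephemeral port to the server's port.
        return DataConn("client", client_ip, None, ip, port)
    return None


def rejects(line: str, client_ip: str, server_ip: str) -> bool:
    """True if the inspector refuses to open a pinhole for this line."""
    try:
        inspect_control_line(line, client_ip, server_ip)
    except ValueError:
        return True
    return False


def pinholes_from_session(lines: List[str], client_ip: str, server_ip: str) -> List[DataConn]:
    """Run inspection over a whole clear-text control-channel transcript."""
    holes = []
    for line in lines:
        conn = inspect_control_line(line, client_ip, server_ip)
        if conn is not None:
            holes.append(conn)
    return holes


def allowed_by_static_range(conn: DataConn, server_ip: str, lo: int, hi: int) -> bool:
    """What a fixed ACL can express when the control channel is encrypted and
    inspection is impossible: client-initiated (passive) connections to a
    known server port range. A server-initiated (active) connection to an
    arbitrary client high port cannot be written down in advance, short of
    opening every port above 1024, which is what the vendor memo asks for."""
    return conn.initiator == "client" and conn.dst_ip == server_ip and lo <= conn.dst_port <= hi


# Constructed transcript: one active-mode and one passive-mode transfer.
CLIENT, SERVER = "192.0.2.10", "198.51.100.21"
SAMPLE_SESSION = [
    "220 Service ready",
    "USER payroll",
    "331 Password required",
    "PASS ********",
    "230 Logged in",
    "PORT 192,0,2,10,16,39",                            # client offers 192.0.2.10:4135
    "200 PORT command successful",
    "STOR payroll-2007-10.enc",
    "PASV",
    "227 Entering Passive Mode (198,51,100,21,35,41)",  # server offers 198.51.100.21:9001
    "RETR ack.enc",
]

if __name__ == "__main__":
    for hole in pinholes_from_session(SAMPLE_SESSION, CLIENT, SERVER):
        print(hole, "-> static ACL 9000-9010 suffices:", allowed_by_static_range(hole, SERVER, 9000, 9010))
```

Run against the constructed transcript, the active-mode transfer yields a server-to-client pinhole (198.51.100.21:20 to 192.0.2.10:4135) that only inspection can open, while the passive-mode transfer yields a client-to-server connection to port 9001 that a static ACL for the range 9000-9010 already covers; that is the difference between the vendor's "all ports greater than 1024" request and the fixed passive range the earlier comment recommends.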


Author Comment

ID: 20019347
I entered comments and accepted at the same time and the comments didn't save.
That seems pretty straightforward for me. I do have the FTP protocol fixed up with
ports 20, 21... You seem pretty knowledgeable with PIX configs. I am hosting an FTP
web site via Win2003/IIS; I need to transition over to at least WebDAV or read more into
other means of encryption... but that's another big project... You've been a great help to me
and I really appreciate it.
Thanks a Mil !
LVL 57

Expert Comment

ID: 20019375
You do not need the fixup for port 20.  In fact doing fixup for port 20 could cause problems.

Ref:  http://www.experts-exchange.com/Security/Software_Firewalls/Q_22127706.html

Not that knowledgeable about PIX; I've done some configuration on PIX 7.0.  But I do know about FTP.

Hosting an FTP server is basically the same thing, but you want to "reverse" it.  That is, apply the ACL to your outside interface, something like:

   access-list allow_in permit tcp any host c.c.c.c eq ftp

Where c.c.c.c is the IP address of your FTP server.  As this is on the outside interface, c.c.c.c should be the public IP address of your FTP server.

Author Comment

ID: 20019614
As far as my FTP, it is being accessed from the outside with the external IP.
I meant that there is no encryption whatsoever out of the box with Win2003 and IIS 6.0.
Have you worked with WebDAV?
Thanks again
