Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
FTP transfer security 'data in transit'
We have an internal FTP server that is used to transfer files to an external company for processing. I want to provide some assurances that the transfer is secure. the client software is filezilla. What kinds of checks should be performed to ensure the security of the data in transit, and can this all be reviewed from the FTP server itself?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Well, you should be checking how the server is configured. You'd want to be sure that you can only connect using SFTP (FTP over SSH) or FTPS (FTP over SSL). Which FTP server are you using?
I've used FileZilla, and I'm glad to be over it. I find WinSCP to be much friendlier!
https://winscp.net/eng/index.php
In any message transfer you want to verify that the data sent and received is exactly the same. This is called message authentication, and it involves sending both the message and a hash. At the receiving end, the recipient takes the message, hashes it, and compares the hash. If the hashes match, you can be certain that the message arrived intact. But that only covers the fact that a message was received intact. A more important question may be "where did the message come from?" For this, we use origin verification. The recipient sends the message authentication hash back to the expected point of origin. The origin compares the hash to the hash in the message it just sent. If the hashes do not match, the expected point of origin did not send the message, and it must be discarded.
For details, see Encryption with OpenSSL, Message Authentication, and Origin Verification in this article
https://www.experts-exchange.com/articles/28835/Keeping-Secrets-with-PHP.html
https://winscp.net/eng/index.php
In any message transfer you want to verify that the data sent and received is exactly the same. This is called message authentication, and it involves sending both the message and a hash. At the receiving end, the recipient takes the message, hashes it, and compares the hash. If the hashes match, you can be certain that the message arrived intact. But that only covers the fact that a message was received intact. A more important question may be "where did the message come from?" For this, we use origin verification. The recipient sends the message authentication hash back to the expected point of origin. The origin compares the hash to the hash in the message it just sent. If the hashes do not match, the expected point of origin did not send the message, and it must be discarded.
For details, see Encryption with OpenSSL, Message Authentication, and Origin Verification in this article
https://www.experts-exchange.com/articles/28835/Keeping-Secrets-with-PHP.html
@mansrock - it is windows server running IIS.
Can you give some specific pointers :
Can you give some specific pointers :
"Well, you should be checking how the server is configured. "
Well, IIS itself only supports FTPS. If you wanted SFTP, you'd literally have to install a FTP server that supports it. Here's a guide that can assist you with getting FTPS set up and block insecure connections: https://winscp.net/eng/doc
It's really more a matter of preference than anything. Here is an article that discusses 3 options (SCP being the other): http://searchsecurity.tech
FileZilla will work with FTPS and SFTP, but not SCP. From a firewall standpoint, SFTP is simpler. From an existing server standpoint, FTPS would be simpler in your case. Had you not already had FTP in place, then it wouldn't matter. Think of SFTP and FTPS as different approaches to the same goal, but your choice of which path to take. In your case, I would go FTPS since you already have IIS in use.
FileZilla will work with FTPS and SFTP, but not SCP. From a firewall standpoint, SFTP is simpler. From an existing server standpoint, FTPS would be simpler in your case. Had you not already had FTP in place, then it wouldn't matter. Think of SFTP and FTPS as different approaches to the same goal, but your choice of which path to take. In your case, I would go FTPS since you already have IIS in use.
scp and sftp are not provided by IIS not any other ms tool afaik. they are much safer than ftps but ftps is probably good enough. how sensitive is that data ?
A site to site vpn will ensure the integrity of your file upload other than you just have to trust the server is properly configured and secured.
given the fact you work with a third-party, manually encrypting and decrypting looks complex to setup and additionally not really useful.
given the fact you already have an existing working FTP server that only does FTPS, pick this. If you're using a IIS server open on the internet and the remote side performs the transfers manually using filezilla, the least secure element is clearly not the file transfer. so don't bother too much.
but replacing that IIS server or using a relay server with ssh could be an idea one of these days if you feel there are people who will be able to keep it in working order.
btw a simple https server with a simple password and possibly limited access ( only by ips the third party owns ) is quite equivalent in terms of security if not better.
given the fact you already have an existing working FTP server that only does FTPS, pick this. If you're using a IIS server open on the internet and the remote side performs the transfers manually using filezilla, the least secure element is clearly not the file transfer. so don't bother too much.
but replacing that IIS server or using a relay server with ssh could be an idea one of these days if you feel there are people who will be able to keep it in working order.
btw a simple https server with a simple password and possibly limited access ( only by ips the third party owns ) is quite equivalent in terms of security if not better.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial