FTP transfer security 'data in transit'

pma111
We have an internal FTP server that is used to transfer files to an external company for processing. I want to provide some assurances that the transfer is secure. The client software is FileZilla. What kinds of checks should be performed to ensure the security of the data in transit, and can this all be reviewed from the FTP server itself?
Distinguished Expert 2018
Commented:
Well, you should be checking how the server is configured. You'd want to be sure that you can only connect using SFTP (FTP over SSH) or FTPS (FTP over SSL). Which FTP server are you using?
Most Valuable Expert 2011
Top Expert 2016
Commented:
I've used FileZilla, and I'm glad to be over it. I find WinSCP to be much friendlier!
https://winscp.net/eng/index.php

In any message transfer you want to verify that the data sent and received is exactly the same. This is called message authentication, and it involves sending both the message and a hash. At the receiving end, the recipient takes the message, hashes it, and compares the hash. If the hashes match, you can be certain that the message arrived intact. But that only covers the fact that a message was received intact. A more important question may be "where did the message come from?" For this, we use origin verification. The recipient sends the message authentication hash back to the expected point of origin. The origin compares the hash to the hash in the message it just sent. If the hashes do not match, the expected point of origin did not send the message, and it must be discarded.

For details, see Encryption with OpenSSL, Message Authentication, and Origin Verification in this article:
https://www.experts-exchange.com/articles/28835/Keeping-Secrets-with-PHP.html

Author

Commented:
@mansrock - it is Windows Server running IIS.

Can you give some specific pointers on this:
"Well, you should be checking how the server is configured."
Distinguished Expert 2018
Commented:
Well, IIS itself only supports FTPS. If you wanted SFTP, you'd literally have to install an FTP server that supports it. Here's a guide that can assist you with getting FTPS set up and blocking insecure connections: https://winscp.net/eng/docs/guide_windows_ftps_server
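One way to review the FTPS policy from the IIS host itself, as the thread suggests: an added example (not from the thread, from Microsoft, or from the WinSCP guide) that parses the site's ftpServer/security/ssl settings out of applicationHost.config and flags anything short of "TLS required on both channels". The site name and the config fragment are constructed; the attribute names follow the IIS FTP configuration schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample applicationHost.config fragment (not a real server's file):
# the control channel requires TLS, but the data channel merely allows it and
# the 128-bit minimum is off, which is exactly the kind of gap to flag.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="FTP Site" id="2">
        <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
        <ftpServer>
          <security>
            <ssl serverCertHash="PLACEHOLDER_THUMBPRINT" serverCertStoreName="My"
                 controlChannelPolicy="SslRequire" dataChannelPolicy="SslAllow"
                 ssl128="false" />
          </security>
        </ftpServer>
      </site>
    </sites>
  </system.applicationHost>
</configuration>"""

# Values the site must carry for TLS to be enforced on both channels, with the
# IIS default that applies when the attribute is absent (SslAllow / SslAllow / false).
REQUIRED = {
    "controlChannelPolicy": ("SslRequire", "SslAllow"),
    "dataChannelPolicy": ("SslRequire", "SslAllow"),
    "ssl128": ("true", "false"),
}


def audit_ftps(config_xml: str, site_name: str) -> list:
    """Return findings for the named FTP site; an empty list means TLS is enforced."""
    root = ET.fromstring(config_xml)
    site = root.find(f".//sites/site[@name='{site_name}']")
    if site is None:
        return [f"site '{site_name}' not found"]
    ssl = site.find("ftpServer/security/ssl")
    if ssl is None:
        # No <ssl> element at all: IIS falls back to SslAllow, so plaintext logins succeed.
        return ["no <ssl> element: plaintext FTP is accepted on both channels"]
    findings = []
    if not ssl.get("serverCertHash"):
        findings.append("no server certificate bound (serverCertHash empty)")
    for attr, (want, default) in REQUIRED.items():
        got = ssl.get(attr, default)
        if got.lower() != want.lower():
            findings.append(f"{attr}={got} (want {want})")
    return findings


if __name__ == "__main__":
    for line in audit_ftps(SAMPLE_CONFIG, "FTP Site") or ["OK: TLS required on both channels"]:
        print(line)
```

On the server, feed it the contents of %windir%\System32\inetsrv\config\applicationHost.config and the real site name instead of the sample.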

Author

Commented:
Is SFTP more secure than FTPS? Or what are the benefits of one over the other, if any?
Distinguished Expert 2018
Commented:
It's really more a matter of preference than anything. Here is an article that discusses 3 options (SCP being the other): http://searchsecurity.techtarget.com/answer/Which-Internet-protocol-is-more-secure-FTPS-or-SCP

FileZilla will work with FTPS and SFTP, but not SCP. From a firewall standpoint, SFTP is simpler. From an existing server standpoint, FTPS would be simpler in your case. Had you not already had FTP in place, then it wouldn't matter. Think of SFTP and FTPS as different approaches to the same goal, but your choice of which path to take. In your case, I would go FTPS since you already have IIS in use.
SCP and SFTP are not provided by IIS nor any other MS tool AFAIK. They are much safer than FTPS, but FTPS is probably good enough. How sensitive is that data?
Natty Greg, In Theory (IT)
Commented:
A site-to-site VPN will ensure the integrity of your file upload; other than that, you just have to trust that the server is properly configured and secured.

Author

Commented:
It's more transaction data rather than personal or financially sensitive data.
Distinguished Expert 2018

Commented:
Got it, but you need it secure in transit over FTP. I would still say FTPS is your best bet.
Given the fact you work with a third party, manually encrypting and decrypting looks complex to set up and additionally not really useful.

Given the fact you already have an existing working FTP server that only does FTPS, pick this. If you're using an IIS server open on the internet and the remote side performs the transfers manually using FileZilla, the least secure element is clearly not the file transfer, so don't bother too much.

But replacing that IIS server or using a relay server with SSH could be an idea one of these days, if you feel there are people who will be able to keep it in working order.

BTW, a simple HTTPS server with a simple password and possibly limited access (only by IPs the third party owns) is quite equivalent in terms of security, if not better.
Distinguished Expert 2018

Commented:
Answered sufficiently
