FTP transfer security 'data in transit'

We have an internal FTP server that is used to transfer files to an external company for processing. I want to provide some assurances that the transfer is secure. the client software is filezilla. What kinds of checks should be performed to ensure the security of the data in transit, and can this all be reviewed from the FTP server itself?
LVL 4
pma111Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

masnrockCommented:
Well, you should be checking how the server is configured. You'd want to be sure that you can only connect using SFTP (FTP over SSH) or FTPS (FTP over SSL). Which FTP server are you using?
1
Ray PaseurCommented:
I've used FileZilla, and I'm glad to be over it.  I find WinSCP to be much friendlier!
https://winscp.net/eng/index.php

In any message transfer you want to verify that the data sent and received is exactly the same.  This is called message authentication, and it involves sending both the message and a hash.  At the receiving end, the recipient takes the message, hashes it, and compares the hash.  If the hashes match, you can be certain that the message arrived intact.  But that only covers the fact that a message was received intact.  A more important question may be "where did the message come from?"  For this, we use origin verification.  The recipient sends the message authentication hash back to the expected point of origin.  The origin compares the hash to the hash in the message it just sent.  If the hashes do not match, the expected point of origin did not send the message, and it must be discarded.

For details, see Encryption with OpenSSL, Message Authentication, and Origin Verification in this article
https://www.experts-exchange.com/articles/28835/Keeping-Secrets-with-PHP.html
0
pma111Author Commented:
@mansrock - it is windows server running IIS.

Can you give some specific pointers :
"Well, you should be checking how the server is configured. "
0
Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

masnrockCommented:
Well, IIS itself only supports FTPS. If you wanted SFTP, you'd literally have to install a FTP server that supports it. Here's a guide that can assist you with getting FTPS set up and block insecure connections: https://winscp.net/eng/docs/guide_windows_ftps_server
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pma111Author Commented:
Is SFTP more secure than FTPS? Or what are the benefits of one over the other, if any?
0
masnrockCommented:
It's really more a matter of preference than anything. Here is an article that discusses 3 options (SCP being the other): http://searchsecurity.techtarget.com/answer/Which-Internet-protocol-is-more-secure-FTPS-or-SCP

FileZilla will work with FTPS and SFTP, but not SCP. From a firewall standpoint, SFTP is simpler. From an existing server standpoint, FTPS would be simpler in your case. Had you not already had FTP in place, then it wouldn't matter. Think of SFTP and FTPS as different approaches to the same goal, but your choice of which path to take. In your case, I would go FTPS since you already have IIS in use.
0
skullnobrainsCommented:
scp and sftp are not provided by IIS not any other ms tool afaik. they are much safer than ftps but ftps is probably good enough. how sensitive is that data ?
0
Natty GregIn Theory (IT)Commented:
A site to site vpn will ensure the integrity of your file upload other than you just have to trust the server is properly configured and secured.
0
pma111Author Commented:
its more transaction data rather than personal or financially sensitive.
0
masnrockCommented:
Got it, but you need it secure in transit over FTP. I would still say FTPS is your best bet.
0
skullnobrainsCommented:
given the fact you work with a third-party, manually encrypting and decrypting looks complex to setup and additionally not really useful.

given the fact you already have an existing working FTP server that only does FTPS, pick this. If you're using a IIS server open on the internet and the remote side performs the transfers manually using filezilla, the least secure element is clearly not the file transfer. so don't bother too much.

but replacing that IIS server or using a relay server with ssh could be an idea one of these days if you feel there are people who will be able to keep it in working order.

btw a simple https server with a simple password and possibly limited access ( only by ips the third party owns ) is quite equivalent in terms of security if not better.
0
masnrockCommented:
Answered sufficiently
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
FTP

From novice to tech pro — start learning today.