September 29, 2008
New version of WS_FTP Server is about to be released!
Details of the upcoming release of WS_FTP Server 7 are now posted on the Ipswitch website..... How exciting!!!
Looks like a very security-focused release with some great new capabilities. Personally, I'm looking forward to the new anti-hammering capability that will automatically blacklist IPs that are attempting to hack into the server. And the new FIPS verified cryptography is very impressive.... And the ability to use LDAP for external user authentication is something that will come in handy for many organizations!
Posted by Hugh Garber at 08:57 AM
September 22, 2008
Securing an FTP Server
Today's blog posting is for you server admins out there.... Here's a good list of tips to secure your file transfer server courtesy of The Real Ping blog.
I believe the first recommendation is critical: "Assigning access control rules for the files and directories on the FTP server will ensure greater safety for your files. This way, only privileged user accounts can access sensitive data on the FTP server, while non-privileged user accounts can access only general files."
And the other suggestions he lists out are also very smart and easy to implement administrative safeguards for protecting files and data. Here are a few of the suggestions:
• Run the FTP servers on a separate bastion host on the DMZ.
• Use a proxy system to forward requests to the FTP server.
• Discourage the use of anonymous FTP access.
• Log all access to files so it is easy to trace users.
• Use secureFTP or other similar protocols to secure the data and the command channels (i.e., SSL or SSH)
Two other suggestions I have: Rather than "discourage" anonymous FTP access, administrators should simply forbid it. And rather than simply allowing encrypted protocols like SSL and SSH, administrators should simply require connecting clients to use either encrypted SSL or SSH protocols.... And better yet, specify that it must be at 256-bit AES encryption strength.
Posted by Hugh Garber at 07:31 AM
September 18, 2008
FTPS versus SFTP...... Which to choose?
Sometimes lost in the confusing alphabet soup of FTP, SSL/FTPS and SSH/SFTP is a clear understanding of the differences between the various protocols.
A key takeaway is that basic FTP is not encrypted and that more and more folks are turning to encrypted protocols such as SSL and SSH for file transfers.
Generally speaking, I recommend setting up your server to support both flavors of encrypted communication protocols.... That will give your end users more options to securely connect to your server.
But there are some differences between the way FTPS and SFTP were implemented and each has some strengths and weaknesses. Here's a great post by IT Tutorial Solutions that goes into detail on the pros and cons of each.
FTPS Pros:
• Widely known and used
• The communication can be read and understood by a human
• Provides services for server-to-server file transfer
• SSL/TLS has good authentication mechanisms (X.509 certificate features)
• FTP and SSL/TLS support is built into many internet communication frameworks
FTPS Cons:
• Doesn't have a uniform directory listing format
• Requires a secondary DATA channel, which makes it hard to use behind the firewalls
• Doesn't define a standard for file name character sets (encodings)
• Not all FTP servers support SSL/TLS
• Doesn't have a standard way to get and change file and directory attributes
SFTP Pros:
• Has good standards background which strictly defines most (if not all) aspects of operations
• Has only one connection (no need for DATA connection)
• The connection is always secured
• The directory listing is uniform and machine-readable
• The protocol includes operations for permission and attribute manipulation, file locking and more functionality
SFTP Cons:
• The communication is binary and can't be logged "as is" for human reading
• SSH keys are harder to manage and validate
• The standards define certain things as optional or recommended, which leads to certain compatibility problems between different software titles from different vendors
• No server-to-server copy and recursive directory removal operations
• No built-in SSH/SFTP support in VCL and .NET frameworks
At the end of the day, both FTPS/SSL and SFTP/SSH deliver strong encryption and are both worthy of securing files that are being moved to and from your servers.
Posted by Hugh Garber at 08:42 AM
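The FTPS con about the secondary DATA channel, shown as an added example (not from the original post): once the control channel is encrypted, a firewall can no longer read the server's passive-mode reply, so the data port must fall inside a range opened in advance. The port range and addresses below are constructed assumptions.

```python
import re

# Reply formats: RFC 959 (227 PASV) and RFC 2428 (229 EPSV).
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")

def parse_data_endpoint(reply):
    """Return (host or None, port) advertised by a passive-mode reply."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("field out of range in 227 reply")
        # Port is sent as two bytes: high * 256 + low.
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError("port out of range in 229 reply")
        return None, port  # EPSV reuses the control connection's address
    raise ValueError("not a passive-mode reply")

def check_endpoint(reply, allowed_ports, control_host):
    """Compare the advertised data endpoint with what the firewall permits."""
    host, port = parse_data_endpoint(reply)
    problems = []
    if port not in allowed_ports:
        problems.append(f"port {port} is outside the opened range")
    if host is not None and host != control_host:
        # Typical of a server behind NAT advertising its internal address;
        # nothing on the path can rewrite the reply once it is encrypted.
        problems.append(f"advertised {host}, client connected to {control_host}")
    return port, problems

if __name__ == "__main__":
    opened = range(50000, 50101)   # constructed firewall rule
    for reply in ("227 Entering Passive Mode (203,0,113,10,195,80)",
                  "227 Entering Passive Mode (10,0,0,5,195,149)",
                  "229 Entering Extended Passive Mode (|||6446|)"):
        print(check_endpoint(reply, opened, "203.0.113.10"))
```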
FTP in 2 minutes
The Ipswitch File Transfer website has a quick movie on WS_FTP Professional.
Check it out!
http://www.ipswitchft.com/products/ws_ftp_professional/demo.asp
Posted by Erik Small at 08:19 AM
September 12, 2008
Using Secure FTP
Quick reminder for folks to switch over from unencrypted FTP client-server connections to secure connections over FTPS or SFTP protocols. FTPS is an SSL-based alternative to FTP; it's basically a flavor of FTP that has built-in encryption. And SFTP is another fantastic alternative that's based on the secure-shell (SSH) protocol. Both SFTP and FTPS provide secure and encrypted communications and will serve to protect any file transfer over client-server connections.
Here's some good advice from e-Consultancy.com: "FTP isn't perfect; one of its biggest flaws is that usernames and passwords are sent in clear text. That means that every time you use your website's FTP server, there is the possibility that a hacker could intercept your username and password and gain access to your website."
And of course, their recommended solution: "Secure FTP (SFTP) is a file transfer protocol based on the Secure Shell protocol, and as its name suggests, it is designed to provide a more secure means to transfer files between computers. Because of this, I personally advise all my clients to ditch FTP and set up SFTP."
Posted by Hugh Garber at 06:25 AM
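An added example (not from the original posts) that audits server-side FTP session logs against the rules in "Securing an FTP Server" and the clear-text password problem described above: no anonymous logins, no password before the control channel is encrypted, and no transfer on an unprotected data channel. It assumes explicit FTPS (AUTH TLS, RFC 4217) and a constructed log layout of (command, reply code) pairs.

```python
# Commands that open a data connection.
DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}

def audit_session(entries):
    """Return policy violations for one session of (command, reply_code) pairs."""
    tls = False    # True once AUTH TLS is accepted (reply 234)
    prot = "C"     # data channel stays Clear until PROT P is accepted
    user = None
    findings = []
    for command, code in entries:
        verb, _, arg = command.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and code == 234:
            tls = True
        elif verb == "PROT" and tls and code == 200:
            prot = arg.upper()
        elif verb == "USER":
            user = arg
            if arg.lower() in ("anonymous", "ftp") and code < 400:
                findings.append("anonymous login not refused")
        elif verb == "PASS" and not tls:
            # Exposed on the wire whether or not the server accepted it.
            findings.append(f"password for {user} sent in clear text")
        elif verb in DATA_CMDS and code < 400 and prot != "P":
            findings.append(f"{verb} allowed on unprotected data channel")
    return findings

# Constructed sample sessions; passwords masked as a server log would show them.
SESSIONS = {
    "s1": [("USER alice", 331), ("PASS ********", 230), ("RETR payroll.csv", 150)],
    "s2": [("AUTH TLS", 234), ("USER bob", 331), ("PASS ********", 230),
           ("PASV", 227), ("STOR report.pdf", 150)],
    "s3": [("AUTH TLS", 234), ("PBSZ 0", 200), ("PROT P", 200),
           ("USER carol", 331), ("PASS ********", 230), ("LIST", 150)],
    "s4": [("AUTH TLS", 234), ("USER anonymous", 331)],
}

def audit_all(sessions):
    """Map each session id to its list of violations (empty list = compliant)."""
    return {sid: audit_session(entries) for sid, entries in sessions.items()}

if __name__ == "__main__":
    for sid, findings in audit_all(SESSIONS).items():
        print(sid, findings or "ok")
```

Session s2 is the case that is easy to miss: the login is encrypted, but without `PROT P` the file contents still cross the network in the clear.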
September 05, 2008
Are you Chromed?
If you haven't seen it already, Google released its new browser called Chrome this week. I downloaded it and have been lightly using it for a couple days. It's definitely a 'clean & simple' approach for an internet browser.
Now that I'm running IE, Firefox, and Chrome all at the same time, I need to start thinking which browser to use exclusively to de-clutter my desktop.
Check out Google Chrome and download it Free here:
Posted by Erik Small at 08:50 AM
