FTP and it's security

Gurus,

Everyone knows that FTP is inherently insecure. What with it's passwords
sent in clear text and the un-encrypted data stream. But what about using a
program like WinZip to encrypt the data that is being FTP'd? Wouldn't that
meet today's security standards, especially in a situation where an FTP
hosts only accepts data from a certain IP address?

We have a government manager who says FTP is insecure and wants to implement
an SSH solution. I say we have no time to do that an that WinZip encrypting
the documents being FTP'd out are good enough. I don't need more work I am
already busy enough.

--
Spin

Scott
Mon Jul 10 19:03:58 CDT 2006

Why not upload/download via https?

http://eprint.iacr.org/2004/078.pdf




"Spin" <Spin@spin.com> wrote in message
news:4hg7d0F1qsc90U1@individual.net...
> Gurus,
>
> Everyone knows that FTP is inherently insecure. What with it's passwords
> sent in clear text and the un-encrypted data stream. But what about using
> a program like WinZip to encrypt the data that is being FTP'd? Wouldn't
> that meet today's security standards, especially in a situation where an
> FTP hosts only accepts data from a certain IP address?
>
> We have a government manager who says FTP is insecure and wants to
> implement an SSH solution. I say we have no time to do that an that
> WinZip encrypting the documents being FTP'd out are good enough. I don't
> need more work I am already busy enough.
>
> --
> Spin
>
>

Steven
Mon Jul 10 19:12:22 CDT 2006

I would agree that SSH or something along those lines that encrypts the
networking traffic is a better solution that may also be able to insure
integrity. Ipsec can be used on the internal network. WinZip will do nothing
to protect against password sniffing if that is a possibility and also I
believe that cracking WinZip files may not be all that difficult in some if
not most cases. However if it is your call then it is up to as you what you
want to as we don't know how sensitive your data and password are and what
the consequences would be if they are compromised. --- Steve


"Spin" <Spin@spin.com> wrote in message
news:4hg7d0F1qsc90U1@individual.net...
> Gurus,
>
> Everyone knows that FTP is inherently insecure. What with it's passwords
> sent in clear text and the un-encrypted data stream. But what about using
> a program like WinZip to encrypt the data that is being FTP'd? Wouldn't
> that meet today's security standards, especially in a situation where an
> FTP hosts only accepts data from a certain IP address?
>
> We have a government manager who says FTP is insecure and wants to
> implement an SSH solution. I say we have no time to do that an that
> WinZip encrypting the documents being FTP'd out are good enough. I don't
> need more work I am already busy enough.
>
> --
> Spin
>
>

Roger
Tue Jul 11 01:04:43 CDT 2006

The manager is correct in wanting this changed.

Sending pwd protected zip is not addressing the clear text AuthN of FTP.
As someone could sniff the traffic (yes, you did say IP to defined IP set),
and assume that you do not have in place a process to regularly change
the pwd used on the zip, etc. they feasibly could collect sufficiently large
sample of you zips to defeat what you have put in place.

Use Secure FTP, or your existing FTP solution where IPsec policy
forces all traffic to be within ESP encapsulation, or an HTTPS based
up/download.

"Spin" <Spin@spin.com> wrote in message
news:4hg7d0F1qsc90U1@individual.net...
> Gurus,
>
> Everyone knows that FTP is inherently insecure. What with it's passwords
> sent in clear text and the un-encrypted data stream. But what about using
> a program like WinZip to encrypt the data that is being FTP'd? Wouldn't
> that meet today's security standards, especially in a situation where an
> FTP hosts only accepts data from a certain IP address?
>
> We have a government manager who says FTP is insecure and wants to
> implement an SSH solution. I say we have no time to do that an that
> WinZip encrypting the documents being FTP'd out are good enough. I don't
> need more work I am already busy enough.
>
> --
> Spin
>
>

Ian
Tue Jul 11 05:44:01 CDT 2006

Filezilla Server in TLS mode is pretty secure. For a long time we used this
as our 'intranet' as it worked considerably better than VPN for users on slow
or dodgy connections in the Middle East.

The main point with any FTP server is to ONLY allow uploads to specified
areas. That way, if a password is leaked the damage that can be done is
limited. We handled this by putting an '!Upload' folder in each disk area and
making this writeable. (The ! puts it at the top of the folder-list for
convenience) The rest of the disk-area was readonly to FTP.

We had several determined attempts to compromise our standard FTP server
(none succeeded but the frequency of them became worrying, causing us to look
for another solution) -But very few attempts on the TLS server.

http://filezilla.sourceforge.net

The other main option is to use a standard FTP server, and tunnel the
connection through SSH or Zebedee. In this case, the encryption-key can be
predefined which adds another layer of security, since even if a password is
leaked, that password will only be of use on a company computer which has the
key.

-------------------------------

An alternative approach to XP network logon - http://mylogon.net

Neteng
Tue Jul 11 08:15:25 CDT 2006

The lower down the OSI model you can encrypt, the more secure it is
(generally). Implement HTTPS or S/FTP, easy to setup and meets your security
requirements.

"Spin" <Spin@spin.com> wrote in message
news:4hg7d0F1qsc90U1@individual.net...
> Gurus,
>
> Everyone knows that FTP is inherently insecure. What with it's passwords
> sent in clear text and the un-encrypted data stream. But what about using
a
> program like WinZip to encrypt the data that is being FTP'd? Wouldn't
that
> meet today's security standards, especially in a situation where an FTP
> hosts only accepts data from a certain IP address?
>
> We have a government manager who says FTP is insecure and wants to
implement
> an SSH solution. I say we have no time to do that an that WinZip
encrypting
> the documents being FTP'd out are good enough. I don't need more work I
am
> already busy enough.
>
> --
> Spin
>
>

levinson_k
Tue Jul 11 09:59:02 CDT 2006


"Roger Abell [MVP]" wrote:

> The manager is correct in wanting this changed.

Well, I would say it depends on what your security requirements are and the
sensitivity of the data being protected. It is not true that FTP is
insecure, it depends on how you use it. FTP is fine for example if you
permit anonymous FTP with no password for downloading files, such as
antivirus updates. You might also be able to restrict which IP addresses can
access the files. IP address spoofing is non-trivial to do with TCP
applications like FTP.

If more security is needed, you have several choices: SSH, FTPS, SFTP, and
WebDAV over HTTPS. The last option is the only option that you can do with
an ordinary browser, without needing to obtain and install new client
software on all interested clients. See www.webdav.org for some example
solutions. This might reduce your overhead, if you have a lot of clients
that are outside your control.

With all of these solutions, you have the possibility of additional
administrative overhead of generating and maintaining user accounts... and
then forcing those passwords to expire and change, and making sure good ones
are chosen, can be problematic.

Note that there are some vulnerabilities with SSH, SSL, etc.... a man in the
middle can sniff your password very easily, and most users would not notice.
The user may get a warning, which is often ignored. Use of client
certificates might reduce the chance of this happening, but then you have to
generate and distribute the client certificates.

-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info

Robert
Tue Jul 11 15:47:28 CDT 2006

Spin wrote:
> Gurus,
>
> Everyone knows that FTP is inherently insecure. What with it's
> passwords sent in clear text and the un-encrypted data stream. But
> what about using a program like WinZip to encrypt the data that is
> being FTP'd? Wouldn't that meet today's security standards,
> especially in a situation where an FTP hosts only accepts data from a
> certain IP address?
> We have a government manager who says FTP is insecure and wants to
> implement an SSH solution. I say we have no time to do that an that
> WinZip encrypting the documents being FTP'd out are good enough. I
> don't need more work I am already busy enough.

"good enough" depends on how secure you need it to be. The impact of the
risk of an item being compromised actually happening, in other words. For
anything beyond the trivial, I'd be unhappy with encrypting files with
winzip for a number of reasons.

1) You're relying on the users remembering to always "encrypt" files.

2) You're relying on users always picking good passwords when they
"encrypt" files and not using the same password for files that go to
different organisations (or even different people with different access in
the same organisation).

3) You're relying on the Winzip password mechanism being secure.

4) You're relying on there being a secure method of exchanging passwords
with just the people that are meant to have them. And no, emailing them
the password isn't secure.

It's up to you, but I wouldn't be overly happy with that as a solution.

--
--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ -
http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".

Karl
Tue Jul 11 21:39:48 CDT 2006


"Robert Moir" <robspamtrap+msnews@gmail.com> wrote in message
news:OUAO5sSpGHA.4188@TK2MSFTNGP03.phx.gbl...

> It's up to you, but I wouldn't be overly happy with that as a solution.

On the other hand, for protecting antivirus updates, it's too much
security...

It's true that Winzip encryption ranges from trivial to crack to fairly
secure for now, depending on what version and settings you're using.
There's also PGP and other file encryption methods, all with some risk and
administrative overhead. As mentioned before, IPSec may be an easy option
for encrypting FTP without installing new file transfer client software,
just remember that TCP port 21 is only one of the two channels used, and the
ports used for the second data transfer session varies depending on whether
Active or Passive FTP is used.

Roger
Tue Jul 11 22:39:25 CDT 2006


"Karl Levinson [x y], mvp" <levinson_k@despammed.com> wrote in message
news:CEED64DC-460B-42C2-84A2-4FC782E1495A@microsoft.com...
>
> "Roger Abell [MVP]" wrote:
>
>> The manager is correct in wanting this changed.
>
> Well, I would say it depends on what your security requirements are and
> the
> sensitivity of the data being protected. It is not true that FTP is
> insecure, it depends on how you use it. FTP is fine for example if you
> permit anonymous FTP with no password for downloading files, such as
> antivirus updates. You might also be able to restrict which IP addresses
> can
> access the files. IP address spoofing is non-trivial to do with TCP
> applications like FTP.
>

Agreed, unauthenticated FTP for download of non-sensitive data is
not inherently problematic. Any other use of FTP however, is if naked
on the network. I took the implications of the poster to indicate that
they were not using unauthenticated download, and hence had some
degree of concern that they protect to whom that data is made visible.


> If more security is needed, you have several choices: SSH, FTPS, SFTP, and
> WebDAV over HTTPS. The last option is the only option that you can do
> with
> an ordinary browser, without needing to obtain and install new client
> software on all interested clients. See www.webdav.org for some example
> solutions. This might reduce your overhead, if you have a lot of clients
> that are outside your control.
>
> With all of these solutions, you have the possibility of additional
> administrative overhead of generating and maintaining user accounts... and
> then forcing those passwords to expire and change, and making sure good
> ones
> are chosen, can be problematic.
>
> Note that there are some vulnerabilities with SSH, SSL, etc.... a man in
> the
> middle can sniff your password very easily, and most users would not
> notice.
> The user may get a warning, which is often ignored. Use of client
> certificates might reduce the chance of this happening, but then you have
> to
> generate and distribute the client certificates.
>
> -------------------------
> Microsoft Security FAQ:
> http://www.securityadmin.info
>
>

Robert
Wed Jul 12 16:23:39 CDT 2006

Karl Levinson wrote:
> "Robert Moir" <robspamtrap+msnews@gmail.com> wrote in message
> news:OUAO5sSpGHA.4188@TK2MSFTNGP03.phx.gbl...
>
>> It's up to you, but I wouldn't be overly happy with that as a
>> solution.
>
> On the other hand, for protecting antivirus updates, it's too much
> security...

Yep, $10,000,000 question is: what is the impact of the security risk
actually happening?

> It's true that Winzip encryption ranges from trivial to crack to
> fairly secure for now, depending on what version and settings you're
> using. There's also PGP and other file encryption methods, all with
> some risk and administrative overhead.

I'd always assume the worse. Not that I don't trust people, but we all
make mistakes, so I assume that mistakes will happen where its possible
for them to happen, so I look for ways to remove that possibility. That's
why I like securing the channel rather than the files, so that the user
doesn't have to remember to do anything other than just dump them in some
kind of "outbox".

S
Thu Jul 13 05:09:33 CDT 2006

G'day:

"Robert Moir" <robspamtrap+msnews@gmail.com> wrote in message
news:OZ2KxlfpGHA.4032@TK2MSFTNGP03.phx.gbl...
> Karl Levinson wrote:

>> On the other hand, for protecting antivirus updates, it's too much
>> security...
>
> Yep, $10,000,000 question is: what is the impact of the security risk
> actually happening?

Transmission security is of no help here. It's more important to make sure
the origin and integrity by signing the updates, or even more crucial - the
OS updates.

Actual financial impact analysis can be performed, but that's hard and
dependent on the business risk framework.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-