Security Basics mailing list archives

Re: securing communication channel (FTP) - Need Suggestions


From: kurt () noaddress org
Date: 28 Jun 2005 15:40:31 -0000

Firstly, base your choice on the need, not on what standard.  

What HW platforms do you have, what products do they support, do you have communication within or outside of the 
organisation and if so, what standard does the external partner have or is willing to use/accept?

When you know that, you know what to use as 1st choice. 

(1) Secure FTP (SSL:FTPS)

- Any pitfalls I need to be aware of from a 
setup/implementation standpoint?

Haven't used FTP/S so I can't really say, but on AS/400 and some other IBM mainframe env. it is standard. SSH/sftp do 
not exist. Tumbleweed and Ipswitch have Unix/PC versions. 

- How would the authentication to MySQL user 
database work?

? Wasn't it ftp the question was about? Do not run MySQL or any ftp-plugin.
 

(2) Secure HTTP (https)

- Any pitfalls I need to be aware of from a 
setup/implementation standpoint?

Isn't real ftp, need the backend "CGI" to check transport. Usage depends more on whether it is only web access or not. 
Probably more insecure, due to more security failings in web servers.

(3) 
a. Scp:
b. Sftp: Is it an interactive program? Does it 
provide non-interactive authentication?

Well, if using sftp (scp) you have ssh and therefore can let all terminal users run ssh, increasing security. On the 
other hand, if you have ssh, you already have sftp; same coin. 

Have only worked with sftp, not scp, but with certificates generated, it is easy to make batch processes for it. Basis 
is the following (can be made more "unreadable" = efficient) Solaris Unix script:

---
# File to upload
SFILE="$HOME/cache/acme.dat"

# Solaris System V echo expands \n, so sftp reads "put" and "quit" from stdin
/usr/5bin/echo "put $SFILE \n quit \n" |
  sftp acme.batch@ac1.acme.com
---

Did an sftp batch control shellscript some months ago, that now runs regularly for a data transfer.
Servers exist for PC and different Unixes as well as OpenVMS (HP own version recommended by users). ws_ftp client/server 
works with both ftp/s and sftp (and PGP to top up ;-). SSH.com and F-Secure/WRQ have the best-known commercial versions, while 
OpenSSH.org is the freeware. 

Only thing to remember, if you run OpenSSH Win-server, the server needs to be run as an ordinary process, not server, 
and to own its resources and disk areas. We had problems with that.

regards/kurt
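
The non-interactive sftp transfer discussed in the message above, as an added example that is not part of the original post: a batch upload with key authentication using OpenSSH sftp's `-b` batch file, so a failed command or a changed host key stops the job with a non-zero status. It goes slightly beyond the post by taking several files; the function names, host, account, key path and directory are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: unattended sftp upload, OpenSSH client assumed.

# Print the sftp command list for uploading files into remote_dir.
# Usage: build_batch remote_dir file...
build_batch() {
    remote_dir=$1; shift
    printf 'cd "%s"\n' "$remote_dir"
    for f in "$@"; do
        printf 'put "%s"\n' "$f"
    done
    printf 'quit\n'
}

# Upload files; returns 2 on a local problem, otherwise sftp's exit status.
# Usage: send_files user@host keyfile remote_dir file...
send_files() {
    target=$1; key=$2; remote_dir=$3; shift 3
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    batch=$(mktemp) || return 2
    build_batch "$remote_dir" "$@" > "$batch"
    # -b: run the commands from the file and abort on the first failure.
    # BatchMode=yes: never prompt for a password or passphrase, fail instead.
    # StrictHostKeyChecking=yes: refuse an unknown or changed server host key.
    sftp -b "$batch" -i "$key" \
         -o BatchMode=yes -o StrictHostKeyChecking=yes "$target"
    rc=$?
    rm -f "$batch"
    return $rc
}

# Example call (placeholders):
# send_files batchuser@sftp.example.com "$HOME/.ssh/batch_key" incoming "$HOME/cache/acme.dat"
```

A cron job can test the return value of `send_files` and alert when it is non-zero, which a plain pipe into sftp does not make easy.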

