Security Basics mailing list archives

Re: Secure FTP


From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Sun, 25 Mar 2007 13:26:34 -0700


We have a public facing FTP server that we would like to secure.
... What is the best way to secure this FTP server?  I've tried SFTP,
but was just curious as to what else is out there.

There's nothing you can do to "fix" FTP. _If_ you really want FTP, SFTP
(a separate draft standard based on ssh) is the way to go. You could
direct customers to a popular and user-friendly client such as WinSCP
(http://winscp.net). For the server, you could use OpenSSH through Cygwin
or something similar (the price is right -- free). My favorite is WinSSHD
(http://www.bitvise.com/), which is reasonably priced. Or there's lots
of less-reasonably-priced commercial solutions.

For other ideas, there's also SSL-FTP (traditional FTP wrapped in SSL),
which seems to have fallen out of favor. You could use normal FTP but
require clients connect to an encrypted VPN before initiating the FTP
session (*ick*).

For your application, you probably don't need FTP at all. Here's what I'd
suggest. Make an SSL-protected web page to authenticate your clients and
allow them to upload files via a web form. You have complete control over
the interface, what happens to the files, who can put what where, and
all the security concerns. It's all your company's code, so nobody else
can decide to change/remove the one essential feature you need(ed). Your
customers certainly already have a web browser, so they don't need to
download and learn to use another foreign program. If you're a Windows
shop -- and it sounds like you are -- you can just add onto the IIS setup
you're already using, no need to install, configure, maintain, and secure
another service. I think the cheapest SSL certificate provider right now 
is GoDaddy.
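
The "who can put what where" control from the upload-form suggestion above, shown as an added example that is not part of the original post: a server-side check that maps an authenticated customer and the file name their browser sent to the one path the upload may be written to. It is written in Python rather than for IIS, and the function name, the extension allow-list and the customer-id format are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumed policy for this example: file types customers may upload.
ALLOWED_EXTENSIONS = {".csv", ".pdf", ".txt", ".zip"}
# Device names Windows treats specially, whatever extension follows.
WINDOWS_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{i}" for i in range(1, 10)}
                    | {f"LPT{i}" for i in range(1, 10)})
# Assumed customer-id format; the id doubles as a directory name.
CUSTOMER_ID_RE = re.compile(r"[a-z0-9]{1,32}")


class UploadRejected(ValueError):
    """Raised when an upload request violates the placement policy."""


def resolve_upload_path(upload_root, customer_id, client_filename):
    """Return the only path this customer's upload may be written to."""
    # customer_id must come from the authenticated session, never the form.
    if not CUSTOMER_ID_RE.fullmatch(customer_id):
        raise UploadRejected("bad customer id")
    # Browsers may send a full client-side path; keep the last component.
    name = re.split(r"[\\/]", client_filename)[-1]
    # Replace anything outside a conservative character set, then drop
    # leading and trailing dots (hidden files, Windows trailing-dot names).
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip(".")
    stem, ext = name.split(".")[0], Path(name).suffix.lower()
    if not name or ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("file type not allowed")
    if stem.upper() in WINDOWS_RESERVED:
        raise UploadRejected("reserved file name")
    root = Path(upload_root).resolve()
    target = (root / customer_id / name).resolve()
    # Defence in depth: after resolving symlinks the file must still sit
    # directly inside this customer's own directory.
    if target.parent != root / customer_id:
        raise UploadRejected("path escapes customer directory")
    return target
```

The upload root should sit outside the web server's document root so that stored files are never served or executed as site content.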


