WebApp Sec mailing list archives

Re: Secure FTP


From: "DaemonLabs.com Support (MLM)" <Lists () DaemonLabs com>
Date: Tue, 13 Jan 2004 16:19:24 +0100

You might want to have a look at the following URL:

http://www.dart.com/dotnet/secureftp.asp

PS: I'm not related to or biased by their products, just know they
build these tools. There are ways to incorporate certs into your app - see
below.

Overview

Using PowerTCP Secure FTP for .NET, easily transfer files using
wildcards or streams, or exercise greater control by directly accessing the
data connection. Secure the data using SSL encryption with certificate
authentication. Full support for most major servers in both secure and
un-secure modes, including Globalscape, WS_FTP, and Serv_U.

  a. Written in C#.
  b. Over 2 dozen tutorials and a comprehensive reference guide with full
     support for dynamic help are included with the integrated Help 2.0
     documentation.
  c. Can be used in traditional client applications and services as well
     as scalable ASP.NET applications.
  d. Copy files between client and any FTP server - a single method call
     will do. Simple properties provide fine-grain control, and file data
     will spool to/from memory. Listings are captured as objects, so
     parsing is eliminated - a superior performer for your most demanding
     applications.
  e. For efficiency and ease-of-use, file transfer options are set using
     simple properties and are automatically used as needed.
  f. Automatically authenticates and encrypts/decrypts data sent and
     received with FTP using SSL2, SSL3, PCT or TLS
  g. All major proxies are supported and SOCKS4/5 also supported in
     secure mode.
  h. Contains support for all major SSL over FTP standards and
     configurable to other non-standard implementations!
  i. Supports client-side AND server-side authentication
  j. CertificateStore class provides extensive certificate management
     support.
  k. Certificate class enables certificate verification and query.
  l. Properties and events for certificate authentication give complete
     control over what is accepted or rejected.
  m. Delete() method can recursively remove directory trees, and remove
     files using wild-cards. Careful with this one!
  n. Upload/download multiple files using wild-cards, even directory
     trees, with only a single line of code.
  o. Comprehensive Stream-based design provides awesome flexibility -
     overloaded methods provide direct stream access to the data
     connection, so you can process file transfers in memory (without ANY
     local disk access)
  p. Can be used in BOTH event driven (asynchronous) and scripted
     (synchronous) application designs
  q. Includes a royalty-free license.
  r. 3-Level Customer Support
  s. Debugging has been extended beyond run-time testing to a design-time
     Editor in every component to allow connectivity to be tested without
     compiling. Properties set in the Editor are recorded directly in the
     code, and a real-time feedback window gives detailed information
     about results.



Kind regards,

Marnix

DaemonLabs.com - NL

----- Original Message ----- 
From: "Fletcher, Stephen J" <stephen.fletcher () eds com>
To: "Scott, Richard" <Richard.Scott () BestBuy com>;
<webappsec () securityfocus com>
Sent: Tuesday, January 13, 2004 01:22
Subject: RE: Secure FTP


FTP through ssh is only able to secure the control channel and does not
protect the data channel.
Better methods of file transfer over ssh are sftp, scp or rsync. If you want
to use the FTP protocol and need it secure, look at TLS FTP.

-----Original Message-----
From: Scott, Richard [mailto:Richard.Scott () BestBuy com]
Sent: Tuesday, 13 January 2004 9:11 AM
To: webappsec () securityfocus com
Subject: Secure FTP


Forum,

Does anyone have any experience with any frameworks for Java and .Net
for implementing secure FTP?  I would like to review some products that
have good interoperability with licensed versions of SSH.

The scenario that I am envisioning is such:

Application A uses a framework to build a secure FTP to a licensed
secure FTP server.
Application A uses a framework to build a secure FTP to a licensed
secure SSH Server.

I've seen some messy implementations of code calling SSH clients through
shells, and I want to avoid that.  Ideally the framework supports X509.
I want a clean method of using secure FTP programmatically such that I
can cleanly capture exceptions etc.

Any recommendations?


Richard Scott
Global Information Protection
BestBuy Corporate Campus
7601 Penn Ave, South.
Richfield,  55423.  USA.

The views expressed in this email do not represent Best Buy
or any of its subsidiaries
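
Added example, not part of the original thread or of any product mentioned in it: the control-channel versus data-channel split raised above also exists in TLS FTP (RFC 4217), where the data channel stays in the clear after AUTH TLS until the client sends PROT P. The Python below audits a control-channel transcript for that condition; the function name audit_session and the three session logs are constructed for illustration.

```python
"""Audit an FTP control-channel transcript for RFC 4217 (FTP over TLS) protection."""

# Commands that open a data connection (file contents or directory listings).
DATA_COMMANDS = {"STOR", "STOU", "APPE", "RETR", "LIST", "NLST", "MLSD"}


def audit_session(events):
    """events: iterable of (client_command_line, server_reply_code).

    Returns [(line_no, finding)] for credentials or transfers sent unprotected.
    """
    control_tls = False   # True once the server accepts AUTH TLS (reply 234)
    data_private = False  # True after an accepted PROT P, False after PROT C
    findings = []
    for n, (line, code) in enumerate(events, 1):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if verb == "AUTH" and code == 234:
            control_tls = True
            data_private = False  # protection level defaults to Clear after AUTH
        elif verb == "PROT" and code == 200:
            data_private = control_tls and arg == "P"
        elif verb in ("USER", "PASS") and not control_tls:
            findings.append((n, f"{verb} sent before AUTH TLS (cleartext credentials)"))
        elif verb in DATA_COMMANDS and code < 400 and not data_private:
            # Refused transfers (4xx/5xx) moved no data and are not flagged.
            where = "control encrypted, data not" if control_tls else "no TLS at all"
            findings.append((n, f"{verb} with unprotected data channel ({where})"))
    return findings


# Constructed sample transcripts (not captured from a real server).
SESSION_CONTROL_ONLY = [("AUTH TLS", 234), ("USER alice", 331), ("PASS ****", 230),
                        ("PASV", 227), ("STOR report.csv", 150)]
SESSION_PROTECTED = [("AUTH TLS", 234), ("PBSZ 0", 200), ("PROT P", 200),
                     ("USER alice", 331), ("PASS ****", 230),
                     ("PASV", 227), ("STOR report.csv", 150)]
SESSION_PLAIN = [("USER alice", 331), ("PASS ****", 230), ("LIST", 150)]

if __name__ == "__main__":
    for name, session in [("control-only", SESSION_CONTROL_ONLY),
                          ("protected", SESSION_PROTECTED),
                          ("plain", SESSION_PLAIN)]:
        print(name, audit_session(session))
```
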



