< Back to Article List
Secure FTP 101
By: Laura Taylor
August 14, 2002
Network engineers and systems administrators have been using FTP to send files back and forth to and from remote systems since the early days of the Internet. FTP stands for file transfer protocol, and the FTP program is part of every reputable TCP/IP stack. Though we've all grown used to using FTP for the bulk of our file transfer needs, using it securely is becoming more important today than ever before. Here's a primer on secure FTP that will help you understand it's practical application.
FTP has been defined and redefined numerous times by the Internet Engineering Task Force (IETF) in a series of standards documents known as RFCs. (RFC stands for Request for Comments). Today, RFC 959 by Postel and Reynolds, 1985, is the official standard for FTP. You can read this RFC in its entirety on the IETF website at http://www.ietf.org.
Problems with Ye Ol' Standard FTP
Files being transferred by FTP are also vulnerable to man-in-the-middle attacks where data is intercepted and then altered before sending it back on its way. Another scenario where using secure FTP is critical is during web site updates. Without secure FTP, it is very easy to hack a web site and edit it with digital graffiti. All a hacker has to do is find out the IP address of the web site using a reverse ping on the domain name, and then set up a sniffer to run 24 hours a day on the IP address to sniff and log the login connection. As soon as the web master logs in to update the site, the hacker's sniffer can grab and record the password and login information. Using the login information, hackers can then download the site's web pages onto their own computer. After downloading the website, hackers then can use any number of HTML editors to edit the website with graffiti, fraudulent news, or anything else, and then FTP it back to its real home on the Web using the login and password they sniffed earlier. The main reason that web sites get hacked is because they are being updated with insecure FTP transfers. There are other ways that web sites can get hacked (due to improper OS and incorrect server configurations) but using secure FTP certainly reduces the probability of hacks due to insecure file transfers and logins.
Secure FTP Product Landcape
Most secure FTP products use encryption and X.509 certificates. X.509 certificates are composed of multiple attributes including public keys used for asymmetric public key cryptography. For performance reasons asymmetric encryption is not used for bulk encryption, but instead used to encrypt the keys used to encrypt/decrypt the data using symmetric encryption. Using public key cryptography enables a secure key exchange to be made so that the symmetric keys used to encrypt and decrypt the data are not compromised. The symmetric keys are used to unlock the encrypted session so that the data can be decrypted for reading. There are numerous encryption algorithms used in secure FTP products including: DES, 3DES, CAST-128, Blowfish, AES-128, and others.
Some secure FTP products use SSL to perform the encryption. However, this should not be confused with the fact that SSL can be used by itself with a browser to perform file transfer encryptions. SSL by itself is limited in its capabilities. With FTP, including secure FTP, you can change directories, list directories, and grab entire batches and directories of files in one fell swoop. Also, SSL is generally used for getting files, and is rather limited when used for putting batches of raw files in remote locations. While SSL is ideal for online web based financial transactions, since it requires no client side software except a browser, it's not what you want to use to execute large-scale batch file transfers. SSL coupled with FTP gives you the encryption capabilities of SSL with the advanced features of FTP.
The Secure FTP Market
One of the biggest challenges for IT decision makers is that they are not properly educated on why they need to use secure FTP products, and under what circumstance they should use them. In some cases using ordinary FTP is may not pose much for a risk. For example, using ordinary FTP while on the inside of a VPN is not that risky, but using it across the unsecured Internet creates increased risk.
To avoid liabilities, vendors who build standard FTP into their products should advise and educate customers if no security measures have been implemented. By qualifying whether or not products have built-in security, vendors will limit their liabilities since customers will be forewarned of the risks involved. If these same vendors license or build in a secure FTP product for integration into their product, they will be able to achieve notable marketing leverage in advertising embedded file transfer security features.
Vendors who sell secure FTP products need to educate prospective customers on why they need to use these products. Many system and network administrators may not understand the risks they are taking when using FTP products that do not offer advanced security features.
As Secure FTP products become more prevalent, you can expect the number of products available to grow along with the standardization of features.
|Copyright 1997-2015 Relevant Technologies. All rights reserved | Legal and Privacy | Sitemap
Email: email@example.com | Tel: 240.786.4858 | Fax: 855.451.5466 | 8160 Maple Lawn Blvd, Suite 200, Fulton, MD 20759