
Secure FTP 101
By: Laura Taylor
August 14, 2002

Network engineers and systems administrators have been using FTP to send files back and forth to and from remote systems since the early days of the Internet. FTP stands for file transfer protocol, and the FTP program is part of every reputable TCP/IP stack. Though we've all grown used to using FTP for the bulk of our file transfer needs, using it securely is becoming more important today than ever before. Here's a primer on secure FTP that will help you understand its practical application.

Technology Background
Keeping the files on your intranet in top working order and keeping your e-business alive seems to require moving files around endlessly to keep things organized. System and network administrators use FTP to update DNS zone maps, update web sites, transfer user data, move around database files, and endless other chores to keep filesystems and hard drives tidy. Moving files from here to there is the heartbeat of the Internet. The nice thing about FTP is that it allows you to move files easily between systems that use similar or different operating systems, file structures, and character sets.

FTP has been defined and redefined numerous times by the Internet Engineering Task Force (IETF) in a series of standards documents known as RFCs. (RFC stands for Request for Comments). Today, RFC 959 by Postel and Reynolds, 1985, is the official standard for FTP. You can read this RFC in its entirety on the IETF website at

Problems with Ye Ol' Standard FTP
FTP was originally defined in the early 1970s to transfer files to and from various ARPANET nodes. However, there are a few problems with ye ol' standard FTP that we all grew up with in the early days of the Internet. First of all, it doesn't use strong authentication. It is based on password logins which can be guessed, or discovered by cybercriminals using a sniffer. Even if the password is not guessed or sniffed, with standard FTP none of the files being transferred to and from their destinations are encrypted. FTP sends files in clear plain-text exposing them to the plethora of bad guys out there who have nothing better to do than violate the privacy of others, pilfer confidential information such as credit card information, and attempt to obtain classified information that could compromise national security.

Files being transferred by FTP are also vulnerable to man-in-the-middle attacks where data is intercepted and then altered before sending it back on its way. Another scenario where using secure FTP is critical is during web site updates. Without secure FTP, it is very easy to hack a web site and edit it with digital graffiti. All a hacker has to do is find out the IP address of the web site using a reverse ping on the domain name, and then set up a sniffer to run 24 hours a day on the IP address to sniff and log the login connection. As soon as the web master logs in to update the site, the hacker's sniffer can grab and record the password and login information. Using the login information, hackers can then download the site's web pages onto their own computer. After downloading the website, hackers then can use any number of HTML editors to edit the website with graffiti, fraudulent news, or anything else, and then FTP it back to its real home on the Web using the login and password they sniffed earlier. The main reason that web sites get hacked is because they are being updated with insecure FTP transfers. There are other ways that web sites can get hacked (due to improper OS and incorrect server configurations) but using secure FTP certainly reduces the probability of hacks due to insecure file transfers and logins.

Secure FTP Product Landscape
Various products have been developed to resolve the security problems with FTP. These products vary in their solution to FTP security. Vendors who make these products have taken FTP and secured it by building in strong authentication and encryption. One of the challenges with implementing encryption is that some of the encryption solutions are expensive and complex to implement, requiring both the sending and receiving parties to have the same encryption software at their end of the file transfer. For example, if you use a VPN to secure your FTP file transfers, it requires implementing VPN software, or a VPN appliance, at each end point. If digital certificates are used for implementing a VPN or secure FTP, proper key exchanges must be made, and private keys need to be secured.

Most secure FTP products use encryption and X.509 certificates. X.509 certificates are composed of multiple attributes including public keys used for asymmetric public key cryptography. For performance reasons asymmetric encryption is not used for bulk encryption, but instead used to encrypt the keys used to encrypt/decrypt the data using symmetric encryption. Using public key cryptography enables a secure key exchange to be made so that the symmetric keys used to encrypt and decrypt the data are not compromised. The symmetric keys are used to unlock the encrypted session so that the data can be decrypted for reading. There are numerous encryption algorithms used in secure FTP products including: DES, 3DES, CAST-128, Blowfish, AES-128, and others.

Some secure FTP products use SSL to perform the encryption. However, this should not be confused with the fact that SSL can be used by itself with a browser to perform file transfer encryptions. SSL by itself is limited in its capabilities. With FTP, including secure FTP, you can change directories, list directories, and grab entire batches and directories of files in one fell swoop. Also, SSL is generally used for getting files, and is rather limited when used for putting batches of raw files in remote locations. While SSL is ideal for online web based financial transactions, since it requires no client side software except a browser, it's not what you want to use to execute large-scale batch file transfers. SSL coupled with FTP gives you the encryption capabilities of SSL with the advanced features of FTP.
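The difference between a standard FTP login and FTP coupled with SSL/TLS shows up in the server's command log. The following is an added example, not part of the original article: it audits constructed session logs and reports where the login or the file data crossed the network unencrypted. It assumes the `AUTH TLS` and `PROT P` commands from RFC 4217 (FTP over TLS), which the article does not name, and a made-up `C:`/`S:` log format.

```python
import re

# Constructed server-side command logs ("C:" client command, "S:" server reply).
SESSIONS = {
    "plain": ["S: 220 ready", "C: USER webmaster", "S: 331 need password",
              "C: PASS constructed-secret", "S: 230 ok", "C: STOR index.html",
              "S: 150 opening", "S: 226 done"],
    "tls": ["S: 220 ready", "C: AUTH TLS", "S: 234 proceed", "C: USER webmaster",
            "S: 331 need password", "C: PASS constructed-secret", "S: 230 ok",
            "C: PBSZ 0", "S: 200 ok", "C: PROT P", "S: 200 ok",
            "C: STOR index.html", "S: 150 opening", "S: 226 done"],
    "fallback": ["S: 220 ready", "C: AUTH TLS", "S: 502 not implemented",
                 "C: USER webmaster", "S: 331 need password",
                 "C: PASS constructed-secret", "S: 230 ok"],
}
DATA_CMDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST"}
LINE = re.compile(r"^(C|S): (\S+)(?: (.*))?$")

def audit_session(lines):
    """Return findings for one FTP control-channel log (hypothetical format)."""
    findings = []
    tls_on = False        # control channel encrypted: AUTH answered with 234
    data_private = False  # data channel encrypted: PROT P answered with 2xx
    pending = None        # last client command still waiting for its reply
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        side, word, arg = m.group(1), m.group(2).upper(), (m.group(3) or "").upper()
        if side == "C":
            pending = (word, arg)
            # Report the command name only; never copy the PASS argument.
            if word in ("USER", "PASS") and not tls_on:
                findings.append(f"{word} sent in cleartext")
            elif word in DATA_CMDS and not data_private:
                findings.append(f"{word} data sent unencrypted")
        elif pending:
            cmd, cmd_arg = pending
            code = word[:3]  # also handles multi-line replies such as "230-"
            if cmd == "AUTH":
                if code == "234":
                    tls_on = True
                else:  # client asked for TLS, server refused: watch for fallback
                    findings.append(f"AUTH refused (reply {code})")
            elif cmd == "PROT" and code.startswith("2"):
                data_private = tls_on and cmd_arg == "P"
            pending = None
    return findings

if __name__ == "__main__":
    for name, log in SESSIONS.items():
        print(name, audit_session(log) or "no findings")
```

The `fallback` session is the case worth alerting on: the client requested encryption, the server refused, and the login went ahead in the clear anyway.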

The Secure FTP Market
The size of the secure FTP market is hard to quantify since there are no clear market leaders, and industry analysts will likely disagree on whether or not certain products (such as certain PKI based products) qualify as secure FTP products. Clearly though, it is a market segment that will grow steadily as global security concerns increase.

Table 1. Secure FTP Vendors and Products

Leading Security Scanning Products
Vendor Name        | Product Name      | Vendor Web Site
F-Secure           | SSH               |
IPSwitch           | WS_FTP Pro        |
GlobalSCAPE        | Secure FTP Server |
GlubTech           | Secure FTP        |
Lexias             | DigiVault         |
Rhino Software     | FTP Voyager       |
VanDyke Software   | SecureFX          |
Standard Networks  | MOVEit DMZ        |

One of the biggest challenges for IT decision makers is that they are not properly educated on why they need to use secure FTP products, and under what circumstances they should use them. In some cases using ordinary FTP may not pose much of a risk. For example, using ordinary FTP while on the inside of a VPN is not that risky, but using it across the unsecured Internet creates increased risk.

To avoid liabilities, vendors who build standard FTP into their products should advise and educate customers if no security measures have been implemented. By qualifying whether or not products have built-in security, vendors will limit their liabilities since customers will be forewarned of the risks involved. If these same vendors license or build in a secure FTP product for integration into their product, they will be able to achieve notable marketing leverage in advertising embedded file transfer security features.

Vendors who sell secure FTP products need to educate prospective customers on why they need to use these products. Many system and network administrators may not understand the risks they are taking when using FTP products that do not offer advanced security features.

User Recommendations
The following are some of my recommendations for anyone considering a secure FTP implementation:

  • If you're a U.S. Federal Agency, you'll probably want to pick a secure FTP product that is FIPS-140 Certified. If a vendor tells you their product is FIPS-140 Certified, ask to see the FIPS-140 Validation Certificate.
  • If you don't want to manage and administer client side software, you'll want to find an application service provider (ASP) model that offers secure FTP functions.
  • If you want to use secure FTP for collaboration and file sharing, you may want to consider using a digital vault with an address book that has built-in FTP security. (A digital vault is a secure online storage receptacle typically set up as an ASP service.)
  • If you are a web master updating a web site, using a secure FTP product will ensure that your website login and password information does not get compromised.
  • If you are transferring any sort of financial information or credit card numbers across public networks you should use a secure FTP product if you are not protected by a VPN.

As Secure FTP products become more prevalent, you can expect the number of products available to grow along with the standardization of features.
