|
|
|
|
|
|
Secure FTP 101
Laura Taylor 08/14/02 Go to page: 1 2 Network engineers and systems administrators have been using FTP to send files back and forth to and from remote systems since the early days of the Internet. FTP stands for file transfer protocol, and the FTP program is part of every reputable TCP/IP stack. Though we've all grown used to using FTP for the bulk of our file transfer needs, using it securely is becoming more important today than ever before. Here's a primer on secure FTP that will help you understand it's practical application. Technology Background FTP has been defined and redefined numerous times by the Internet Engineering Task Force (IETF) in a series of standards documents known as RFCs. (RFC stands for Request for Comments). Today, RFC 959 by Postel and Reynolds, 1985, is the official standard for FTP. You can read this RFC in its entirety on the IETF website at http://www.ietf.org. Problems with Ye Ol' Standard FTP Files being transferred by FTP are also vulnerable to man-in-the-middle attacks where data is intercepted and then altered before sending it back on its way. Another scenario where using secure FTP is critical is during web site updates. Without secure FTP, it is very easy to hack a web site and edit it with digital graffiti. All a hacker has to do is find out the IP address of the web site using a reverse ping on the domain name, and then set up a sniffer to run 24 hours a day on the IP address to sniff and log the login connection. As soon as the web master logs in to update the site, the hacker's sniffer can grab and record the password and login information. Using the login information, hackers can then download the site's web pages onto their own computer. After downloading the website, hackers then can use any number of HTML editors to edit the website with graffiti, fraudulent news, or anything else, and then FTP it back to its real home on the Web using the login and password they sniffed earlier. The main reason that web sites get hacked is because they are being updated with insecure FTP transfers. There are other ways that web sites can get hacked (due to improper OS and incorrect server configurations) but using secure FTP certainly reduces the probability of hacks due to insecure file transfers and logins. Secure FTP Product Landcape Most secure FTP products use encryption and X.509 certificates.
X.509 certificates are composed of multiple attributes including
public keys used for asymmetric public key cryptography. For
performance reasons asymmetric encryption is not used for bulk
encryption, but instead used to encrypt the keys used to
encrypt/decrypt the data using symmetric encryption. Using
public key cryptography enables a secure key exchange to be
made so that the symmetric keys used to encrypt and decrypt
the data are not compromised. The symmetric keys are used to
unlock the encrypted session so that the data can be decrypted
for reading. There are numerous encryption algorithms used in
secure FTP products including: DES, 3DES, CAST-128, Blowfish,
AES-128, and others.
|
| |
|
· Intranet eXchange Discussion Board |
Intranet Journal's Tutorials |
|
Managing Editor |