Secure FTP 101

Printer Friendly Version

Network engineers and systems administrators have been using FTP to send files back and forth to and from remote systems since the early days of the Internet. FTP stands for file transfer protocol, and the FTP program is part of every reputable TCP/IP stack. Though we've all grown used to using FTP for the bulk of our file transfer needs, using it securely is becoming more important today than ever before. Here's a primer on secure FTP that will help you understand it's practical application.

Technology Background
Keeping the files on your intranet in top working order and keeping your e-business alive seems to require moving files around endlessly to keep things organized. System and network administrators use FTP to update DNS zone maps, update web sites, transfer user data, move around database files, and endless other chores to keep filesystems and hard drives tidy. Moving files from here to there is the heartbeat of the Internet. The nice thing about FTP is that it allows you to move files easily between systems that use similar or different operating systems, file structures, and character sets.

FTP has been defined and redefined numerous times by the Internet Engineering Task Force (IETF) in a series of standards documents known as RFCs. (RFC stands for Request for Comments). Today, RFC 959 by Postel and Reynolds, 1985, is the official standard for FTP. You can read this RFC in its entirety on the IETF website at http://www.ietf.org.

Problems with Ye Ol' Standard FTP
FTP was originally defined in the early 1970s to transfer files to and from various ARPANET nodes. However, there are a few problems with ye ol' standard FTP that we all grew up with in the early days of the Internet. First of all, it doesn't use strong authentication. It is based on password logins which can be guessed, or discovered by cybercriminals using a sniffer. Even if the password is not guessed or sniffed, with standard FTP none of the files being transferred to and from their destinations are encrypted. FTP sends files in clear plain-text exposing them to the plethora of bad guys out there who have nothing better to do than violate the privacy of others, pilfer confidential information such as credit card information, and attempt to obtain classified information that could compromise national security.

Files being transferred by FTP are also vulnerable to man-in-the-middle attacks where data is intercepted and then altered before sending it back on its way. Another scenario where using secure FTP is critical is during web site updates. Without secure FTP, it is very easy to hack a web site and edit it with digital graffiti. All a hacker has to do is find out the IP address of the web site using a reverse ping on the domain name, and then set up a sniffer to run 24 hours a day on the IP address to sniff and log the login connection. As soon as the web master logs in to update the site, the hacker's sniffer can grab and record the password and login information. Using the login information, hackers can then download the site's web pages onto their own computer. After downloading the website, hackers then can use any number of HTML editors to edit the website with graffiti, fraudulent news, or anything else, and then FTP it back to its real home on the Web using the login and password they sniffed earlier. The main reason that web sites get hacked is because they are being updated with insecure FTP transfers. There are other ways that web sites can get hacked (due to improper OS and incorrect server configurations) but using secure FTP certainly reduces the probability of hacks due to insecure file transfers and logins.

Secure FTP Product Landcape
Various products have been developed to resolve the security problems with FTP. These products vary in their solution to FTP security. Vendors who make these products have taken FTP and secured it by building in strong authentication and encryption. One of the challenges with implementing encryption is that some of the encryption solutions are expensive and complex to implement requiring both sending and receiving parties to have the same encryption software implemented on both ends of the file transfer. For example, if you use a VPN to secure your FTP file transfers it requires implementing VPN software, or a VPN appliance, at each end point. If digital certificates are used for implementing a VPN or secure FTP, proper key exchanges must be made, and private keys need to be secured.

Most secure FTP products use encryption and X.509 certificates. X.509 certificates are composed of multiple attributes including public keys used for asymmetric public key cryptography. For performance reasons asymmetric encryption is not used for bulk encryption, but instead used to encrypt the keys used to encrypt/decrypt the data using symmetric encryption. Using public key cryptography enables a secure key exchange to be made so that the symmetric keys used to encrypt and decrypt the data are not compromised. The symmetric keys are used to unlock the encrypted session so that the data can be decrypted for reading. There are numerous encryption algorithms used in secure FTP products including: DES, 3DES, CAST-128, Blowfish, AES-128, and others.

Go to page: 1  2