FTP & Security?

#1 - booman (AOA Staff) - 27th October, 2010, 10:42 PM

My work has added a second office on the other side of the valley. They need to access files on our server inside of the firewall. The main problem is that we use a VPN with a Watchguard Firebox X Edge and it doesn't always work consistently. So they will have a CAD file open through the VPN and save periodically, but if the VPN connection is lost, that CAD file can become corrupted.

My solution was to create a small server/workstation at the new office with Windows XP Professional and allow FTP access to it.
I did some research and found that IIS (Internet Information Services) will set up an FTP server, and I configured their router to allow that computer through on the required ports. This works perfectly; I can access their server/workstation easily and copy and paste files onto it.

I'm curious what kind of risks are inherent in having open ports on the router (new office) and the firewall (main office)?
#2 - Gizmo (Chief BBS Administrator) - 28th October, 2010, 06:00 AM
AFAIK, the biggest risk with current implementations of FTP surrounds the issue of usernames and passwords. If you are running IIS with FTP, a hacker can potentially use the FTP login to determine valid usernames for the system using a 'brute-force' attack. This information could then be potentially used in other attack scenarios. In addition, with regular FTP all information is transferred in the clear, including username and password. This can make the protocol vulnerable to 'man in the middle' attacks.

The biggest risk with FTP is, IMO, that users will use stupid, easy to guess passwords, thus enabling someone to gain unauthorized access to the system. That's the main reason that, for those environments where FTP must be used, I recommend the use of SFTP (FTP over SSH) with client certificates. While the encryption of the connection that comes with SSH is nice, the real benefit is the ability to use encrypted certificates for authentication.

WinSCP is a nice Windows utility for doing file transfers this way. I'm unsure of a good program to run on a Windows server to implement the server side, though, as I've only ever done SFTP with a Linux machine. While FTPS (FTP encrypted with SSL, similar to HTTPS) will encrypt the connection, it doesn't (AFAIK) support the use of client certificates for authentication, or at least none of the implementations I'm aware of do.

#3 - booman (AOA Staff) - 28th October, 2010, 03:34 PM
Hey Gizmo, how did I know you would reply to this?

I'm sure you are well aware that when working with regular users, ease-of-use is the most important thing with computers, so I'm reliving the typical battle of security vs. usability.

So the "server" is actually a plain Dell workstation in which we upgraded the power supply and added a 300 Gig hard drive.

I have enabled file permissions and have set all the shared folders accordingly.

I have also created a user account for each person using the FTP and a generic password.

I would love to create 10 digit complex passwords, but you know they won't remember it. Since they need the simplest drag-n-drop interface that can be accessed from the local network, the main office and home... FTP was the only thing I could think of.

Will SSH work as a GUI in Windows XP? I have used it as a text-only interface on Linux but not on Windows.
What about FileZilla? Can I use that with FTPS to upload/download files in a GUI?
#4 - dsio - 28th October, 2010, 04:32 PM
WinSCP has a GUI and looks basically like any FTP client. Gizmo's right on the money with authentication being the key here. It might be worth slapping a simple Linux distro on the box if it's for a single purpose (I'm not pimping, it's just that this is the OS's forte), and then OpenSSH takes care of the other end for you (the major benefit being that OpenSSH's security record is going to be considerably better than anything related to IIS, and chrooting specific users is easier as well).
#5 - Áedán (Chief Systems Administrator) - 28th October, 2010, 05:19 PM
To be honest, the underlying solution is to fix whatever's causing your VPN to drop. I know that's not the question you've asked, but it is a better long term solution. It also keeps domain authentication easier (AD does make centralised authentication and authorisation easier), as you don't have to have different accounts in different places.

Lastly, if you do want to set up an alternative SSH/FTPS session, please consider firewalling it so that only your IP addresses can access it.
#6 - booman (AOA Staff) - 29th October, 2010, 01:17 PM
Quote: Originally Posted by Áedán
    To be honest, the underlying solution is to fix whatever's causing your VPN to drop. I know that's not the question you've asked, but it is a better long term solution. It also keeps domain authentication easier (AD does make centralised authentication and authorisation easier), as you don't have to have different accounts in different places.

    Lastly, if you do want to set up an alternative SSH/FTPS session, please consider firewalling it so that only your IP addresses can access it.
Unfortunately, I'm not a firewall expert, so it would take way too long for me to troubleshoot it, and meanwhile our employees can't work. That also makes me wonder if my FTP settings screwed up our firewall. All I did was allow 3 machines to pass through the firewall on ports 20 & 21. One machine is actually plugged into the "optional" port on the Firebox.

I thought about configuring only certain computers to access the FTP by IP address. Should I do this at both locations?
#7 - Áedán (Chief Systems Administrator) - 29th October, 2010, 03:36 PM
You'd want to restrict access to the FTP server by IP address if you can.

In terms of the VPN stuff, it should be a standard IPSec VPN - unfortunately IPSec isn't the easiest to work with. You definitely need some level of logging to work out what's going on. I don't know the Watchguard boxes very well, so I don't know what kind of diagnostics you can get out of it.
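An added example (not code from any poster) that applies Gizmo's brute-force point in #2 and Áedán's allowlist advice in #7 to the IIS FTP server's own log: it parses W3C-format entries, counts failed PASS commands per source address and flags any source outside an assumed allowlist of the main office's range and a home IP. The log lines and the allowed addresses are constructed, not taken from the thread.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in IIS 5.x FTP's W3C format; [n] is the session number
# and 530 ("Not logged in") is the reply to a wrong password.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:00:00 192.0.2.10 [1]USER alice 331
06:00:01 192.0.2.10 [1]PASS - 530
06:00:03 192.0.2.10 [1]USER alice 331
06:00:04 192.0.2.10 [1]PASS - 230
06:10:11 203.0.113.7 [2]USER administrator 331
06:10:12 203.0.113.7 [2]PASS - 530
06:10:13 203.0.113.7 [3]USER admin 331
06:10:14 203.0.113.7 [3]PASS - 530
06:10:17 203.0.113.7 [4]USER alice 331
06:10:18 203.0.113.7 [4]PASS - 530
06:30:00 198.51.100.4 [5]USER bob 331
06:30:01 198.51.100.4 [5]PASS - 230
"""

# Assumed allowlist: the main office's range plus one home IP (both constructed).
ALLOWED = [ip_network("192.0.2.0/24"), ip_network("198.51.100.4/32")]

def parse_w3c(text):
    # Yield one dict per entry, keyed by the names in the #Fields: header.
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def review_ftp_log(text, allowed=ALLOWED, max_failures=3):
    """Report IPs that fail logins repeatedly or are not on the allowlist."""
    failed, users, last_user, seen = defaultdict(int), defaultdict(set), {}, set()
    for e in parse_w3c(text):
        ip, method = e["c-ip"], e["cs-method"].split("]", 1)[-1]  # strip [n]
        seen.add(ip)
        if method == "USER":
            last_user[ip] = e["cs-uri-stem"]  # username travels in the stem
        elif method == "PASS" and e["sc-status"] == "530":
            failed[ip] += 1
            users[ip].add(last_user.get(ip, "?"))
    report = {}
    for ip in sorted(seen):
        outside = not any(ip_address(ip) in net for net in allowed)
        if outside or failed[ip] >= max_failures:
            report[ip] = {"failed_logins": failed[ip], "outside_allowlist": outside,
                          "usernames_tried": sorted(users[ip])}
    return report
```

A single typo from an allowed address is not reported; the off-list source that cycles through account names is, together with the names it tried, which is the username-harvesting pattern Gizmo describes.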
#8 - Gizmo (Chief BBS Administrator) - 29th October, 2010, 05:54 PM
It's been my experience that IPSec VPNs tend to use UDP port 500 for some basic communications stuff (ISAKMP, Internet Security Association Key Management Protocol; and IKE, Internet Key Exchange, which uses ISAKMP) and then Protocol 50 (ESP, Encapsulating Security Payload) and Protocol 51 (AH, Authentication Header) for the actual tunnel communication. You'll likely have to allow all of those through the firewall in order for things to work properly.

Quite frankly, I've found IPSEC VPNs to be very persnickety to set up and to keep working reliably. SSL VPNs seem to be a better solution, IMO. Not to mention the various interoperability issues that seem to plague IPSEC VPNs (this client won't work with that server, clients for those two servers won't coexist on the same box, etc.).

#9 - Áedán (Chief Systems Administrator) - 1st November, 2010, 01:29 PM
That's what NAT-T is for. Basically it just wraps IPSEC in UDP on port 4500. Generally that's pretty easy to allow in or out. Then you don't have to worry about the various IPSEC protocols.