Q

Can secure FTP services protect sensitive data from hackers?

Do secure FTP services protect against hackers and attacks? In this expert response, Michael Cobb explains why using a secure FTP service is vital for handling sensitive data transfers.

Does using secure FTP or EFT help to protect against attackers? We're working on a sensitive domain, so we're looking for some countermeasures to use against hackers.

If your sensitive domain needs to provide FTP services, then secure FTP (File Transfer Protocol) or EFT (Enhanced File Transfer) will certainly help to protect data when it's being transferred from the server to a client or vice versa. FTP, like many other common Internet protocols such as HTTP and SMTP, was created before the introduction of SSL (Secure Sockets Layer) and so it's inherently insecure as data isn't encrypted during transit.

In the case of FTP, this means that user names, passwords, FTP commands and transmitted files can be captured using a packet sniffer. Therefore it's essential to use a secure FTP service when handling sensitive data.

There are various secure FTP protocols. (FTP over SSH [Secure Shell] is often referred to as secure FTP, but this is misleading as there are other methods of securing FTP, such as FTP over SSL [FTPS], Secure Copy [SCP], and SSH File Transfer Protocol [SFTP].) The two preferred options are FTPS and SFTP. FTPS is just an extension of FTP using an SSL layer below the standard FTP protocol to encrypt the control and data channels. This means that it's supported by most servers and, because it uses the same ports as FTP, there is no need to open additional firewall ports. Another benefit is that as FTPS uses certificates, which verify digital identities, a trust relationship can be established without having to directly exchange security information.

SFTP is a more recent protocol that uses SSH to provide a secure service where the server both encrypts the data and handles the file transfer. SSH uses keys, in a similar fashion to PGP, so SFTP clients must install their keys on the SFTP server. SFTP includes many file-management capabilities such as delete, rename, interrupted transfer resumption and directory listings.

It's important to set the correct permissions on an SFTP server to ensure least privilege access is maintained. Don't set up an FTP service on an unfamiliar OS because it will be difficult to get the access control correct. Also make the FTP server a single-function server. The more functions there are to configure, the greater the likelihood that a configuration error or combination of software components will introduce a security vulnerability. The most secure configuration is a single-purpose server.

FTP is a tricky service to secure correctly, which is why you may want to look at an EFT (Enhanced File Transfer) server. It supports a range of security protocols for easy integration with other systems and also handles the security of files once they've been uploaded, a security control many administrators overlook. EFT also provides monitoring, auditing, and reporting services, which are especially useful when complying with any statutory or industry regulations.
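The least-privilege advice for SFTP servers above can be checked mechanically. The following is an added example, not part of the original article: a Python audit of an OpenSSH `sshd_config` that reports when an SFTP-only group is not confined to SFTP, a chroot directory and key-based login. It assumes the server is OpenSSH and that key-only login is the policy; the group name `sftponly`, the path `/srv/sftp` and both sample configs are constructed.

```python
# Added example, not from the article; configs, group "sftponly" and /srv/sftp are constructed.
DEFAULTS = {"forcecommand": "none", "chrootdirectory": "none", "x11forwarding": "no",
            "allowtcpforwarding": "yes", "passwordauthentication": "yes"}  # OpenSSH defaults

def parse_sshd_config(text):
    """Return (global_opts, {match_criteria: opts}); first value per keyword wins."""
    global_opts, blocks = {}, {}
    current = global_opts
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "match":  # a Match block runs until the next Match or EOF
            current = blocks.setdefault(" ".join(value.lower().split()), {})
        else:
            current.setdefault(keyword, value)
    return global_opts, blocks

def audit_sftp_only(text, criteria):
    """Return findings for the block 'Match <criteria>', e.g. 'Group sftponly'."""
    global_opts, blocks = parse_sshd_config(text)
    block = blocks.get(" ".join(criteria.lower().split()))
    if block is None:
        return [f"no 'Match {criteria}' block"]
    eff = {**DEFAULTS, **global_opts, **block}  # Match block overrides global
    findings = []
    if eff["forcecommand"].split()[:1] != ["internal-sftp"]:
        findings.append("ForceCommand is not internal-sftp: login is not limited to SFTP")
    if eff["chrootdirectory"].lower() in ("", "none"):
        findings.append("ChrootDirectory unset: sessions are not confined to a directory")
    for kw in ("AllowTcpForwarding", "X11Forwarding"):
        if eff[kw.lower()].lower() != "no":
            findings.append(f"{kw} is not 'no'")
    if eff["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': key-only login not enforced")
    return findings

WEAK = "Subsystem sftp /usr/lib/openssh/sftp-server\nMatch Group sftponly\n    ChrootDirectory none\n"
HARDENED = """PasswordAuthentication no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""
if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sftp_only(cfg, "Group sftponly"))
```

The script reads only the configuration text. OpenSSH also requires every component of the `ChrootDirectory` path to be root-owned and not writable by group or others, which needs a separate filesystem check.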

This was first published in February 2010
