The lack of security in FTP can be traced back to the environment for which it was originally designed. Back in...
the seventies, when the File Transfer Protocol first appeared, clients and servers interacted with a minimum of restrictions, and packets travelled directly to their destination. FTP was created before the introduction of SSL, like HTTP, SMTP and many other common Internet protocols. Therefore, it is inherently insecure, as data is not encrypted during transit. Usernames, passwords, FTP commands and transmitted files are all sent in plaintext and can be intercepted using a packet sniffer.
If you are looking to provide a convenient way for clients or staff to access non-confidential material, you can use anonymous FTP. Anonymous FTP doesn't require a password for each user, and as the information isn't sensitive, there is no need for encryption. However, there are still some security issues to consider.
To limit access just to the FTP home directory and its subdirectories, create a new, separate account for anonymous FTP users. Also, when users access the FTP site, display a welcome message that explains the terms and conditions they must agree to before using the site. Also log any FTP activity in order to comply with your security audit policies.
If you're running the FTP service solely for staff or a few select clients, set the limit on live connections to an appropriate level. There is no point allowing unlimited simultaneous connections to your server, since this only makes denial-of-service attacks easier. Also, in this scenario, I would recommend restricting access to users from a specific IP range or address, such as a trusted client or subnet of your Intranet. This is easily done by denying access to all computers and then configuring your trusted user's IP address as an exception. If you need to grant write permission to a directory so that users can upload files to your server, grant it on a separate directory that doesn't have read permission.
If any uploaded files or files available for downloading contain sensitive information, then you need to use a secure FTP protocol to keep network sniffers from reading them and your users' passwords upon connection. Read my tip on setting up a secure FTP server for more details on your two main choices, FTPS and SFTP.
Related Q&A from Michael Cobb
Expert Michael Cobb explains how an HTTP referer header affects user privacy and outlines changes that can be made to ensure sensitive data is not ...continue reading
Expert Michael Cobb explains the difference between the REESSE3+ and IDEA block ciphers and explores when each is applicable in an enterprise setting.continue reading
While cookies are critical to delivering personalized Web content, they are a privacy concern. Learn how adding Bloom filters to cookies can help ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.