
What is the best operating system for an FTP server implementation?

EXPERT RESPONSE FROM: Michael Cobb, featured expert

QUESTION POSED ON: 09 November 2008
I am working in a small company, and I want to set up an FTP server. What operating system is best for this type of implementation, and what are security issues that need to be considered?



When it comes to recommending an operating system for a task such as hosting an FTP server, I think the answer much depends on what in-house expertise you have. It is no good setting up a Unix system to run your FTP server, for example, if nobody in your organization has in-depth knowledge of running a secure Unix system. File Transfer Protocol (FTP) is a tricky service to secure correctly, and the last thing you want to do is try to set up an FTP service on an OS with which you are not familiar.

The lack of security in FTP can be traced back to the environment for which it was originally designed. Back in the seventies, when the File Transfer Protocol first appeared, clients and servers interacted with a minimum of restrictions, and packets travelled directly to their destination. FTP was created before the introduction of SSL, like HTTP, SMTP and many other common Internet protocols. Therefore, it is inherently insecure, as data is not encrypted during transit. Usernames, passwords, FTP commands and transmitted files are all sent in plaintext and can be intercepted using a packet sniffer.

If you are looking to provide a convenient way for clients or staff to access non-confidential material, you can use anonymous FTP. Anonymous FTP doesn't require a password for each user, and as the information isn't sensitive, there is no need for encryption. However, there are still some security issues to consider.

To limit access just to the FTP home directory and its subdirectories, create a new, separate account for anonymous FTP users. Also, when users access the FTP site, display a welcome message that explains the terms and conditions they must agree to before using the site. Also log any FTP activity in order to comply with your security audit policies.

If you're running the FTP service solely for staff or a few select clients, set the limit on live connections to an appropriate level. There is no point allowing unlimited simultaneous connections to your server, since this only makes denial-of-service attacks easier. Also, in this scenario, I would recommend restricting access to users from a specific IP range or address, such as a trusted client or subnet of your Intranet. This is easily done by denying access to all computers and then configuring your trusted user's IP address as an exception. If you need to grant write permission to a directory so that users can upload files to your server, grant it on a separate directory that doesn't have read permission.

If any uploaded files or files available for downloading contain sensitive information, then you need to use a secure FTP protocol to keep network sniffers from reading them and your users' passwords upon connection. Read my tip on setting up a secure FTP server for more details on your two main choices, FTPS and SFTP.

More information:

  • Michael Cobb reviews the pros and cons of FTP over SSL.
  • A SearchSecurity.com reader asks Mike Chapple, "What OSI Layer 4 protocol does FTP use to guarantee data delivery?"
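
The following is an added example, not part of Michael Cobb's answer: a small audit that checks an FTP server configuration against the recommendations above (welcome banner, logging, connection limits, IP restriction, write-only upload directory). It assumes vsftpd option names purely as an illustration, since the answer names no particular server; the sample configs, the function names and the assumption that FTP users fall under the upload directory's "other" permission bits are all constructed for this example.

```python
import stat

# Constructed sample configs using vsftpd option names (illustrative values).
WEAK_CONF = "local_enable=YES\nwrite_enable=YES\nmax_clients=0\nxferlog_enable=NO\n"
HARDENED_CONF = """\
local_enable=YES
write_enable=YES
ftpd_banner=Authorised users only. Use implies acceptance of the site terms.
xferlog_enable=YES
max_clients=20
max_per_ip=2
tcp_wrappers=YES
"""

def parse_conf(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_ftp_config(text, upload_dir_mode=None):
    """Return findings where the config departs from the answer's advice."""
    conf = parse_conf(text)
    yes = lambda key: conf.get(key, "NO").upper() == "YES"
    findings = []
    if not conf.get("ftpd_banner") and not conf.get("banner_file"):
        findings.append("no welcome banner stating terms and conditions")
    if not yes("xferlog_enable"):
        findings.append("transfer logging is off")
    for key in ("max_clients", "max_per_ip"):
        if int(conf.get(key, "0")) == 0:  # 0 means unlimited in vsftpd
            findings.append(f"{key} is unlimited")
    if not yes("tcp_wrappers"):
        # With tcp_wrappers, the deny-all rule and the trusted exceptions
        # live in /etc/hosts.deny and /etc/hosts.allow.
        findings.append("no IP allowlist (tcp_wrappers disabled)")
    if yes("write_enable") and upload_dir_mode is not None:
        # Assumption: FTP users map to the directory's "other" bits.
        # They need write (to upload) but must not have read (to list).
        if upload_dir_mode & stat.S_IROTH or not upload_dir_mode & stat.S_IWOTH:
            findings.append("upload directory must be write-only for FTP users")
    return findings
```

Pass the upload directory's mode from `os.stat(path).st_mode` when running this against a real host; an empty list means every check passed.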




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy