7 Replies - 2218 Views - Last Post: 20 February 2006 - 04:55 PM

#1 error411413404

Secure FTP transfer

Posted 20 February 2006 - 02:58 PM

Hi,

Our website recently went through a security audit. One of the things they want to see is SFTP in place. It's not making sense to me, because I am behind a firewall and go through a secure server to get to my webhost server. They are crying packet sniffing, but wouldn't that threat need to come from the inside, within our own network, not the public internet? I'm no network security person, but I downloaded a packet sniffer and sniffed myself; the only thing I was able to see was my user ID, never my password. I don't have any sensitive or confidential info on this website. Is it just me, or does this seem a little wacky? Someone, please enlighten me.


Replies To: Secure FTP transfer

#2 Nova Dragoon

Re: Secure FTP transfer

Posted 20 February 2006 - 03:05 PM

What do you mean by "go through a secure server to get to my webhost server" exactly?

#3 error411413404

Re: Secure FTP transfer

Posted 20 February 2006 - 03:09 PM

I have to go through a secure gateway FTP server set up at corporate in order to be granted access out using the ftp port.

#4 Nova Dragoon

Re: Secure FTP transfer

Posted 20 February 2006 - 03:43 PM

I'm not familiar with this sort of setup. Are the secure mechanisms to the gateway implemented in a client program, or what?

And also, SFTP isn't that big of a deal, unless you are using some Dreamweaver-type app that doesn't have SFTP support.

Also, I'm not too up on the FTP RFC, but passwords may not have to be in plain text for them to be vulnerable. Take the SMTP AUTH PLAIN mechanism, which simply encodes your login info in MIME64, which does not obviously show the password in a packet sniff, but it is readily obtainable by un-encoding the MIME64.
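Added example, not part of the thread: a small Python audit that reads constructed FTP and SMTP control-channel lines (the kind of thing visible to anyone who can read the traffic when no TLS or SSH is in use) and reports every credential that is recoverable. It decodes the AUTH PLAIN blob per RFC 4616 to show that the encoding Nova Dragoon mentions is reversible without any key. Host names and credentials in the sample are constructed.

```python
import base64
import binascii
import re

# Constructed sample of captured control-channel lines (not a real capture):
# an FTP login followed by an SMTP AUTH PLAIN login, both without TLS/SSH.
SAMPLE_CAPTURE = [
    "220 ftp.example.test FTP server ready",
    "USER webmaster",
    "331 Password required for webmaster",
    "PASS hunter2",
    "230 User webmaster logged in",
    "220 mail.example.test ESMTP",
    "AUTH PLAIN AHdlYm1hc3RlcgBodW50ZXIy",
    "235 2.7.0 Authentication successful",
]

def decode_auth_plain(blob):
    """Decode an RFC 4616 AUTH PLAIN response: [authzid] NUL authcid NUL passwd.
    Base64 is an encoding, not encryption, so no key is needed to reverse it."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")

def find_cleartext_credentials(lines):
    """Return (protocol, user, password) for every credential readable on the wire."""
    findings, ftp_user, awaiting_blob = [], None, False
    for line in lines:
        line = line.rstrip("\r\n")
        if awaiting_blob:                       # two-step AUTH PLAIN: blob follows "334 "
            if re.match(r"\d{3}[ -]", line):    # skip the server prompt, keep waiting
                continue
            awaiting_blob = False
            if creds := decode_auth_plain(line):
                findings.append(("SMTP AUTH PLAIN",) + creds)
            continue
        if m := re.match(r"(?i)USER\s+(\S+)$", line):
            ftp_user = m.group(1)               # FTP sends USER and PASS in the clear
        elif m := re.match(r"(?i)PASS\s+(\S+)$", line):
            findings.append(("FTP", ftp_user, m.group(1)))
        elif m := re.match(r"(?i)AUTH\s+PLAIN(?:\s+(\S+))?$", line):
            if m.group(1) is None:
                awaiting_blob = True
            elif creds := decode_auth_plain(m.group(1)):
                findings.append(("SMTP AUTH PLAIN",) + creds)
    return findings
```

Running `find_cleartext_credentials(SAMPLE_CAPTURE)` yields the same username and password twice, once from FTP and once from the decoded AUTH PLAIN blob; with SFTP (or FTP over TLS) these lines travel inside an encrypted channel and nothing here matches.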

#5 error411413404

Re: Secure FTP transfer

Posted 20 February 2006 - 03:55 PM

Only certain users within my company are granted FTP access, so I have to go through the secure corporate FTP server in order to gain access to the outside-of-LAN server my website is hosted on. We all reside on and gain internet access through our LAN. From what I've read about SFTP, it's not foolproof anyway. It can fail between hops, etc. It is also not supported by many companies without moving your site to a dedicated server, which costs much more money. As for the packet sniffing, am I correct or not that no one outside of our LAN can sniff without implanting a sniffer on our LAN via a trojan or whatever, and that the biggest threat of my password being sniffed comes internally, possibly from some whack-job who wants to go postal on the companies' websites?

#6 Nova Dragoon

Re: Secure FTP transfer

Posted 20 February 2006 - 04:21 PM

Well, not knowing how the "secure ftp server" is implemented, I can't really say much more on this issue.

It would still stand (secure server or not) that the biggest place for sniffing would be on the internal network. Since, once routed out, that FTP traffic would be passing through infrastructure routers on its way to the webserver, and not randomly on networks.

Most sniffing occurs in the internal networks, so if your FTP traffic is coming to the webserver only through one network, it would be best to look at the security on that network, instead of doing a big messy shift to SFTP.

However, if your webserver can be moved to SFTP without much trouble, then go for that.

#7 error411413404

Re: Secure FTP transfer

Posted 20 February 2006 - 04:41 PM

So, what you are saying is that it's routed through so many servers on its way to the final destination that SFTP isn't going to help anyway? I don't have any secrets on the webserver. Just images and files. What does SFTP encrypt? The login and password? The files it's transferring? Both? Neither? I've looked at so damn many websites regarding this topic today and they are all different! Do you or anyone have any recommendations for SFTP clients? Is it even worth bothering with? Is SFTP/SSH just a bunch of bullshit?

#8 Nova Dragoon

Re: Secure FTP transfer

Posted 20 February 2006 - 04:55 PM

The thing is, outside of your network it is still possible to sniff, just very, very impractical.

SFTP encrypts the whole TCP transmission, from username to password, to your cd, ls, pwd and exit commands, and file transfers, in ASCII and binary modes.