Securing FTP
We finished our discussion of FTP services last week by picking on everyone's favorite technology whipping boy, Microsoft. And this abuse was not gratuitous: The Microsoft FTP service in Internet Information Server (IIS) certainly isn't slick. It is also, as we discussed, not exactly security minded.
Where security is an issue, there are a few better systems to choose from. An interesting one comes from Glub Tech.
The client side, which is free, is called Secure FTP. It supports secure connections to FTP servers that support Secure Sockets Layer (SSL). The company plans to add support for Kerberos and one-time passwords in future releases.
The client, written in Java, requires Java 2 Runtime Environment Version 1.3+, and runs on Windows, Mac OS X and Unix. The client can run as an application or an applet (except with Mac OS X) when used in conjunction with Sun's Java Plug-In. This FTP client implementation only encrypts the command channel, so the data channel is not secured. If you want to be certain about the privacy of files, you'll have to encrypt them some other way. May we suggest Cryptext?
This freeware application integrates with the shell under Windows 95, 98, NT4, 2000 and Millennium Edition, so you can encrypt and decrypt files using the context menu (right mouse click). Cryptext combines the SHA-1 hash algorithm with RC4 encryption, using a 160-bit key.
How good is a 160-bit key? From the author's Web site: "We can make a small calculation on what is needed to break a 160-bit key. . . . With 160 bits in the key there are 2 to the power of 160 possible keys. It takes on the average, half that many attempts to find the correct key. [If] there are 1 billion computers in the world, [and] every computer is devoted full time to breaking your key, each computer can test 1 billion keys per second [and] . . . it will take about [100,000,000,000,000] years to find the key."
Neat stuff. Anyway, back to FTP.
The FTP server has to understand SSL connections, so Glub offers, for $30, its Secure FTP Wrapper, a Java front end for most FTP servers that intercepts requests on port 21. It unwraps SSL connections and passes the commands on to the FTP server, and vice versa. The current version only supports Glub's Secure FTP client, but the company plans to support others.
A more developed SSL-enabled FTP server for Win 2000 and NT is WS_FTP from Ipswitch. It costs $400. WS_FTP Server has an extensive feature list, including many security attributes, and unlike the Microsoft IIS FTP service, the site command and stat command don't give anything away. One feature is the ability to have a program or batch file invoked whenever a specific event, such as a logon, occurs.
Ipswitch also has an FTP client called WS_FTP. The Pro version ($40) is SSL-enabled, has a slick user interface, scripting for automating routine tasks, sophisticated firewall support, multiple session support and browser integration.
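The earlier caveat, that a client encrypting only the command channel leaves file data unsecured, can be checked from a client's command log. What follows is an added example, not code from this column or from any product named in it; it assumes the RFC 4217 FTP-over-TLS commands (AUTH TLS, PBSZ, PROT), which the column does not mention, and the log format and the names audit_ftp_session and SAMPLE_LOG are constructed for illustration.

```python
# Added example: flag FTP transfers whose data channel was not TLS-protected.
# Assumes RFC 4217: AUTH TLS covers only the control channel until "PROT P".
TRANSFER_CMDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}

def audit_ftp_session(log_lines):
    """Return (line_no, command, reason) for every transfer sent in the clear."""
    control_tls, data_prot = False, "C"   # "C" (Clear) is the default level
    pending = None                        # client command awaiting its reply
    findings = []
    for n, raw in enumerate(log_lines, 1):
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "C" and text:
            parts = text.split()
            verb = parts[0].upper()
            arg = parts[1].upper() if len(parts) > 1 else ""
            pending = (verb, arg)
            if verb in TRANSFER_CMDS and not control_tls:
                findings.append((n, text, "control and data channels unencrypted"))
            elif verb in TRANSFER_CMDS and data_prot != "P":
                findings.append((n, text, "data channel unencrypted (no PROT P)"))
        elif side == "S" and pending and text[3:4] != "-":  # skip "NNN-" lines
            verb, arg = pending
            if (verb, arg) == ("AUTH", "TLS") and text.startswith("234"):
                control_tls, data_prot = True, "C"   # new TLS session: reset
            elif verb == "PROT" and text.startswith("200"):
                data_prot = arg                      # "P" private, "C" clear
            pending = None
    return findings

# Constructed client debug log ("C:" = command sent, "S:" = server reply).
SAMPLE_LOG = """\
C: AUTH TLS
S: 234 AUTH TLS successful
C: USER alice
S: 331 Password required
C: PASS ********
S: 230 Logged in
C: RETR payroll.xls
S: 150 Opening data connection
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to Private
C: RETR payroll.xls
S: 150 Opening data connection
""".splitlines()

print(audit_ftp_session(SAMPLE_LOG))
```

Only the first RETR is reported: the control channel was already encrypted, but the file itself crossed the network in the clear because PROT P had not yet been accepted.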
Next week . . . well, we'll keep that secure.
Send your secrets to gearhead@gibbs.com.
RELATED LINKS
Part 1: Intro to FTP. Network World, 7/23/01.
Part 2: The connection to the server is made. Network World, 7/30/01.
Part 3: Connection modes. Network World, 8/6/01.
Part 4: Let the transfers begin. Network World, 8/13/01.
Part 5: FTP server security. Network World, 8/20/01.
Part 6: SITE and SYST. Network World, 8/27/01.

