
Posts Tagged with "FTP SERVER"

SFTP vs. FTPS: The Key Differences

FTP, SFTP, FTPS, HTTPS, AS2… the many options for transferring files can make it confusing to answer the question that matters: what is the best way to secure your company’s data during transfer? This blog post is an introduction to the differences between the two mainstream secure FTP protocols, SFTP and FTPS, and which is the best choice to protect your file transfers.

Can’t I Just Use FTP?

FTP is a popular file transfer method that has been around longer than the world wide web, and it hasn’t changed much since its invention. Back then, it was usually assumed that internet activity was not malicious, so FTP wasn’t created with features to deal with the kind of cybersecurity threats we now see in the news every day.

FTP exchanges data using two separate channels known as the command channel and data channel.  With FTP, both channels are unencrypted, leaving any data sent over these channels vulnerable to being intercepted and read.

Even if a man-in-the-middle attack is a risk that you are personally willing to take, industry regulations such as PCI DSS, HIPAA, and others, require data transfers to be encrypted. Unfortunately, despite escalating security risks and the high cost of non-compliance, FTP is actually growing in popularity.

We highly recommend you avoid the basic FTP protocol and choose a secure option.

What is FTPS?

In the 1990s concern about internet security was growing, and in response Netscape created the Secure Sockets Layer (SSL, now known as TLS) protocol to protect communications over a network. SSL was applied to FTP to create FTPS. Like FTP, FTPS uses two connections, a command channel and a data channel. You can choose to encrypt both connections or only the data channel.

FTPS authenticates your connection using either a user ID and password, a certificate, or both. When connecting to a trading partner's FTPS server, your FTPS client will first check if the server's certificate is trusted. The certificate is considered trusted if either the certificate was signed by a known certificate authority (CA), or if the certificate was self-signed by your partner and you have a copy of their public certificate in your trusted key store. Your partner may also require that you supply a certificate when you connect to them. If your certificate isn’t signed by a third-party CA, your partner may allow you to self-sign your certificate, sending them the public portion beforehand to load into their trusted key store.

User ID authentication can be used with any combination of certificate and/or password authentication.

What is SFTP?

While FTPS adds a layer to the FTP protocol, SFTP is an entirely different protocol based on the network protocol SSH (Secure Shell) rather than FTP. Unlike both FTP and FTPS, SFTP uses only one connection and encrypts both authentication information and data files being transferred.

SFTP provides two methods for authenticating connections. Like FTP, you can simply use a user ID and password. However, with SFTP these credentials are encrypted, which gives it a major security advantage over FTP. The other authentication method you can use with SFTP is SSH keys. This involves first generating an SSH private key and public key. You then send your SSH public key to your trading partner, and they load it onto their server and associate it with your account. When you connect to their SFTP server, your client software will transmit your public key to the server for authentication. If the public key matches your private key, along with any user or password supplied, then the authentication will succeed.

User ID authentication can be used with any combination of key and/or password authentication.

What is the difference between FTPS and SFTP?

We’ve established that both FTPS and SFTP offer strong protection through authentication options that FTP can’t provide. So why should you choose one over the other?

One major difference between FTPS and SFTP is that FTPS uses multiple port numbers. The first port, for the command channel, is used for authentication and passing commands. However, every time a file transfer request or directory listing request is made, another port number needs to be opened for the data channel. You and your trading partners will therefore have to open a range of ports in your firewalls to allow for FTPS connections, which can be a security risk for your network. SFTP needs only a single port number for all SFTP communications, making it easy to secure.

While both protocols have their benefits, we recommend SFTP thanks to its better usability with firewalls. For an enterprise, it is ideal to have a managed file transfer (MFT) solution that can manage, monitor, and automate file transfers using a variety of protocols, including FTPS and SFTP. MFT is extremely valuable if you have trading partners with different requirements, and it has additional features like detailed audit logs to help you comply with industry regulations.

GoAnywhere is a managed file transfer solution that supports both SFTP and FTPS. Learn more about GoAnywhere MFT.  


GoAnywhere customers rewarded for sharing

We hear a lot from our customers about how much they love the GoAnywhere suite of managed file transfer products. From how much time and money they save by automating processes to becoming more efficient and able to attend other tasks, customer feedback is what inspires us to continue innovating and making our products even better.

From the GoAnywhere Mailbag:

"If I ever go to work for another company, I'm not going to accept unless they agree to purchase GoAnywhere Director."

"GoAnywhere works. We have had ZERO problems with it, which is not something you can say about very many products."

It's gratifying to know that our customers enjoy GoAnywhere as much as we do. The amount of new customers referred from current GoAnywhere customers is a testament to how much they believe in our managed file transfer software and how it's often a game changer for businesses. As our way of saying Thank You, Linoma Software has created a referral program to reward our great customers for sharing their recommendations and GoAnywhere experience with others.

"How do they [GoAnywhere] make any money with the low cost and incredible support they provide?"

"Definitely buy GoAnywhere. It will be the easiest implementation...the best value of software that you've ever had"

To participate, GoAnywhere customers can simply fill out an easy online form when they refer our products to others. They will be rewarded with $500 if the person or company they referred purchases GoAnywhere! It's that simple and there is no limit to the number of people or companies they can refer.

It's our way of saying Thank You to all the people and companies we love working with. If you are a GoAnywhere customer, be sure to enjoy the rewards of our referral program starting today! For additional information or to fill out our referral form, please visit our GoAnywhere Referral Program page. You can learn more about GoAnywhere and our customer experiences in their own words by visiting our Testimonials page or viewing our Customer Review Videos.


SFTP Server in the DMZ or Private Network

Many organizations have an SFTP server installed where their trading partners can connect to securely upload and download sensitive files.

SFTP Server in the DMZ

Traditionally SFTP Servers have been installed in the DMZ (or public facing) segment of the network since organizations were fearful of opening inbound ports into the Private (internal) network.

[Diagram: SFTP server in the DMZ]

Keeping the SFTP Server in the DMZ, however, has posed several problems. The primary issue is that files have to be stored in the DMZ when they are dropped off by partners, or otherwise staged temporarily for pickup. Those staged files have a higher risk of being accessed by hackers since the DMZ is more exposed to the Internet. You could require those staged files to be encrypted with something like Open PGP, but many auditors don't like to see any sensitive files in the DMZ, encrypted or not. Another issue is that you often have to write scripts to copy the files back and forth between the DMZ and private network, which takes programmer effort and can lead to errors.

SFTP Server in the Private Network

To keep sensitive files out of the DMZ, some organizations have moved their SFTP server into the private network.

[Diagram: SFTP server in the private network]

This approach eliminates the need to write scripts for moving files back and forth. The big downside of this approach is that ports were traditionally opened into the private network for trading partners to gain access to the SFTP server. These open ports could give attackers a path into the private network. In today's security-conscious environment, most IT auditors do not like to see any inbound ports opened into the private network, especially if you are storing sensitive PCI DSS or HIPAA data on those servers.

Gateway in the DMZ while keeping the SFTP Server in the Private Network

An approach that is quickly gaining in popularity is to implement a gateway component in the DMZ. The gateway will serve as an enhanced reverse proxy which does not require inbound ports into the private network.

[Diagram: gateway in the DMZ, SFTP server in the private network]

At startup time, the SFTP server will establish a special control channel with the gateway, which is kept alive continuously. When partners connect to the gateway, it will make requests over the existing control channel to the SFTP server. The SFTP server will then open any data channels needed back through the gateway to service the trading partners. The whole process is transparent to the trading partners. No data is ever stored in the DMZ since it is simply streamed through the gateway.

A gateway in the DMZ therefore solves two major security issues:

  1. No files need to be stored in the DMZ, including user credentials
  2. No inbound ports need to be opened into the Private network
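
The outbound control-channel pattern described above, run on loopback as an added example. It is not GoAnywhere's proprietary protocol or code from the original post; the CONTROL/OPEN/DATA messages, all names, and the one-line stand-in for an SFTP session are assumptions, and control-channel authentication is out of scope here.

```python
import itertools
import socket
import threading

def read_line(sock):  # byte by byte, so no session data is read ahead
    buf = b""
    while not buf.endswith(b"\n") and (byte := sock.recv(1)):
        buf += byte
    return buf.decode().strip()

def pipe(src, dst):  # stream one way; the gateway never writes bytes to disk
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

class Gateway:  # DMZ side: the only component that listens for connections
    def __init__(self):
        self.public = socket.create_server(("127.0.0.1", 0))   # partner-facing
        self.backend = socket.create_server(("127.0.0.1", 0))  # dialed from inside
        self.control, self.pending, self.ready = None, {}, threading.Event()
        for loop in (self._backend_loop, self._partner_loop):
            threading.Thread(target=loop, daemon=True).start()

    def _backend_loop(self):
        while True:
            conn, _ = self.backend.accept()
            kind, _, sid = read_line(conn).partition(" ")
            if kind == "CONTROL":        # long-lived channel opened at startup
                self.control = conn
                self.ready.set()
            elif kind == "DATA" and (partner := self.pending.pop(sid, None)):
                for a, b in ((partner, conn), (conn, partner)):  # splice both ways
                    threading.Thread(target=pipe, args=(a, b), daemon=True).start()
            else:
                conn.close()

    def _partner_loop(self):
        for sid in itertools.count(1):
            partner, _ = self.public.accept()
            self.ready.wait()            # no control channel, no service
            self.pending[str(sid)] = partner
            self.control.sendall(f"OPEN {sid}\n".encode())

def serve_session(sock):  # stand-in for an SFTP session: acknowledge one name
    with sock:
        sock.sendall(f"STORED {read_line(sock)}\n".encode())

def internal_server(backend_addr):
    """Private-network side: outbound connections only, never listens."""
    control = socket.create_connection(backend_addr)
    control.sendall(b"CONTROL\n")
    while request := read_line(control):
        if request.startswith("OPEN "):
            data = socket.create_connection(backend_addr)
            data.sendall(f"DATA {request[5:]}\n".encode())
            threading.Thread(target=serve_session, args=(data,), daemon=True).start()

def demo():
    gateway = Gateway()
    inside = gateway.backend.getsockname()
    threading.Thread(target=internal_server, args=(inside,), daemon=True).start()
    with socket.create_connection(gateway.public.getsockname(), timeout=5) as partner:
        partner.sendall(b"report.csv\n")
        return read_line(partner)

if __name__ == "__main__":
    print(demo())
```

Every `create_server` call sits in `Gateway`; the internal side only ever calls `create_connection`, which is why the firewall between the DMZ and the private network needs no inbound rule.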

Since a proprietary control channel is used to communicate between the gateway and the SFTP server, you will need to purchase both components from a single vendor. When looking for the right gateway for your organization, make sure it is easy to set up and manage. It is critical that it does not require inbound ports into the private network or require any data to be stored in the DMZ.

 

Want to learn more about DMZ Gateways? View this informative whitepaper: DMZ Gateways: Secret Weapons for Data Security.


Updates for GoAnywhere Include Clustering, Disk Quotas, and More

In response to customer requests, especially from larger organizations, Linoma Software has released new enhancements such as clustering and disk quotas for GoAnywhere Director and GoAnywhere Services.  These updates to the GoAnywhere Managed File Transfer suite provide even more robust administrative control, and add automatic failover protection in the event of a server failure.

GoAnywhere Director 4.5.0 adds clustering

The new release of GoAnywhere Director 4.5.0 got a big boost when developers added clustering, a feature they added to GoAnywhere Services earlier this year. Clustering, also known as "active-active" high availability, means that multiple installations of GoAnywhere Director can be in operation simultaneously, communicating with each other at all times.

GoAnywhere Director Clustering for High Availability

There are several advantages to clustering.  It provides assurance for users and trading partners that if something were to go wrong with one of the servers, the additional installations would automatically take over so availability would not be affected.  It also allows for load balancing, which is especially helpful for organizations with high volumes of file transfers.  Finally, it makes it easy for organizations to manage growth because they can easily incorporate additional servers to their managed file transfer environment.

GoAnywhere Services 3.3.0 adds disk quotas, bandwidth throttling

GoAnywhere Services 3.3.0 offers administrators even greater control over how users interact with their secure FTP servers.

One key enhancement is the addition of disk quotas, which allows admins to determine how much storage space to give to each trading partner and user to better manage storage device resources.

Bandwidth throttling, also new to GoAnywhere Services 3.3.0, lets administrators put limits on the amount of network resources a user can consume when transferring files.  With this feature, controls can be enforced on file uploads, downloads and even on which days or times of day are available to specific users.

With more than 50 updates in this round of enhancements, GoAnywhere continues to respond to the needs of its ever-growing consumer base.  GoAnywhere customers will be notified within their product screens that an update is available, and those who are not yet customers can contact us to get a free demo, or can download a fully-functional free trial.

For more information about the features included in the new releases, check out our news page.  


Could your FTP server pass a compliance audit?

If an auditor showed up in your office tomorrow and wanted to examine your file transfer security policies and procedures, how confident are you that your organization would earn high marks?

Take this short quiz and find out.

  1. Are you still hosting an outdated SFTP or FTP server in the public area of your network (or DMZ)?
  2. Do trading partners have access to inbound ports within your internal network to drop off or retrieve files?
  3. Are your administrative security controls granular enough to manage user access to specific files, folders and areas of the network?
  4. Can you monitor all file transfer activity and maintain detailed audit logs?
  5. Do employees have easy access to an ad hoc file transfer tool that lets them transfer files of any size, all while generating audit trails?

To find out how auditors expect you to answer these questions, don't miss our next webinar:

Get Your FTP Server Into Compliance
Thursday, July 18 at Noon Central

Linoma Software's Chief Architect Bob Luebbe will show you how the GoAnywhere Services secure FTP server can work with GoAnywhere Gateway to keep sensitive data and credentials safely in your internal network and out of the DMZ.  He'll also demonstrate how the two work together to allow you to exchange files with trading partners without opening inbound ports.

Do your homework so you can prepare for a visit from the auditor.  Sign up today!  


GoAnywhere Services Clustering Is Featured in IT Jungle

Linoma Software is getting lots of attention these days thanks to the recent addition of clustering and load balancing to its GoAnywhere Services secure FTP server. Companies who need maximum up-time can now depend on GoAnywhere as a high availability solution, especially when it comes to overcoming hardware failure. According to a story published in IT Jungle today, "The one-two punch of GoAnywhere Services 3.1 and GoAnywhere Gateway 2.0 will put Linoma in the game when clustering and load balancing are part of the RFP."


What Is Your High Availability Plan for Your SFTP Server?

As your organization and its trading partners become more and more integrated, it is becoming critical that file transfers are performed without delays or disruptions. For instance, a document containing a batch of transactions could traditionally be delivered within a window of several hours without causing any issues. But today, in the effort to make business processes as efficient as possible, that same document must now be delivered within seconds.

Organizations are therefore taking a closer look at how they can provide the best high availability for their systems to minimize any potential disruptions to their file transfers.

Comparing High Availability Strategies

Many of the secure file transfers from your trading partners are probably going through an SFTP server in your organization's network.  If that SFTP server were to go down (for example, due to a CPU or drive failure), then you would need to fail over to a redundant backup system to continue to service your trading partners, thus maintaining high availability.

Two common approaches for providing high availability for SFTP servers and most other applications are Active-Passive and Active-Active.

Active-Passive

With an Active-Passive approach, only one SFTP server will be active at a time to service your trading partners. A backup copy of the SFTP server would exist on your network as a "passive" system, meaning that it is installed and configured, but it is not actively running.

To prepare in the event of a failure of the active SFTP server, it is important that you frequently replicate all settings and configuration files from the active SFTP server to the passive system. If the active SFTP server fails, then the passive SFTP server could be launched and your network configured to point to this new system.

In an Active-Passive configuration, the downtime for your trading partners (when a failure occurs) can be a few seconds or several hours depending on how the passive system is started.

The least efficient and often slowest implementation of an Active-Passive approach is to rely on human intervention to detect the failure and then manually start up the passive system.  This could take several hours depending on when the outage is reported, the process to start the passive system, and the complexities of configuring the network to route traffic to the new system.

A much better approach would be to have a third-party system monitoring tool that would immediately detect when the SFTP server fails, and then would automatically start up the passive system. The result should be a much shorter disruption for trading partners of only a few seconds.

Active-Active, or Clustering

The next level in high availability is to use an Active-Active approach, also referred to as "clustering."

With Active-Active, two or more installations of the SFTP server can be running concurrently, sharing the same set of configurations and trading partner accounts. The SFTP servers in the cluster are in constant communication with each other, so if one of the SFTP servers were to fail, the remaining systems in the cluster will continue to service the trading partners. This configuration will provide the maximum high availability since it is not dependent on human interaction or third-party tools to start up other systems.

If you need maximum up-time for your SFTP server, GoAnywhere Services now offers clustering.

Another advantage of an active-active configuration is that you can load balance the traffic over multiple systems, which is important when you need to service a large number of trading partners.  This will require that you install a load balancer like GoAnywhere Gateway in front of the cluster.  Typically this load balancer will be in your DMZ and will be your trading partners' initial point of contact.

The Bottom Line

Both Active-Passive and Active-Active methods provide high availability for your SFTP server environment if configured properly.  However, Active-Active will provide the maximum up-time because it keeps multiple SFTP servers running concurrently in a cluster, along with the added benefit of load-balancing.

How critical up-time is to your bottom line will be the best guide to determining which high availability approach best fits your organization.

For the banking software firm FPS GOLD, high availability was critical to business. As such, they needed an MFT solution with consistent high availability that is highly customizable, stable, user-friendly and scalable. Read their experience choosing an MFT solution with high availability here.

 


FTP Server Security Flaw Discovered

We know that FTP has security issues that are based upon its aging design. But a new flaw, discovered by Maksymilian Arciemowicz, is creating new concerns. This new flaw is calling into question the underlying code-base implemented by literally thousands of FTP server applications.

The flaw resides in several C code libraries that call the glob() function. "Globbing" is a pervasive function that permits the use of wildcard patterns to identify file names. It's one of the most commonly used processes in transferring large numbers of files with FTP: Instead of individually selecting files, a user may select a folder or a group of files based upon a common string. The patterns *.doc and *.* are common examples.

The flaw discovered by Arciemowicz relates to a feature added to C libraries in 2001.  That feature - called GLOB_LIMIT - was designed to limit the amount of memory used during transfer. Because GLOB_LIMIT is not effective, it potentially allows a system's main memory to be flooded when processing certain patterns and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result.

Of course, crashing an FTP server can then permit other security violations to take place - not only on the server side. For instance, a hung FTP server that is in the midst of a conversation with a client can leave the client's data in the open. This represents a serious potential security hole for the client software itself.

In most servers, the function is implemented via libc, but some vendors have integrated the globbing feature directly into their products, with an option in the configuration settings for it to be disabled. Arciemowicz said that OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3 / 8.1, Oracle Sun Solaris 10 and GNU Libc (glibc) are affected. FTP and SFTP servers all tend to support globbing, so it's important to either disable globbing in the configuration of the server side, and/or to contact the software vendor about the use of this underlying function to discuss how to the function.
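
One way for a server that must keep wildcard support to bound expansion itself rather than rely on the C library's limit. This is an added example, not code from the original post or from any vendor; the budgets and the names `check_pattern`, `bounded_list` and `GlobRejected` are assumptions, and the sample files are constructed.

```python
import fnmatch
import os
import tempfile

MAX_PATTERN_LEN = 64   # assumed budgets; tune per deployment
MAX_WILDCARDS = 4
MAX_MATCHES = 1000

class GlobRejected(ValueError):
    """Raised when a client pattern exceeds the expansion budget."""

def check_pattern(pattern):
    """Validate a client-supplied wildcard before any expansion happens."""
    if not pattern or len(pattern) > MAX_PATTERN_LEN:
        raise GlobRejected("pattern length out of bounds")
    if "/" in pattern or "\\" in pattern or pattern in (".", ".."):
        raise GlobRejected("pattern must name entries in one directory")
    if "{" in pattern or "}" in pattern:
        raise GlobRejected("brace alternation is not accepted")
    while "**" in pattern:                 # runs of '*' add cost, not meaning
        pattern = pattern.replace("**", "*")
    if sum(pattern.count(c) for c in "*?[") > MAX_WILDCARDS:
        raise GlobRejected("too many wildcards")
    return pattern

def bounded_list(directory, pattern, limit=MAX_MATCHES):
    """Match names in one directory, holding at most `limit` results in memory."""
    pattern = check_pattern(pattern)
    matches = []
    with os.scandir(directory) as entries:   # lazy iterator, no full listing
        for entry in entries:
            if fnmatch.fnmatchcase(entry.name, pattern):
                if len(matches) >= limit:
                    raise GlobRejected("match limit exceeded")
                matches.append(entry.name)
    return sorted(matches)

def demo():
    """Run the guard over a constructed directory of sample files."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("q1.doc", "q2.doc", "notes.txt"):
            open(os.path.join(root, name), "w").close()
        listed = bounded_list(root, "*.doc")
        try:
            bounded_list(root, "*", limit=2)
            capped = False
        except GlobRejected:
            capped = True
    return listed, capped

if __name__ == "__main__":
    print(demo())
```

The guard rejects a request before touching the file system when the pattern itself is over budget, and stops mid-scan when the result set is, so memory use is bounded by `limit` regardless of directory size.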

GoAnywhere does not have this issue as it does not use C or the GLOB_LIMIT. GoAnywhere Services is a secure file server that allows trading partners (both internal and external) to securely connect to your system and exchange files within a fully managed and audited solution. Popular file transfer and encryption standards are supported without the need for proprietary client software.