You know what? That is a very good idea!

Hmmm... I'm gonna look for the tunnel thing... Thanks.

Cheers,

Fritz Mesedilla
www.mesedilla.com
---
+Basta Ikaw Lord

-----Original Message-----
From: Rafael 'Dido' Sevilla [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 10:37 AM
To: [EMAIL PROTECTED]
Subject: Re: [plug] securing ftp


On Tue, Sep 25, 2001 at 05:48:51PM +0800, Fritz Mesedilla wrote:
> I know you all advised me to turn off ftp.
> but the thing is, our marketing team wants to use webtrends with clusters.
> webtrends only uses ftp.
>
Oh boy... :(
> here is what we hope to achieve:
> open ftp
> only one internal ip address is allowed ftp
> ftp is NOT seen outside the network
> firewall is installed.
>
> is this possible? is securing ftp possible?
>
Yes, but what you've proposed is not enough.  Your username/password
can still be sniffed by any promiscuous interfaces sitting on either
the internal end or any networks where your packets get routed.  The
only way to avoid this is to use FTP point-to-point.  One way
to do this is to add a network card to each of your machines, and use
a cross cable to link them together.  Get the FTP server to listen
only on that extra interface.

Another way is to set up a virtual private network between the two.
You can tunnel PPP over SSH; other VPN solutions like FreeS/WAN are
probably overkill for your application, and then do your FTP over the
virtual private network only.  You can set up a "vpn router" if
either machine is not Linux; just be sure that all machines in between
the VPN router and any machine from which the FTP can originate can be
trusted (e.g. live inside your private network).

This is a lot of work just to support a single application.  I think
it would be better to get another system for supporting your web stats
generation that is capable of getting the stats from an HTTP/SSL
server.  Publish the logs via https and get the web server to request
a client-side certificate before showing them.  That's far, far easier
than setting up a VPN, and will probably be more secure.
--
Rafael R. Sevilla <[EMAIL PROTECTED]>   +63(2)   8177746 ext. 8311
Programmer, InterdotNet Philippines              +63(917) 4458925
http://dido.engr.internet.org.ph/                OpenPGP Key ID: 0x5CDA17D8
_
Philippine Linux Users Group. Web site and archives at
http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]
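
The HTTPS-with-client-certificate alternative suggested in the quoted reply, as an added example that is not part of the original thread or either poster's code. It assumes Python's standard `http.server` and `ssl` modules stand in for the web server; the allow-listed common name, port 8443, the script name and the certificate file arguments are all hypothetical.

```python
import functools
import http.server
import ssl
import sys

# Assumption: CN in the certificate issued to the one stats machine.
ALLOWED_CLIENTS = {"stats-collector.example.internal"}

def build_context(server_cert, server_key, client_ca):
    """Server-side TLS context that rejects clients without a cert from client_ca."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(cafile=client_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails if no valid client cert
    return ctx

def client_common_name(peer_cert):
    """Pull commonName out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in (peer_cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def is_allowed(peer_cert, allowed=ALLOWED_CLIENTS):
    return client_common_name(peer_cert) in allowed

class LogHandler(http.server.SimpleHTTPRequestHandler):
    """Serves the log directory read-only, and only to allow-listed certificates."""
    def send_head(self):  # called for both GET and HEAD
        if not is_allowed(self.connection.getpeercert()):
            self.send_error(403, "client certificate not authorised")
            return None
        return super().send_head()

def main(argv):
    if len(argv) != 6:
        print("usage: serve_logs.py BIND_ADDR LOGDIR SERVER_CERT SERVER_KEY CLIENT_CA")
        return 2
    bind_addr, logdir, cert, key, ca = argv[1:]
    handler = functools.partial(LogHandler, directory=logdir)
    httpd = http.server.HTTPServer((bind_addr, 8443), handler)
    httpd.socket = build_context(cert, key, ca).wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Binding to the internal address only keeps the listener off outside-facing interfaces, and the TLS session protects the log transfer from the sniffing described in the reply.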
