Security Basics mailing list archives

Re: securing an FTP service


From: Raphaël Rigo ML <ml () twilight-hall net>
Date: Tue, 23 Nov 2004 14:18:08 +0100

Davide wrote:

Hi everybody. Would you please give me some hints for the following situation?
In a win-based network, a folder contains some documents
that have to be made available to company employees when
they are not in the HQ but they are in a local branch office
this is currently implemented by an FTP server (win 2kserver); the ftproot is the root dir of the documents.
the server is connected to internet:

(internet)---(router)---(firewall)---(LAN)---(server)

employees access from a remote location office using their win logon credentials (no anonymous access is provided). The 
local branch office accesses internet with a dynamic IP provided by ISP. What security concerns are raised in this 
setting? Should I use a DMZ, using the server to provide FTP services and moving the ftproot folder to another server 
INSIDE the DMZ (linked to a shared folder)?
How can I overcome the problem that FTP passwords are transmitted not encrypted? Should a VPN between HQ provide the 
panacea for these problems?

thanks in advance
davide

Hello,
The problem is that (if I understand your network correctly), everybody in the LAN is able to sniff the passwords as they are transmitted in plaintext. One of the easiest ways to get more security without changing your network would be to use a TLS/SSL-enabled FTP server, along with clients supporting this. I am not aware of any TLS-enabled FTP server for Windows licensed under a free license, but a good commercial one is Blackmoon Ftp Server. For the clients, still on Windows, I can only recommend FileZilla (http://filezilla.sf.net), which is a really good FTP/SFTP client licensed under the GPL.

I hope this helps.
Raphaël
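
Added example, not part of the original messages: a small Python audit of an FTP control-channel log that flags logins sent before AUTH TLS succeeds and transfers made without PROT P (the RFC 4217 sequence a TLS-enabled server and client should follow). The "C:"/"S:" log format, the user name and the sample sessions are constructed assumptions.

```python
# Constructed control-channel logs ("C:" client, "S:" server); format is assumed.
PLAIN_SESSION = """\
S: 220 FTP server ready
C: USER alice
S: 331 Password required
C: PASS example-password
S: 230 User logged in
C: RETR report.doc
"""

TLS_SESSION = """\
S: 220 FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER alice
S: 331 Password required
C: PASS example-password
S: 230 User logged in
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to P
C: RETR report.doc
"""

DATA_CMDS = {"RETR", "STOR", "APPE", "LIST", "NLST"}

def audit_ftp_session(log):
    """Return findings for credentials or data sent outside TLS (RFC 4217 flow)."""
    findings = []
    tls_on = data_private = False
    last = ("", "")  # most recent client command as (verb, argument)
    for line in log.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.strip().partition(" ")
            last = (verb.upper(), arg.strip().upper())
            if last[0] in ("USER", "PASS") and not tls_on:
                findings.append(f"{last[0]} sent before TLS was established")
            elif last[0] in DATA_CMDS and not data_private:
                findings.append(f"{last[0]} data channel not protected (no PROT P)")
        elif side == "S":
            code = text[:3]
            # 234 accepts AUTH TLS; 200 after PROT P makes data transfers private.
            if last[0] == "AUTH" and last[1] in ("TLS", "SSL") and code == "234":
                tls_on = True
            elif last == ("PROT", "P") and code == "200" and tls_on:
                data_private = True
    return findings
```

A session where the server refuses AUTH TLS and the client falls back to a plain login is reported the same way as a session that never tried TLS.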

