Brice Gibson wrote:
> 
> We are opening an FTP server to the Internet.  The FTP server potentially
> will handle multiple simultaneous connections.
> 
> The FTP server is a private server requiring a username and password.
> Yes we are running M$ and SQL Server, but will migrate to UNIX and probably
> Oracle before the year is out.

Username/password authentication is only as strong as the users want it to
be. And, since FTP does clear text authentication, it is trivial to sniff
the username/password off the wire. 
 
> Questions:
> 1.      Generally speaking is there a limit on simultaneous FTP connections?
> 2.      Are usernames and passwords sent via clear text?

YES! This is why SSH or OpenSSH are a better choice. There are actually
several reasons that scp is better than ftp:

1) Choice of encrypted passwords or public/private key exchange.
2) Easier (IMHO) to script a recurring file transfer.
3) Multi-layer security: passphrase for key, key for login, encrypted data. 

> 3.      If so, what do you suggest to encrypt them? (VPN?)

A VPN is totally different from a file transfer service. If you want to set
up a VPN, then there is absolutely no need for an FTP server on the 'net,
since the users will be on the same LAN as the server they want to get to. 

> 4.      Are there any other security risks (besides the security hole called
> Win2000) that I should be aware of?

At present, there is no possible way to secure Win2K. Especially if it is
running IIS. IIS requires 3 "Application" Accounts in order to run, and
those accounts have to have administrator privileges (this is all done
during the IIS install). The kicker here is that the system creates the
passwords for the application accounts and you can't change them or IIS
will stop working. It's a feature.  

Kenny
-- 
******************************
If at first you don't succeed,
Blame it on management.
******************************
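The point Kenny makes about FTP ("trivial to sniff the username/password off the wire") can be shown concretely. The following is an added example, not code from the original post or from any project it mentions: it walks a constructed transcript of an FTP control channel, as a sniffer on the same segment would see it, and pairs every USER command with the PASS that follows it and with the server's reply. The transcript, host name, user names and passwords are all made up for the example.

```python
"""
Why FTP credentials are trivial to sniff: the control channel carries
USER and PASS as plain ASCII lines. Added example, not from the original
post. The transcript below is constructed, not a real capture.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed transcript of an FTP control channel. 'C:' lines go
# client->server, 'S:' lines server->client, in the order seen on the wire.
CAPTURED_SESSION = """\
S: 220 ftp.example.com FTP server ready.
C: USER alice
S: 331 Password required for alice.
C: PASS Winter2001!
S: 230 User alice logged in.
C: PWD
S: 257 "/" is current directory.
C: USER bob
S: 331 Password required for bob.
C: PASS wrongpass
S: 530 Login incorrect.
C: QUIT
S: 221 Goodbye.
"""

_CLIENT_RE = re.compile(r"^C:\s*(\S+)(?:\s+(.*))?$")
_SERVER_RE = re.compile(r"^S:\s*(\d{3})")


def parse_session(transcript: str) -> List[Tuple[str, str, Optional[str]]]:
    """Turn the transcript into (direction, token, argument) tuples.

    direction is 'C' or 'S'; token is the FTP verb (upper-cased) for client
    lines or the three-digit reply code for server lines; argument is the
    rest of the line, or None if there is none.
    """
    events: List[Tuple[str, str, Optional[str]]] = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CLIENT_RE.match(line)
        if m:
            events.append(("C", m.group(1).upper(), m.group(2)))
            continue
        m = _SERVER_RE.match(line)
        if m:
            events.append(("S", m.group(1), line[m.end():].strip() or None))
    return events


def extract_credentials(transcript: str) -> List[Dict[str, Optional[object]]]:
    """Pair each USER with the PASS that follows it and record the outcome.

    Returns one dict per login attempt: {'user', 'password', 'accepted'}.
    'accepted' is True on a 230 reply, False on a 530 reply, and None if
    the capture ended before the server answered the PASS.
    """
    attempts: List[Dict[str, Optional[object]]] = []
    current: Optional[Dict[str, Optional[object]]] = None
    for direction, token, arg in parse_session(transcript):
        if direction == "C" and token == "USER":
            if current is not None:          # a USER with no reply yet
                attempts.append(current)
            current = {"user": arg, "password": None, "accepted": None}
        elif direction == "C" and token == "PASS" and current is not None:
            current["password"] = arg
        elif (direction == "S" and current is not None
              and current["password"] is not None):
            # Only the reply *after* PASS tells us whether the pair worked.
            if token == "230":
                current["accepted"] = True
                attempts.append(current)
                current = None
            elif token == "530":
                current["accepted"] = False
                attempts.append(current)
                current = None
    if current is not None:
        attempts.append(current)
    return attempts


if __name__ == "__main__":
    for attempt in extract_credentials(CAPTURED_SESSION):
        status = {True: "accepted", False: "rejected", None: "no reply"}[attempt["accepted"]]
        print(f"{attempt['user']!s}:{attempt['password']!s}  ({status})")
```

Everything the script recovers was readable by anyone on the path between client and server; the same capture of an SSH session would show only the key exchange followed by ciphertext, which is the practical reason behind preferring scp or sftp with key-based authentication over FTP.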

**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************