how to validate a secure ftp site


KGB

Apr 1, 2008, 2:27:47 PM
to IT Audit Forum
Does anyone have suggestions on how to validate that an FTP site is
secure? Are there a couple of standard tests that you have found
effective/useful?

Steve

Apr 1, 2008, 2:46:23 PM
to IT Audit Forum
FTP is not a preferred option for most corporate needs. It (and
telnet) communicate in clear text. This is especially risky if a
powerful account (such as "root") were to log into the FTP server. If
anyone were sniffing the network, they would now have the root
password and therefore have full access to the box. There are other
options that allow file transfers securely. Just Google 'secure ftp'
and I'm sure there's a whole list of them.

If I were to audit an 'ftp site' (and by site, I'm going to assume a
'server' belonging to your organization), I would assume standard
webserver or general-server security controls and processes would be
in place and would audit with a similar audit program/approach
(haven't ever audited an 'ftp site', but that would be my initial
approach).

If you are trying to test the security of an external FTP server,
there are some 'website validation tools' that are available. Here
are a couple of links:
- McAfee: www.siteadvisor.com/download/ie.html
- NetCraft: http://toolbar.netcraft.com/

Hope that helps.
Steve

KGB

Apr 1, 2008, 3:17:14 PM
to IT Audit Forum
Sorry about the open-ended question. To clarify, we have procedures
that say transmission of files needs to be secure. If an application
requires us to send a file via ftp and the vendor tells me it is
secure, how do I know? I have an ftp address and the only test I
could come up with was to check for anonymous access. Is there a way
to check for SFTP? Will the McAfee and NetCraft help me review a
third party FTP server?
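
One way to approach the SFTP question in the post above, as an added example that is not part of the original thread: read the service banner to tell an SSH endpoint (which SFTP runs over) from a plain FTP endpoint, and for FTP ask via FEAT whether AUTH TLS is advertised. The function names and sample banners are constructed for illustration.

```python
import re
import socket

def classify_banner(banner: bytes) -> str:
    """Classify the first line a service sends after the TCP connect."""
    line = banner.split(b"\n", 1)[0].strip()
    if line.startswith(b"SSH-"):   # SSH identification string (RFC 4253)
        return "ssh"
    if line.startswith(b"220"):    # FTP service-ready greeting (RFC 959)
        return "ftp"
    return "unknown"

def ftp_offers_tls(feat_reply: bytes) -> bool:
    """True if a FEAT reply (RFC 2389) advertises AUTH TLS (RFC 4217)."""
    for raw in feat_reply.upper().splitlines():
        words = re.split(rb"[ ;]+", raw.strip())
        if words[0] == b"AUTH" and b"TLS" in words[1:]:
            return True
    return False

def read_reply(sock, data: bytes = b"") -> bytes:
    """Read until the final line of an FTP reply ('NNN ' prefix) arrives."""
    while not (data.endswith(b"\n") and re.match(rb"\d{3} ", data.splitlines()[-1])):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect once, read the banner, and for FTP ask which features exist."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            first = sock.recv(1024)
        except socket.timeout:
            first = b""   # silent port, e.g. a service waiting for a TLS handshake
        result = {"service": classify_banner(first)}
        if result["service"] == "ftp":
            read_reply(sock, first)            # drain a multi-line greeting
            sock.sendall(b"FEAT\r\n")
            result["auth_tls"] = ftp_offers_tls(read_reply(sock))
            sock.sendall(b"QUIT\r\n")
        return result

# Constructed sample data, not captured from any real server.
SAMPLE_SSH = b"SSH-2.0-ExampleSSH_1.0\r\n"
SAMPLE_FTP = b"220 Example FTP server ready\r\n"
SAMPLE_FEAT = b"211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End\r\n"
```

An "ssh" result shows that an SSH service answered on that port, not that its SFTP subsystem is enabled, and an "ftp" result with `auth_tls` False only means FEAT did not advertise TLS. In both cases the vendor's stated configuration still needs to be confirmed with an actual client session.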