We are using an FTP server, which is on a Unix machine, to download files to our application, making use of the Apache Commons Net package. However, we are getting some concern from the network security team that we are putting the FTP user name and password in clear text in config files. One approach to this problem was to encrypt the username and password and put them in the database. However, the network security team doesn't feel safe, as the user name and password go over the network. They want us to use the Oracle BFILE feature instead, but we have some advantages, such as creating folders and stuff, using the Apache Commons package, which we lose with BFILE. Can someone comment on this? I felt FTP using the Net package was safe, as it's server-to-server communication.
[ August 25, 2008: Message edited by: Raghunandan Mamidala ]
I could understand it if this was between desktop machines and servers (desktops are generally less trusted). But by that logic everything that goes on in the server subnetwork is in danger and needs to be encrypted. There's probably unencrypted access to file servers going on which have more valuable material than an FTP password.
Between servers it shouldn't be hard to set up SSH, and thus SFTP. That provides security for file transfers.
It's an external application and goes through the firewall. I read somewhere that the firewall would not be able to recognize the port as it is encrypted.
It's an external application and goes through the firewall
So the traffic goes through the public internet?
I read somewhere that the firewall would not be able to recognize the port as it is encrypted
I don't understand what this means. A port is either open or not; it doesn't get "recognized". Either way, the firewall doesn't care too much about whether it's letting through (or blocking) encrypted or unencrypted traffic.
[ August 25, 2008: Message edited by: Ulf Dittmer ]
Yes, it's a public website (Internet application); traffic goes over the Internet. And our web server sends the FTP username and PWD over the network to the Business Object server, invoking a job which creates a PDF and places it in the FTP location.
[ August 25, 2008: Message edited by: Raghunandan Mamidala ]
You can't talk about standard FTP and security in the same sentence. Passwords are sent in the clear.
You really should use SFTP (which is really FTP over SSH).
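What "passwords are sent in the clear" looks like to anyone observing the link, as an added example that is not part of the original thread: a small audit routine run over two constructed control-channel captures, one plain FTP login and one SFTP session inside SSH. The host name, account name, password and SSH version strings are made up for illustration.

```python
import re

# Constructed captures ("C:" = client, "S:" = server); not taken from the thread.
PLAIN_FTP = [
    "S: 220 ftp.example.test ready",
    "C: USER reportjob",
    "S: 331 Password required",
    "C: PASS s3cret-value",
    "S: 230 Login successful",
    "C: MKD /reports/2008",
]
# SFTP runs inside SSH: after the version exchange only ciphertext is visible.
SFTP_OVER_SSH = [
    "S: SSH-2.0-exampleserver_1.0",
    "C: SSH-2.0-exampleclient_1.0",
    "C: <encrypted packet>",
    "S: <encrypted packet>",
]

# FTP login commands are plain text lines on the control connection.
LOGIN_CMD = re.compile(r"^C: (USER|PASS)\s+(.*)$", re.IGNORECASE)


def audit_capture(lines):
    """Return the credential exposures a passive observer could read."""
    findings = []
    user = None
    for number, line in enumerate(lines, start=1):
        if line.startswith(("S: SSH-", "C: SSH-")):
            return []  # SSH transport: the login happens inside the tunnel
        match = LOGIN_CMD.match(line.strip())
        if not match:
            continue
        verb, argument = match.group(1).upper(), match.group(2)
        if verb == "USER":
            user = argument
        else:
            # PASS seen in clear text: report it without echoing the secret.
            findings.append({"line": number, "user": user,
                             "password_exposed": True})
    return findings


if __name__ == "__main__":
    print("plain FTP :", audit_capture(PLAIN_FTP))
    print("SFTP/SSH  :", audit_capture(SFTP_OVER_SSH))
```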
I found a solution to this. We have a Business Object (BO) server, which is an SAP product. We can run the Crystal reports in the BO server and schedule them, and BO gives a Java API to schedule the reports. This BO server is usually inside the firewall, hence FTP and email jobs can be triggered from the web app without passing the user name and password or SMTP details, thus avoiding the transmission of sensitive data over the network. We can import a Crystal report to the Business Object server and set FTP details like location, name and password through the Business Object server console (the FTP details can be set at report level, so they can be different for each report), and through the SDK (Java API for Business Object server) run the report and trigger the FTP process.
[ September 23, 2008: Message edited by: Raghunandan Mamidala ]