FTP Server Security

Sri Anand
Ranch Hand

Joined: Mar 06, 2005
Posts: 392
We are using an FTP server, which is on a Unix machine, to download files to our application, making use of the Apache Commons Net package. However, we are getting some concern from the network security team that we are putting the FTP user name and password in clear text in config files. One approach to this problem was to encrypt the username and password and put them in the database.
However, the network security team doesn't feel safe, as the user name and password go over the network. They want us to use the Oracle BFile feature instead, but we have some advantages, such as creating folders and so on, using the Apache Commons package, which we lose with BFile.
Can someone comment on this? I felt FTP using the Net package was safe, as it's server-to-server communication.
[ August 25, 2008: Message edited by: Raghunandan Mamidala ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42913
    
I could understand it if this was between desktop machines and servers (desktops are generally less trusted). But by that logic everything that goes on in the server subnetwork is in danger and needs to be encrypted. There's probably unencrypted access to file servers going on which have more valuable material than an FTP password.

Between servers it shouldn't be hard to set up SSH, and thus SFTP. That provides security for file transfers.
Sri Anand
Ranch Hand

Joined: Mar 06, 2005
Posts: 392
It's an external application and goes through the firewall. I read somewhere that the firewall would not be able to recognize the port as it is encrypted.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42913
    
> It's an external application and goes through the firewall

So the traffic goes through the public internet?

> I read somewhere that the firewall would not be able to recognize the port as it is encrypted

I don't understand what this means. A port is either open or not; it doesn't get "recognized". Either way, the firewall doesn't care too much about whether it's letting through (or blocking) encrypted or unencrypted traffic.
[ August 25, 2008: Message edited by: Ulf Dittmer ]
Sri Anand
Ranch Hand

Joined: Mar 06, 2005
Posts: 392
Yes, it's a public website (Internet application); traffic goes over the Internet.
And our web server sends the FTP username and PWD over the network to the Business Object server, invoking a job which creates a PDF and places it in the FTP location.

[ August 25, 2008: Message edited by: Raghunandan Mamidala ]
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659
    

You can't talk about standard FTP and security in the same sentence. Passwords are sent in the clear.

You really should use SFTP (which is really FTP over SSH).
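
The point made in this post, that standard FTP sends the password in the clear, can be checked against a capture of the control channel. The Python sketch below is an added example, not code from anyone in this thread; the host name, user, password and capture are constructed, and the function name is hypothetical. It reports every PASS command readable on the wire without echoing the password itself.

```python
import re

# Constructed sample: one FTP control-channel session as seen on the wire.
# "C" = client to server, "S" = server to client. All values are made up.
SAMPLE_CAPTURE = [
    ("S", b"220 ftp.example.test FTP server ready\r\n"),
    ("C", b"USER reportjob\r\n"),
    ("S", b"331 Password required for reportjob\r\n"),
    ("C", b"PASS s3cr3t-Pdf!\r\n"),
    ("S", b"230-Welcome\r\n230 User reportjob logged in\r\n"),
    ("C", b"CWD /outbound/pdf\r\n"),
    ("S", b"250 CWD command successful\r\n"),
]

# An FTP command is a 3-4 letter verb, optionally followed by one argument.
COMMAND = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$")


def find_cleartext_logins(segments):
    """Return one finding per PASS command readable on the control channel."""
    findings, user, pending = [], None, None
    buffers = {"C": b"", "S": b""}
    for direction, data in segments:
        buffers[direction] += data
        # Commands and replies end in CRLF and may be split across segments.
        while b"\r\n" in buffers[direction]:
            line, buffers[direction] = buffers[direction].split(b"\r\n", 1)
            if direction == "C":
                match = COMMAND.match(line)
                if not match:
                    continue
                verb = match.group(1).upper()
                arg = (match.group(2) or b"").decode("latin-1")
                if verb == b"USER":
                    user = arg
                elif verb == b"PASS":
                    # Record only the length so the report does not leak the secret.
                    pending = {"user": user, "password_length": len(arg),
                               "accepted": False}
                    findings.append(pending)
            elif pending is not None and line[:3].isdigit() and line[3:4] == b" ":
                # First final reply after PASS: 230 means the login succeeded.
                pending["accepted"] = line.startswith(b"230")
                pending = None
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_CAPTURE):
        print("cleartext FTP login:", finding)
```
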
Sri Anand
Ranch Hand

Joined: Mar 06, 2005
Posts: 392
I found a solution to this. We have a Business Object server (BO), which is a SAP product. We can run the Crystal reports in the BO server and schedule them, and BO gives a Java API to schedule the reports. This BO server is usually inside the firewall, hence FTP and email jobs can be triggered from the web app without passing the user name and password or SMTP details, thus avoiding the transmission of sensitive data over the network.
We can import a Crystal report to the Business Object server and set FTP details like location, name and password through the Business Object server console (the FTP details can be set at report level, so they can be different for each report), and through the SDK (Java API for Business Object server) run the report and trigger the FTP process.
[ September 23, 2008: Message edited by: Raghunandan Mamidala ]