
Re: Implementing SFTP with FTPAPI



Thank you. 

On 9/13/05, Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:


> What kind of security risks am I exposed to using ftpapi? I recently started
> using ftpapi and now am fielding questions from the naysayers on security
> and that I'm opening the iSeries to great risks. Thanks for your insight.

That depends on what your organization considers to be a security risk.

A few things to consider:

a) FTPAPI is client software, not a server.

A server program is a much bigger risk because it sits on the computer in
the background all the time waiting for people to connect to it.  An
attacker could connect, exploit a bug in the software, and do something
bad to your system.

But FTPAPI isn't a server.  It's a client.  It doesn't listen for other
things to connect to it; instead, it makes connections of its own.
Consequently, it's much less vulnerable to attacks.

b) FTPAPI is unencrypted, as per the FTP standard.  That means that anyone
who has access to any of the communication lines that your data is
transmitted over would be able to "sniff" the packets and see what's being
sent.  Consequently, I wouldn't use it for sending very sensitive
information, such as social security numbers, bank account information,
etc.  Unless, of course, another means was in place of securing that
information, such as a secure proxy or VPN that you trust.

c) Since it's unencrypted and people with access to the comm lines can
observe the traffic, there's a risk that the userid/password that you send
over the FTP session can be seen (and subsequently used) by a 3rd party.
That's not normally a risk to the iSeries where FTPAPI is running.
Instead, it's a risk to the FTP server that you're making a connection to,
since THAT is what the userid/password is for.

d) FTPAPI is no more or less secure than any other unencrypted internet
tool.  When you use a web browser to connect to a web site, for example,
and don't use SSL -- you're running the same level of risk.   Similarly,
if you use Telnet or TN5250 without using SSL or some other form of
encryption, you run the same level of risk (or much greater, since TELNET
usually gives the user command-line access!).  When you use IBM's FTP
command without SSL, it sends the exact same data over the line that
FTPAPI does and has the exact same level of security exposure.


Just running a computer has its risks.  Absolutely no computer technology
is 100% safe and secure.  You have to decide for yourself what level of
risk is acceptable in your environment.

It's my guess and my opinion that FTPAPI is very unlikely to be the
biggest security risk on your system.  Most of the time, the users are the
biggest security risk. It's easy to convince them that you have a need to
know their passwords and/or what they do at their jobs.
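As an added illustration of point (c), not code from this thread or from FTPAPI: a small Python audit over a constructed FTP control-channel transcript. It reports which account's password crossed the wire in the clear and which server those credentials belong to (the party actually put at risk), and stops reporting once the server accepts AUTH TLS, since everything after that reply is encrypted. Host, account name and password are made up.

```python
import re

# Constructed sample of an FTP control channel as an observer on the path
# would see it (made-up host, account and password; not real credentials).
CLEARTEXT_SESSION = """\
220 ftp.example.invalid FTP server ready
USER batchacct
331 Password required for batchacct
PASS s3cret-example
230 User batchacct logged in
QUIT
"""

# Same login over FTPS: after the 234 reply the channel is TLS-encrypted,
# so USER/PASS never appear in the clear (constructed, cut at the handshake).
FTPS_SESSION = """\
220 ftp.example.invalid FTP server ready
AUTH TLS
234 Proceed with negotiation (TLS)
"""


def audit_ftp_control(text):
    """Scan one FTP control-channel transcript and report logins whose
    password crossed the wire unencrypted.  Passwords are never echoed;
    only their length is reported."""
    findings = []
    server = None
    pending_user = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("220 "):
            server = line.split()[1]      # host name from the greeting banner
        elif line.startswith("234 "):
            return findings               # AUTH TLS accepted: rest is ciphertext
        m = re.match(r"^(USER|PASS)\s+(\S.*)$", line, re.IGNORECASE)
        if not m:
            continue
        cmd, value = m.group(1).upper(), m.group(2)
        if cmd == "USER":
            pending_user = value
        elif pending_user is not None:
            findings.append({"server": server, "user": pending_user,
                             "password_len": len(value), "cleartext": True})
            pending_user = None
    return findings
```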
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------