06-07-2010 08:57 AM - edited 03-11-2019 10:55 AM
Hi All,
My company only allows a few protocols outbound to the internet, like HTTP and HTTPS. We are not currently allowing FTP outbound. My question is: does outbound FTP access have flaws or security vulnerabilities? Is there any reason I should not allow FTP outbound for people in my company? Currently we are allowing only a few FTP sites on the firewall and blocking the rest.
Thanks
06-07-2010 09:03 AM
Hi,
FTP is sent in clear text.
So it is vulnerable to man-in-the-middle attacks, for example.
Have you considered using SFTP?
Federico.
06-07-2010 09:18 AM
Hi,
This is only general outbound connections, not inbound. My company staff members would like to have full FTP access on port 21 outbound. Is there any reason I should reject this request due to security vulnerability? I know FTP is insecure and passes passwords in clear text. Nowadays you can use HTTP for the same purpose as FTP, like downloading and uploading files, so blocking FTP seems not reasonable... What do you think?
06-07-2010 10:12 AM
Hi,
There's not much difference from a security perspective between allowing outbound FTP, outbound HTTP, or some other non-secure protocol.
What you can do is allow the outbound access but make sure that this outbound access is permitted only to those that are allowed to access the service.
Create ACLs to permit only the IP addresses in question and require some sort of authentication of the valid users.
If possible keep an accounting of the FTP transactions also.
In short, you can allow FTP (if needed for business purposes), but make sure you restrict it to be used only by the intended users and to the intended site(s).
Federico.
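The restriction and accounting suggested in the last reply can be checked against connection records. The following is an added example, not part of the original thread or any poster's code: it audits outbound FTP control connections against an allowlist of permitted sources and approved FTP servers. The addresses, the log format and the function names are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed policy (assumption): the internal hosts allowed to use FTP
# and the external FTP servers approved for business use.
ALLOWED_SOURCES = [ipaddress.ip_network("10.1.20.0/28")]
ALLOWED_FTP_SERVERS = [ipaddress.ip_network("198.51.100.10/32"),
                       ipaddress.ip_network("203.0.113.0/29")]
FTP_CONTROL_PORT = 21  # only the control channel is audited here

# Constructed connection records: "timestamp src dst dport"
SAMPLE_LOG = """\
2010-06-07T10:00:01 10.1.20.5 198.51.100.10 21
2010-06-07T10:00:09 10.1.20.5 192.0.2.77 21
2010-06-07T10:01:30 10.1.30.8 198.51.100.10 21
2010-06-07T10:02:12 10.1.20.9 203.0.113.4 21
2010-06-07T10:02:40 10.1.20.9 203.0.113.4 443
"""

def in_any(addr, networks):
    return any(addr in net for net in networks)

def audit_ftp(log_text):
    """Return (Counter of permitted (src, dst) pairs, list of violations)."""
    permitted, violations = Counter(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        ts, src, dst, dport = parts
        if int(dport) != FTP_CONTROL_PORT:
            continue  # not an FTP control connection
        reasons = []
        if not in_any(ipaddress.ip_address(src), ALLOWED_SOURCES):
            reasons.append("source not authorized")
        if not in_any(ipaddress.ip_address(dst), ALLOWED_FTP_SERVERS):
            reasons.append("destination not approved")
        if reasons:
            violations.append((ts, src, dst, ", ".join(reasons)))
        else:
            permitted[(src, dst)] += 1  # accounting of allowed sessions
    return permitted, violations

if __name__ == "__main__":
    ok, bad = audit_ftp(SAMPLE_LOG)
    for (src, dst), n in ok.items():
        print(f"permitted {src} -> {dst}: {n} session(s)")
    for ts, src, dst, why in bad:
        print(f"VIOLATION {ts} {src} -> {dst}: {why}")
```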