Question

  Asked: Sep 1 2006   8:22 AM GMT
  Asked by: mconfer


SECURE FTP SITE ON Windows 2003



We have a Windows 2003 IIS server set up behind our firewall, which is a PIX firewall. What is the best method to establish a secure FTP site on this IIS server? I have reviewed this topic on the internet and actually talked with somebody from IPSWITCH and the best method available is to purchase a third party client setup, such as IPSWITCH. This would mean end users would have to install this client when they first try to hit our FTP site and secondly they could not simply use Internet Explorer. What we want, if it exists, is to establish a secure FTP site where the end user can use their Internet Explorer browser. They can transmit files to us once they are connected and the user knows it is a secure site connection. I also talked to Verisign and they told me their certificates do not work in establishing a secure FTP site. Will the end user then be able to come directly through the internet to our FTP site, then have to login with a userid and password and be able to upload or download files from our site?


Answer Wiki



You've stumbled across something that a lot of us deal with in the MS world when trying to accomplish this. From my personal experience with it I would do one of two things:

1) Consider using a standard FTP server with PGP encrypted files.
2) Consider using a third party product as you already have one of the better ones out there (IPSWITCH).
3) A potential solution might be to allow outside users a Web SSL VPN connection into a DMZ where all they can see is your FTP server and then pass files to it along a VPN tunnel. You'd need a Cisco VPN 3005 or a newer ASA series firewall to do this though. Users would just hit a website, login to the SSL VPN and just click the object for the FTP server and pass a file along using the VPN tunnel and then sign out.

I've used the Ipswitch WS_FTP Pro client with good results with PGP encrypted and unencrypted files. The only problems I had were when some boneheads used really old versions of PGP which WS_FTP didn't really like. Otherwise it worked well, esp. with the automated scripting client it comes with and the auto-decryption of files ending in .pgp. That was great.

best regards
Discuss This Answer

mconfer  |   Sep 1 2006  10:22AM GMT

Thanks for the reply. If we go with option one, implementing the standard FTP site with unique userid login/passwords with each user having their own folder for files, how would the PGP work? Would each client have to download PGP to purchase it or is that provided on a server level purchase? Would the client then have to learn PGP to encrypt files to send to us?

Do you know of other options besides ipswitch and if we use ipswitch or other third party software, do we need to use PGP on top of that?

Thanks

 

Turman  |   Sep 1 2006  10:54AM GMT

One option is to set up a WebDAV site on your IIS server, instead of FTP. Then protect it with SSL. Here are some sites that I read before choosing that route:

http://groups.google.com/group/microsoft.public.inetserver.iis.security/browse_frm/thread/c2e7f34b19558ac3/dcff166eaa262eae?lnk=st&q=webdav+iis+ssl+6.0&rnum=3&hl=en#dcff166eaa262eae

and

http://www.windowsitpro.com/Article/ArticleID/49847/49847.html

 

mconfer  |   Sep 1 2006  11:27AM GMT

By using WebDAV can you set up a unique folder for each login ID and password? The users will not be our staff, but all our clients and reps. They will be downloading files or uploading files to and from the site. Is WebDAV as secure and easy to use as a secure FTP site?

Lastly, what about the PGP option? Do we need this for both the WebDAV and the secure FTP or only as a method if we go with the standard FTP site? PGP is no longer free and how is this worked out for client use? Do we pay for that beforehand in a server license agreement and they set up from us and then they need trained to use PGP?

Thanks

 

Turman  |   Sep 1 2006  11:51AM GMT

When using WEBDAV, you can create unique folders and then secure them to users or groups by granting them create, read, delete rights.

It would be the same as users browsing a shared drive. Users can see everyone’s folder, but can’t access them unless they have read rights.
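The per-user folder layout described in the reply above, as an added example that is not part of the original thread: each client gets a folder under the WebDAV root with inheritance cut off, so only that account plus Administrators and SYSTEM hold rights on it. The root path `D:\WebDavRoot` and the `CLIENTS\...` accounts are assumed placeholders; the accounts must already exist and the script must run as an administrator.

```powershell
# Added example (not from the thread): per-client folders locked down with NTFS ACLs.
# Assumed placeholders: the root path and the account names below.
$root  = 'D:\WebDavRoot'
$users = 'CLIENTS\acme', 'CLIENTS\globex'   # constructed sample accounts

# ACEs apply to the folder itself and to everything created beneath it.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

function New-AllowRule([string]$Identity,
                       [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $inherit, $propagate, $allow
}

foreach ($user in $users) {
    $dir = Join-Path $root (($user -split '\\')[-1])
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    $acl = Get-Acl -Path $dir
    # $true  = protect this folder from inherited ACEs
    # $false = do not copy the inherited ACEs into the folder as explicit ones
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
    # Modify = read, write, delete; no permission to change the ACL or take ownership.
    $acl.AddAccessRule((New-AllowRule $user 'Modify'))
    Set-Acl -Path $dir -AclObject $acl

    # Check the result: every ACE should be explicit (IsInherited = False) and
    # no other client account or broad group (Users, Everyone) should be listed.
    (Get-Acl -Path $dir).Access |
        Select-Object @{n='Folder';e={$dir}}, IdentityReference, FileSystemRights, IsInherited
}
```

Folders that already carried explicit ACEs before the script ran keep them, so review the printed ACL for unexpected entries.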

 

PDMeat  |   Sep 6 2006  9:29AM GMT

If you choose Ipswitch WS FTP, it has licensed patented PGP algorithms so you don’t need to purchase or use another PGP program for it to work. Other users can download using standard FTP and use a third party PGP program to decrypt if they like, but I ran into the issue of older free versions of PGP that used only unpatented algorithms and had issues with the files (these versions were years old).

In my case I was writing the simple automated scripts that downloaded the files and auto-decrypted them from the client side.

In your case, you will host the server and have to handle clients. If the clients may be using various browsers and or linux/unix OS, I don’t know how webdav would behave because I’ve not used it.

You can also run an SSH server, which the WSFTP client works with and all Linux/Unix hosts work with as well. I believe Ipswitch may have an SSH server product, but if not there are tons of them out there.

 

mconfer  |   Sep 6 2006  10:02AM GMT

Thanks for the feedback on the options, but which one do you think is the best method to implement: the Ipswitch, FTP with PGP or the VPN method? On top of that, do you know which one is the most cost effective method yet is secure?

Thanks

 

YosiNYC  |   Sep 8 2006  10:37AM GMT

Hi,

Regarding the cost: if this is going to be a very busy FTP server that is an integral part of your day to day business then going with WS_FTP w/PGP will justify the cost. However, if you’re going to use it lightly, and cost is an issue, you can give a standard FTP server a try; you can probably find tons of freeware that will take care of your file security needs.

hope this helps,
Yosi