Securing FTP on an Enterprise wide basis

One of the recent questions here in the ITKnowledge Exchange stated that the poster had blocked email services with a proxy server so that internal employees could not obtain Yahoo, AOL, and other external sources of security threats, and the poster wanted further support in blocking FTP websites or locations. I know that in many enterprises FTP might be used internally, so I suggested the implementation of IPSec to protect the enterprise from such a vulnerability.

Having just completed a university course on the deployment of IPSec using Windows Server 2003 and implementing such a deployment using AD, GPOs and group policy, much of my information is biased toward that platform. Are there similar implementations and deployment strategies using other platforms such as Apple's Mac OS X, Linux and Unix, to name a few? Please comment.

I provided the following documentation to support my claim of using IPSec with Group Policy in AD. This article covers many platform-independent issues in IPSec enterprise deployment as well as Microsoft-specific guidelines and best practices. This article discusses general troubleshooting techniques to determine the appropriate segments and issues in IPSec policy development, with a strong background in Microsoft Technical Support Tier 1, 2 and 3 involvement and specific fallibilities of the Microsoft NOS implementations, with error messages on IPSec implementation and deployment.

Again, what would help a person who wanted to block external FTP usage in the enterprise without blocking out the remaining protocols and isolating the system from the internet? Comments and feedback graciously accepted.


Perhaps I misread the question, but I think you’re talking about a couple of different things as if they were the same.

If you want to block all FTP access from inside your enterprise network, simply block TCP ports 20 and 21 outbound on your Internet-facing firewall. As always, your default policy on Internet firewalls should be to deny any from any, with exceptions coming higher in the ruleset.

Now…. If you want users from outside your corporate network to access internal FTP sites but have the sessions secured, then you want to set up either an SSH server in order to use SFTP (FTP-like functionality over SSH) or FTPS, which is FTP over TLS (or SSL, if necessary). The former can be done for free with readily-available software – or for cost, if you want more features or support – while the latter can be coded, but is most often purchased. Sterling Software is a noted vendor for FTPS.

Yes, you can secure communications with IPsec, but why go through that hassle? Especially when pushed with GPOs from a Windows box, then you’ve locked out all other platforms.

Like I said, maybe I missed the point up above….
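The firewall advice in the answer above, as an added worked example that is not code from the original post or from any product it mentions: a first-match outbound ruleset with the explicit allows placed above a final deny-any, evaluated against sample flows. It goes slightly beyond the answer by contrasting that default-deny ruleset with a permissive firewall that only blocks TCP/20 and TCP/21, to show why the ordering and the default policy matter. The rulesets, the port list, the sample flows and the nftables-style rendering are all constructed assumptions for illustration; the `Rule`, `evaluate` and `render_nft` names are hypothetical and belong to no real firewall tool.

```python
"""Simulated first-match packet filter for outbound traffic.

Constructed illustration of the policy described in the answer above:
explicit allows first, deny any-any last. Not code from the original post.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "drop"
    proto: Optional[str]    # "tcp", "udp", or None for any protocol
    dport: Optional[int]    # destination port, or None for any port
    comment: str = ""


# Sample default-deny outbound ruleset (constructed). FTP (TCP/20, TCP/21) is
# simply absent from the allow list, so the final catch-all drops it.
DEFAULT_DENY_RULES: List[Rule] = [
    Rule("accept", "tcp", 80, "HTTP"),
    Rule("accept", "tcp", 443, "HTTPS"),
    Rule("accept", "tcp", 22, "SSH, which also carries SFTP"),
    Rule("accept", "udp", 53, "DNS"),
    Rule("drop", None, None, "default deny any-any; must remain last"),
]

# Contrast case (constructed): permissive firewall with only FTP ports blocked.
# Same "block 20/21" intent, but the default is allow, so an FTP server
# listening on a non-standard port such as 2121 is reachable.
PERMISSIVE_WITH_FTP_BLOCK: List[Rule] = [
    Rule("drop", "tcp", 21, "FTP control"),
    Rule("drop", "tcp", 20, "FTP active-mode data"),
    Rule("accept", None, None, "allow everything else"),
]


def _matches(rule: Rule, proto: str, dport: int) -> bool:
    return rule.proto in (None, proto) and rule.dport in (None, dport)


def evaluate(rules: List[Rule], proto: str, dport: int) -> str:
    """Return the action of the first rule matching the flow.

    This is how a stateless packet filter walks its chain: order decides.
    If nothing matches, we return "drop", mirroring an implicit deny policy.
    """
    for rule in rules:
        if _matches(rule, proto, dport):
            return rule.action
    return "drop"


def ftp_blocked(rules: List[Rule]) -> bool:
    """True if the FTP control channel (TCP/21) is dropped.

    A client must complete the TCP/21 control connection before any data
    channel exists, so dropping port 21 is sufficient even for passive mode,
    where the data connection lands on an ephemeral server port the filter
    cannot predict.
    """
    return evaluate(rules, "tcp", 21) == "drop"


def render_nft(rules: List[Rule], chain: str = "output") -> str:
    """Render the ruleset in nftables-style syntax, preserving order.

    The syntax here is an assumption for illustration; it is not emitted by
    or validated against the real nft tool.
    """
    lines = [f"chain {chain} {{",
             "    type filter hook output priority 0; policy drop;"]
    for rule in rules:
        parts = []
        if rule.proto is not None:
            parts.append(rule.proto)
        if rule.dport is not None:
            parts.append(f"dport {rule.dport}")
        parts.append(rule.action)
        if rule.comment:
            parts.append(f'comment "{rule.comment}"')
        lines.append("    " + " ".join(parts))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, rules in (("default-deny", DEFAULT_DENY_RULES),
                        ("permissive", PERMISSIVE_WITH_FTP_BLOCK)):
        print(f"[{name}] tcp/21 -> {evaluate(rules, 'tcp', 21)}, "
              f"tcp/2121 -> {evaluate(rules, 'tcp', 2121)}, "
              f"tcp/443 -> {evaluate(rules, 'tcp', 443)}, "
              f"ftp_blocked={ftp_blocked(rules)}")
    print(render_nft(DEFAULT_DENY_RULES))
```

Two caveats the simulation makes visible: moving the deny-any rule to the top of `DEFAULT_DENY_RULES` drops every flow, including HTTPS, which is why the answer says exceptions must come higher in the ruleset; and the permissive ruleset blocks standard FTP but lets FTP on any other port through, whereas default deny catches it without a dedicated rule. Note also that explicit FTPS (AUTH TLS) shares TCP/21 and is blocked along with plain FTP, while SFTP over SSH on TCP/22 remains allowed by this sample policy.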

