Re: Another Secure FTP thread -- Protection Levels



Ed Gage wrote:
Your response suggests that there might be other products out there
that would have this capability. If so, what are they? Alternatively,
if we select a router that has a firewall which allows external
addresses to map to an internal NAT-protected IP, would that also solve
the problem?

Ed:

Didn't this thread start because you had another product that did have
this functionality and you wanted to know if you could replace it with
C-Kermit?

Here is your problem. Your company wants to have secure communications
between a client that you control and a remote server that you do not
control. In order to do this, you must create a mutually authenticated,
encrypted, and integrity protected channel between your client and the
remote server. At no point during the communication session can you
allow the encryption or integrity protection to drop without becoming
susceptible to an active attack whereby the attacker waits until the
authentication has been performed and then steals the TCP session.

At the same time your company doesn't want to allow any communication
through your firewall that is not authorized. You are enforcing that
policy by requiring the firewall to snoop each session and, if it is
FTP, either restrict what commands can be sent or log each command
that is sent so that there would be evidence of the transfer of a trade
secret. This is incompatible with the concept of a secure private
session between your client and the remote server.

You can't have it both ways. I don't write insecure applications.
If you want to hire someone to make your communications insecure you
can by all means do so. But if you are going to use software I wrote
to perform a secure communication then that communication is going to
be secure.

The whole notion of firewalls acting as the man in the middle is flawed.
You can't be the man in the middle when using HTTP over SSL/TLS to
communicate with your bank. Why should you be able to do so when the
protocol is FTP?

Jeffrey Altman
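The point made above, that once the session is authenticated neither the control channel nor the data channel may fall back to cleartext, can be checked mechanically against a control-channel transcript. The following is an added example written for this page; it is not code from the original post nor from C-Kermit. It implements a small audit of the RFC 2228 / RFC 4217 security commands (AUTH TLS, PBSZ, PROT, CCC) over constructed transcripts, flagging the two downgrade patterns a snooping firewall typically requires: CCC (control channel back to cleartext so the firewall can read PASV/PORT and RETR) and PROT C (data transferred in the clear). The transcript format, file names and credentials are made up for the example.

```python
"""Audit an FTP-over-TLS (RFC 4217) control-channel transcript for points where
authentication has already happened but protection is dropped afterwards.
Added example; transcripts below are constructed, not captured traffic."""

# Commands that open a data connection; their data is only protected after PROT P.
TRANSFER_COMMANDS = {"RETR", "STOR", "LIST", "NLST", "APPE", "STOU", "MLSD"}


def _parse(line):
    """Split 'C: AUTH TLS' / 'S: 234 ...' into (side, first token, remainder).
    For client lines the first token is the verb; for server lines it is the reply code."""
    side, _, rest = line.partition(": ")
    parts = rest.split(None, 1)
    return side, (parts[0].upper() if parts else ""), (parts[1] if len(parts) > 1 else "")


def audit_transcript(lines):
    """Return a list of (line_no, message) findings for a transcript.

    `lines` holds 'C: <command>' (client) and 'S: <reply>' (server) entries in order.
    Only 1xx/2xx/3xx replies change state; a rejected command (4xx/5xx) leaves it alone."""
    control_encrypted = False   # True once AUTH TLS is accepted (234)
    data_protected = False      # True once PROT P is accepted (200)
    authenticated = False       # True once PASS is accepted (230)
    pending = None              # last client command still waiting for its reply
    findings = []

    for no, line in enumerate(lines, 1):
        side, token, arg = _parse(line)
        if side == "C":
            pending = (no, token, arg.upper())
            # Anything after login on a cleartext control channel is exactly the
            # window in which an active attacker can inject commands or steal the session.
            if authenticated and not control_encrypted and token != "QUIT":
                findings.append((no, f"{token} sent on cleartext control channel after authentication"))
            continue
        if side != "S" or pending is None:
            continue
        code = token
        cmd_no, cmd, cmd_arg = pending
        pending = None
        if not code or code[0] not in "123":
            continue  # command rejected; security state unchanged
        if cmd == "AUTH" and cmd_arg == "TLS" and code == "234":
            control_encrypted = True
        elif cmd == "PROT" and code == "200":
            data_protected = (cmd_arg == "P")
            if authenticated and not data_protected:
                findings.append((cmd_no, "PROT C: data channel protection dropped after authentication"))
        elif cmd == "CCC" and code == "200":
            control_encrypted = False
            if authenticated:
                findings.append((cmd_no, "CCC: control channel returned to cleartext after authentication (hijack exposure)"))
        elif cmd == "PASS" and code == "230":
            authenticated = True
            if not control_encrypted:
                findings.append((cmd_no, "PASS: credentials sent on cleartext control channel"))
        elif cmd in TRANSFER_COMMANDS and code[0] == "1":
            if not data_protected:
                findings.append((cmd_no, f"{cmd}: file data transferred without PROT P"))
    return findings


# Constructed transcript: TLS stays on both channels for the whole session.
GOOD_SESSION = [
    "C: AUTH TLS", "S: 234 AUTH TLS successful",
    "C: PBSZ 0", "S: 200 PBSZ=0",
    "C: PROT P", "S: 200 Protection set to Private",
    "C: USER alice", "S: 331 Password required",
    "C: PASS hunter2", "S: 230 Login successful",
    "C: PASV", "S: 227 Entering Passive Mode (192,0,2,10,195,80)",
    "C: RETR design.pdf", "S: 150 Opening data connection", "S: 226 Transfer complete",
    "C: QUIT", "S: 221 Goodbye",
]

# Constructed transcript: CCC after login so a firewall can read PASV/RETR in the clear.
CCC_SESSION = GOOD_SESSION[:10] + ["C: CCC", "S: 200 Control channel now cleartext"] + GOOD_SESSION[10:]

# Constructed transcript: data channel dropped to clear before the transfer.
PROT_C_SESSION = GOOD_SESSION[:10] + ["C: PROT C", "S: 200 Protection set to Clear"] + GOOD_SESSION[10:]


if __name__ == "__main__":
    for name, session in (("good", GOOD_SESSION), ("ccc", CCC_SESSION), ("prot_c", PROT_C_SESSION)):
        print(name, audit_transcript(session))
```

The checker takes the post's rule literally: after PASS is accepted, a successful CCC or PROT C is a finding, and every later command on a cleartext control channel is reported as well, since that is where injected PORT/PASV commands or a stolen TCP session would go. Plain FTP (no AUTH TLS at all) is reported the same way, starting with the PASS line.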