Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] FTP: Passwort in cleartext!

To: Thomas Borger <[email protected]>
Subject: Re: [FW1] FTP: Passwort in cleartext!
From: Jason Witty <[email protected]>
Date: Fri, 02 Mar 2001 08:12:21 -0600
Cc: [email protected]
References: <[email protected]>
Sender: [email protected]

Thomas,

If that surprises you, the fact that these are all clear-text protocols
probably will too:

HTTP, Telnet (including tn3270 and tn5250), FTP, SMTP, POP2, POP3, IMAP,
SNMP, AOL Instant Messager (and older versions of AOL Network Client),
NNTP, X11, CVS, IRC, ICQ, Napster...I could keep going for days
here....  This is why it's so important to understand every protocol you
allow through your firewall, and the security ramafications associated
with it. (you should really check of Dsniff as well....ouch....)

That said, there are several alternatives for secure file transfer. 
Many people will say, "use PGP to encrypt the data and keep on using
FTP".  That particualr solution does, indeed, protect the data in
transit, but does not protect the username or password.  So here's some
other ways:

- HTTPS Java Upload - Have one of your developers write a simple
application that allows people to upload files to a web site over HTTPS.
- Use SCP (part of the SSH suite)
- Use SFTP (do a search for it on google and you'll find loads of info)
- Use FTP in conjunction with SecuRemote to tunnel all FTP traffic over
a VPN tunnel
- Use FTP in conjunction with an SSL wrapper program like SSLWrap
- Use CA's XCOM product

These are just a few of the possibilities - I'm sure others on the list
will have more....

Jason

Thomas Borger wrote:
> 
> Hi,
> 
> I have traced a connection from a client which would establish a
> ftp-connection to an intern FTP-Server over Firewall 1 with Ethercap and
> have been terrified.
> The accountname and corresponding passwords was transmitted in cleartext!
> Is there a alternative to transmitt this data not in cleartext?
> 
> regards
> Thomas
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

References:
- [FW1] FTP: Passwort in cleartext!
  - From: Thomas Borger <[email protected]>

Prev by Date: RE: [FW1] FW1 & Sun Hardware Recommendations please
Next by Date: Re: [FW1] Firewall-1 Upgrade
Previous by thread: Re: [FW1] FTP: Passwort in cleartext!
Next by thread: RE: [FW1] FTP: Passwort in cleartext!
Index(es):
- Date
- Thread