Ahmed said:
> It is what the application is supposed to perform, sending files to the
> business partners.
Ah, so you're *writing* an FTP server, not using one. Alright then.
There are two security concerns that come to mind regarding account
information:
1. Protecting usernames and passwords from interception as someone is
logging in to the site. There isn't really any way to accomplish this
while still using the FTP protocol.
2. Protecting login info in case the server is compromised. This is
probably a job for something like the one-way encryption used for UNIX
passwords. In fact, most FTP applications use local OS login accounts,
so they effectively do this.
It's worth noting that case 2 is pretty much a lost scenario anyway, so
I consider it much less important than case 1.
> That is my question, i.e. do I have to keep the accounts behind the
> firewall? Or can I keep them e.g. encrypted on my server outside the
> firewall?
You could store them behind the firewall and run some kind of an
authentication server, I suppose. It would be a real pain, and would
only provide a little additional protection in case of #2 above. It
still doesn't help with your big gaping security hole; that can't be
helped while still using the FTP protocol.
> The host of the application is a server outside the firewall and is
> itself an FTP server, so people connect to put and get files and I am
> interested in securing the accounts from those people.
Well, obviously you wouldn't put account information in a directory
that's made available by your FTP server... Aside from that, I think
I've summarized the two main security concerns in my first response
above.
--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.
Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation
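As an added example (not code from this thread or from either poster), this is the kind of one-way, UNIX-style password store that case 2 above refers to, for the account file of a home-grown FTP server: the file holds only a salt and an iterated digest, so reading it does not reveal any password. The record format, field names and iteration count are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost parameter for PBKDF2-HMAC-SHA256; raise it on real hardware.
ITERATIONS = 200_000


def make_record(username, password):
    """Build one account-file line: user:iterations:salt:digest (base64 fields).

    The password itself is never written; only a random salt and the digest are.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%s:%d:%s:%s" % (
        username,
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def parse_record(line):
    """Split a stored line back into (user, iterations, salt, digest)."""
    user, iters, salt_b64, digest_b64 = line.strip().split(":")
    return user, int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify(line, username, password):
    """Check a login attempt against one stored record.

    Recomputes the digest with the stored salt and iteration count and compares
    in constant time, so a mismatch does not leak where the digests diverge.
    """
    user, iters, salt, stored = parse_record(line)
    if user != username:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, stored)


def leaks_plaintext(line, password):
    """True if someone who copies the account file could read this password from it."""
    return password in line
```

The account file written this way still belongs outside any directory the FTP server exposes, as the reply above notes; hashing limits what a copy of the file reveals, it does not make the file safe to publish.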