Securing FTP Authentication

Securing FTP Authentication (PDF, 2.06MB)
Published: 12 Feb, 2002
Created by Mike Gromek

The File Transfer Protocol, or FTP, is an industry-standard method of data exchange between computers. Widely used because of its flexibility and ubiquity, FTP has also become a frequent point of attack. Though certainly not the only issue, one frequently cited area of concern is the use of a clear-text data stream for passing authentication and control information. Intended for a novice- to intermediate-level administrator, this paper briefly examines how a nonsecure FTP implementation functions and demonstrates how the clear-text control connection can be exploited. A common misconception is that switched network architectures adequately protect an organization from network eavesdropping. Several ways of bypassing switch security are outlined, illustrating the continuing need for protecting the FTP data streams. Having recognized this as an ongoing problem, the Internet community has drafted a series of FTP security extensions, providing a mechanism to establish a secure connection. These extensions are discussed and several more secure FTP implementations are briefly examined, illustrating different approaches to this problem.