An open door?
Servers providing external access (eg to the internet) may provide an opening to your corporate networks.
File Transfer Protocol (FTP), a service which allows the transfer of files over routed networks, is commonly provided by organisations over the Internet or corporate networks. FTP servers are often set up to allow people to upload or download files from or to the server. Because they are often ‘password’ protected there is an illusion of security. However they are inherently insecure and are a significant area of vulnerability if not configured properly, as they can give users backdoor access to a network.
FTP servers may contain sensitive information deposited by, or for, legitimate users. Compromise of the server would compromise this information.
FTP servers are designed to make information available. Care must be taken to ensure that appropriate levels of accountability, integrity and confidentiality are maintained. For instance:
- Levels of access must be carefully controlled to prevent FTP users from accessing your corporate data;
- The level of security on the FTP server should be consistent with the sensitivity of the data available on it;
- The FTP server software should located on a server that does not contain any sensitive applications or data. Ideally a dedicated server should be used;
- Anonymous access should not be allowed unless absolutely necessary.
Before setting up an FTP server, look closely at the business need for this service. Then ensure that the level of service provided is appropriate, and that the system is set up so as to enhance business without exposing your organisation to unnecessary risk.