Encrypted File Transfers
The following screenshots demonstrate network traffic with a standard FTP connection versus an UnlimitedFTP Servlet SSL connection. In the second image UnlimitedFTP Servlet makes it impossible for information to be intercepted.
Standard FTP Network traffic

Secure FTP connection utilizing UnlimitedFTP Servlet and SSL

All command and data streams are sent through an HTTPS wrapper, which means that everything is encrypted while being transferred over the internet.
The screenshots were taken using the Ethereal sniffing software. Permission of Gerald Combs was obtained before the images were posted here.
Additional Security as Gatekeeper
UnlimitedFTP Servlet adds a layer of security to your FTP server, acting as a gatekeeper to prevent unauthorized access. It not only controls access to your FTP server's functionality, but also mitigates the risk of exploits such as buffer overflows, FTP bounce, and a number of other potential attacks. There are two key features of UnlimitedFTP Servlet that help secure an FTP server. The first is that it is built using the Java platform, so it is not susceptible to the same types of attacks as programs written in C/C++. This is explained in further detail below. The second is that the socket connections, and the commands used to communicate with the FTP server, are between UnlimitedFTP Servlet and the FTP server, instead of from the FTP client to the FTP server. UnlimitedFTP Servlet ensures that only proper FTP commands actually reach the FTP server.
To translate from HTTP requests to FTP commands, UnlimitedFTP Servlet uses a parameter scheme described in the document ServletURLGuide.html. The actual commands sent to the FTP server are not a one-to-one mapping from the request parameters. Each command and its arguments are sent to UnlimitedFTP Servlet via an HTTP GET or HTTP POST. The parameters are parsed and, using a set of predetermined rules, are used to construct the corresponding FTP commands, which are in turn sent to the FTP server. Because of this design, UnlimitedFTP Servlet cannot be sent arbitrary commands: they will not be understood and will not be sent to the FTP server. Such commands are discarded, and the client making the request simply receives an empty reply. UnlimitedFTP Servlet also controls the creation of data connections to and from the FTP server, so a user cannot execute an arbitrary PASV or PORT command against the FTP server.
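The gatekeeper scheme described above, as an added illustration in Python rather than the servlet's own Java code: request parameters are looked up in a fixed rule table, the table decides which FTP verb (if any) is built, anything outside the table is discarded with an empty reply, and PASV/PORT can never be produced from client input because no rule maps to them. The parameter names (`action`, `path`, `file`) and the rule table are constructed for this example; the real parameter scheme is the one in ServletURLGuide.html, which is not reproduced here. The line-ending check on arguments is this example's own design choice, not a documented feature of the product.

```python
from typing import Optional
from urllib.parse import parse_qs

# Constructed rule table (hypothetical parameter names, not the servlet's scheme).
# action -> (FTP verb, name of the request parameter that supplies the argument).
# Nothing in the table maps to PASV or PORT: data connections are set up by the
# gateway itself, never on request from the client.
RULES = {
    "list": ("LIST", "path"),
    "cwd": ("CWD", "path"),
    "get": ("RETR", "file"),
    "put": ("STOR", "file"),
    "delete": ("DELE", "file"),
}


def _safe_argument(arg: str) -> bool:
    """An FTP command is one CRLF-terminated line, so an argument carrying CR, LF
    or NUL would let a single request become two commands on the control stream.
    Reject such arguments outright (design choice of this example)."""
    return arg != "" and not any(c in arg for c in "\r\n\0")


def translate(query_string: str) -> Optional[str]:
    """Turn an HTTP query string into exactly one FTP command line, or None when
    the request does not match a predetermined rule (the request is discarded)."""
    params = parse_qs(query_string, keep_blank_values=True)
    action = params.get("action", [""])[0].lower()
    rule = RULES.get(action)
    if rule is None:
        return None  # unknown action, e.g. a raw verb smuggled in a parameter
    verb, arg_name = rule
    values = params.get(arg_name)
    if not values or len(values) != 1:
        return None  # missing or repeated argument: ambiguous, discard
    arg = values[0]
    if not _safe_argument(arg):
        return None
    return f"{verb} {arg}\r\n"


def handle_request(query_string: str) -> str:
    """Model of the servlet's behaviour toward the client: the command that would
    be forwarded to the FTP server, or an empty reply when the request is discarded."""
    command = translate(query_string)
    return "" if command is None else command


if __name__ == "__main__":
    # Constructed sample requests.
    for q in ("action=list&path=/pub", "cmd=PASV", "action=PORT&arg=10,0,0,1,4,1",
              "action=get&file=a.txt%0d%0aDELE%20b.txt"):
        print(repr(q), "->", repr(handle_request(q)))
```

Only the five verbs in the table can ever appear on the wire toward the FTP server; a client supplying `cmd=PASV`, `action=PORT`, or a CRLF-bearing file name gets the empty reply the page describes.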
In addition, because of the nature of the Java platform, parameters cannot be formulated in a way that causes buffer overflows. C and C++ programmers often use pointer arithmetic to manipulate strings and arrays. Java programmers need not resort to this low-level manipulation, because the Java programming language provides high-level abstractions for both strings and arrays. Arrays are bounds-checked at compile-time and at run-time. Strings are immutable: once memory is allocated for a string and its contents are initialized, the string cannot be altered. When a string variable is assigned a new value, the system creates a new string object and assigns it to the variable; the original string itself is not changed. This property, inherent to all Java applications, protects UnlimitedFTP Servlet from the types of attacks that exploit buffer overflows.
In order to further protect your FTP server, it is recommended that the FTP server be configured to only allow FTP connections from addresses within a trusted internal network that includes UnlimitedFTP Servlet. In addition, it is recommended that the application server only permit access to UnlimitedFTP Servlet using the HTTPS protocol. This ensures all communication from the end user to the servlet is encrypted with 128-bit SSL encryption.