by Kay Ewbank
Need to manage the secure transfer of data? Kay Ewbank looks at your options beyond the operating system.
HardCopy Issue: 65 | Published: February 27, 2015
Data is important, and often very sensitive. Transferring it to others, particularly outside the company firewall, is a risky business, but something most of us need to do if not on a daily basis, then at least on a weekly basis. So how do you ensure those files get delivered securely to the person who should be receiving them? Get it wrong and the result can be expensive – the average cost of a security breach runs into millions.
File transfer software provides the means for you to handle the process of sending files to other machines or users in a secure and automatic fashion. Most operating systems do come with some sort of FTP (File Transfer Protocol) utility. For example, you can configure FTP Server in Windows Server 2012 by installing the FTP Server role. However, such utilities are generally intended to provide the basics, limiting the maximum size of file you can send, or the encryption methods you can use. They are fine for sending the occasional file to a colleague, but less attractive if you need to manage the process for many users without compromising security. Add in the need for audit trails and some way of automating the process, and the products described below start to look a lot more attractive.
GlobalSCAPE EFT Server
GlobalSCAPE says its software goes beyond managed file transfer (MFT) to Enhanced File Transfer, which is why it’s called EFT Server. This software is regarded as one of the two front-runners, alongside Ipswitch’s MOVEit. One attraction of GlobalSCAPE’s solution is that you can license only the modules you need from a good range of individual components. There are various versions of the product that include different components with the aim of meeting the needs of small, medium, and enterprise businesses, or you can choose your own mix to satisfy your specific needs.
The ideal setup for EFT Server is to go through a DMZ Gateway that is running on a separate server so that your actual EFT Server can sit safely within your company firewall. The software then isolates the FTP accounts from the domain users, authenticating access using its own authentication manager, or you can have users authenticated by another mechanism such as Active Directory.
EFT Server supports secure file transfer using FTPS (SSL/TLS), and you can add other protocols such as SFTP (SSH2), HTTPS (SSL) or AS2 by choosing the appropriate add-on. You administer EFT Server from a Windows app, and although you can carry out remote admin and configuration, there’s no browser-based admin option. You manage users and groups from the admin console, and you can also manage the FTP folder structure, which is based on EFT Server’s Virtual File System (VFS). This lets you create both actual physical folders and virtual folders that refer to existing real folders on your system. Here you can specify upload and download permissions, and FTP site restrictions such as the setting of password rules. You can also stop specific file types being sent over FTP, ban connections from specific IP addresses, and set limits on a per-user basis for a number of parameters.
The management of files in transit is excellent in EFT, with options for restarting failed transfers and mid-file recovery. If your users want to send large files, EFT Server supports multi-part transfers. For authentication you can use conventional password, public-key or one-time password.
The software has an excellent range of rules that you can configure to manage events related to users, files or connections, with choices for actions including the execution of system commands and the generation of notifications. You can also automate actions such as offloading files, scheduling transfers, and onward processing and verification. For more general reporting the basic EFT Server supports some logging, but if you want the full range of options you need the Reporting and Auditing module. This gives you a really good range of some 40 reports, and you can log detailed information to SQL Server or Oracle. You can set up audit trails, send email notifications of completed transactions, and use digital certificates for proof of identity.
Ipswitch MOVEit
Ipswitch has two file transfer products, namely WS_FTP Server and MOVEit. MOVEit is one of the most highly regarded on the market, with strong features for handling large and sensitive data files. It is usually installed within the network DMZ to maximise security, and uses SQL Server or MySQL as its database backend. You can also run it as a virtual machine, with support for VMware ESX and Hyper-V.
The software supports SAML 2.0 integration, so you can authenticate users from within MOVEit using identity providers such as Microsoft ADFS, Shibboleth or Onelogin. Users can choose between person-to-person and system-to-system file transfer, and all file transfer activity is logged to a database with a tamper-proof audit trail. The audit trail stores notification of server events and completed transfers, and is integrated with Syslog.
The software lets administrators map file directories to virtual directories so users are isolated from the file system, and you can create the virtual directories within MOVEit. Multiple domains can be isolated by defining each as an ‘organisation’. Organisations can be set up and managed by users, with the administrator able to set specific rules and settings for each one.
MOVEit makes it easy to define an automated workflow, and there are some nice touches in what you can specify. You can, for example, set up post-transfer file automation actions such as deleting, moving, or renaming the source file after it has been transferred. A set of macros is provided for dynamically changing file names, with options such as adding the time or date to the file name.
Transfers can be scheduled to happen automatically on a recurring basis, and you can set files to be synchronised to specific locations, devices or drives. There’s also a scripting utility that helps with automating recurring tasks.
MOVEit is good on security. Files are encrypted (with support for FIPS 140-2 cryptography) both while on the server and while being sent, and there’s a security wizard that helps administrators keep things locked down. The software supports McAfee, Symantec and Sophos anti-virus software, and also guards against OWASP (Open Web Application Security Project) Top 10 2013 application security vulnerabilities.
Access from the desktop is either through a web browser or a Microsoft Outlook plugin, and the end users can encrypt their email messages as well as the attachments. There is also support for iOS and Android mobile phones and tablets.
Ipswitch WS_FTP Server
The second product from Ipswitch is WS_FTP Server. This is extremely well known, having started life as the shareware FTP client, WinSock FTP, which gained popularity for working well, even if it looked rather sparse. More recent versions of the software show more information, but essentially you still see what’s happening on the local machine in the left-hand window, and what’s happening on the remote machine in the right-hand window.
You can use WS_FTP Server to transfer files between systems, and also between groups of users, specific people, and applications. You can work directly with the software, or through a web browser.
The software has an Ad Hoc Transfer module that allows users to send files securely to one or more recipients as an email attachment from Microsoft Outlook, using the WS_FTP plugin. Users can also do the same thing from their web browser using a secure HTTPS session. The module lets you set up the encryption standard you want to use, along with access control, authentication and content management.
There’s a separate Web Transfer module that can be used to transfer files and other data securely from a computer to the WS_FTP Server over HTTPS using a web browser. The software also supports an option to have a second WS_FTP Server available on failover in case the first server is down, ensuring that an FTP server is always available.
WS_FTP Server comes in three versions, starting with the basic Server version. The next version up includes support for SSH for additional encryption, and also supports protocol rules. The top-end corporate version adds support for LDAP and Secure Copy (SCP 2), along with the ability to carry out transfers from web browsers. The administration options are good, and you can enforce strong security over file transfers.
Solarwinds Serv-U Managed File Transfer Server
Solarwinds acquired its managed file transfer software when it bought Rhino Software in 2012. The resulting product aims to provide a cost-effective and secure alternative to products that are licensed by the seat. The software lets users work from a web interface, or from a secure mobile interface that supports iOS, Android and BlackBerry devices. Users can drag and drop files onto the transfer window, and can transfer files larger than 2GB if necessary.
Alongside the built-in web clients, the software has additional FTP client support. There are optional web plug-ins to support the transfer of large files, more than one file at a time, or entire folders in one go. The plug-ins also allow users to work from local file managers such as Windows Explorer, through a folder synchronization utility, and there are facilities for administering the transfers from either web browsers or iPads.
The software supports a good range of protocols, with support for FTP, FTP over SSL/TLS, FTP over SSH2, HTTP, HTTP over SSL, IPv4 and IPv6, and FIPS 140-2 validated cryptography. The inclusion of FIPS 140 cryptography allows the software to conform to standards such as PCI-DSS, HIPAA, FISMA, and SOX.
Ad-hoc file sharing is another feature of Solarwinds Serv-U Managed File Transfer Server. The idea is that you host the files to be transferred in your data centre. Your users upload the files they want to send to a secure web page hosted on the server, and set an expiration date and password. The file transfer software then sends a link to the files to the recipients, who then click the link, sign on, and download the files from the web page. File requests can be handled in a similar way, and in both cases the sender’s email address does not have to be disclosed. Links can even be sent through instant messenger or using social networks.
End-users like Serv-U file sharing because it’s easy to use. One button lets them send files and a second lets them request files from others. All the user needs is the email addresses of the other people involved, the expiration date of the sent/requested files, and an optional password if necessary. Links to files can be automatically emailed for easy access. Advanced users like the ability to copy file-sharing links into emails, instant messages, and to social networking sites.
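The ad-hoc sharing flow described above (sender uploads, sets an expiry and an optional password, recipient follows a link) is easy to describe and easy to get wrong. The following is an added example, not code from the article or from Serv-U, of the server-side pieces a defender would want in such a feature: an unguessable link token that is also integrity-checked, a hard expiry after which the share is purged rather than merely refused, and a salted, iterated password hash compared in constant time. The function names, the token format and the in-memory registry are assumptions made for illustration.

```python
"""Time-limited, password-protected download links (illustrative, not Serv-U's code)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Server-side key used to authenticate link tokens. Generated per process here;
# a real deployment would load it from protected configuration (assumption).
SERVER_KEY = secrets.token_bytes(32)

# In-memory share registry: share_id -> record. Constructed for the example.
SHARES: Dict[str, dict] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-share salt; iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def create_share(file_id: str, ttl_seconds: int, password: Optional[str] = None,
                 now: Optional[float] = None) -> str:
    """Register a share and return the opaque token that goes into the link.

    The share id is random (cannot be enumerated) and the token carries an HMAC
    tag, so a tampered token is rejected before any registry lookup happens.
    """
    now = time.time() if now is None else now
    share_id = secrets.token_urlsafe(16)           # URL-safe, never contains '.'
    tag = hmac.new(SERVER_KEY, share_id.encode(), "sha256").hexdigest()[:16]
    record = {"file_id": file_id, "expires_at": now + ttl_seconds,
              "pw_salt": None, "pw_hash": None}
    if password:
        record["pw_salt"] = os.urandom(16)
        record["pw_hash"] = _hash_password(password, record["pw_salt"])
    SHARES[share_id] = record
    return f"{share_id}.{tag}"


def resolve_share(token: str, password: Optional[str] = None,
                  now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate a link token; return (ok, file_id) on success or (False, reason)."""
    now = time.time() if now is None else now
    try:
        share_id, tag = token.split(".", 1)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SERVER_KEY, share_id.encode(), "sha256").hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False, "invalid token"
    record = SHARES.get(share_id)
    if record is None:
        return False, "unknown share"
    if now >= record["expires_at"]:
        SHARES.pop(share_id, None)                  # purge, so the file is no longer reachable
        return False, "link expired"
    if record["pw_hash"] is not None:
        if password is None:
            return False, "password required"
        candidate = _hash_password(password, record["pw_salt"])
        if not hmac.compare_digest(candidate, record["pw_hash"]):
            return False, "wrong password"
    return True, record["file_id"]


if __name__ == "__main__":
    link = create_share("quarterly-report.pdf", ttl_seconds=3600, password="s3cret")
    print(link, resolve_share(link, "s3cret"))
    print(resolve_share(link, "guess"))
```

The reason codes are returned rather than raised so an audit trail can record why a download was refused; note that the sender's own identity never appears in the token, which matches the article's point that the sender's email address need not be disclosed.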
Another useful aspect of Serv-U Managed File Transfer is the way it integrates with Active Directory (AD) or other LDAP servers, so making it easy to manage who is allowed to transfer files. As an alternative, you can store user details in external databases, with support for SQL Server, MySQL, PostgreSQL and Oracle. If the list of users runs into thousands, this is faster than using local directories. That said, the way Serv-U is administered with regards to the server and AD is less sophisticated than rival products such as MOVEit and EFT Server, where roles for admin and file system are separated.
Security and compliance are high on the priority list for Hermes, which manages the investment of assets worth more than £20 billion on behalf of over 200 clients. Jamie Dewar, Technical Services Manager at Hermes, explains: “We needed to host an FTP site so that people could post information to us, which, obviously, needed to be very secure due to the sensitivity of the data. We didn’t host FTP before as we were a ‘pull only’ organisation and just used the basic Microsoft mainline tools. However, due to changing business requirements we required an enterprise-class FTP solution that was highly secure.”
After evaluating several products, Hermes felt Ipswitch’s MOVEit best met its needs with regards to flexibility, reliability and security. Dewar adds: “We also liked the way the server partitions itself up in MOVEit, that everything on the server is encrypted and that MOVEit automatically replicates any changes to its config to the mirror MOVEit servers at our DR site.”
Furthermore, MOVEit’s API allowed Hermes to integrate the package with third-party programs: “It fits in well with our overnight processing, which used to be manual. We’ve got a new job scheduler and MOVEit ties in nicely with the job scheduler through the APIs, feeding error codes back to the job scheduler.”
South River Titan FTP Server
As the name suggests, Titan FTP Server is an FTP server that can be used to share files via SSL/SFTP. It can be licensed for use on one PC or an unlimited number of internal PCs. A related product, Cornerstone MFT, adds extra transfer protocols together with other enterprise features.
Titan FTP has an administration client that you can use from Windows machines, or remotely if you’re using the Enterprise Edition. You can use SAM authentication, and the administration console will access user and group account information from your Domain Controller including authentication information and home directories. If you want to set up custom authentication, there are wizards for creating users and groups.
The Enterprise version supports event management, with the option of setting up rules to specify actions to be carried out when events occur. There’s a good range of over 100 pre-defined events, and the actions supported include email alerts, preventing transfers and blocking a user or IP address. If the list doesn’t include the action you want then you can run external commands or COM scripts. There’s even a COM API that you can use to programmatically control your server from COM-enabled languages such as Visual Basic, C# or Java.
User management is good, with options for setting maximum transfer quotas, restricting bandwidth use and managing IP addresses. You can keep users away from the actual file system by creating virtual folders that map to real directories.
Titan FTP has options aimed at blocking hackers by shutting down transfers if too many connections are made, perhaps from a Denial-of-Service attack, and you can block FXP and passive transfers. The developers claim that the server will automatically detect and refuse malicious connections without affecting legitimate connections.
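The "too many connections" defence mentioned above is, at its core, a per-source sliding-window limit with a temporary block. The following is an added example written for this article, not Titan FTP's own code or a description of how it is implemented internally: connection attempts are tracked per IP address over a short window, a source that exceeds the limit is refused for a fixed period, and other sources are unaffected, which is what the developers' claim about not disrupting legitimate connections amounts to. The thresholds, the block duration and the class and function names are assumptions.

```python
"""Per-IP sliding-window connection limiter (added example, not Titan FTP's code)."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


class ConnectionLimiter:
    def __init__(self, max_conns: int, window_seconds: float, block_seconds: float):
        self.max_conns = max_conns          # attempts allowed inside one window
        self.window = window_seconds        # sliding window length
        self.block_for = block_seconds      # how long an offending IP is refused
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def allow(self, ip: str, now: float) -> Tuple[bool, str]:
        """Decide whether a new connection from `ip` at time `now` is accepted.

        Returns (accepted, reason); the reason is meant for the server log.
        """
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False, "blocked"
            del self._blocked_until[ip]     # block has lapsed; start clean
        attempts = self._recent[ip]
        # Forget attempts that have fallen out of the sliding window.
        while attempts and now - attempts[0] >= self.window:
            attempts.popleft()
        attempts.append(now)
        if len(attempts) > self.max_conns:
            self._blocked_until[ip] = now + self.block_for
            attempts.clear()
            return False, "rate exceeded"
        return True, "ok"


def simulate(limiter: ConnectionLimiter, events: Iterable[Tuple[float, str]]) -> List[str]:
    """Replay (time, ip) pairs through the limiter and return each decision reason."""
    return [limiter.allow(ip, t)[1] for t, ip in events]


if __name__ == "__main__":
    # Constructed traffic: one source hammers the server, another connects normally.
    lim = ConnectionLimiter(max_conns=3, window_seconds=10.0, block_seconds=60.0)
    burst = [(float(t), "198.51.100.9") for t in range(5)]
    quiet = [(4.5, "203.0.113.7"), (64.0, "198.51.100.9")]
    for (t, ip), verdict in zip(burst + quiet, simulate(lim, burst + quiet)):
        print(f"t={t:5.1f} {ip:14} {verdict}")
```

Keying the state on the source address is what keeps a single abusive source from affecting everyone else; a global counter would turn the defence itself into a denial of service for legitimate users.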
Users can connect to the server using any compliant FTP client or application, but there’s also an associated WebDrive FTP Client that maps a network drive letter to your Titan Server. This lets users drag and drop to upload files, move them into other folders, or alter directory structures.
The server reports through log files in either W3C extended or plain text format, and you can choose which fields should be logged. You can also write to ODBC data sources. There’s an activity monitor that shows real-time monitoring of any server activity, including that of individual users.
VanDyke VShell Server
The VShell Server comes in versions for Windows, Linux, and UNIX, and lets you configure the services you use. It uses the Secure Shell (SSH) protocol for remote system administration, and supports SFTP for secure file transfer. The developers claim that the software is designed to save valuable administrator time, from initial setup to configuration and task automation. You get a choice of user authentication options including public-key, Kerberos, and two-factor methods.
The options for managing user privileges let you decide which users or groups should be able to use the various Secure Shell services, with groups being defined within VShell as Access Control Lists (ACLs). You can specify access to the shell, SFTP, SCP, FTP/SSL and port forwarding. You can also define specific multiple directory access points on a user or group basis, using a virtual root directory. If you’re running the UNIX version, it includes the ChrootUsers and ChrootGroups options for restricting users and groups to their home directories for shell access, file transfer or remote command execution.
VShell Server has good support for automating the administration of file transfers, using a combination of event trigger conditions, remote command execution and command-line utilities. You can monitor for events such as failed logon attempts, and there’s an option to let users with lower privilege levels use RunAs commands to run scripts and any other commands that might require elevated privileges. The server also comes with a set of command-line utilities that let you run operating system utilities automatically.
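Two things mentioned above, Titan's W3C-format logs with selectable fields and VShell's monitoring for failed logon attempts, come together in a small detection routine. The following is an added example, not code from either product: it parses W3C extended log lines by honouring the `#Fields:` directive (so it keeps working when an administrator changes which fields are logged), picks out failed FTP logins (a `PASS` command answered with status 530), and flags any source address with a burst of failures inside a short window, also reporting how many different usernames were tried. The log lines are constructed for the example, and the threshold and window are assumptions.

```python
"""W3C log parsing and failed-login burst detection (added example, not product code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample in W3C extended log format; addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: constructed sample for illustration
#Date: 2015-02-27 08:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2015-02-27 08:00:01 203.0.113.7 alice PASS - 230
2015-02-27 08:00:04 198.51.100.9 admin PASS - 530
2015-02-27 08:00:06 198.51.100.9 root PASS - 530
2015-02-27 08:00:09 198.51.100.9 test PASS - 530
2015-02-27 08:00:11 198.51.100.9 ftp PASS - 530
2015-02-27 08:00:12 203.0.113.7 alice RETR /reports/q1.csv 226
2015-02-27 08:00:15 198.51.100.9 backup PASS - 530
2015-02-27 08:01:40 192.0.2.33 bob PASS - 530
2015-02-27 08:01:55 192.0.2.33 bob PASS - 230
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into a list of {field: value} records."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):          # directive names the columns
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                                 # skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def failed_logins(records: List[Dict[str, str]], status: str = "530") -> List[Dict[str, str]]:
    """Keep only password attempts the server rejected (FTP reply 530)."""
    return [r for r in records
            if r.get("cs-method") == "PASS" and r.get("sc-status") == status]


def flag_brute_force(records: List[Dict[str, str]], threshold: int = 5,
                     window: timedelta = timedelta(seconds=60)) -> Dict[str, Tuple[int, List[str]]]:
    """Return {ip: (failures in window, usernames tried)} for sources over the threshold."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for r in failed_logins(records):
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        by_ip[r["c-ip"]].append((ts, r["cs-username"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):               # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                flagged[ip] = (count, users)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, (count, users) in flag_brute_force(recs).items():
        print(f"{ip}: {count} failed logins, usernames tried: {', '.join(users)}")
```

Reporting the set of usernames alongside the count distinguishes a user who has forgotten a password from a source walking through an account list, which is the case an administrator would want an alert or an automatic block for.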
SecureFX is a separate VanDyke product that provides a file transfer client for Windows, Linux and Mac with support for secure file transfer using SFTP, SCP and SSL. It has a command-line utility, SFXCL, for Windows and Linux that lets you set up unattended automated transfers, although most Windows users work from the graphical interface, which lets you drag and drop files between the server and the desktop machine, either from other applications or from Windows Explorer. You can set up a queue of files to be transferred, and if the connection fails, the software automatically reconnects and resumes the transfer.
Authentication options include public-key, X.509, and Kerberos v5. A synchronize files option lets you upload, download and mirror files, and you can use filtering to include or exclude specific files or file types.