I work for a smallish software company. We are currently using four comm lines for client support and to send software updates via SNADS. The competition for these four lines is getting hot, so we're looking at alternatives before going out and setting up more lines. We believe we can provide our software updates via FTP, but we don't want to implement anything until we're fairly sure our security mechanism will work. Can someone tell me where the holes are in our scheme?

I have set up an FTP user profile that has no special authority, no password, an initial program of *SIGNOFF, and a library list that contains only one library. The only objects that definitely will be placed in this library are save files intended to be available to our clients. (The save files contain program and/or file updates or additions. They would never contain a complete program or file library. They would also never contain any implementation procedures or documentation.)

I have created an FTP logon exit program and a file that contains a very small list of valid user profiles for FTP. The exit program compares the incoming profile with the list in the file and either accepts or rejects the logon. If the logon is accepted, the user profile is changed to the single FTP user profile described above. I have a second exit program that looks at incoming FTP requests. All requests are rejected except for the ability to establish a connection, list the current library and get a file from that library. We will log all FTP requests from within these exit programs, but I'm still working on that piece.

We do not have all libraries on our system designated as public *EXCLUDE, and I know that it's recommended. To date, we have secured our system from the outside by using our firewall to pretty much shut down anything incoming and keeping some servers (like FTP) turned off.

We know that improving our security for an internet world is in our immediate future, but we would like to plan it thoroughly to minimize work disruption. Will the plan being considered for FTP be fairly secure if we haven't taken this step yet? What other things should we look at to close any holes into our system that might occur with this setup? More importantly, are there any security risks for our clients in this? I can't see that there is any risk for them, but perhaps I'm missing something major.

Thanks for your help!

Janet Elam Crowley
Systems Analyst
IFA Systems

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
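The following is an added illustration of the decision logic the two exit programs in the post would implement; it is not the poster's code and not IBM code. The real exits on IBM i are CL or RPG programs registered on the FTP server logon exit point (QIBM_QTMF_SVR_LOGON) and the request validation exit point (QIBM_QTMF_SERVER_REQ); this Python model only shows what each exit decides. The profile names, the library name and the client addresses are constructed, and the numeric operation identifiers are assumptions taken from my recollection of the request validation exit format, so check them against the documentation for your release. The one check the model adds beyond the post's description is that a list or get must name an object inside the single exposed library: the request exit receives the full object name, and without that check the swapped-in profile can fetch from any library where *PUBLIC authority still permits it, which the post says is most of them.

```python
"""Model of the FTP logon and request validation exit decisions.

Added example, not the poster's exit programs and not IBM code.  Profile,
library and address values are constructed; the OP_* identifiers are assumed
from the request validation exit documentation and must be verified.
"""
from typing import List, Optional, Tuple

# Assumed operation identifiers handed to the request validation exit.
OP_SESSION_INIT = 0
OP_CREATE_DIR = 1
OP_DELETE_DIR = 2
OP_SET_CURRENT_DIR = 3
OP_LIST = 4
OP_DELETE_FILE = 5
OP_SEND_FILE = 6      # server sends a file to the client (GET)
OP_RECEIVE_FILE = 7   # server stores a file from the client (PUT)
OP_RENAME = 8
OP_EXECUTE_CMD = 9    # RCMD

# Constructed stand-ins for the "very small list of valid user profiles",
# the single restricted FTP profile and its one library.
ALLOWED_LOGONS = {"CLIENTA", "CLIENTB"}
FTP_PROFILE = "FTPUSER"
FTP_LIBRARY = "FTPLIB"

# Connect, list and get are the only operations the scheme allows.
ALLOWED_OPS = {OP_SESSION_INIT, OP_LIST, OP_SEND_FILE}

audit_log: List[dict] = []   # stands in for the logging still being written


def logon_exit(user_id: str, client_ip: str) -> Tuple[bool, Optional[str]]:
    """Logon exit: accept only listed profiles, and run an accepted session
    under the restricted FTP profile rather than the profile that logged on."""
    user = user_id.strip().upper()
    accepted = user in ALLOWED_LOGONS
    effective = FTP_PROFILE if accepted else None
    audit_log.append({"event": "logon", "user": user, "ip": client_ip,
                      "accepted": accepted, "effective_profile": effective})
    return accepted, effective


def object_library(name: str) -> str:
    """Library an FTP object name refers to, defaulting to the session's
    current library when none is given.  Handles LIB/FILE.MBR naming and the
    IFS form /QSYS.LIB/LIB.LIB/FILE.FILE; any path outside QSYS.LIB is
    reported as "*IFS" so it can never match the exposed library."""
    name = name.strip().upper()
    if not name:
        return FTP_LIBRARY
    if name.startswith("/"):
        parts = [p for p in name.split("/") if p]
        if len(parts) >= 2 and parts[0] == "QSYS.LIB" and parts[1].endswith(".LIB"):
            return parts[1][:-4]
        return "*IFS"
    if "/" in name:
        return name.split("/", 1)[0]
    return FTP_LIBRARY


def request_exit(profile: str, op: int, object_name: str,
                 client_ip: str) -> Tuple[bool, Optional[str]]:
    """Request validation exit: allow-list of operations, plus a check that
    a list or get stays inside the one exposed library."""
    reason = None
    if profile.strip().upper() != FTP_PROFILE:
        reason = "session is not running under the restricted FTP profile"
    elif op not in ALLOWED_OPS:
        reason = f"operation {op} is not permitted"
    elif op != OP_SESSION_INIT and object_library(object_name) != FTP_LIBRARY:
        reason = f"object {object_name!r} is outside {FTP_LIBRARY}"
    allowed = reason is None
    audit_log.append({"event": "request", "profile": profile, "op": op,
                      "object": object_name, "ip": client_ip,
                      "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    # Constructed session: a listed client logs on, lists, fetches an update,
    # then tries the things the scheme is meant to refuse.
    ip = "192.0.2.10"
    ok, prof = logon_exit("clienta", ip)
    print("logon:", ok, prof)
    for op, obj in [(OP_SESSION_INIT, ""), (OP_LIST, ""), (OP_SEND_FILE, "UPD0425"),
                    (OP_SEND_FILE, "QGPL/QCLSRC"), (OP_RECEIVE_FILE, "FTPLIB/EVIL"),
                    (OP_EXECUTE_CMD, "DSPLIB QGPL"), (OP_SET_CURRENT_DIR, "QSYS")]:
        print(op, repr(obj), request_exit(prof, op, obj, ip))
    print("logon QSECOFR:", logon_exit("QSECOFR", ip))
```

Two design points carry over to the real exits: reject by default and name the reason in the log entry, so a denied request is as visible as an accepted one; and derive the library from the object name the server passes in rather than trusting that the client stayed in the current library, since the FTP user can name any library on a GET.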
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].