On 06/02/2009, at 4:35 PM, John McKee wrote:
> Does this make any sense? If data leaves one site, via a VPN,
> would there be any way to know the data was not encrypted?

Isn't really enough information to work with but ...

It's probably possible but unlikely. FTP uses two connections; one
(initiated by the client) for the control channel, and one (by
default) initiated by the server for the data channel. It's possible
that the client connects over the VPN to establish the control
channel but that the server connects directly for the data channel.
This would mean the control channel is encrypted via the VPN so
UID/PWD is protected but the data itself is not encrypted.

I would expect that for this to occur the VPN is incorrectly
configured or the client is directly addressable without the VPN.
Both states would indicate incorrect network configuration. You
should be able to work around the problem via PASV which instructs
the server to wait for a data connexion from the client or by
disabling both PASV and PORT which will create the data connexion to
the same port as the control channel (the default data connexion).

It will depend very much on the capabilities of your FTP client as to
whether either of these work-arounds is available or effective. Many
FTP clients don't actually implement the default data connexion
because there can be communication problems with it due to TCP
time-waits when closing sockets even though the RFC for FTP says they
must implement it. Some clients will allow disabling PORT but if so will
then use PASV. Not all clients allow disabling both PORT and PASV
although the iSeries FTP client is one that does.

The proper solution is to configure routing so the VPN client is
found ONLY via the VPN connexion.

Regards,
Simon Coulter.
--------------------------------------------------------------------
FlyByNight Software OS/400, i5/OS Technical Specialists
http://www.flybynight.com.au/
Phone: +61 2 6657 8251   Mobile: +61 0411 091 400        /"\
Fax:   +61 2 6657 8251                                   \ /
                                                          X
           ASCII Ribbon campaign against HTML E-Mail     / \
--------------------------------------------------------------------
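
An added example, not part of the original post: one way to check a captured FTP control-channel transcript for the situation described above, where the data connection is negotiated to an address outside the VPN. The VPN subnet 10.8.0.0/24, the sample transcript and the function names are assumptions made for illustration; only PORT commands and 227 (PASV) replies are handled, not EPRT/EPSV.

```python
import ipaddress
import re

# Six comma-separated decimal bytes h1,h2,h3,h4,p1,p2 (PORT argument / 227 reply).
HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def parse_hostport(text):
    """Return (IPv4Address, port) from an h1,h2,h3,h4,p1,p2 field, or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    b = [int(x) for x in m.groups()]
    if any(v > 255 for v in b):
        return None
    return ipaddress.IPv4Address(".".join(map(str, b[:4]))), b[4] * 256 + b[5]

def data_endpoints(control_lines):
    """List (mode, address, port) for each data connection negotiated."""
    out = []
    for line in control_lines:
        line = line.strip()
        if line.upper().startswith("PORT "):
            mode = "active"    # server will connect to this client address
        elif line.startswith("227 "):
            mode = "passive"   # client will connect to this server address
        else:
            continue
        ep = parse_hostport(line)
        if ep:
            out.append((mode, ep[0], ep[1]))
    return out

def outside_tunnel(control_lines, vpn_net):
    """Return negotiated data endpoints whose address is not inside vpn_net."""
    net = ipaddress.ip_network(vpn_net)
    return [e for e in data_endpoints(control_lines) if e[1] not in net]

# Constructed transcript; addresses come from private/documentation ranges.
SAMPLE = [
    "USER demo",
    "331 Password required",
    "PORT 203,0,113,25,19,137",   # client advertises a non-VPN address
    "150 Opening data connection",
    "PASV",
    "227 Entering Passive Mode (10,8,0,1,195,80)",
]

if __name__ == "__main__":
    for mode, addr, port in outside_tunnel(SAMPLE, "10.8.0.0/24"):
        print(f"{mode} data connection to {addr}:{port} is outside the VPN subnet")
```

A PORT line flagged here means the server was told to open the data connection to an address it would reach without the tunnel, which is the misconfiguration the reply attributes to routing.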