Protocols and Security

EFT Server supports the following protocols: FTP, FTPS, SFTP, HTTP, HTTPS, and AS2. The protocols are configured and enabled/disabled at the Site level, at the User Setting Level, or per user.

EFT Server also provides data storage encryption using OpenPGP, and encrypts passwords during transmission and storage.

If you specify plain-text FTP or HTTP for a PCI DSS-enabled Site, EFT Server prompts you to disable these unsecure protocols, or continue with reason.

If you enable remote administration without enabling SSL, EFT Server prompts you to disable remote administration and/or enable SSL, or continue with reason.

FTP

The FTP protocol is an interactive file-transfer mechanism that enables file transfers between Internet sites, or, more specifically, between two systems. It was created for transferring files independently of the operating system used, for example between a Macintosh and Windows PC. FTP’s more notable features include handling for specific error situations and ensuring that a file sent from point A to point B will get there reliably.

The FTP protocol specification (RFC 959) was published many years ago when security was not a priority issue. As security became a concern, secure mechanisms such as SSL and TLS were adapted to help protect the FTP session from being intercepted or exploited. EFT Server provides security with FTPS (using SSL/TLS).

HTTP

HTTP is the communication protocol for establishing a connection with a Web server and transmitting HTML pages to the client browser or any other files required by an HTTP client application.  

HTTP is often referred to as a "stateless" protocol. The connection is maintained between client and server only for the immediate request, after which the connection is subsequently closed. Each time you need something from EFT Server, your client (browser) makes a connection, gets that file, and then the connection is closed. Since you do not connect and stay connected, the browser remembers your username and password for you, so it can send the authentication hash along with every new connection request.

For example, when you type http://www.globalscape.com/eft/whatsnew.aspx in your browser's address bar and press ENTER, your browser uses HTTP as specified in the URL to send a command to EFT Server running at the host name www.globalscape.com with the HTTP command "GET /eft/whatsnew.aspx HTTP/1.1," and EFT Server replies with that file (the HTML that makes up the page). In that page, there are references to a number of files (e.g., images, CSS documents, flash files), and your browser makes a separate connection to get each one of those resources.

How does HTTP support in EFT Server differ from a typical Web Server?

EFT Server is primarily a file transfer server, not a Web server. This means it is not meant to "serve up" Web pages such as a typical Web server does for connecting HTTP clients (such as your Web browser). However, there are provisions for transferring files in the HTTP protocol, which is a convenience when a connecting partner, customer, or employee does not have an FTP client installed, but does have an HTTP client or access to a Web page with HTTP PUT capabilities (usually an ActiveX control or Java applet).

When EFT Server is configured to allow HTTP file transfers, any HTTP client will be able to PUT (upload) or GET (download) files to EFT Server, provided the client supports both of these HTTP commands. Most Web browsers only support the GET command or, if they support the PUT command, they provide no interface for browsing to the user's local file system to select and upload (PUT) files onto EFT Server. A few dedicated clients (such as CuteFTP Professional) and various thin clients (based on ActiveX controls or Java applets) support both PUT and GET capabilities, allowing these clients to transfer files to EFT Server in both directions.

HTTP Limitations in EFT Server

HTTPS

HTTPS is the protocol for accessing a secure Web server when authentication and encrypted communication is possible. Using HTTPS in the URL instead of HTTP directs the message to a secure port number rather than the default Web port number of 80. The default TCP/IP port of HTTPS is 443. The session is then managed by a security protocol. HTTPS encrypts the session data using the SSL (Secure Socket Layer) protocol ensuring reasonable protection from eavesdroppers and man-in-the-middle attacks.  

Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection from a client to a server with SSL capabilities. The server is responsible for sending the client a certificate and a public key for encryption. If the client trusts EFT Server's certificate, an SSL connection can be established. All data passing from one side to the other will be encrypted. Only the client and EFT Server will be able to decrypt the data. The SSL protocol is the same protocol used in FTPS.

The following elements work together to establish a secure HTTPS connection:

Client: The client must have SSL capabilities.

Certificate: Certificates are digital identification documents that allow both servers and clients to authenticate each other. A certificate file has a .crt extension. Server certificates contain information about your company and the organization that issued the certificate (such as Verisign or Thawte) while client certificates contain information about the user and the organization that signed the certificate. You can choose to either trust or distrust a certificate. In some cases, the client's certificate must be signed by EFT Server's certificate to establish an SSL connection.

Session Key: The client and EFT Server use the session key to encrypt data. It is created by the client via EFT Server’s public key.

Public Key: The client encrypts a session key with EFT Server’s public key. It does not exist as a file, but is produced when a certificate and private key are created.

Private Key: The server's private key decrypts the client's session. The private key has a .key extension and is part of the public-private key pair.

Certificate Signing Request: A certificate signing request is generated each time a certificate is created. A certificate signing request has a .csr extension. This file is used when you need to have your certificate signed. Once the Certificate Signing Request file is signed, a new certificate is made and can be used to replace the unsigned certificate.

In Web pages that use HTTPS, the URL begins with https: rather than http:. HTTP clients should connect using standard requests (i.e. https://domain_name). You can configure EFT Server to provide connecting clients with a certificate, and even require that the client provide a certificate upon connection (to further validate the client's identity).

FTPS, SSL, and TLS

FTPS is an enhancement to standard FTP that uses standard FTP commands (and protocol) over secure sockets. FTPS adds SSL security in both the protocol and data channels. FTPS is also known as FTP-SSL and FTP-over-SSL. You might also see the term SSL used in conjunction with TLS. SSL has been merged with other protocols and authentication methods into a new protocol known as Transport Layer Security (TLS). EFT Server employs SSL/TLS to perform FTPS to keep your data secure.

Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection from a client to a server with SSL capabilities. The server is responsible for sending the client a certificate and a public key for encryption. If the client trusts EFT Server's certificate, an SSL connection can be established. All data passing from one side to the other will be encrypted. Only the client and EFT Server will be able to decrypt the data.  

EFT Server supports SSL for client and server authentication, message integrity, and confidentiality. You can configure EFT Server's security features to verify users' identities, allows users to verify your identity, and to encrypt file transfers. The key to understanding how SSL works is to understand the elements that take part in the process.

Elements that Work Together to Establish a Secure SSL Connection

SSL must first be enabled at the Site and Server level, and then can be enabled at the User Setting Level and per user. EFT Server provides administrators the ability to specify the symmetric key cipher (An algorithm for performing encryption; see SSL.) (s) and the ordering of those ciphers for establishing SSL sessions. EFT Server validates inbound SSL sessions, and allows or denies connections based on specified or approved ciphers.

EFT Server supports two levels of authentication with SSL:

Related Topics

Remote Administration

Enabling SFTP for a Site

Enabling FTPS, HTTPS (SSL)

Enabling FTPS, HTTPS (SSL) at the Site Level

Configuring SSL for a Site

Configuring HTTP Transfers on the Site

Configuring HTTPS Transfers on the Site

Redirecting HTTP to HTTPS

Explicit Versus Implicit SSL

SSL Certificates

SSL Allowed Ciphers

Setting Transfer Protocol Security for the Site

The AS2 Module