by Greg Shields

Transferring files is such a fundamental and common task that we can sometimes overlook security issues.  For example, we might have scripts that copy files from several different transaction processing servers to a consolidated reporting server and for convenience we embedded usernames and passwords into the scripts.  In another case we might pull backup files from remote offices to store them in a central server for added protection without thinking of the security consequences of transferring these files over the Internet.  Whether we are routinely and repeatedly transferring files or performing an occasional file transfer we can take steps to improve the security of these operations. We might not be able to achieve the level of security, reliability and audit control of a full-fledged managed file transfer solution but we can do better than simple ad hoc file transfer solutions.

Using Secure File Transfer Protocol

When it comes to ad hoc file transfers, we should consider both the interactive transfers and the standardized, scripted transfers.

Securing Interactive File Transfers

The first thing we can do to improve the security of file transfer is to use SFTP instead of FTP.  FTP, the file transfer protocol, is well known for two thing: transferring files and being insecure.  SFTP, the Secure/SSH File Transfer Protocol, is built on the SSH protocol provides for secure channels between computers with the use of public key cryptography.  Open source projects like OpenSSH (http://openssh.org/) provide a freely distributed suite of secure utilities that can replace your ftp client.

Command lines are fine sometimes, in other cases there is nothing like good GUI to get the job done.  FileZilla (http://filezilla-project.org/) is another open source project that provides support for secure file transfers.  This suite of tools include both client and server applications. FileZilla supports sftp, ftp and ftps, another secure file transfer protocol.  Mac users may want to take a look at Cyberduck (http://cyberduck.ch/); and yes, their mascot is a little yellow rubber duck.

Securing File Transfer Scripts

When it comes to scripting file transfers we have no shortage of options in terms of programming languages.  We can use operating system shell languages when portability is not a concern but we have plenty of cross platform scripting languages, like Perl, Python and Ruby if portability is an issue.  When scripting a file transfer it is not much more work to do it securely and here are some tools to help. For Perl, the Net::SFTP package (http://search.cpan.org/~drolsky/Net-SFTP-0.08/lib/Net/SFTP.pm) provides a full set of file manipulation functions for securely transferring files with Perl. Python developers have the Paramiko module (http://www.lag.net/paramiko/) which implements the SSH2 for secure communication channels.

About the Author

Greg Shields is an independent author, speaker, and IT consultant, as well as a Partner and Principal Technologist with Concentrated Technology. With 15 years in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture specializing in Microsoft OS, remote application, systems management, and virtualization technologies. He is a Contributing Editor and columnist for TechNet Magazine and Redmond Magazine, and serves as the Series Editor for Realtime Publishers, the world’s leading provider of high-quality content for the IT market. Greg is a highly sought-after and top-ranked speaker for both live and recorded events, and is seen regularly at conferences like TechMentor Events, Microsoft Tech Ed, VMworld, and more. He is a multiple recipient of Microsoft “Most Valuable Professional” award.