Battening down the hatches on file transfers takes more than secure connections and encrypted file storage. Learn how your ISP can provide cost-effective secure FTP services.

by Alex Goldman ISP-Planet Associate Editor [June 7, 2002]

Based in Madison, Wis., Standard Networks is a small, privately held company that was founded in 1989 to provide software and networking products for the financial industry. Its first-generation products helped companies exchange files between mainframes and networked computers. Today, the company still specializes in secure file transfer, as v. 2.2 of its MOVEit family of products prove.

Scott Meeker, Director of Sales and Marketing at Standard Networks, says FTP is inherently insecure because it transmits user names and passwords and even files in the clear.

"Most secure FTP server products address this problem by establishing encrypted connections between the client and the server, over which user names, passwords, and files are transferred," explains Meeker. "However, most so-called secure FTP servers then write those files to disks in the clear. MOVEit DMZ takes files that have been received and, while they are still in RAM memory, re-encrypts them using AES, and then writes the files to disk."

MOVEit DMZ is attached to a company's external firewall. Users sending files through MOVEit DMZ go through the firewall whether they are within the LAN or outside. The software sits in a demilitarized zone (DMZ), a protected, high-security area between the Internet and the LAN.

The company claims that this software product enables secure FTP transfer using Web browsers and cheap STP clients. MOVEit DMZ uses 128-bit key SSL encrypted connections supplemented by HTTPS for Web browsers and FTPS (TLS) for FTP clients. Additional features include:

• Secure file storage using 256-bit AES encryption, the new U.S. Federal standard that replaces DES.
• NAT-friendly encrypted FTP to and from networks using Network Addess Translation.
• Firewall-friendly passive FTP using as few as 4 firewall ports, not the typical 64,000 ports.
• Upload confirmation provided to users so that they know their files have transferred successfully.
• Arrival notification to designated users via e-mail alerting them that specific files have been received.
• Web form data collection and management, including conversion to CSV and XML file formats.
• Web accessible audit trail documentation of each action to each file, and by each end-user.

Most FTP servers require FTP clients. The company enables organizations to use the commonly available Internet Explorer in place of an FTP client. The company provides its agent for Internet Explorer, MOVEit Wizard, free of charge. MOVEit Wizard enables secure FTP functionality over Internet Explorer and is designed to make it easier to zip and upload files to MOVEitDMZ. Companies should find this useful because Internet Explorer is already on most desktops, and also because most users are already familiar with it, wheras they may not be familiar with any of the various FTP clients.

Because MOVEitDMZ is Web-accessible, the potential for compromise exists. However, the company has taken a number of steps reduce the likelihood of security breaches. For example:

• Authorization: MOVEit DMZ enables administrators to set specific authorizations on a per user basis that govern which folders on MOVEit DMZ an end-user can access, and what actions they can and cannot take in regard to the files in each folder.
  
• Authentication: MOVEit DMZ requires a valid user name and password in order to log in. The user name and password are tied to the authorizations listed above. MOVEit DMZ offers a variety of password management options to the administrator, including aging, length, characters, and an old password history file. These can be used to force users to adopt robust passwords.
  
• Session Aging: MOVEit DMZ can be set to automatically logout users whose sessions have not been active for a configurable period of time. This means users need to re-authenticate/login again.
• Caching: MOVEit DMZ restricts the browser from caching MOVEit DMZ pages.

Pricing and availability
MOVEitDMZ v. 2.2 is available now. Tentative users may request a free 30-day trial version of the software.

Number of Enterprises	Price Range
Up to 5	$7,000 to $8,000
Up to 10	$10,000 +
Up to 25	$15,000+
Up to 50	$22,000 to $23,000

Depending on features requested, a perpetual license costs between U.S.$4,000 and U.S.$5,000 for a single enterprise. The license has no restrictions on number of users, number of uploads, or number of files stored. For organizations that wish to resell the product on an ASP-like model, pricing is more complex (right).

—End