Secure File Transfer Solution

blemoine

Senior member
Jul 20, 2005
312
0
0
GUIDELINES: I need a solution so customers can send files. The files are less than a MB. This solution needs to be secure & somewhat retard proof. Customers should not be able to access other customers' files. It also needs to prompt them for a username & password. Impossible for customers to access anything else on our LAN.


MY IDEA/OUR CURRENT SETUP: We have two branch offices that are connected via IPsec tunnel over DSL. We don't host our own website. I was thinking about setting up Red Hat on a machine and plugging it into the DMZ port on the firewall. The Red Hat machine would be running SFTP. Clients could connect to the machine using WinSCP & drag and drop their files into their folder.


QUESTIONS/ALTERNATIVES: I have looked at alternatives and the cost is $1250.00 to $4500.00. These are good but I would have to wait until next year since I have not planned for this in this year's budget.
1. Are these statements true about a DMZ? DMZ = hosts in the DMZ may not connect to the internal network but may connect to the external network. Hosts in the DMZ are not filtered by the firewall from outside traffic.
2. If they are true, should I put a firewall between my Red Hat box and my DMZ port on my firewall?
3. Will we be able to access the Red Hat box to retrieve the files from our internal network?
4. Is this even a good idea or am I a complete idiot and need to take a totally different approach?


please give ideas, suggestions, pros & cons. thanks
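
An added example, not part of the original post: a check that the sshd_config `Match` block for customer accounts enforces the requirements above (each customer jailed to their own folder, SFTP only, no forwarding that could reach the LAN from the DMZ box). The group name `sftpcustomers`, the `/srv/sftp` path and both sample configs are constructed assumptions.

```python
# Added example: audit the sshd_config Match block applied to customer accounts.
# Group "sftpcustomers", path /srv/sftp and both configs below are constructed.
REQUIRED = {
    "chrootdirectory": None,          # any value except "none": per-user jail
    "forcecommand": "internal-sftp",  # SFTP only, no shell
    "allowtcpforwarding": "no",       # no tunnelling from the DMZ host to the LAN
    "x11forwarding": "no",
    "permittunnel": "no",
}

def match_block(config_text, group):
    """Return {keyword: value} from 'Match Group <group>' blocks, or None."""
    block, inside = None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # a Match block runs until the next Match line or EOF
            crit = value.split()
            inside = len(crit) == 2 and crit[0].lower() == "group" and crit[1] == group
            if inside and block is None:
                block = {}
        elif inside and key not in block:  # sshd keeps the first value it sees
            block[key] = value
    return block

def audit(config_text, group):
    """Return findings; an empty list means the block sets every required option.
    Stricter than sshd itself: a global default does not count, it must be explicit."""
    block = match_block(config_text, group)
    if block is None:
        return [f"no 'Match Group {group}' block"]
    findings = []
    for key, wanted in REQUIRED.items():
        got = block.get(key)
        if got is None or (wanted is None and got.lower() == "none"):
            findings.append(f"{key}: not set in Match block")
        elif wanted and got.split()[0].lower() != wanted:
            findings.append(f"{key}: '{got}', expected '{wanted}'")
    return findings

# The chroot target itself must be root-owned and not writable by the customer;
# uploads go into a subdirectory the customer owns.
WEAK = "Subsystem sftp internal-sftp\nMatch Group sftpcustomers\n  ChrootDirectory /srv/sftp/%u\n"
HARDENED = WEAK + "  ForceCommand internal-sftp\n  AllowTcpForwarding no\n  X11Forwarding no\n  PermitTunnel no\n"

if __name__ == "__main__":
    print(audit(WEAK, "sftpcustomers"))
    print(audit(HARDENED, "sftpcustomers"))
```

On a live server, `sshd -T` with a `-C user=<name>` connection spec prints the settings sshd actually applies to that account, including global defaults this text-only check ignores.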


 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Traffic going to DMZs should be filtered by a firewall. Hosts in the DMZ generally shouldn't be making outbound connections.

sFTP is what popped into my head first.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Just throwing some ideas out for you:

sFTP is great but I wouldn't consider it "retard proof" since it generally requires a client install/someone who can handle the basics.

If it were me I would want customers to be able to use something that they are most likely going to already have and have easy/short documentation for how to go about doing it. The idea is the fewest calls to the helpdesk walking customers through this stuff.

I would probably end up going with WebDAV over SSL; if costs are a major concern you could do Server 2003 Web Edition (~$300) plus hardware. It should be possible to do this with Linux as well but I don't have any experience with WebDAV on Linux.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Or of course the most "retard proof" way would be to write a web app that does it. Then all the end user has to do is use a web form to browse for the file; authentication could be built in however you desire.
 

FreshPrince

Diamond Member
Dec 6, 2001
8,363
1
0
The makers of wsftp make an FTP server that you can connect to via web browser with SSL.

That's probably your best bet if you want secure with no client app involved.

-FP
 

blemoine

Senior member
Jul 20, 2005
312
0
0
One of the alternatives is to use a web application that would allow them to make an SSL connection. Cost is a concern because I don't have it in this year's budget and I would have two customers using it at first. Once we get it set up then we would have many more using it.

Freshprince: what is wsftp? Where can I go to find out about it?
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
n.m.
I was going to say that you could quickly set up a SharePoint SSL site, but you don't have Windows Server.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Originally posted by: spyordie007
Or of course the most "retard proof" way would be to write a web app that does it. Then all the end user has to do is use a web form to browse for the file; authentication could be built in however you desire.
That's how I do it with my site. I use home-made ASP pages for login and file uploads/downloads. That site has been up for two years with zero calls from clients on how to use it. I've got a "Help! I forgot my password!" page to automatically re-send them their password if they forgot it.

Actually, with ASP.NET, this is getting a LOT easier.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Once we get it set up then we would have many more using it.
Then I would not use SharePoint; you'd need a CAL for each user, which could quickly get expensive.

I say build a web app to do this; if you don't know how to do it, hire a development consultant. Any dev worth their salt could build an app like this for you in short order.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Originally posted by: spyordie007
Once we get it set up then we would have many more using it.
Then I would not use SharePoint; you'd need a CAL for each user, which could quickly get expensive.
Yeah, my original reply included a note about CALs. It's not a big deal if you only have a few clients. Could be a lot cheaper than writing a custom site. But for lots of clients, "free" forms-based authentication is cheaper. There's also the security risk if you somehow don't manage those Windows accounts properly and users get rights you didn't intend for them.
 

FreshPrince

Diamond Member
Dec 6, 2001
8,363
1
0
Originally posted by: blemoine
One of the alternatives is to use a web application that would allow them to make an SSL connection. Cost is a concern because I don't have it in this year's budget and I would have two customers using it at first. Once we get it set up then we would have many more using it.

Freshprince: what is wsftp? Where can I go to find out about it?

Actually, I have my cuteftp and wsftp clients confused....oop.

here's the link globalscape eft server

eft client

video showing you how it all works
 

blemoine

Senior member
Jul 20, 2005
312
0
0
Here is the rest of the story. I work at a small bank. The files that are going to be sent are payroll ACH files (direct deposit). They send them to us and then we send them to our processor and then accounts are credited with the proper amounts. So of course security is top priority. With all that being said, if we go with a web app solution we have one that we have already scouted out and we know will pass an FDIC exam. The ideal situation would be for us to get a separate DSL connection and have a secure FTP server or even let customers make a VPN connection. That way they would be physically separated from the rest of the network. We use Windows servers & workstations. I would like to use Linux because I wouldn't have to buy any licenses of any sort. But either way, before I can implement anything I will have to pass my idea by our auditor to see if it would pass inspection.

I really appreciate everyone's ideas and thoughts. Please keep them coming.
 

FreshPrince

Diamond Member
Dec 6, 2001
8,363
1
0
Originally posted by: blemoine
Here is the rest of the story. I work at a small bank. The files that are going to be sent are payroll ACH files (direct deposit). They send them to us and then we send them to our processor and then accounts are credited with the proper amounts. So of course security is top priority. With all that being said, if we go with a web app solution we have one that we have already scouted out and we know will pass an FDIC exam. The ideal situation would be for us to get a separate DSL connection and have a secure FTP server or even let customers make a VPN connection. That way they would be physically separated from the rest of the network. We use Windows servers & workstations. I would like to use Linux because I wouldn't have to buy any licenses of any sort. But either way, before I can implement anything I will have to pass my idea by our auditor to see if it would pass inspection.

I really appreciate everyone's ideas and thoughts. Please keep them coming.

If that's the case, you will need a FIPS-compliant secure file server and oh, the globalscape eft server supports it.

<-- works for financial institution as well

 

Darthkim

Senior member
Dec 11, 1999
204
0
0
Originally posted by: FreshPrince
Originally posted by: blemoine
One of the alternatives is to use a web application that would allow them to make an SSL connection. Cost is a concern because I don't have it in this year's budget and I would have two customers using it at first. Once we get it set up then we would have many more using it.

Freshprince: what is wsftp? Where can I go to find out about it?

Actually, I have my cuteftp and wsftp clients confused....oop.

here's the link globalscape eft server

eft client

video showing you how it all works



Dude, that solution starts at 20K.

We use SecureFTP here, but if you want the SSL option, it costs 2k.

Yes, I'll state the obvious.

The actual cost of the SecureFTP server is 500 BUT the SSL option costs 2k. Go figure.
 

her209

No Lifer
Oct 11, 2000
56,352
11
0
Originally posted by: RebateMonger
n.m.
I was going to say that you could quickly set up a SharePoint SSL site, but you don't have Windows Server.
Yes, the OP should look into SharePoint Services. It's free from Microsoft for Windows 2003 Server Editions.
 

her209

No Lifer
Oct 11, 2000
56,352
11
0
Originally posted by: spyordie007
Once we get it set up then we would have many more using it.
Then I would not use SharePoint; you'd need a CAL for each user, which could quickly get expensive.

I say build a web app to do this; if you don't know how to do it, hire a development consultant. Any dev worth their salt could build an app like this for you in short order.
Are you talking about SharePoint Services or SharePoint Portal Server that needs CALs?
 