Hello all....

I have a NetWare 6.5 SP5 FTP server and I am looking into securing the
downloads to it. 

My goals are two-fold:

1. I would like to make it as secure as possible.
2. I would like to make it as easy as possible on my existing users of this
FTP server without compromising goal #1.

How do I do this? (And, please, speak slowly and assume that I know nothing
about setting up an FTP server because I actually know next to nothing.
Detailed instructions are encouraged and would be greatly appreciated.)

Thanks in advance.


 
Delon E. Weuve
Senior Network Engineer
Office of Auditor of State
State of Iowa

Delon Weuve wrote:

> Hello all....
> 
> I have a NetWare 6.5 SP5 FTP server and I am looking into securing the
> downloads to it. 
> 
> My goals are two-fold:
> 
> 1. I would like to make it as secure as possible.
> 2. I would like to make it as easy as possible on my existing users
> of this FTP server without compromising goal #1.

Use a username and password and set the firewall up front to accept
only ftp connections from predefined IP addresses.


-- 
Cheers,
Edward

first thing i would do i read the documentation.  but maybe that's just 
me...   :-)


--
Cheers!
    Richard Beels
    ~ Network Consultant
    ~ Sysop, Novell Support Connection
    ~ MCNE, CNE*, CNA*, CNS*, N*LS

Hello, Edward...

Thanks for the suggestion.

However, that would not make the transmission secure it would only make sure
that the right person is logging in. It wouldn't prevent someone from
eavesdropping and getting the data that way.

Do you know how to get SSL on FTP working on a NetWare 6.5 SP5 server?


 
Delon E. Weuve
Senior Network Engineer
Office of Auditor of State
State of Iowa


>>> On 1/23/2007 at 10:03 PM, in message
<IUAth.6501$Sz4.6232@prv-forum2.provo.novell.com>, Edward van der
Maas<edmaa_remove_this!@and+_this!@myrealbox.com > wrote:
> Delon Weuve wrote:
> 
>> Hello all....
>> 
>> I have a NetWare 6.5 SP5 FTP server and I am looking into securing the
>> downloads to it. 
>> 
>> My goals are two-fold:
>> 
>> 1. I would like to make it as secure as possible.
>> 2. I would like to make it as easy as possible on my existing users
>> of this FTP server without compromising goal #1.
> 
> Use a username and password and set the firewall up front to accept
> only ftp connections from predefined IP addresses.
> 

Hello, Richard...

I did look at the documentation. There is one paragraph about SSL on FTP but
when I turn it on that way described in the documentation, I am unable to
connect via my FTP client. I'm not sure if it is the server or the client in
this case. I'll be checking on that.

I have also checked the knowledge base, etc... They have lots of information
about how to configuration a client for an SSL connection but very little on
the server side to force an SSL connection.

Any other ideas....??

 
Delon E. Weuve
Senior Network Engineer
Office of Auditor of State
State of Iowa


>>> On 1/24/2007 at 12:01 AM, in message
<VA.00001dd7.0702dd88@technologist.com>, Richard Beels
[SysOp]<beels@technologist.com> wrote:

> first thing i would do i read the documentation.  but maybe that's just 
> me...   :-)
> 
> 
> --
> Cheers!
>     Richard Beels
>     ~ Network Consultant
>     ~ Sysop, Novell Support Connection
>     ~ MCNE, CNE*, CNA*, CNS*, N*LS

Delon Weuve wrote:

> Hello, Richard...
> 
> I did look at the documentation. There is one paragraph about SSL on
> FTP but when I turn it on that way described in the documentation, I
> am unable to connect via my FTP client. I'm not sure if it is the
> server or the client in this case. I'll be checking on that.
> 
> I have also checked the knowledge base, etc... They have lots of
> information about how to configuration a client for an SSL connection
> but very little on the server side to force an SSL connection.

You'll probably need to import the certificate I'd say in the client.
Not every FTP client has SSL support though.

-- 
Cheers,
Edward

the bit on how to force an ssl connection is in the docs, configuring 
section...

http://www.novell.com/documentation/oes/ftp_enu/data/a2fbytp.html

you will need to configure the client with the server's cert.


--
Cheers!
    Richard Beels
    ~ Network Consultant
    ~ Sysop, Novell Support Connection
    ~ MCNE, CNE*, CNA*, CNS*, N*LS

Is this helpful at all?

This related to correctly setting up clients to use SSL FTP once it's 
turned on.
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=10085857&sliceId=&dialogID=25079269&stateId=0%200%2025081989

Came upon it when setting up OpenSSH with SFTP which isn't related to 
SSL FTP. Speaking of that any chance you'd use OpenSSH instead? It's a 
lot more secure than FTP from all that I've read and it's free.

You can use WinSCP to attach to it.

SFTPDRIVE or WEBDRIVE are neat ways to map drives to it.

If you try OpenSSH do it with SP6 on. I had issues with LDAP 
authentication with SP%.

-Nyle

Delon Weuve wrote:
> Hello all....
> 
> I have a NetWare 6.5 SP5 FTP server and I am looking into securing the
> downloads to it. 
> 
> My goals are two-fold:
> 
> 1. I would like to make it as secure as possible.
> 2. I would like to make it as easy as possible on my existing users of this
> FTP server without compromising goal #1.
> 
> How do I do this? (And, please, speak slowly and assume that I know nothing
> about setting up an FTP server because I actually know next to nothing.
> Detailed instructions are encouraged and would be greatly appreciated.)
> 
> Thanks in advance.
> 
> 
>  
> Delon E. Weuve
> Senior Network Engineer
> Office of Auditor of State
> State of Iowa
> 

> Is this helpful at all?
> 
> This related to correctly setting up clients to use SSL FTP once it's 
> turned on.
>
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=10085857&sliceId=&dialogID=25079269&stateId=0%200%2025081989
> 
> Came upon it when setting up OpenSSH with SFTP which isn't related to 
> SSL FTP. Speaking of that any chance you'd use OpenSSH instead? It's a 
> lot more secure than FTP from all that I've read and it's free.
> 
> You can use WinSCP to attach to it.
> 
> SFTPDRIVE or WEBDRIVE are neat ways to map drives to it.
> 
> If you try OpenSSH do it with SP6 on. I had issues with LDAP 
> authentication with SP%.
> 
> -Nyle
> 
> Delon Weuve wrote:
> > Hello all....
> > 
> > I have a NetWare 6.5 SP5 FTP server and I am looking into securing the
> > downloads to it. 
> > 
> > My goals are two-fold:
> > 
> > 1. I would like to make it as secure as possible.
> > 2. I would like to make it as easy as possible on my existing users of this
> > FTP server without compromising goal #1.
> > 
> > How do I do this? (And, please, speak slowly and assume that I know nothing
> > about setting up an FTP server because I actually know next to nothing.
> > Detailed instructions are encouraged and would be greatly appreciated.)
> > 
> > Thanks in advance.
> > 
> > 
> >  
> > Delon E. Weuve
> > Senior Network Engineer
> > Office of Auditor of State
> > State of Iowa
> > 
I agree use SSH :) 

I'm not an SSL expert, but I have a lot of experience with using FTP over 
SSL with NWFTPD.NLM.  I'm more of an expert on the FTP side.

NetWare FTP server (NWFTPD.NLM) on NW 6.5 is capable of doing secure FTP 
per RFC 2228.  This is one of those things that as far as what the FTP 
server can control, it "just works" and there is almost nothing to 
configure.  The only thing that you can do with NWFTPD do effect this is 
the setting which determine whether you will allow both secure and 
unsecure connections, or just secure ones.  SECURE_CONNECTIONS_ONLY=YES/NO

As far as what might be wrong if it doesn't "just work":

NWFTPD doesn't support 'implicit' SSL connections, only "explicit".  Some 
FTP clients let you select which type.

Beyond that, either something else is wrong at the client, or something 
is wrong with your NetWare certificate server or the certificate itself.

NWFTPD is hard coded to use SSL CertificateDNS - <servername> so if that 
certificate has a problem, FTP can fail to do secure connections.

Some people test SSL / certificate server by doing a https (secure) 
connection to Portal on that same server, and then if that works they 
think they are fine.  But portal uses SSL CertificateIP by default. If 
you want to test portal using SSL CertificateDNS, httpstk.nlm must be 
loaded differently than the autoexec.ncf normally does it:

NORMAL:
load httpstk.nlm /SSL /keyfile:"SSL CertifiateIP"
TO TEST THE OTHER CERTIFICATE:
load httpstk.nlm /SSL /keyfile:"SSL CertifiateDNS"

(note that the quotes are part of the syntax)

If portal fails either way, then it's a general SSL issue.  If it fails 
just with SSL CertificateDNS, then it's specific to that cert.  
PKIDIAG.NLM may help, either way.

There is no need to import any certificate to the client.  NWFTPD doesn't 
need to receive a cert from the client or anything like that. My 
understanding it that it won't hurt anything to have a client side cert, 
but it doesn't actually accomplish anything when used with NWFTPD. But 
I'm not sure about that part.  I just know that NWFTPD doesn't require 
the client to have a cert of it's own.