RE: FTP to VAN

I'm not a big guru in security aspects of EDI, but I guess, if such
reputable VANs like Advantis, Sterling etc. do not request any "security
vulnerabilities", that means they have not gotten any problems with any of
their customers since they offered their VAN services. Probably it's not
that easy to do what was described in a couple of posts earlier today.
Vladimir
-----Original Message-----
From: SAFExchange Services [mailto:
Sent: Wednesday, February 18, 2004 10:15 AM
To:
Subject: Re: [EDI-L] FTP to VAN
Importance: Low
Shan makes a good point--anything other than open (unprotected) FTP is
necessary.
I am surprised to hear that a reputable VAN like QRS/Advantis would allow
the use of open FTP for EDI exchanges! That would appear to expose the VAN
to high liabilities. I am wondering why a manager at any VAN or major
business site would ignore the well known security vulnerabilities of open
FTP and agree to its long-term, regular use for such high-value
transactions? Am I missing something?
Bob Frank
Open Commerce SAFExchange Services
Pleasanton, CA
----- Original Message -----
From: "Shan Harter" <
To: "'Epshteyn, Vladimir'" <
<
Sent: Wednesday, February 18, 2004 8:33 AM
Subject: RE: [EDI-L] FTP to VAN
> The issues with FTP are known, such as denial of service attacks and many
> others listed in
> http://www.rfc-editor.org/rfc/rfc2577.txt (or see it at IETF)
>
> The real problem is malicious behavior. Since FTP user IDs and passwords
> are in the clear, it's easy to get them. Most of the issues would be
> someone trying to "hurt" the company in some way. Theft may also occur.
> Say someone intercepted the passwords then captured some orders worth
> 1000's or millions and changed the address or the order quantity and
> directed to a warehouse somewhere where they picked it up.
>
> This is just one of millions of possibilities. I have rarely seen it
> happen but the possibility is out there.
>
> I strongly recommend that you go with an ebXML solution (over SSL) or AS2
> (over SSL). Even NAESB 1.6 (with SSL) is better than FTP. Some VANs
> support AS2. ebXML is still too new to them, I would imagine, but there
> are "hubs" that support ebXML as a simple command line client (like ftp)
> but has the SSL component, and they have the interconnects to other VANs
> such as GEIS, Sterling, etc.
>
> The main issues are if you can't encrypt your payload (an order 850, let's
> say) with GNUPG or some method, then
> at least encrypt your transmission.
>
> Shan
> Regards,
>
> Shan
>
>
> Shan Harter
> VP of Project Services
> Systrends, Inc.
> 7855 S. River Pkwy, Suite 111, Tempe, AZ 85284-2510
> Phone 480-756-6777, Fax 480-756-9755
>
>
>
>
>
>
>
> -----Original Message-----
> From: Epshteyn, Vladimir [mailto:
> Sent: Wednesday, February 18, 2004 9:06 AM
> To:
> Subject: RE: [EDI-L] FTP to VAN
>
>
> We are using FTP (just regular FTP) with QRS (Advantis) and we have used
> it for a while. During the last several years we did not have any issues
> with security and any other major issues at all.
>
> Vladimir
>
> -----Original Message-----
> From: Earl Wertheimer [mailto:
> Sent: Tuesday, February 17, 2004 2:08 PM
> To:
> Subject: Re: [EDI-L] FTP to VAN
>
> Tracy
>
> > For those using ftp to your van, are you worried about security? If
> > so, what are you doing about it? I am specifically interested in QRS
> > and Sterling VAN's. We will be using GIS as our translator on a Unix
> > box.
>
> I've never had a client complain about the lack of security... yet.
> The Trading Partners, WalMart in particular, are a whole different story.
>
> QRS is supposed to be pretty secure, but I don't have any clients
> connecting to QRS/Advantis using ftp yet. They are still on dial-up ;-)
>
> Sterling just uses straight ftp, and it hasn't been a problem.
>
> Earl Wertheimer
>
> http://www.spe-edi.com
>
>
>
> .
> Please use the following Message Identifiers as your subject prefix:
> <SALES>, <JOBS>, <LIST>, <TECH>, <MISC>, <EVENT>, <OFF-TOPIC>
> Access the list online at: http://groups.yahoo.com/group/EDI-L
>
> Yahoo! Groups Links
>
>
>
>
>
> [Non-text portions of this message have been removed]
[Non-text portions of this message have been removed]
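
An added example, not part of the original thread: a Python check over a server-side FTP command log that flags sessions where the password or the EDI payload crossed the wire unencrypted, based on the `AUTH TLS` and `PROT P` commands of RFC 4217 (FTP over TLS). The log format, session ids, account and file names are constructed for the example.

```python
# Constructed server-side FTP command log: "<session> <C|S> <line>" (assumed format).
SAMPLE_LOG = """\
s1 C USER acme_edi
s1 C PASS ********
s1 C STOR po850_0218.edi
s2 C AUTH TLS
s2 S 234 Proceed with negotiation
s2 C USER acme_edi
s2 C PASS ********
s2 C STOR po850_0219.edi
s3 C AUTH TLS
s3 S 234 Proceed with negotiation
s3 C PASS ********
s3 C PBSZ 0
s3 C PROT P
s3 S 200 Protection set to Private
s3 C STOR po850_0220.edi
s4 C AUTH TLS
s4 S 534 TLS not available
s4 C PASS ********
"""

DATA_CMDS = {"STOR", "RETR", "APPE", "LIST", "NLST"}

def audit_ftp_sessions(log_text):
    """Map each session to findings about cleartext credentials or data."""
    state, findings = {}, {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        sid, side, verb = parts[0], parts[1], parts[2].upper()
        arg = parts[3].upper() if len(parts) > 3 else ""
        st = state.setdefault(sid, {"pending": "", "tls": False, "prot_p": False})
        out = findings.setdefault(sid, [])
        if side == "S":
            # AUTH/PROT only take effect when the server accepts them.
            if st["pending"] == "AUTH" and verb == "234":
                st["tls"] = True
            elif st["pending"] == "PROT" and verb == "200":
                st["prot_p"] = st["tls"]
            st["pending"] = ""
        elif verb == "AUTH" or (verb == "PROT" and arg == "P"):
            st["pending"] = verb
        elif verb == "PASS" and not st["tls"]:
            out.append("password sent in cleartext")
        elif verb in DATA_CMDS and not st["prot_p"]:
            out.append("%s on unprotected data channel" % verb)
    return findings
```

Session s2 shows why a TLS login alone is not enough: without `PROT P` the data channel carrying the 850 stays in the clear. Session s4 shows a refused `AUTH TLS` followed by a cleartext login.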