EDI-L Mailing List Archive
Re: FTP to VAN

On Wed, 18 Feb 2004, SAFExchange Services wrote:
> Shan makes a good point--anything other than open (unprotected) FTP is
> necessary. I am surprised to hear that a reputable VAN like QRS/Advantis
> would allow the use of open FTP for EDI exchanges! That would appear to
> expose the VAN to high liabilities. I am wondering why a manager at any
> VAN or major business site would ignore the well known security
> vulnerabilities of open FTP and agree to its long-term, regular use for
> such high-value transactions? Am I missing something?
Bob,
Some transactions aren't high-value, and some companies are comfortable
using plaintext transmissions with no encryption whatsoever; that's their
decision. Making this an option doesn't introduce additional liabilities
for the VAN, as long as the VAN maintains security within their systems.
You may not realize it, but all the email you send and receive is also
plaintext communications, just like FTP. It can either be sniffed as you
send it to your mail server using SMTP, or as it is being bounced from
mail server to mail server on the way to its final destination. This is
of course assuming you don't use PGP or S/MIME to secure all your email.
Likewise, if you check your email using either POP3 or IMAP without SSL,
your password can be sniffed by anyone who happens to be packet sniffing.
In reality, your competitors aren't going to be sniffing traffic on the
Tier 1 or 2 Internet backbone through which you connect as you send your
purchase orders or invoices along to your VAN for processing. However,
security is always a good thing, and things such as VPN tunnels, AS2
connections, S/FTP, HTTPS, and other such protocols do help things.
Some of my favorites for further reading:
http://www.amazon.com/exec/obidos/tg/detail/-/0471413569/
http://www.schneier.com/book-applied.html
> ----- Original Message -----
> From: "Shan Harter" <
> To: "'Epshteyn, Vladimir'" <
> <
> Sent: Wednesday, February 18, 2004 8:33 AM
> Subject: RE: [EDI-L] FTP to VAN
> > The issues with FTP are known such as denial of service attacks and
> > many others listed in http://www.rfc-editor.org/rfc/rfc2577.txt (or see
> > it at IETF)
> > The real problem is malicious behavior. Since FTP user ID's and
> > passwords are in the clear it's easy to get them. Most of the issues
> > would be someone trying to "hurt" the company in some way. Theft may
> > also occur. Say someone intercepted the passwords then captured some
> > worth 1000's or millions and changed the address or the order quantity
> > and directed to a warehouse somewhere where they picked it up.
> > This is just one of millions of possibilities. I have rarely seen it
> > happen but the possibility is out there.
> > I strongly recommend that you go with an ebXML solution (over SSL) or
> > AS2 (over SSL). Even NAESB 1.6 (with SSL) is better than FTP. Some
> > VANs support AS2. ebXML is still too new to them, I would imagine,
> > but there are "hubs" that support ebXML as a simple command line
> > client (like ftp) but has the SSL component, and they have the
> > interconnects to other VANs such as GEIS, Sterling, etc.
> > The main issues are if you can't encrypt your payload (an order 850,
> > let's say) with GNUPG or some method, then at least encrypt your
> > transmission.
-- _
__ __ ___ _| | William R. Lorenz <
\ V V / '_| | EC/EDI, Inc. <http://www.ecediinc.com/>
\./\./|_| |_| EDI Outsourcing; VAN Services; B2B E-Commerce
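The thread's point that FTP, POP3, IMAP and SMTP credentials travel in the clear (and that base64 in SMTP AUTH PLAIN is encoding, not protection) is easy to demonstrate. The following is an added example, not code from the original thread or from EC/EDI: a small Python extractor run over a constructed set of client-to-server payload lines with hypothetical hosts, user names and passwords. A real sniffer would feed it TCP payloads reassembled from a capture on any hop between the client and the VAN.

```python
import base64
import re

# Constructed sample of client-to-server lines as a sniffer on the path would
# see them.  Hosts, accounts and passwords are hypothetical.  Port 22 is included
# to show that an SSH/SFTP session yields nothing after the version banner.
SAMPLE_CAPTURE = [
    ("10.0.0.5", "192.0.2.10", 21, "USER ediuser\r\n"),
    ("10.0.0.5", "192.0.2.10", 21, "PASS Hunter2!\r\n"),
    ("10.0.0.5", "192.0.2.10", 21, "STOR PO850_20040218.edi\r\n"),
    ("10.0.0.6", "192.0.2.10", 21, "PASS orphan\r\n"),          # PASS with no USER seen
    ("10.0.0.7", "192.0.2.20", 110, "USER bob\r\n"),
    ("10.0.0.7", "192.0.2.20", 110, "PASS mailpw\r\n"),
    ("10.0.0.8", "192.0.2.20", 143, 'a001 LOGIN "alice" "imap-secret"\r\n'),
    ("10.0.0.9", "192.0.2.25", 25,
     "AUTH PLAIN " + base64.b64encode(b"\0carol\0smtp-pass").decode() + "\r\n"),
    ("10.0.0.9", "192.0.2.22", 22, "SSH-2.0-OpenSSH_3.7\r\n"),
]

# Well-known ports for the plaintext protocols discussed in the thread.
PROTO_BY_PORT = {21: "ftp", 110: "pop3", 143: "imap", 25: "smtp"}

USER_RE = re.compile(r"(?i)USER\s+(\S+)$")
PASS_RE = re.compile(r"(?i)PASS\s+(.*)$")
IMAP_LOGIN_RE = re.compile(r'(?i)\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?$')
AUTH_PLAIN_RE = re.compile(r"(?i)AUTH\s+PLAIN\s+(\S+)$")


def extract_credentials(packets):
    """Return a list of (protocol, server, username, password) tuples found in
    cleartext.  `packets` is an iterable of (src, dst, dst_port, payload)."""
    pending_user = {}  # (src, dst, port) -> username waiting for its PASS line
    found = []
    for src, dst, port, payload in packets:
        proto = PROTO_BY_PORT.get(port)
        if proto is None:
            continue  # not a protocol we know to be plaintext
        line = payload.strip()
        key = (src, dst, port)

        if proto in ("ftp", "pop3"):
            # Both use a two-step USER / PASS exchange on one connection.
            m = USER_RE.match(line)
            if m:
                pending_user[key] = m.group(1)
                continue
            m = PASS_RE.match(line)
            if m and key in pending_user:
                found.append((proto, dst, pending_user.pop(key), m.group(1)))

        elif proto == "imap":
            # LOGIN carries user and password on a single tagged line.
            m = IMAP_LOGIN_RE.match(line)
            if m:
                found.append((proto, dst, m.group(1), m.group(2)))

        elif proto == "smtp":
            # AUTH PLAIN is base64(authzid NUL authcid NUL password): decodable by anyone.
            m = AUTH_PLAIN_RE.match(line)
            if m:
                try:
                    parts = base64.b64decode(m.group(1)).split(b"\0")
                except ValueError:
                    continue  # malformed base64, skip it
                if len(parts) == 3:
                    found.append((proto, dst, parts[1].decode(), parts[2].decode()))
    return found


if __name__ == "__main__":
    for proto, server, user, password in extract_credentials(SAMPLE_CAPTURE):
        print(f"{proto:5} {server:12} user={user!r} password={password!r}")
```

Everything the thread recommends instead (SFTP/SSH, FTPS or HTTPS over TLS, AS2, a VPN tunnel, or at least a GnuPG-encrypted payload) defeats this extractor for the same reason: the login and the document are no longer readable bytes on the wire.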