
RE: FTP to VAN

From: "Shan Harter" <shan@...>
Date: Wed Feb 18, 2004  7:52 pm
Subject: RE: [EDI-L] FTP to VAN
Keep in mind that just because something has not happened or has not been
disclosed doesn't mean it won't happen. For example, for years the
government has known about the potential to use a commercial airliner as a
weapon; it took until 9/11 for it to happen, and what was the cost?
You tell me.

I know I would not want to be the one that had to explain to my CEO or my
investors that I could have prevented a financial disaster at minimal cost
but decided it was too easy not to and didn't feel or believe that there
was a risk or that it was possible, or that everybody else does not do it
so why should I?

I'd love to live in a Disneyland world, but as we have seen this is not the
case in our world.

Good luck,

Regards,

Shan





-----Original Message-----
From: Epshteyn, Vladimir
Sent: Wednesday, February 18, 2004 11:57 AM
Subject: RE: [EDI-L] FTP to VAN


I'm not a big guru in security aspects of EDI, but I guess, if such
reputable VANs like Advantis, Sterling etc. do not request any "security
vulnerabilities", that means they have not gotten any problems with any of
their customers since they offered their VAN services. Probably it's not
that easy to do what was described in a couple of posts earlier today.

Vladimir

-----Original Message-----
From: SAFExchange Services
Sent: Wednesday, February 18, 2004 10:15 AM
Subject: Re: [EDI-L] FTP to VAN
Importance: Low

Shan makes a good point--anything other than open (unprotected) FTP is
necessary. I am surprised to hear that a reputable VAN like QRS/Advantis
would allow the use of open FTP for EDI exchanges! That would appear to
expose the VAN to high liabilities. I am wondering why a manager at any VAN
or major business site would ignore the well-known security vulnerabilities
of open FTP and agree to its long-term, regular use for such high-value
transactions? Am I missing something?

Bob Frank
Open Commerce SAFExchange Services
Pleasanton, CA

----- Original Message -----
From: "Shan Harter"
To: "'Epshteyn, Vladimir'"
Sent: Wednesday, February 18, 2004 8:33 AM
Subject: RE: [EDI-L] FTP to VAN


> The issues with FTP are known, such as denial of service attacks and many
> others listed in http://www.rfc-editor.org/rfc/rfc2577.txt (or see it at
> IETF).
>
> The real problem is malicious behavior. Since FTP user IDs and passwords
> are in the clear, it's easy to get them. Most of the issues would be
> someone trying to "hurt" the company in some way. Theft may also occur.
> Say someone intercepted the passwords, then captured some orders worth
> 1000's or millions and changed the address or the order quantity and
> directed to a warehouse somewhere where they picked it up.
>
> This is just one of millions of possibilities. I have rarely seen it
> happen but the possibility is out there.
>
> I strongly recommend that you go with an ebXML solution (over SSL) or AS2
> (over SSL). Even NAESB 1.6 (with SSL) is better than FTP. Some VANs
> support AS2. ebXML is still too new to them, I would imagine, but there
> are "hubs" that support ebXML as a simple command line client (like ftp)
> but with the SSL component, and they have the interconnects to other VANs
> such as GEIS, Sterling, etc.
>
> The main issue is: if you can't encrypt your payload (an order 850, let's
> say) with GNUPG or some method, then at least encrypt your transmission.
>
> Regards,
>
> Shan
>
> Shan Harter
> VP of Project Services
> Systrends, Inc.
> 7855 S. River Pkwy, Suite 111, Tempe, AZ 85284-2510
> Phone 480-756-6777, Fax 480-756-9755
>
> -----Original Message-----
> From: Epshteyn, Vladimir
> Sent: Wednesday, February 18, 2004 9:06 AM
> Subject: RE: [EDI-L] FTP to VAN
>
>
> We are using FTP (just regular FTP) with QRS (Advantis) and we have used
> it for a while. During the last several years we did not have any issues
> with security or any other major issues at all.
>
> Vladimir
>
> -----Original Message-----
> From: Earl Wertheimer
> Sent: Tuesday, February 17, 2004 2:08 PM
> Subject: Re: [EDI-L] FTP to VAN
>
> Tracy
>
> > For those using ftp to your van, are you worried about security? If
> > so, what are you doing about it? I am specifically interested in QRS
> > and Sterling VANs. We will be using GIS as our translator on a Unix
> > box.
>
> I've never had a client complain about the lack of security... yet.
> The Trading Partners, WalMart in particular, are a whole different story.
>
> QRS is supposed to be pretty secure, but I don't have any clients
> connecting to QRS/Advantis using ftp yet. They are still on dial-up ;-)
>
> Sterling just uses straight ftp, and it hasn't been a problem.
>
> Earl Wertheimer
> http://www.spe-edi.com
>
> Please use the following Message Identifiers as your subject prefix:
> <SALES>, <JOBS>, <LIST>, <TECH>, <MISC>, <EVENT>, <OFF-TOPIC>
> Access the list online at: http://groups.yahoo.com/group/EDI-L
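
Added example, not part of any message in this thread: a Python check over an FTP server's command log that flags sessions where the login or the file transfer went over the wire unencrypted, the exposure Shan's quoted message describes. It assumes FTP over TLS (the RFC 4217 `AUTH TLS` and `PROT P` commands) as the way to "encrypt your transmission", which the thread does not name; the log layout, the helper `audit_session`, and the sample sessions are constructed for illustration.

```python
# Audit FTP sessions from a server command log for cleartext exposure.
# Assumption: each session is the ordered list of client commands the
# server accepted. AUTH TLS and PROT P are the RFC 4217 commands.

TRANSFER_VERBS = {"STOR", "STOU", "APPE", "RETR"}

def audit_session(commands):
    """Return sorted findings for one session (hypothetical helper)."""
    tls = False           # control channel encrypted after AUTH TLS
    private_data = False  # data channel encrypted while PROT P is in effect
    findings = set()
    for line in commands:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()
        arg = parts[1].strip().upper() if len(parts) > 1 else ""
        if verb == "AUTH" and arg == "TLS":
            tls = True
        elif verb == "PROT":
            # PROT C (clear) switches data-channel protection back off
            private_data = tls and arg == "P"
        elif verb in ("USER", "PASS") and not tls:
            findings.add("cleartext-credentials")
        elif verb in TRANSFER_VERBS and not private_data:
            findings.add("cleartext-data")
    return sorted(findings)

# Constructed sessions (not captured traffic); user and file are placeholders.
PLAIN_FTP = ["USER edi_partner", "PASS example-password", "TYPE I",
             "PASV", "STOR po850.edi", "QUIT"]
FTPS_FULL = ["AUTH TLS", "USER edi_partner", "PASS example-password",
             "PBSZ 0", "PROT P", "PASV", "STOR po850.edi", "QUIT"]
FTPS_CONTROL_ONLY = ["AUTH TLS", "USER edi_partner", "PASS example-password",
                     "PASV", "STOR po850.edi", "QUIT"]

if __name__ == "__main__":
    for name, session in [("plain", PLAIN_FTP), ("ftps", FTPS_FULL),
                          ("ftps-control-only", FTPS_CONTROL_ONLY)]:
        print(name, audit_session(session) or "ok")
```

The third session shows why protecting the login alone is not enough: without `PROT P` the 850 itself still travels in the clear.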