Task 7.9: Performing Secure File Exchange
Identifying the individuals you communicate with via the Internet is just one of the tasks that a security professional is faced with. Many times, you are going to want to send or receive files from these individuals. This needs to be done in a secure way to protect the confidentiality and integrity of the information.
Scenario
Individuals in your company need to send and receive files to a branch that is opening in India. Management has tasked you with coming up with a way to do this securely.
Scope of Task
Duration
This task should take about 30 minutes.
Setup
For this task, you need two Windows XP, Windows Vista, or Windows 7 computers; access to the Administrator account; and an Internet connection.
Caveat
Although there are secure methods to send and receive information, attackers may still attempt to analyze the flow and amount of encrypted traffic that moves between two parties. If the flow of information increases, they may infer that a significant event is about to occur.
Procedure
In this task, you will learn how to implement a secure alternative to File Transfer Protocol (FTP).
Equipment Used
For this task, you must have:
- Two Windows XP computers
- Access to the Administrator account
- An Internet connection
Details
This task will teach you how to set up a Secure FTP (SFTP) server and use it to send and receive files securely.
Setting Up an SFTP Server
1. This task will involve using the VShell server software from http://vandyke.com/. The program can be downloaded as a 30-day trial by going to VanDyke Software’s site and choosing the Download option.
2. During the installation, accept the default settings and continue with the setup; allow the system to reboot as needed once the installation is complete.
3. After the reboot, VShell will automatically load the VShell dialog box.
4. Look first at the Access Control category. VShell uses your existing Windows user accounts and privileges; there is no need to set up another user list. If you were running this on a production server, you could simply use the list of users already built in.
5. In the VShell dialog box, click the Access Control category on the left side. This opens the Access Control dialog box. In the Name area, you will want to add at least one user. Click the Add button and then enter a username. For this example, we created the user Jerry to test the account.
6. Make sure that Allow is checked next to the SFTP option and that all other options are left blank.
7. Select the SFTP category on the left side of the dialog box.
8. Select the folders that you want your users to have access to. It’s a good idea to limit users to a selected subfolder.
9. Use Windows Explorer to browse to the C: drive and create a folder named SFTP.
10. Return to the VShell program and click the Add button under the SFTP Options category.
11. In the SFTP Root Path dialog box, in the SFTP Root field add the SFTP folder you created in the last step. Name it root in the Alias field. Then click OK.
12. Click OK to save your configuration.
13. You have now completed the setup of your SFTP server.
Setting Up an SFTP Client
Now that you have set up an SFTP server, you will want to check it out to see how it works. To do so, you will need an SFTP client. For this task, you will use WinSCP. It is a free SFTP client that you can download.
1. Download the WinSCP client by going to http://winscp.net/eng/index.php.
2. To execute the program, simply open it; no installation is necessary.
3. Once WinSCP is open, enter the IP address of the server on which you have installed VShell. You will also need to enter the username and password of the account that had SFTP enabled.
4. WinSCP will now connect to the VShell, which is the SFTP server. Upon connection, it will open the folder you have configured as the default folder.
5. You can now upload or download files as you like from this folder, as no restrictions have been established.
6. The real value of SFTP over FTP is that the communication channel is secure and items like usernames and passwords are not passed in clear text. To see this yourself, download a copy of Wireshark, which is available at www.wireshark.org. Once installed, it can be used to capture encrypted and unencrypted traffic. If you were to capture SFTP traffic, you would see that the information above the TCP level is actually encrypted.
Criteria for Completion
You have completed this task when you have set up an SFTP server, connected to it with an SFTP client, and verified its operation.