[unisog] Ftp access to Web servers

Jim Dillon Jim.Dillon at cusys.edu
Wed Jun 12 00:24:54 GMT 2002


Please don't read too much into this, or take it as just an attack against
your position - I share some of your concern - particularly in understanding
user requirements and environments, however: 

If you don't have the resources to do something well, should you be doing it
at all?  

I'm afraid that under the guise of academic freedom and the apparent
simplicity of doing many things, that we all to often allow end-users to do
many things, without a careful, studied review of the real impact to other
users and the ongoing costs/impact of the decision.  Because I can set up an
FTP server cheaply does not imply I should - there are real economics
involved.  That server may cost 10 - 100 times its purchase price to support
and network over the course of time, and too often we back away from the
end-user without challenging the assumption that this really meets their
needs.  It may in fact undermine the needs of the many by exposing a trusted
address/machine to the net that in reality cannot be trusted due to its poor
security practice.  This long-term support cost and failed security may
cause more harm than it provides in service value.

Do not get me wrong, I fully believe that IT is a service function, and our
ultimate goal is to provide service to the academic, research,
administrative, and student services functions, which involves accepting
some risk.  I do not believe however that this service should always be
provided unchallenged.  The main problem is we do not typically have the
robust technical voice, managerial presence, or even the skills to clearly
demonstrate the risks/concerns and the Total Cost (TCO anyone) of a

All to often end-users believe the CompUSA or Gateway advertised price is
the cost of implementing a solution, and they overlook the infrastructure
impact on the other side. (It came with a wireless card, so I turned it on!)
They should be steered (gently mind you) to that understanding, and prodded
to make good economic choices.  Economic limitation is a real barrier we
can't make go away by wishing it so.  We do not serve our users by allowing
them to cut their own throats (or their neighbor's) without at least warning
and guiding them to a reality-based assessment.

You too were concerned with the economic impact on the end user, so I think
we share the same dilemma.  I don't want that to be the excuse for not
touting or recommending strong practices however!!!  We best serve our
institutions when we can clearly define the cost and impact of a technology
enhancement or solution, and help them avoid costly incrementalism that will
ultimately create a brittle, fragile environment with little security (think
availability and continuity) assurance.  I fear our over-taxed
infrastructures may someday fail us if we don't learn to provide this
service well.

Best regards,


Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

-----Original Message-----
From: Karen A Swanberg [mailto:swanberg at tc.umn.edu]
Sent: Tuesday, June 11, 2002 2:36 PM
To: Reg Quinton
Cc: unisog at sans.org
Subject: Re: [unisog] Ftp access to Web servers

on 06/11/02, Reg Quinton wisely declared:

> > The PuTTY clients (SSH2, SCP, SFTP) are good stuff too,
> > http://www.chiark.greenend.org.uk/~sgtatham/putty/

> Why would one even think about FTP?

I'm sorry, I have to chime in on this one. I'm a bit stunned at how often
I get this response in the academic community. Many in the academic
community have neither the funds, the equipment, the time, the abiltiy or
the wherewithall to set up VPN's or certificate servers. Certainly not in
many K-12 situations, and in many small departments such as mine. I've
been working on a solution for port forwarding ftp through SSH for a while
now (mostly a documentation project), and I'm amazed at how often it comes
in handy. Or is _required_ by many propriatary or un-updatable software.

1) Many applications which are in common use have ftp built in but do not
have SSH capabilities. E.g. Dreamweaver 3.0 and before, many data
collecting programs, and Netscape Composer (4.79 and before), to name a

2) I've talked to two seperate vendors of netappliance and remote network
monitoring tools in the last six months that are sending critical security
data (e.g. video camera of server room, processeses running on
workstations) across the internet via ftp. When I asked them about SSH (or
relatives) their responses were variously a) SSH is too processor
intensive, b) who'd want to look at this data anyway and c) OpenSSH is too
buggy/has to be patched too often. Granted, this is *their* problem, but
we have to work with this attitude in vendors all of the time.

3) Some users will simply not change their applications. They know Fetch,
they'll use Fetch, and if a SysAdmin tries to force them to use something
else, they'll go over the SysAdmin's head.

and I've run up against a few others.

As I said, I'm doing some write-ups on how to port forward FTP to various
Server OS's, so what is below is very incomplete, but this is a system
which allows port forwarded FTP to *BSD servers, and I'll be including
Linux, OS X and Windows soon. The nice thing about this is that the user
can set up the tunnel once on each client, open it, and use their own
familiar applications. Clients are Win and Mac:

(These are all works in progress...)

How to set up the SSH server to allow port forwarded SSH (on BSD, I'm
working on other platforms):

How to set up a Mac client:

How to set up a PC client:

And a SSH/VPN info page for the non-computer savvy:

I hope these can help a few people out who are in tight spots. My uses
have found this system to access my webserver to be pretty easy, even
those users who are very stubborn.


-                                                                  -
    Karen Swanberg | Sys Admin | Dept. of Geology and Geophysics    
206 Pillsbury Hall | 310 Pillsbury Ave. SE | University of Minnesota
     Minneapolis, MN 55455  (612) 624-6541  (612) 625-3819 (f)

 Ever try to blow dry a wet werewolf? Well, I wouldn't recommend it.
-                                          -Fredrick Obermeyer     -

More information about the unisog mailing list