FTP of ZIP files

I have a bunch of corporate clients. Their firewalls are locked down pretty hard so the only way I have found to get files to them is to upload a zip file to some private web storage by FTP. They can click and download. It works but it doesn't look great - also I pay for FTP storage and my hosting package is up for renewal so I'm looking at other options.

Amazon S3 looks a good substitute. Anybody have any experiences of it? I think my main worry is that despite its name, it's a really complicated product and I can imagine suddenly getting a massive bill from Amazon for using things I don't even understand :)

Typically I'll be delivering a 50 meg zip file of jpegs once or twice a week. So maybe 2GB through the year. What options are there?

(BTW Dropbox won't work, GDrive won't work, OneDrive definitely won't work, WeTransfer is blocked - pretty much everything you can suggest that isn't FTP of ZIP won't work :D. I'm also not looking for an all in one service - I just need to send 2GB through some heavy duty firewalls.)
 
As someone who administers such firewalls if you can make a good enough case, anything is possible...

Changing service could be a deal breaker with their information security bodies (you're potentially providing both an attack vector for malware and perhaps a mechanism for exfiltrating files) - so check with them before you splash the cash on a new service.

Add to this, if I find one of my users engaging in this through unapproved (by information security) methods you can be sure it will be shut down pronto and searching (career limiting) questions asked.
 
"Hard" copies? Could an optical disc or USB stick be cleared by the clients' cyber security?
 
As someone who administers such firewalls if you can make a good enough case, anything is possible...

Unfortunately InfoSecurity people don't seem to like justifications like "but we've paid a lot of money for these files" :) Main problem is that at one big client they have split hiring me among several different departments so I'd either need corporate exemption (which ain't going to happen) or lots of little permissions.

Try and host your own ftp server from home?

The poor quality of my home internet connection says no.....

"Hard" copies? Could an optical disc or USB stick be cleared by the clients' cyber security?

I can practically feel @hunnymonster's eyes rolling at the idea of USB :) CyberSec hate those things..... :D Also, I hate them when they get lost in the post.
 
It's entirely possible to be that granular (down to the person level) about who gets access. It's the subterfuge that grinds my gears and makes me suspicious.

Infosec/HR have given 3 people their cards in the 2 years I've worked in my current role (in an organisation of just over 1000 people). It isn't a trivial matter.

And yes, USB drive access should be locked down - that's just good practice.
 
As mentioned above, such large organisations have in place security protocols that need to be complied with........even if commissioning departments for external suppliers are buying digital deliverables from a range of suppliers.

What, unless I missed it, I did not see was ~ why not directly ask "the security team" what is their preferred method for delivering digital data? Only by knowing that, surely you can avoid the guesswork that is being discussed;)

However, if their method is a costly one to you or lacks clarity then it beggars the question as to whether they are 'too high maintenance' customer to be selling to???

All the best with finding a mutually acceptable solution :)
 
It may sound a little wacky, but how about they download it at home or over 4G via a personal device and smuggle it back to work any way they can themselves, if it is so badly locked down, which is not your fault.

At the moment I could upload a zip file to my web host via cPanel or an FTP client, but it would have to be gone very quickly due to limited space. Crazy IT rules might still kill the zip file. And as you can guess, they will never properly save it the first time round, leading to further unnecessary exchanges.
Normally it is Mega for me and it's up to them to use a working device as they don't even pay anywhere near what they are supposed to.
 
It's entirely possible to be that granular (down to the person level) about who gets access. It's the subterfuge that grinds my gears and makes me suspicious.

Infosec/HR have given 3 people their cards in the 2 years I've worked in my current role (in an organisation of just over 1000 people). It isn't a trivial matter.

And yes, USB drive access should be locked down - that's just good practice.

It's interesting to see things from "the other side". Like most people, I assume InfoSec are simply there to get in the way - until something bad happens :)

FWIW I don't really think we are circumventing anything. It's a download link on a secure(ish) website containing an unprotected zip file of jpegs. Presumably this should go through all the malware scanners before it opens. Dropbox etc are rightly locked down because as you say, they are a vector for getting information out of the company as well as in.

And don't worry - I get paid well enough to make it worthwhile finding a solution :)

And.....anybody know anything about S3?
 
When you say FTP, is that just for the upload? For the download, is the client clicking on an http(s):// link or an ftp:// link?
 
When you say FTP, is that just for the upload? For the download, is the client clicking on an http(s):// link or an ftp:// link?

http - not ftp for download. Yes, I realise now I confused people by saying FTP.
 
Can you turn the question on its head - how do their infosec people want you to deliver the files?

At my day job things are pretty locked down, to the point that it can make my job difficult to do, but working with the IT team, there is always a way.

With regards to your original question, I use S3 regularly (outside of work) and once it is set up it is simple. The only time I have had unexpected charges was when some 500GB uploads failed and were still counting towards my usage quota, despite not being visible - the tool I had used for the uploads did not fail correctly. AWS help were useful, told me what to do, and added a credit to my account to cover the extra fees (which were only a few dollars).
 
Do you have a budget? Hosting with someone like SiteGround, £8.95 a month, set up a second domain for your file downloads. SiteGround give you a free SSL certificate as well, so you would be https. Alternatively, something like zipshare?

What is amazing is the fact that the clients allow ZIP files to be downloaded from a website.
 
Can you turn the question on its head - how do their infosec people want you to deliver the files?

My problem is that it isn't just one firm. I'll bet each InfoSec would be happy to engage in a 10 week programme to check that I could comply with their standards :)

What is amazing is the fact that the clients allow ZIP files to be downloaded from a website.

As above - I really don't think it's bypassing any security. Any zips that hit a firewalled machine should be scanned anyway and it would be a pretty exotic piece of malware that could hide in a jpeg and still do anything. (And yes, I know that's possible but it should also trip other stuff before it actually does anything.)

As for budget - sure £8.95 a month would be fine. But if S3 or something similar is actually better then I'd rather use that.
 
It's interesting to see things from "the other side". Like most people, I assume InfoSec are simply there to get in the way - until something bad happens :)
Nah, they're usually there solely to protect the organisation against infiltration (by spyware, malware, ransomware, etc) and exfiltration of data by the previous, or disgruntled/compromised employees (and the infosec body is usually the one that would be standing up in court in the event of a breach)

What they generally object to is people trying to sidestep restrictions (like others, I'm amazed that downloading of "random" zip files is allowed) - if there is a demonstrable business need, then they will generally find a way for it to be able to happen.
 
Actually how about those crazy companies switch to running linux or mac clients. If their systems are as open as windows and patchy as swiss cheese it shouldn't be the problem for the outside world.
 
What they generally object to is people trying to sidestep restrictions
You've put your finger on the spot. I've sat on both sides of that desk and it's just so hard to get people to understand what their "simple little need" could cost the business.

It seems to me that if it's worth doing business with these customers it's worth providing them with a demonstrably secure method of transferring your product to them. To do that you need the people who you're dealing with to find out how the security team want the data transferred and set yourself up to comply.
 
you need the people who you're dealing with to find out how the security team want the data transferred and set yourself up to comply.

Very much this!
 
You've put your finger on the spot. I've sat on both sides of that desk and it's just so hard to get people to understand what their "simple little need" could cost the business.

It seems to me that if it's worth doing business with these customers it's worth providing them with a demonstrably secure method of transferring your product to them. To do that you need the people who you're dealing with to find out how the security team want the data transferred and set yourself up to comply.

Again, it's not one client with one security policy, it's a bunch of them. As a group, sure it's worth it. On an individual basis, not so much.

And yes, if they could provide a demonstrably secure route I'd be happy to comply. But they seem more interested in locking things down than opening them up.
 
What have they said when you've asked them how they would like the files?
 
But they seem more interested in locking things down than opening them up.
Because that is their job and they will be covered in messy brown stuff if they screw it up. If you want to do business with these people you have to realise that your convenience is a total irrelevance to them. Just ask your buyers exactly how they want the files delivered and then make sure you virus check each file carefully.
 
Exactly - my information security manager doesn't want to be standing in the dock in the Court of Session defending against a potential €20 million fine (or 4% of global turnover if that's more) because the hole you're exploiting for your convenience has been used by some cybercrim (who may have used you as a conduit to wreak havoc and nearly left you on the nail for that)
 
Yes. What do you want to know?

:)

  1. Is it as simple as uploading a ZIP of jpegs to a "folder" and telling my clients where it is?
  2. For the usage I specify above (50MB * 100 users / year) do you have an idea of ballpark costs?
  3. Am I right to worry about sudden unexpected bills?
  4. Are there any (PC based) tools you would recommend for me to simplify the upload?
 
Thanks. I *think* a fair summary of that article is "sometimes people turn off the security in S3 and when they do, it's not secure".
That’s a very fair assessment of the article and of the situation.

I’ve been involved at the sharp end of system security on a few occasions. You’re paid to make sure that it isn’t your organisation on the front page of the tabloids with a headline about how a black hat has looted the account details of your customers. That’s why system managers have a default setting about incoming data: “My way or no way”. It’s really in your best interest to have each customer tell you exactly how they want you to deliver files and stick to those instructions like glue.
 
I use a free MEGA account... create individual folders and send them the link with key. Just don't lose your login/password, because anything you uploaded will be lost. I would unzip the files on the MEGA server as most security systems do not want zip/compressed files.
 
:)

  1. Is it as simple as uploading a ZIP of jpegs to a "folder" and telling my clients where it is?
  2. For the usage I specify above (50MB * 100 users / year) do you have an idea of ballpark costs?
  3. Am I right to worry about sudden unexpected bills?
  4. Are there any (PC based) tools you would recommend for me to simplify the upload?
  1. Not quite, unless you want them to be available to anyone.
  2. Cents.
  3. The only time I have had unexpected bills, it was a failed upload and when I queried it with Amazon they put a credit back onto my account.
  4. No idea, I use Macs, but mostly use the AWS command line tool for uploads.
 
That’s a very fair assessment of the article and of the situation.

However, I have just spent a little time with the AWS manual. I had somehow imagined I could create a list of credentials (usernames and passwords) and allow them access to a bucket. It seems I can either
  1. Hide it from everyone
  2. Allow anyone to access it
  3. Set up some JSON policy documents with access control to individual users who must (if they have not already) create AWS accounts in advance or belong to an organisation that may have an AWS policy granted which can then be allowed limited access via JSON furthermore the external ID value that a third party uses to assume a role must have a minimum of 2 characters and a maximum of 1,224 characters. The value must be alphanumeric without white space. It can also include the following symbols: plus (+), equal (=), comma (,), period (.), at (@), colon (:), forward slash (/), and hyphen (-). For more information about the external ID etc etc
I can quite see how some people might choose option 2...….
 
If they're blocking Dropbox etc., they're certainly blocking Mega.
I missed that...

When I was doing remote work for the military I had their IT set up a secured SSH FTP folder for me and I used CyberDuck (SFTP program for Mac) to upload directly to their server. The files were automatically scanned for viruses and the folder was accessible by all/only the departments on the inside that needed it.
 
I missed that...

When I was doing remote work for the military I had their IT set up a secured SSH FTP folder for me and I used CyberDuck (SFTP program for Mac) to upload directly to their server. The files were automatically scanned for viruses and the folder was accessible by all/only the departments on the inside that needed it.
That is similar to my work with major automotive manufacturers.
 
I too administer very strict firewalls, and the only way we allow transfers is via Secure FTP, we have multiple partners who automate their data retrieval using SCP, works flawlessly.

Maybe ask if SFTP is acceptable as they can lock an outbound connection to an IP address (you can get SFTP hosting) and the client can use certificate auth. Worth a shot
 