Every day, countless files change hands across the Internet via FTP. Although popular, convenient and reliable, standard insecure FTP isn’t appropriate for transferring many types of sensitive information, particularly if your organization is subject to any of the alphabet soup of data security and privacy regulations like PCI and HIPAA.
The most recent version of EFT Server from GlobalScape takes the oxymoron out of secure FTP server.
GlobalScape’s Enhanced File Transfer Server 6.1 (known as Secure FTP Server prior to version 4) offers firms a way to securely exchange files with remote offices, clients, or business partners. The $695 EFT Server software (plus $139 for optional maintenance and support) is compatible with 32- or 64-bit Windows Server 2003, 2008 R2, or XP Professional. It may work with other Windows versions as well, but only the aforementioned are officially tested and supported by GlobalScape. EFT Server’s base version is highly modular, so you can license individual components depending on your needs. There’s also an EFT Server Enterprise offering that includes many of the components as well as some additional features that aren’t available a la carte.
EFT Server can be deployed a number of different ways, but the preferred scenarios involve installing an optional DMZ Gateway on a separate server, which allows the EFT Server to remain ensconced behind the corporate firewall while still enabling outside parties to access data via the gateway. EFT Server’s install wizard walks you through the particulars of setting up the server and configuring one or more FTP sites. By default, EFT Server uses its own integrated authentication manager that enhances security by isolating FTP accounts from domain users. It also allows authentication via other means like Active Directory or NTLM. Out of the box, the only secure file transfer protocol EFT Server supports is FTPS (SSL/TLS). Other secure protocols, like SFTP (SSH2), HTTPS (SSL), and AS2, are available as add-ons.
Once you’re through with EFT Server’s initial wizard-based setup, there’s still a bit of ancillary work to do, like creating a Windows user account for the EFT service and configuring the service to use it rather than the default Local System account. You must also edit default access permissions for EFT Server’s program and data folders, and if Microsoft Internet Information Server (IIS) is active on the EFT Server, you must take some extra steps to avoid conflicts over the use of ports 21 and 80 (FTP and HTTP). The exhaustive (700+ pages) manual does a good job of detailing what’s required to ensure proper operation of the software, not to mention optimal security.
Administration for EFT Server is handled via a Windows utility — no browser-based administration here — but you can install it on other systems as needed for remote configuration. The tabbed admin interface is straightforward and makes it relatively simple to manage users, groups, and EFT Server’s Virtual File System (VFS), which lets you define your FTP folder structure. With VFS you can create new physical folders or virtual ones that point to existing ones on disk, then apply upload/download permissions that are independent of the Windows operating system’s underlying NTFS file system.
Through the admin interface, you can configure a range of FTP site restrictions, like blocking connections from specific IP addresses, enforcing password rules, banning certain file types, or applying transfer limits to particular users. If you must maintain multiple FTP sites, you can create additional administrators with full control over individual sites, although more granular delegation (like the ability to manipulate only user accounts or passwords) requires the Enterprise version.
The standard EFT Server’s logging capabilities can be augmented by an optional Reporting and Auditing module that can generate about three dozen types of reports and record detailed information to either an existing SQL or Oracle database. There’s also a built-in MS SQL Server Express 2005 database available for testing purposes. EFT Server’s extensive rules system can be configured to execute a command or generate a notification in response to a variety of file, user, or connection-related events.
Although EFT Server’s ostensible $695 price tag is eye-catching, the cost heads north quickly once you factor in the price of optional modules (which range from $695 for SFTP to $1,995 for Auditing and Reporting) or the need for a feature only available in Enterprise. This detailed chart highlights which features are optional or Enterprise-specific.
EFT Server is available as a 30-day trial download (you’ll need to ante up contact info to get the link), but if you need longer than that to evaluate the software, GlobalScape offers the option to request a trial period extension directly via EFT Server’s admin console. Also, the trial download includes access to the Enterprise version, and helpfully indicates which modules and features are not included in the core EFT Server product.
If you need a flexible but comprehensive way to handle your secure file transfers, GlobalScape’s EFT Server is worth checking out.
Price: $695, plus $139 for maintenance and support and cost of optional modules
Pros: More secure than traditional FTP, yet still easy to administer; Modular architecture allows you to buy only the functionality that you need.
Cons: On the flip side, the packaging is somewhat deceptive, as modules and add-ons are required to get the security most enterprises need.
Joseph Moran is co-author of Getting StartED with Windows 7 (friends of ED, 2009).