Describing an alternative method to FTP over TLS by the use of WebDav over TLS published through ISA 2006 Firewall

In this article we will describe an alternative method to FTPS(FTP over TLS).

A lot of people use WebDav over TLS for viewing files and easily manage them(drag and drop). It's actually quite popular among universities for example.

The old FTP protocol does not meet the security requirements for transfering files over an insecure connection. FTP over TLS can perform secure file transfers. It uses SSL/TLS to encrypt the control and/or data channels. RFC4217 Securing FTP with TLS, an "Internet Official Protocol Standards" (STD 1), describes FTPS.

Before moving to WebDav we will first discuss FTP and FTPS. You can skip this part but I think is quite useful to put a couple of pictures along with a few comments about FTP and FTPS.

Publishing WebDav over TLS through ISA 2006 Firewall enable us to use features like SSL bridging, pre-authentication, HTTP filtering or user level control.

Actually adding ISA 2006 Firewall into equation gives us a high secure method for transfering files.

Since ISA pre-authenticates any client, no packet will reach the IIS server before ISA accepts the user credentials. Also ISA does SSL bridging meaning that you actually terminate the TLS tunnel on ISA and ISA initiates another TLS connection to the IIS server. In this way ISA is able to do HTTP filtering(normaly encrypted traffic cannot be inspected by the firewall) which is a key security feature these days. Since you know what HTTP methods are good for your WebDav server you can instruct ISA to allow only these methods. Thus if for example ISA is set not to allow the "DELETE" method, when the client will use it, it will blocked at the firewall and therefore it will never reach the IIS server.


Comments are closed