Possible risks for corporate network by opening FTP over internet

Hi experts,

I have to make a risk analysis in the event of installing an FTP client on a corporate network.

The picture is something like this:

The users will have an FTP client installed on their PCs and they will be able to upload and download files to a folder on the FTP server. We will be using FileZilla.

So if you can give some examples of the possible risks that you think the corporate network could be susceptible to, and the likelihood of them happening in your professional opinion, I will be very grateful.

Regards!
macoronatAsked:

IT-Monkey-DaveCommented:
The public IP address of your FTP server will be under constant attack, mostly from brute-force password hacking.  You should try to limit FTP access to only authorized external IPs if you can via firewall rule.  If that's not possible, expect attacks.  Make sure there are no unprotected guest accounts, no anonymous access, use strong passwords.  If you're lucky you have a firewall or other device that can automatically detect & block brute force attackers.
And put the FTP server in a DMZ if you can.
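The brute-force detection Dave mentions, as an added example that is not part of the original thread and not FileZilla's or any firewall vendor's code: a Python script that applies a "too many failed logins from one source inside a short window" rule to constructed log lines written in the style of vsftpd's login records. The IP addresses, usernames, timestamps, threshold and window are all illustrative assumptions, not real data.

```python
"""Rate-based brute-force detection for FTP logins (added example).

A server on a public IP draws a constant stream of password guesses.  The
usual defence is to block a source after N failed logins in W seconds; this
script implements that rule over a few constructed log lines so that the
mechanism, and its blind spot, are visible.

Assumptions: the lines below are hand-written in the style of vsftpd's
login records; the IPs, usernames, timestamps, threshold and window are
illustrative values, not taken from any real server.
"""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real server).  Three sources:
# a noisy scanner, a legitimate user who mistypes once, and a slow guesser.
CONSTRUCTED_LOG = """\
Tue Aug  7 10:00:01 2018 [pid 4101] [admin] FAIL LOGIN: Client "198.51.100.23"
Tue Aug  7 10:00:02 2018 [pid 4102] [admin] FAIL LOGIN: Client "198.51.100.23"
Tue Aug  7 10:00:02 2018 [pid 4103] [root] FAIL LOGIN: Client "198.51.100.23"
Tue Aug  7 10:00:03 2018 [pid 4104] [ftp] FAIL LOGIN: Client "198.51.100.23"
Tue Aug  7 10:00:03 2018 [pid 4105] [test] FAIL LOGIN: Client "198.51.100.23"
Tue Aug  7 10:00:09 2018 [pid 4110] [macoronat] FAIL LOGIN: Client "203.0.113.7"
Tue Aug  7 10:00:15 2018 [pid 4111] [macoronat] OK LOGIN: Client "203.0.113.7"
Tue Aug  7 10:04:40 2018 [pid 4120] [anonymous] FAIL LOGIN: Client "192.0.2.99"
Tue Aug  7 10:09:41 2018 [pid 4121] [anonymous] FAIL LOGIN: Client "192.0.2.99"
Tue Aug  7 10:14:42 2018 [pid 4122] [anonymous] FAIL LOGIN: Client "192.0.2.99"
Tue Aug  7 10:19:43 2018 [pid 4123] [anonymous] FAIL LOGIN: Client "192.0.2.99"
Tue Aug  7 10:24:44 2018 [pid 4124] [anonymous] FAIL LOGIN: Client "192.0.2.99"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_login_record(line):
    """Return (timestamp, user, result, ip) for a login record, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Collapse the padded day-of-month ("Aug  7") before strptime.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]


def find_brute_forcers(log_text, threshold=5, window_seconds=600):
    """Map source IP -> ISO timestamp at which it first hit the threshold.

    A source is flagged once it has `threshold` FAIL records inside any
    sliding window of `window_seconds`.  A successful login clears that
    source's recent failures, so a legitimate user who mistypes once is
    not blocked.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_login_record(line)
        if rec is None:
            continue               # not a login record
        ts, _user, result, ip = rec
        if result == "OK":
            recent[ip].clear()
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_forcers(CONSTRUCTED_LOG).items():
        print(f"block {ip}: hit the failure threshold at {when}")
```

Run as-is, the first source is flagged on its fifth failure within three seconds, the user who mistyped once is left alone, and the third source, which spaces its guesses five minutes apart, never trips a ten-minute window. Rate-based blocking catches noisy scanners, not patient ones, which is why the IP allow-list and strong passwords Dave recommends still matter.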
IT-Monkey-DaveCommented:
Also avoid publishing a public DNS name for your FTP server if possible.  Make people use the public IP address to access it.  If you must publish the server in DNS, use a name that doesn't obviously identify it as an FTP server.  Don't give clues out to the server's role via DNS records.
macoronatAuthor Commented:
Dave, thanks for your answer, but we do not own the FTP server, let me be more specific:

The FTP server is not in our hands. It's a service from FileZilla. Basically we just have FTP client software on our PCs and we have to log in using the credentials provided to us by FileZilla (username & password); it then makes a connection to the FTP server using TCP port 21.

We are just allowing our users access to that service.

Is there any potential risk we might be running into?

IT-Monkey-DaveCommented:
Oh.  Well then.  ;)
Is the FTP data sensitive in nature, needs to be secure?  Does Filezilla's FTP hosting service promise any level of security?  Does it support encrypted data transfers between the client and the server?
macoronatAuthor Commented:
Data is important. Most of it is going to be used by several users, and they need to have the same information.

The only level of security is the usernames and passwords that FileZilla provided, and there are no encrypted data transfers between client and server.
IT-Monkey-DaveCommented:
Well there's "important" data, and there's "sensitive" data. Important means you obviously need it and don't want to lose it. Sensitive means it cannot be allowed to fall into unauthorized hands or be accessed by any unauthorized personnel. If your data is sensitive, then the security arrangement you've described is about as minimal as it can get. You'll be transferring your data across the public Internet without any encryption. The FTP accounts are only as secure as the login names and passwords. The FTP server itself is only as secure as FileZilla makes it.
My opinion would be this arrangement is probably ok for important data, but very inadequate for sensitive data.
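Why Dave calls unencrypted FTP "about as minimal as it can get", as an added example that is not part of the original thread: a Python script that reads two constructed FTP control-channel captures the way a passive sniffer on the path would (a compromised switch on the LAN, a hotel Wi-Fi, an upstream router) and reports what it learns from each. The captures, the username, password, file name and the placeholder TLS bytes are all made up for illustration; none of it comes from FileZilla or its hosting service.

```python
"""What a passive observer reads from an FTP control channel (added example).

FTP's control channel (TCP port 21) carries commands and replies as plain
text lines ending in CRLF.  Without TLS the USER and PASS commands cross
the network in the clear, as do the names of files fetched or stored.
With explicit FTPS (RFC 4217) the client sends AUTH TLS and, once the
server answers 234, everything that follows is encrypted.

Assumptions: both captures below are hand-written for illustration; the
bytes after the 234 reply are a placeholder standing in for TLS records,
not real ciphertext.
"""

import re

# Constructed capture of a plain FTP login and download.
PLAIN_FTP_SESSION = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"USER macoronat\r\n"
    b"331 Please specify the password.\r\n"
    b"PASS Winter2024!\r\n"
    b"230 Login successful.\r\n"
    b"PASV\r\n"
    b"227 Entering Passive Mode (203,0,113,10,195,80).\r\n"
    b"RETR payroll-q3.xlsx\r\n"
    b"150 Opening BINARY mode data connection for payroll-q3.xlsx (10240 bytes).\r\n"
    b"226 Transfer complete.\r\n"
    b"QUIT\r\n"
    b"221 Goodbye.\r\n"
)

# Constructed capture of the same login over explicit FTPS.  After the
# 234 reply the observer sees only opaque bytes (placeholder, not real TLS).
FTPS_SESSION = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"AUTH TLS\r\n"
    b"234 Proceed with negotiation.\r\n"
    b"\x16\x03\x03\x00\xc4\x01\x00\x00\xc0\x03\x03" + bytes(range(200))
)

# Server replies start with a three-digit code; client commands do not.
_REPLY_RE = re.compile(rb"^\d{3}[ -]")


def observe_control_channel(capture: bytes) -> dict:
    """Return what a sniffer can read from an FTP control-channel capture.

    Walks the capture line by line, collecting the username, password and
    file names from USER/PASS/RETR/STOR/STOU/APPE commands, and stops as
    soon as an AUTH TLS command is acknowledged with 234, because from
    that point the channel is ciphertext.
    """
    seen = {"username": None, "password": None, "files": [],
            "encrypted_after_auth": False}
    awaiting_tls_reply = False
    for raw_line in capture.split(b"\r\n"):
        if not raw_line:
            continue
        if _REPLY_RE.match(raw_line):
            if awaiting_tls_reply and raw_line.startswith(b"234"):
                seen["encrypted_after_auth"] = True
                break                      # rest of the capture is opaque
            awaiting_tls_reply = False
            continue
        parts = raw_line.split(b" ", 1)
        verb = parts[0].upper()
        arg = parts[1].decode("utf-8", "replace") if len(parts) > 1 else ""
        if verb == b"USER":
            seen["username"] = arg
        elif verb == b"PASS":
            seen["password"] = arg
        elif verb in (b"RETR", b"STOR", b"STOU", b"APPE"):
            seen["files"].append(arg)
        elif verb == b"AUTH" and arg.upper() in ("TLS", "SSL"):
            awaiting_tls_reply = True
    return seen


if __name__ == "__main__":
    for name, capture in (("plain FTP", PLAIN_FTP_SESSION),
                          ("explicit FTPS", FTPS_SESSION)):
        print(name, "->", observe_control_channel(capture))
```

Against the plain session the observer gets the username, the password and the name of the file fetched; against the FTPS session it gets nothing past the 234 reply. The client cannot fix this on its own: FileZilla can be set to require explicit FTP over TLS, but only if the hosting side offers FTPS (or SFTP, a different protocol carried over SSH), which macoronat says it does not.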
IT-Monkey-DaveCommented:
Also, under the category of "important data", is the FileZilla FTP server backed up regularly? Will you be storing the only copy of any important files on it? If the only copy will be on the FileZilla server, then unless FileZilla states that they back up their servers and have disaster recovery procedures in place, this arrangement is also unsatisfactory for important data.
macoronatAuthor Commented:
Understood, and thank you so much for that information, but more specifically, my question about possible threats was aimed at the corporate network, for example possible attempts at intrusion into the corporate network when an FTP transfer is taking place. Is that something I should be concerned about?