Solved

Looking for an SFTP AD aware product

Posted on 2010-08-24
662 Views
Last Modified: 2013-12-09
Hi,

We are looking for an SFTP AD aware product. We need to implement a secure FTP that will integrate with AD and will allow users to authenticate and access it with their Active Directory accounts.

Does anyone know any good products that we could use?
Question by:llarava
9 Comments
 
LVL 22

Accepted Solution

by:
Matt V earned 250 total points
ID: 33513941
Cerberus FTP is both an excellent product and does SFTP with AD integration.
http://www.cerberusftp.com/ 
 
LVL 26

Expert Comment

by:arober11
ID: 33519248
Another product to consider: http://www.bitvise.com/winsshd

Also most Linux / Unix implementations can be made to authenticate against an LDAP directory, e.g. AD.
Also via Samba a Linux / Unix box can access Windows shares, so a vanilla Linux install and a bit of tweaking may suffice, see: http://developer.novell.com/wiki/index.php/HOWTO:_Configure_Ubuntu_for_Active_Directory_Authentication OR http://ubuntuforums.org/showthread.php?t=91510
 

Author Comment

by:llarava
ID: 33550284
Thank you.

The FTP will be placed on the DMZ and will need to authenticate with the DCs, which are part of our internal network. Do any of you have any suggestions/experience building something like this? Any suggestions about the layout so that we can reach what we want to do without compromising the security of the env?

Can we use either of the products listed above to accomplish this type of setup?
 
LVL 26

Expert Comment

by:arober11
ID: 33577664
Yes, the suggested solutions may form the basis of a solution, BUT if your corporate network contains any sensitive, financial or personal details I'd suggest you hire a security consultant / architect, preferably one who is CISSP, CISM and/or CISA certified.

Without knowing the set-up and any regulatory requirements I wouldn't want to suggest anything.
 
LVL 3

Expert Comment

by:lwalcher
ID: 33633621
Two suggestions:

1) If you aren't tied to using FTP variants, SharePoint 2010 or Microsoft Office SharePoint Server (MOSS) 2007. You can place this behind an ISA Server 2006 or Forefront Threat Management Gateway (TMG) 2010 Reverse Proxy in the DMZ.
2) If you are required to use some form of FTP and are a Windows shop, I'd recommend an ISA Server 2006 or Forefront TMG 2010 Reverse Proxy in the DMZ with an IIS 7 server on the back-end running Microsoft FTP 7.5. You can then configure FTP-S (basically FTP over SSL/TLS) for encrypted connections that will be supported by most FTP clients, and you can have AD integration.

As a CISSP myself, I strongly agree with arober11's comment about bringing in a security consultant/architect as it would appear by definition there is sensitive data involved. Otherwise why would you want FTPS?
 

Author Comment

by:llarava
ID: 33636474
The data isn't confidential. I am concerned about the authentication. Would an SFTP be necessary? What are the mechanisms that are used to protect the authentication process if SFTP is not being used?

Unfortunately ISA/TMG can't be used; we have to go through our regular firewall.

FTP uses two ports during transmission. Port 21 is the normal connection port and then a random port in a range configured by the FTP server is used. For instance, you could use range 5000 - 6000 for your data ports. Traditionally, connected users use port 21 and a unique port in the range specified. So user 1 would have 21 and 5001 and user 2 would have 21 and 5002.

From the public side, only port 21 and your data port range need to be open in the firewall. Internally, the FTP server needs to have access to the LDAP server via port 389.

I am strongly considering getting the following app:

http://www.xlightftpd.com/tutorial/ldap_eDirectory.html

Any thoughts?

Thank you

 
LVL 3

Assisted Solution

by:lwalcher
lwalcher earned 250 total points
ID: 33639097
If the owner of your data being transferred has defined it as all being public data, then you are correct that securing the credentials is what you need to focus on here. Most of the secure FTP solutions (e.g., sFTP, FTP-S) will secure the data channel by default, or at least try, if they secure the control channel, though.

I have no experience with xlightftpd but it theoretically could work based on the requirements you've provided so far. What are you going to use to authenticate against AD?

* Are you going to put an ADAM or AD LDS server in the DMZ then (as the xlightftpd link you sent implies), and sync that against AD?
* Are you planning to open the firewall between the DMZ and your domain controller directly?
* Something else?

I strongly recommend doing some research and/or bringing in a security guru so you are aware of the security implications. The security issue to be addressed here is not just the FTP data itself. The issue is that this is a new entry point into your network, and you are using domain credentials to authenticate. If those credentials get compromised, that is a serious security breach that could have major ramifications from a regulatory perspective, depending on your business, and would generally be bad news.
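As an added example that is not part of the original thread: lwalcher's point that the SFTP host is a new entry point into the network, authenticating with domain credentials, means failed-login monitoring on that host is part of the design. The Python below is editor's code run over constructed OpenSSH auth log lines (host name, addresses and user names are invented); it flags a source address that accumulates failures inside a short window and, more importantly, a successful login that follows a run of failures from the same source, which is the pattern of a guessed or stuffed credential. Because the accounts are domain accounts, repeated failures against the DMZ host can also trip the domain lockout policy, so the alert is worth routing to whoever owns AD as well as to the SFTP box owner.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH authentication log lines (syslog layout).
# Host name, addresses and user names are invented for this example.
SAMPLE_LOG = """\
Aug 24 10:15:01 sftp01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 24 10:15:03 sftp01 sshd[4022]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Aug 24 10:15:04 sftp01 sshd[4023]: Failed password for jsmith from 203.0.113.7 port 51251 ssh2
Aug 24 10:15:06 sftp01 sshd[4024]: Failed password for jsmith from 203.0.113.7 port 51260 ssh2
Aug 24 10:15:08 sftp01 sshd[4025]: Failed password for jsmith from 203.0.113.7 port 51266 ssh2
Aug 24 10:15:09 sftp01 sshd[4026]: Accepted password for jsmith from 203.0.113.7 port 51270 ssh2
Aug 24 10:20:00 sftp01 sshd[4100]: Failed password for mlee from 198.51.100.4 port 40000 ssh2
Aug 24 10:31:00 sftp01 sshd[4101]: Accepted password for mlee from 198.51.100.4 port 40010 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2010):
    """Return {"ts", "result", "user", "ip"} for an auth line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=120):
    """Sliding-window detector keyed on source address.

    An address is reported when it accumulates `threshold` failures inside
    `window_seconds`, or when a login succeeds while failures from the same
    address are still inside the window (a guessed or stuffed credential).
    Failures older than the window are dropped, so one stray failure followed
    by a much later success is not an alert.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent[ev["ip"]]
        while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) >= threshold:
                alert = alerts.setdefault(ev["ip"], {"failures": 0, "success_after_failures": []})
                alert["failures"] = max(alert["failures"], len(window))
        elif window:  # Accepted, with failures from the same source still in the window
            alert = alerts.setdefault(ev["ip"], {"failures": len(window), "success_after_failures": []})
            alert["success_after_failures"].append(ev["user"])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the sample, 203.0.113.7 is reported with five failures and a following success for jsmith, while 198.51.100.4 is not: its single failure is eleven minutes before the success, outside the two-minute window. The threshold and window are the two knobs to tune against the domain lockout policy, since an alert threshold above the lockout threshold would fire only after accounts are already being locked.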
 

Author Comment

by:llarava
ID: 33639235


* Are you going to put an ADAM or AD LDS server in the DMZ then (as the xlightftpd link you sent implies), and sync that against AD? Initially I thought about it...

* Are you planning to open the firewall between the DMZ and your domain controller directly? Allow port access from xlightftpd to the DCs. The files will remain on the xlightftpd server. Also, as far as I am concerned, xlightftpd works with a service account that only needs read access to AD, so worst case scenario, if the xlightftpd box gets compromised they will only have access to this account and the data, which doesn't have much value since it is considered public data.

We only need to authenticate against the DCs from a front-end, the same way we (and others) are currently doing with OWA or any other AD aware apps out there.

Any other thoughts?
 

Author Comment

by:llarava
ID: 33657076
Here is the final approach:

FTP is not an option since it will not be secure enough. I am planning to go with SFTP (SSH FTP); the default port is 22. There are no data ports with SFTP, which is one of the reasons it is more firewall friendly than FTP. Command and data information is all sent over the same connection.

From the public side, only port 22 needs to be open in the firewall; no data ports will be needed and the users will be able to access and get the data over this port. Internally, the SFTP server needs to have access to the DC servers via port 389.

Any ideas, suggestions, comments would be appreciated.

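An added example, not from the thread or from any of the products named in it: if the final design is an SFTP service on a Linux/Unix host taking domain accounts (the route arober11 sketched), the OpenSSH side also needs restricting, because a user who can log in over port 22 otherwise gets a shell and port forwarding, not just file transfer. The Python below is editor's code; it parses sshd_config text including Match blocks and audits it for the in-process internal-sftp subsystem, a ChrootDirectory, ForceCommand internal-sftp and disabled forwarding for the SFTP group. The two sample configurations are constructed, and the group name sftponly and the /srv/sftp/%u layout are assumptions. The LDAP leg to the DCs on 389 is outside this check; a simple bind over plain 389 carries the user's password unencrypted, so StartTLS or LDAPS (636) is worth requiring on the DMZ-to-DC rule.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sshd_config fragments for the audit below. The group name
# "sftponly" and the /srv/sftp/%u layout are assumptions, not from the thread.
HARDENED_CONFIG = """\
Port 22
# Domain credentials arrive as passwords via the host's PAM/LDAP setup.
PasswordAuthentication yes
# In-process SFTP server: nothing has to be copied into the chroot.
Subsystem sftp internal-sftp

Match Group sftponly
    # Every path component must be root-owned and not writable by others.
    ChrootDirectory /srv/sftp/%u
    # No shell, no scp, no arbitrary commands.
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""

WEAK_CONFIG = """\
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
"""


@dataclass
class Block:
    """One configuration scope: the global section (empty criteria) or a Match block."""
    criteria: dict
    options: dict = field(default_factory=dict)  # lower-cased keyword -> argument list


def parse_sshd_config(text):
    """Split sshd_config text into the global block followed by its Match blocks.

    Follows sshd's rule that the first value seen for a keyword in a scope wins.
    Comments are stripped; the optional Keyword=value spelling is not handled.
    """
    blocks = [Block(criteria={})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            # Criteria come in pairs, e.g. "Group sftponly,partners User bob".
            criteria = {k.lower(): set(v.split(",")) for k, v in zip(args[0::2], args[1::2])}
            blocks.append(Block(criteria=criteria))
            continue
        blocks[-1].options.setdefault(keyword, args)
    return blocks


# Settings every SFTP-only Match block should carry, with the leading arguments expected.
REQUIRED_IN_MATCH = {
    "forcecommand": ["internal-sftp"],
    "allowtcpforwarding": ["no"],
    "x11forwarding": ["no"],
    "permittunnel": ["no"],
}


def audit_sftp_config(text, group):
    """Return a list of findings for the SFTP-only group; an empty list means the config passes."""
    blocks = parse_sshd_config(text)
    findings = []

    subsystem = blocks[0].options.get("subsystem", [])
    if subsystem[:2] != ["sftp", "internal-sftp"]:
        findings.append("Subsystem sftp should be internal-sftp; with an external sftp-server "
                        "binary, ChrootDirectory only works if the binary and its libraries "
                        "are copied into every jail")

    match = next((b for b in blocks[1:] if group in b.criteria.get("group", set())), None)
    if match is None:
        findings.append(f"no 'Match Group {group}' block: members of {group} get a normal shell")
        return findings

    if "chrootdirectory" not in match.options:
        findings.append("ChrootDirectory missing: SFTP users can browse the whole filesystem")
    for keyword, want in REQUIRED_IN_MATCH.items():
        have = match.options.get(keyword)
        want_str = " ".join(want)
        if have is None or [a.lower() for a in have[:len(want)]] != want:
            findings.append(f"{keyword} should be '{want_str}' in the Match block, found {have}")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_sftp_config(HARDENED_CONFIG, "sftponly") or "OK")
    print("weak:", *audit_sftp_config(WEAK_CONFIG, "sftponly"), sep="\n  ")
```

Run against the weak fragment the audit reports five findings: the external sftp-server binary, and the missing ForceCommand, AllowTcpForwarding, X11Forwarding and PermitTunnel lines. The chroot is present there, but without ForceCommand the user still lands in whatever login shell the directory lookup hands back, which is the gap that matters most on a DMZ host.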
