Solved

Looking for an SFTP AD aware product

Posted on 2010-08-24
9
645 Views
Last Modified: 2013-12-09
Hi,

We are looking for for an SFTP AD aware product. We need to implement a secure FTP that will integrate with AD and will allow users to authenticate and access to it with their Active Directory accounts.

Does anyone knows any good products that we could use?
0
Comment
Question by:llarava
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 22

Accepted Solution

by:
Matt V earned 250 total points
Comment Utility
Cerberus FTP is both an excellent product and does SFTP with AD integration.
http://www.cerberusftp.com/
0
 
LVL 26

Expert Comment

by:arober11
Comment Utility
Another product to consider: http://www.bitvise.com/winsshd

Also most Linux / Unix implementations can be made to authenticate against an LDAP Directory e.g.  AD  
Also via Samba a Linux / Unix box can access Windows shares, so a vanilla Linux install and a bit of tweaking may suffice, see:  http://developer.novell.com/wiki/index.php/HOWTO:_Configure_Ubuntu_for_Active_Directory_Authentication   OR http://ubuntuforums.org/showthread.php?t=91510

0
 

Author Comment

by:llarava
Comment Utility
Thank you.

The FTP will be placed on the DMZ and will be to authenticate with the DC's which they are part of our internal network. Any of you have any suggestions/experience building something like this? Any suggestions about the lay out so that we can reach want we want to do without compromising the security of the env?

Can we use either of the products listed above to acomplish this type of setup?  
0
 
LVL 26

Expert Comment

by:arober11
Comment Utility
Yes the suggested solutions may form the basis of a solution BUT if your corporate network contains any sensitive, financial or personal details I'd suggest you hire a security consultant / architect, preferable one whose CISSP, CISM, and / or CISA certified.

Without knowing the set-up and any regulatory requirements I wouldn't want to suggest anything.
0
Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

 
LVL 3

Expert Comment

by:lwalcher
Comment Utility
Two suggestions:

1) If you aren't tied to using FTP variants, Sharepoint 2010 or Microsoft Office Sharepoint Server (MOSS) 2007. You can place this behind an ISA Server 2006 or Forefront Threat Management Gateway (TMG) 2010 Reverse Proxy in the DMZ.
2) If you are required to use some form of FTP and are a Windows shop, I'd recommend an ISA Server 2006 or Forefront TMG 2010 Reverse Proxy in the DMZ with an IIS 7 server on the back-end running Microsoft FTP 7.5. You can then configure FTP-S (basically FTP over SSL/TLS) for encrypted connections that will be supported by most FTP clients, and you can have AD integration.

As a CISSP myself, I strongly agree with arober11's comment about bringing in a security consultant/architect as it would appear by definition there is sensitive data involved. Otherwise why would you want FTPS?
0
 

Author Comment

by:llarava
Comment Utility
The data isn't confidential. I am concerned about the authentication. Would an SFTP be necessary? What are the mechanisms that are being used to protect the authentication process is an SFTP is not being used?  

Unfortunately ISA/TMG can't be used we have to go through our regular firewall.

FTP uses two ports during transmission.  Port 21 is the normal connection port and then a random port in a range configured by the FTP server is used.  For instance, you could use range 5000 - 6000 for your data ports.  Traditionally, connected users use port 21 and a unique port in the range specified.  So user 1 would have 21 and 5001 and user 2 would have 21 and 5002.

From the public side, only port 21 and your data port range needs to be open in the firewall.  Internally, the FTP server needs to have access to the LDAP server via port 389.

I am strongely considering getting the following app:

http://www.xlightftpd.com/tutorial/ldap_eDirectory.html

Any thoughts?

Thank you

0
 
LVL 3

Assisted Solution

by:lwalcher
lwalcher earned 250 total points
Comment Utility
If the owner of your data being transferred has defined it as all being public data, then you are correct that securing the credentials is what you need to focus on here. Most of the secure FTP solutions (e.g., sFTP, FTP-S) will secure the data channel by default--or at least try--if they secure the control channel, though.

I have no experience with xlightftpd but it theoretically could work based on the requirements you've provided so far. What are you going to use to authenticate against AD?:

* Are you going to put an ADAM or AD LDS server in the DMZ then (as the xlightftpd link you sent implies), and sync that against AD?
* Are you planning to open the firewall betwen the DMZ and your domain controller directly?
* Something else?

I strongly recommend doing some research and/or bringing a security guru so you are aware of the security implications. The security issue to be addressed here is not just the FTP data itself. The issue is that this is a new entry point into your network, and you are using domain credentials to authenticate. If those credentials get compromised, that is a serious security breach that could have major ramifications from a regulatory perspective, depending on your business, and would generally be bad news.
0
 

Author Comment

by:llarava
Comment Utility


* Are you going to put an ADAM or AD LDS server in the DMZ then (as the xlightftpd link you sent implies), and sync that against AD? Initially I though about it...

* Are you planning to open the firewall betwen the DMZ and your domain controller directly? Allow port access from xlightftpd to the DC's.  The files will remain in the xlightftpd server. Also as far as I am concerned xlightftpd works with a service account that only needs read access to AD so worst case scenario if the xlightftpd box gets compromised the will only have access to this account and the data which doesn't have much value since is considered public data.

We only need to authenticate against the DC's from a front-end same way we (and others) are currently doing with OWA or any other AD aware apps out there.

Any other thoughts?
0
 

Author Comment

by:llarava
Comment Utility
Here is the final approach:

FTP is not be an option since it will no be secure enough. I am planning to go with an SFTP (SSH FTP) the default port is 22.  There are no data ports with SFTP which is one of the reasons it is more firewall friendly than FTP.  Command and data information is all sent over the same connection.

From the public side, only port 22 needs to be open in the firewall no data ports will be needed and the users will be able to access and get the data over this port.  Internally, the SFTP server needs to have access to the DC servers via port 389.

Any ideas, suggestions, comments would be appreciated.


0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Join & Write a Comment

The article explains the protocols and technology which is involved when two computers on different TCP/IP networks communicate with each other. In the diagram, a router is used to segregate two networks. The networks are 192.168.1.0/24 and 192…
Hello, As I have seen there a lot of requests regarding monitoring and reporting for exchange 2007 / 2010 / 2013 I have decided to post some thoughts together and link to articles that have helped me. Of course a lot of information you can get…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now