
FTP-server in DMZ or LAN? (Fast Ethernet in DMZ)

Posted on 2011-09-14
Last Modified: 2012-05-12
Hi everyone,

I just bought the new Cisco ASA 5505. When I wanted to configure the DMZ for my FTP-server, I realized that the ASA 5505 only has 7 Fast-Ethernet ports and no gigabit ports. Currently the FTP-server is connected to a gigabit port on the switch (without DMZ).

What would be your pick?
      1. Just put the FTP-server in the LAN at gigabit speed.
      2. Put the FTP-server on the DMZ interface of the ASA 5505, but then internally the speeds of the transfers will drop.

Thanks for your advice! In the previous years the FTP-server was active, it was always running in the LAN network (I just took over the network).
Question by: Silencer001
9 Comments
 

Expert Comment

by:Ernie Beek
ID: 36535370
Well, of course putting it into a DMZ is the most secure. The question is: do you need that speed for the LAN? What's the main use: internal or external? If it's only used internally then of course it is simple. If there are external clients using it you might prefer security over speed.
 

Author Comment

by:Silencer001
ID: 36535409
Well, the clients all have 100 Mbit lines, so I was thinking that if one of them were using the FTP-server on Fast Ethernet it would get the same download speed as if 10 users were using it at gigabit speed.

I know a DMZ is more secure, but does it really pose a threat if I leave it in the LAN network? What could happen when a hacker, for example, knows the password of the FTP-server? He can only log in to the files that are linked to that user account but nothing else, I think?
 

Accepted Solution

by: Garry-G (earned 125 total points)
ID: 36535447
Assuming you want to ensure that security issues with the FTP server do not endanger your LAN segment, putting the FTP server on the DMZ LAN is the more secure solution, of course. And, of course, it limits the throughput you will get, and might even cause a slowdown on the external uplink, as the 5505 is rated at only about 150 Mbit of firewall traffic.
Having said that, if you really require maximum throughput between the LAN and the FTP server, you could decide to add the IDS module to the 5505 in order to improve the security of permitted external FTP access to your server; at least in theory the IDS module should recognize known attack patterns and mitigate the results. In this case (well, really any case), at least ensure that the FTP server does not send identifying information about the software running, not that security by obscurity is really much of a protection ...
Another option could be to operate an FTP proxy in the DMZ and the physical server in the LAN; that way, you'd still have GBit performance to the server from the inside, while only openly presenting the proxy to the outside ... of course this would still leave a possible attack vector if anybody were able to exploit anything there, but that way two security holes would need to be present ...
 

Assisted Solution

by: Garry-G (earned 125 total points)
ID: 36535459
What could happen when a hacker for example knows the password of the FTP-server? He can only login to the files that are linked to that user account but nothing else I think?
Knowing the password to the FTP login is one thing; the bigger risk is bugs/security holes in services ... e.g. finding a buffer overflow that could let you get shell access to the server, and then using additional measures either on that server for a privilege increase, or attacking other hosts on the same network. Or installing a bot to abuse your internet connection ...
 

Author Comment

by:Silencer001
ID: 36541698
Wow, thanks, I didn't know these kinds of things, thanks for the information!

I will be putting the FTP-server in the DMZ after some consideration, thanks!
But do you know how to set this up on an ASA 5505? I have been reading the manual, but can't get it to work.

It says that I need a static NAT rule from my inside interface to my DMZ interface. The source and address are the same.
 

Expert Comment

by:Garry-G
ID: 36541712
Can you elaborate on the IP addressing plan? From the "are the same" I'd expect the ASA being handed a subnet of public IPs for forwarding/routing. If you have those public IPs on the DMZ, all you need to do is either activate the "Enable traffic through the firewall without address translation" checkmark on the NAT Rules page, or create an explicit NAT exemption rule for that IP.
 

Expert Comment

by:Ernie Beek
ID: 36541715
The source and address are the same

What exactly do you mean by that?

You have to set up a static from your outside ip to the DMZ ip of the server:
static (DMZ,outside) tcp public_address 21 private_address 21 netmask 255.255.255.255
And allow the port through:
access-list outside permit tcp any host public_ip eq 21
access-group outside in interface outside


This is of course somewhat generic and based on a < 8.3 version.
You'll need to know what IPs to use (is it the public IP on the interface, or do you have more?).
 

Author Comment

by:Silencer001
ID: 36541841
@erniebeek: I have enclosed an attachment to let you see how I configured this. It was just some testing, and I found it strange that this needed to be done (following the ASA guide), or maybe I just misunderstood.

@Garry-G:

Internet: DHCP from ISP
DMZ: 192.168.3.0 /24
LAN: 192.168.2.0 /24

I have also set up some port forwarding for RDP to my servers in the LAN, and also SMTP because the company is using an SBS 2011 server.

I have set up a new topic on EE, because it was actually a different question than my first one. Could you maybe start using this topic so I can award points for this question? Thanks in advance!


http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27309498.html
Cisco.png
 

Expert Comment

by:Ernie Beek
ID: 36541853
Ah it's you over there :)

Ok, I'll move on to that one. See you there.

With regards to the attachment: when going through the ASA (in this case from low security to high security) some sort of translation has to be done. What you're doing here is translating the IP range from the DMZ to itself. So the net result is that the addresses from the DMZ stay the same when going to the LAN.
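The static/ACL pair Ernie Beek posted above, Garry-G's NAT-exemption remark, and the closing note about translating the DMZ range to itself are pieces of one configuration. The block below is an added example putting them together for the addressing the asker gave (LAN 192.168.2.0/24, DMZ 192.168.3.0/24, outside address from ISP DHCP); it is not the asker's attachment and not from the thread. Everything else is assumed for illustration: the FTP server at 192.168.3.10, the DMZ on Vlan3 / Ethernet0/2, the interface names inside/dmz/outside, and the ACL names outside_in and nonat. Part 1 is pre-8.3 syntax, matching the thread; Part 2 replaces only the NAT and ACL lines for 8.3 and later, where the interface configuration is unchanged and ACLs refer to real (untranslated) addresses.

```cisco
! Added example, not from the thread. Assumed: FTP server 192.168.3.10,
! DMZ on Vlan3 / Ethernet0/2, nameifs inside/dmz/outside, ACL names.

! --- Part 1: pre-8.3 syntax (same form as the static shown above) ---
interface Vlan3
 description DMZ
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
 ! Base license only: the third VLAN must be barred from initiating
 ! traffic to one other VLAN. Omit this line on a Security Plus license.
 no forward interface Vlan1
!
interface Ethernet0/2
 switchport access vlan 3
!
! The outside address is DHCP-assigned, so map TCP/21 on the outside
! interface address to the server ("interface" instead of a fixed public IP).
static (dmz,outside) tcp interface 21 192.168.3.10 21 netmask 255.255.255.255
!
! Expose only the control port; inspect ftp (below) opens the data ports.
access-list outside_in extended permit tcp any interface outside eq 21
access-group outside_in in interface outside
!
! LAN -> DMZ without translation. This is the "translate the DMZ range to
! itself" identity rule from the thread, written as a NAT exemption.
! With nat-control off (the default) it is optional but keeps intent explicit.
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! DMZ hosts reach the Internet through PAT on the outside address.
nat (dmz) 1 192.168.3.0 255.255.255.0
global (outside) 1 interface
!
! FTP inspection follows PORT/PASV, so the data channel needs no static
! port range. It is part of the default global_policy; shown for clarity.
policy-map global_policy
 class inspection_default
  inspect ftp

! --- Part 2: the same NAT/ACL in 8.3+ syntax (object NAT, real IPs in ACLs) ---
object network ftp_server
 host 192.168.3.10
 nat (dmz,outside) static interface service tcp 21 21
!
object network dmz_net
 subnet 192.168.3.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
access-list outside_in extended permit tcp any object ftp_server eq 21
access-group outside_in in interface outside
! Inside -> dmz needs no rule in 8.3+: NAT applies only where configured,
! and an inside->outside PAT does not touch traffic leaving on dmz.
```

Two checks worth making after pasting this in: `show xlate` from a LAN client to 192.168.3.10 should show no translation entry (or an identity one), and `show conn` during an external passive-mode transfer should show the dynamically opened data connection alongside the port 21 session. The inspection engine only understands cleartext FTP; if the server is later switched to FTPS (TLS on the control channel), the passive data ports have to be pinned and permitted explicitly, since the ASA can no longer read the PASV reply.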
