Solved

FTP-server in DMZ or LAN? (Fast Ethernet in DMZ)

Posted on 2011-09-14
1,065 Views
Last Modified: 2012-05-12
Hi everyone,

I just bought the new Cisco ASA 5505. When I wanted to configure the DMZ for my FTP-server I realized that the ASA 5505 only has 7 Fast Ethernet ports and no gigabit ports. Currently the FTP-server is connected to a gigabit port on the switch (without DMZ).

What would be your pick?
      1. Just put the FTP-server in the LAN at gigabit speed.
      2. Put the FTP-server on the DMZ interface of the ASA 5505, but then internally the speeds of the transfers will drop.

Thanks for your advice! In the previous years the FTP-server was active, it was always running in the LAN network. (I just took over the network.)
Question by:Silencer001
9 Comments
LVL 35

Expert Comment

by:Ernie Beek
ID: 36535370
Well, of course putting it into a DMZ is the most secure. The question is: do you need that speed for the LAN? What's the main use: internally or externally? If it's only used internally then of course it is simple. If there are external clients using it you might prefer security over speed.

Author Comment

by:Silencer001
ID: 36535409
Well, the clients all have 100 Mbit lines, so I was thinking that if 1 of them were using the FTP-server on Fast Ethernet, it would be the same download speed as 10 users using it on gigabit.

I know a DMZ is more secure, but does it really pose a threat if I leave it in the LAN network? What could happen when a hacker for example knows the password of the FTP-server? He can only log in to the files that are linked to that user account but nothing else, I think?
LVL 18

Accepted Solution

by:Garry Glendown
Garry Glendown earned 500 total points
ID: 36535447
Assuming you want to ensure that security issues with the FTP server do not endanger your LAN segment, putting the FTP server on the DMZ LAN is the more secure solution, of course. And, of course, it limits the throughput you will get, and might even cause a slowdown on the external uplink, as the 5505 is rated at only about 150 Mbit of firewall traffic.
Having said that, if you really require maximum throughput between the LAN and the FTP server, you could decide to add the IDS module to the 5505 in order to improve the security of permitted external FTP access to your server; at least in theory the IDS module should recognize known attack patterns and mitigate the results. In this case (well, really in any case), at least ensure that the FTP server does not send identifying information about the software it is running, not that security by obscurity is really much of a protection ...
Another option could be to operate an FTP proxy in the DMZ and the physical server in the LAN; that way, you'd still have GBit performance to the server from the inside, while only openly presenting the proxy to the outside ... of course this would still leave a possible attack vector if anybody were able to exploit anything there, but that way two security holes would need to be present ...
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 500 total points
ID: 36535459
"What could happen when a hacker for example knows the password of the FTP-server? He can only log in to the files that are linked to that user account but nothing else, I think?"
Knowing the password to the FTP login is one thing; the bigger risk is bugs/security holes in services ... e.g. finding a buffer overflow that could let you get shell access to the server, and then using additional measures either on that server for privilege escalation, or attacking other hosts on the same network. Or installing a bot to abuse your internet connection ...

Author Comment

by:Silencer001
ID: 36541698
Wow, thanks, I didn't know these kinds of things, thanks for the information!

I will be putting the FTP-server in the DMZ after some consideration, thanks!
But do you know how to set this up on an ASA 5505? I have been reading the manual, but can't get it to work.

It says that I need a static NAT rule from my inside interface to my DMZ interface. The source and address are the same.
LVL 18

Expert Comment

by:Garry Glendown
ID: 36541712
Can you elaborate on the IP addressing plan? From the "are the same" I'd expect the ASA to be handed a subnet of public IPs for forwarding/routing. If you have those public IPs on the DMZ, all you need to do is either activate the "Enable traffic through the firewall without address translation" checkmark on the NAT Rules page, or create an explicit NAT exemption rule for that IP.
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541715
"The source and address are the same"

What exactly do you mean by that?

You have to set up a static from your outside IP to the DMZ IP of the server:
    static (DMZ,outside) tcp public_address 21 private_address 21 netmask 255.255.255.255
And allow the port through:
    access-list outside permit tcp any host public_ip eq 21
    access-group outside in interface outside

This is of course somewhat generic and based on a < 8.3 version.
You'll need to know what IPs to use (is it the public one on the interface, or do you have more?).
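The static above uses the pre-8.3 syntax, which the ASA rewrote when NAT was redesigned in 8.3. The following is an added example, not part of Ernie Beek's post, showing the same publish-TCP/21-to-the-DMZ rule in the 8.3+ form. It assumes a constructed server address of 192.168.3.10 inside the DMZ range given later in the thread (192.168.3.0/24), and, because the outside address is handed out by the ISP via DHCP, it binds the translation to the outside interface address instead of a fixed public IP. The object and ACL names are placeholders.

```cisco
! ASA 8.3+ configuration (constructed example, not from the thread)
! Assumed: FTP server at 192.168.3.10 on the DMZ interface,
! outside interface address obtained by DHCP from the ISP.
object network FTP-SERVER
 host 192.168.3.10
 description FTP server in the DMZ (assumed address)
 ! Static PAT: TCP/21 arriving on the outside interface address is
 ! forwarded to TCP/21 on the server. "interface" follows whatever
 ! address DHCP currently assigns, so no fixed public IP is needed.
 nat (DMZ,outside) static interface service tcp 21 21

! From 8.3 on the access list refers to the REAL (untranslated) address,
! i.e. the object, not the public IP as in the pre-8.3 static/ACL pair.
access-list OUTSIDE_IN extended permit tcp any object FTP-SERVER eq 21
access-group OUTSIDE_IN in interface outside
```

Two points worth checking once this is in place. First, nothing here opens a path from the DMZ towards the LAN: the DMZ sits at a lower security level than inside, so the server still cannot initiate connections into 192.168.2.0/24 unless an ACL explicitly allows it, which is exactly the containment the earlier answers argue for. Second, FTP opens separate data connections; the ASA's default global policy already contains `inspect ftp`, which rewrites the PORT/PASV exchange so active and passive transfers work through the static PAT. To confirm the rule is being hit, `show nat` (translation hit counts) and `show xlate` (active translations) are the usual first stops, and `packet-tracer input outside tcp 203.0.113.5 1025 <outside-ip> 21` walks a simulated packet through the ACL and NAT phases (203.0.113.5 is a documentation-range placeholder for an external client). Note also that a 5505 with only the Base license limits the third VLAN to a restricted role (it may only talk to one of the other two), so a fully routed DMZ needs the Security Plus license.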

Author Comment

by:Silencer001
ID: 36541841
@erniebeek: I have enclosed an attachment to let you see how I configured this. It was just some testing and I found it strange that this needed to be done (following the ASA guide), or maybe I just misunderstood.

@Garry-G:

Internet: DHCP from ISP
DMZ: 192.168.3.0 /24
LAN: 192.168.2.0 /24

I have also set up some port forwarding to RDP to my servers in the LAN, and also SMTP because the company is using an SBS 2011 server.

I have set up a new topic on EE, because it was actually a different question than my first one. Could you maybe start using that topic so I can award points for this question? Thanks in advance!


http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27309498.html
Cisco.png
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541853
Ah, it's you over there :)

OK, I'll move on to that one. See you there.

With regards to the attachment: when going through the ASA (in this case from low security to high security) some sort of translation has to be done. What you're doing here is translating the IP range from the DMZ to itself. So the net result is that the addresses from the DMZ stay the same when going to the LAN.