Solved

FTP-server in DMZ or LAN? (Fast Ethernet in DMZ)

Posted on 2011-09-14
Last Modified: 2012-05-12
Hi everyone,

I just bought the new Cisco ASA 5505. When I wanted to configure the DMZ for my FTP server I realized that the ASA 5505 only has 7 Fast Ethernet ports and no gigabit ports. Currently the FTP server is connected to a gigabit port on the switch (without DMZ).

What would be your pick?
1. Just put the FTP server in the LAN at gigabit speed.
2. Put the FTP server on the DMZ interface of the ASA 5505, but then internally the speed of the transfers will drop.

Thanks for your advice! In the previous years the FTP server was active, it was always running in the LAN network (I just took over the network).
Question by:Silencer001
9 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36535370
Well, of course putting it into a DMZ is the most secure. The question is: do you need that speed for the LAN? What's the main use: internal or external? If it's only used internally then of course it is simple. If there are external clients using it you might prefer security over speed.
 

Author Comment

by:Silencer001
ID: 36535409
Well, the clients all have 100 Mbit lines, so I was thinking that if one of them were now using the FTP server on Fast Ethernet it would be the same download speed as 10 users using it at gigabit speed.

I know a DMZ is more secure, but does it really pose a threat if I leave it in the LAN network? What could happen if a hacker, for example, knows the password of the FTP server? He can only log in to the files that are linked to that user account but nothing else, I think?
 
LVL 17

Accepted Solution

by:Garry-G (earned 125 total points)
ID: 36535447
Assuming you want to ensure that security issues with the FTP server do not endanger your LAN segment, putting the FTP server on the DMZ LAN is the more secure solution, of course. And, of course, it limits the throughput you will get, and might even cause a slowdown on the external uplink, as the 5505 is rated at only about 150 Mbit of firewall traffic.
Having said that, if you really require maximum throughput between the LAN and the FTP server, you could decide to add the IDS module to the 5505 in order to improve the security of permitted external FTP access to your server; at least in theory the IDS module should recognize known attack patterns and mitigate the results. In this case (well, really any case), at least ensure that the FTP server does not send identifying information about the software running, not that security by obscurity is really much of a protection ...
Another option could be to operate an FTP proxy in the DMZ and the physical server in the LAN; that way, you'd still have the GBit performance to the server from the inside, while only openly presenting the proxy to the outside ... of course this would still leave a possible attack vector if anybody were able to exploit anything there, but that way two security holes would need to be present ...
 
LVL 17

Assisted Solution

by:Garry-G
Garry-G earned 125 total points
ID: 36535459
"What could happen when a hacker for example knows the password of the FTP-server? He can only login to the files that are linked to that user account but nothing else I think?"
Knowing the password to the FTP login is one thing; the bigger risk is bugs/security holes in services ... e.g. finding a buffer overflow that could let you get shell access to the server, and then using additional measures either on that server for privilege escalation, or attacking other hosts on the same network. Or installing a bot to abuse your internet connection ...
 

Author Comment

by:Silencer001
ID: 36541698
Wow, thanks, I didn't know these kinds of things, thanks for the information!

I will be putting the FTP server in the DMZ after some consideration, thanks!
But do you know how to set this up on an ASA 5505? I have been reading the manual, but can't get it to work.

It says that I need a static NAT rule from my inside interface to my DMZ interface. The source and address are the same.
 
LVL 17

Expert Comment

by:Garry-G
ID: 36541712
Can you elaborate on the IP addressing plan? From the "are the same" I'd expect the ASA being handed a subnet of public IPs for forwarding/routing. If you have those public IPs on the DMZ, all you need to do is either activate the "Enable traffic through the firewall without address translation" checkmark on the NAT Rules page, or create an explicit NAT exemption rule for that IP.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541715
"The source and address are the same"

What exactly do you mean by that?

You have to set up a static from your outside IP to the DMZ IP of the server:
    static (DMZ,outside) tcp public_address 21 private_address 21 netmask 255.255.255.255
And allow the port through:
    access-list outside permit tcp any host public_ip eq 21
    access-group outside in interface outside

This is of course somewhat generic and based on a < 8.3 version.
You'll need to know what IPs to use (is it the public one on the interface or do you have more?).
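A fuller pre-8.3 ASA configuration for the DMZ placement discussed in this thread, as an added example that is not from any of the posts above. It uses the 192.168.2.0/24 LAN and 192.168.3.0/24 DMZ from the question, and assumes the FTP server is 192.168.3.10, the interfaces are named inside, dmz and outside, and the outside address is the DHCP-assigned interface address (hence the `interface` keyword). Besides the outside static and ACL from the reply above, it adds the inbound ACL on the DMZ interface that keeps a compromised FTP server from reaching the LAN, which is the risk described earlier in the thread.

```cisco
! Added example (not from the thread). Assumes ASA 5505, software < 8.3, interfaces
! named inside (192.168.2.0/24), dmz (192.168.3.0/24) and outside (DHCP), and an
! assumed FTP server address of 192.168.3.10.
interface Vlan3
 ! Base license only: the third VLAN must not initiate traffic to Vlan1 (inside);
 ! this line must be entered before nameif. Omit it with a Security Plus license.
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Inside -> DMZ: identity (no-translation) static, the rule the ASA guide asks for.
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
!
! Outside -> DMZ: port-forward TCP/21 on the outside interface address to the server
! ("interface" instead of a fixed public address because the outside IP is DHCP).
static (dmz,outside) tcp interface 21 192.168.3.10 21 netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq ftp
access-group outside_in in interface outside
!
! DMZ -> LAN: deny everything, so a compromised FTP server cannot pivot into
! 192.168.2.0/24; the DMZ may still reach the Internet (e.g. for updates).
access-list dmz_in extended deny ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.3.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! FTP inspection (on by default in global_policy) opens the active/passive data
! channel ports dynamically; without it only the TCP/21 control channel passes.
policy-map global_policy
 class inspection_default
  inspect ftp
```

Check the result with `show xlate` (the static should appear) and `packet-tracer input outside tcp 203.0.113.5 1025 interface outside 21`, using any constructed source address; a trace from the dmz interface to 192.168.2.0/24 should be dropped by dmz_in.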
 

Author Comment

by:Silencer001
ID: 36541841
@erniebeek: I have enclosed an attachment to let you see how I configured this. It was just some testing and I found it strange that this needed to be done (following the ASA guide), or maybe I just misunderstood.

@Garry-G:

Internet: DHCP from ISP
DMZ: 192.168.3.0 /24
LAN: 192.168.2.0 /24

I have also set up some port forwarding to RDP to my servers in the LAN and also SMTP, because the company is using an SBS 2011 server.

I have set up a new topic on EE, because it was actually a different question than my first one. Could you maybe start using this topic so I can award points for this question? Thanks in advance!


http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27309498.html
Attachment: Cisco.png
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541853
Ah, it's you over there :)

Ok, I'll move on to that one. See you there.

With regards to the attachment: when going through the ASA (in this case from low security to high security) some sort of translation has to be done. What you're doing here is translating the IP range from the DMZ to itself. So the net result is that the addresses from the DMZ stay the same when going to the LAN.
