Solved

FTP-server in DMZ or LAN? (Fast Ethernet in DMZ)

Posted on 2011-09-14
995 Views
Last Modified: 2012-05-12
Hi everyone,

I just bought the new Cisco ASA 5505. When I wanted to configure the DMZ for my FTP server I realized that the ASA 5505 only has 7 Fast Ethernet ports and no gigabit ports. Currently the FTP server is connected to a gigabit port on the switch (without DMZ).

What would be your pick?
      1. Just put the FTP server in the LAN at gigabit speed.
      2. Put the FTP server on the DMZ interface of the ASA 5505, but then internally the transfer speeds will drop.

Thanks for your advice! In the previous years the FTP server was active, it was always running in the LAN network (I just took over the network).
Question by:Silencer001
9 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36535370
Well, of course putting it into a DMZ is the most secure. The question is: do you need that speed for the LAN? What's the main use: internal or external? If it's only used internally then of course it is simple. If there are external clients using it you might prefer security over speed.
0
 

Author Comment

by:Silencer001
ID: 36535409
Well, the clients all have 100 Mbit lines, so I was thinking that if one of them were using the FTP server on Fast Ethernet it would be the same download speed as 10 users using it at gigabit speed.

I know a DMZ is more secure, but does it really pose a threat if I leave it in the LAN network? What could happen when a hacker, for example, knows the password of the FTP server? He can only log in to the files that are linked to that user account but nothing else, I think?
0
 
LVL 17

Accepted Solution

by:
Garry-G earned 125 total points
ID: 36535447
Assuming you want to ensure that security issues with the FTP server do not endanger your LAN segment, putting the FTP server on the DMZ LAN is the more secure solution, of course. And, of course, it limits the throughput you will get, and might even cause a slowdown on the external uplink, as the 5505 is rated at only about 150 Mbit of firewall traffic.
Having said that, if you really require maximum throughput between the LAN and the FTP server, you could decide to add the IDS module to the 5505 in order to improve the security of permitted external FTP access to your server; at least in theory the IDS module should recognize known attack patterns and mitigate the results. In this case (well, really any case), at least ensure that the FTP server does not send identifying information about the software running, not that security by obscurity is really much of a protection ...
Another option could be to operate an FTP proxy in the DMZ and the physical server in the LAN; that way, you'd still have GBit performance to the server from the inside, while only openly presenting the proxy to the outside ... of course this would still leave a possible attack vector if anybody were able to exploit anything there, but that way two security holes would need to be present ...
0
 
LVL 17

Assisted Solution

by:Garry-G
Garry-G earned 125 total points
ID: 36535459
What could happen when a hacker, for example, knows the password of the FTP server? He can only log in to the files that are linked to that user account but nothing else, I think?
Knowing the password to the FTP login is one thing; the bigger risk is bugs/security holes in services ... e.g. finding a buffer overflow that could let you get shell access to the server, and then using additional measures either on that server for privilege escalation, or attacking other hosts on the same network. Or installing a bot to abuse your internet connection ...
0
 

Author Comment

by:Silencer001
ID: 36541698
Wow, thanks, I didn't know these kinds of things, thanks for the information!

I will be putting the FTP server in the DMZ after some consideration, thanks!
But do you know how to set this up on an ASA 5505? I have been reading the manual, but can't get it to work.

It says that I need a static NAT rule from my inside interface to my DMZ interface. The source and address are the same.
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 36541712
Can you elaborate on the IP addressing plan? From the "are the same" I'd expect the ASA to be handed a subnet of public IPs for forwarding/routing. If you have those public IPs on the DMZ, all you need to do is either activate the "Enable traffic through the firewall without address translation" checkmark on the NAT Rules page, or create an explicit NAT exemption rule for that IP.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541715
The source and address are the same

What exactly do you mean by that?

You have to set up a static from your outside IP to the DMZ IP of the server:
static (DMZ,outside) tcp public_address 21 private_address 21 netmask 255.255.255.255
And allow the port through:
access-list outside permit tcp any host public_ip eq 21
access-group outside in interface outside

This is of course somewhat generic and based on a < 8.3 version.
You'll need to know what IPs to use (is it the public IP on the interface or do you have more?).
0
 

Author Comment

by:Silencer001
ID: 36541841
@erniebeek: I have enclosed an attachment to let you see how I configured this. It was just some testing and I found it strange that this needed to be done (following the ASA guide), or maybe I just misunderstood.

@Garry-G:

Internet: DHCP from ISP
DMZ: 192.168.3.0 /24
LAN: 192.168.2.0 /24

I have also set up some port forwarding for RDP to my servers in the LAN and also SMTP, because the company is using an SBS 2011 server.

I have set up a new topic on EE, because it was actually a different question than my first one. Could you maybe start using that topic so I can award points for this question? Thanks in advance!


http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27309498.html
Cisco.png
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541853
Ah it's you over there :)

Ok, I'll move on to that one. See you there.

With regard to the attachment: when going through the ASA (in this case from low security to high security) some sort of translation has to be done. What you're doing here is translating the IP range from the DMZ to itself. So the net result is that the addresses from the DMZ stay the same when going to the LAN.
0
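A worked pre-8.3 ASA 5505 configuration that ties together the pieces discussed in this thread (the static plus access-list from Ernie Beek's post, the NAT exemption Garry-G mentioned, and hiding the server's identifying information) for the addressing Silencer001 gave: DMZ 192.168.3.0/24, LAN 192.168.2.0/24, outside via DHCP. This is an added example, not configuration from any of the posters; the FTP server address 192.168.3.10 and the interface/ACL names are constructed assumptions.

```cisco
! Added example (not from the thread): ASA 5505, pre-8.3 NAT syntax.
! Assumed: FTP server at 192.168.3.10 on the DMZ (constructed address).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
! Base licence: the third VLAN may not initiate traffic to one other VLAN.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! PAT for LAN and DMZ hosts going out, plus a NAT exemption so LAN -> DMZ
! keeps the real addresses (the "translate the DMZ range to itself" effect).
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 1 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Publish only TCP/21 of the outside (DHCP) address to the DMZ server and permit it.
static (dmz,outside) tcp interface ftp 192.168.3.10 ftp netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq ftp
access-group outside_in in interface outside
!
! The DMZ may reach the Internet but never initiate into the LAN, so a compromised
! FTP host stays contained to its segment (the service-bug risk raised above).
access-list dmz_out extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_out extended permit ip 192.168.3.0 255.255.255.0 any
access-group dmz_out in interface dmz
!
! FTP inspection opens the data connections dynamically and masks the server
! banner and SYST reply, so the software version is not advertised.
policy-map type inspect ftp ftp_strict
 parameters
  mask-banner
  mask-syst-reply
policy-map global_policy
 class inspection_default
  inspect ftp strict ftp_strict
```

LAN clients reach the server directly on 192.168.3.10 through the exemption, which is the throughput path the thread is worried about; only the outside path is limited to the single published port.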