  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1076

FTP-server in DMZ or LAN? (Fast Ethernet in DMZ)

Hi everyone,

I just bought the new cisco ASA 5505. When I wanted to configure the DMZ for my FTP-server I realized that the ASA 5505 only has 7 Fast-Ethernet Ports and no gigabit ports. Currently the FTP-server is connected to a gigabit-port on the switch (without DMZ).

What would be your pick?
  1. Just put the FTP-server in the LAN on gigabit speed.
  2. Put the FTP-server on the DMZ-interface of the ASA 5505, but then internally the speeds of the transfers will drop.

Thanks for your advice! In the previous years that the FTP-server was active, it was always running in the LAN network (I just took over the network).
0
Asked by: Silencer001
2 Solutions
 
Ernie Beek commented:
Well, of course putting it into a DMZ is the most secure. The question is: do you need that speed for the LAN? What's the main use: internal or external? If it's only used internally then of course it is simple. If there are external clients using it you might prefer security over speed.
0
 
Silencer001 (Author) commented:
Well, the clients all have 100 Mbit lines, so I was thinking that if one of them were using the FTP-server on Fast Ethernet, it would be the same download speed as 10 users using it at gigabit speed.

I know a DMZ is more secure, but does it really pose a threat if I leave it in the LAN network? What could happen when a hacker, for example, knows the password of the FTP-server? He can only log in to the files that are linked to that user account but nothing else, I think?
0
 
Garry Glendown, Consulting and Network/Security Specialist, commented:
Assuming you want to ensure that security issues with the FTP server do not endanger your LAN segment, putting the FTP server on the DMZ LAN is the more secure solution, of course. And, of course, it limits the throughput you will get, and might even cause a slowdown on the external uplink, as the 5505 is rated at only about 150 Mbit of firewall traffic.
Having said that, if you really require maximum throughput between the LAN and the FTP server, you could decide to add the IDS module to the 5505 in order to improve the security of permitted external FTP access to your server; at least in theory the IDS module should recognize known attack patterns and mitigate the results. In this case (well, really any case), at least ensure that the FTP server does not send identifying information about the software running, not that security by obscurity is really much of a protection ...
Another option could be to operate an FTP proxy in the DMZ and the physical server in the LAN; that way, you'd still have GBit performance to the server from the inside, while only openly presenting the proxy to the outside ... of course this would still leave a possible attack vector if anybody were able to exploit anything there, but that way two security holes would need to be present ...
0
 
Garry Glendown, Consulting and Network/Security Specialist, commented:
"What could happen when a hacker for example knows the password of the FTP-server? He can only login to the files that are linked to that user account but nothing else I think?"
Knowing the password to the FTP login is one thing; the bigger risks are bugs/security holes in services ... e.g. finding a buffer overflow that could let you get shell access to the server, and then using additional measures either on that server for privilege escalation, or attacking other hosts on the same network. Or installing a bot to abuse your internet connection ...
0
 
Silencer001 (Author) commented:
Wow thanks, didn't know these kind of things, thanks for the information!

I will be putting the FTP-server in the DMZ after some considerations, thanks!
But do you know how to set this up on an ASA 5505? I have been reading the manual, but can't get it to work.

It says that I need a static NAT rule from my inside interface to my DMZ interface. The source and address are the same.
0
 
Garry Glendown, Consulting and Network/Security Specialist, commented:
Can you elaborate on the IP addressing plan? From the "are the same" I'd expect the ASA being handed a subnet of public IPs for forwarding/routing. If you have those public IPs on the DMZ, all you need to do is either activate the "Enable traffic through the firewall without address translation" checkmark on the NAT Rules page, or create an explicit NAT exemption rule for that IP.
0
 
Ernie Beek commented:
"The source and address are the same"

What exactly do you mean by that?

You have to set up a static from your outside IP to the DMZ IP of the server:
static (DMZ,outside) tcp public_address 21 private_address 21 netmask 255.255.255.255
And allow the port through:
access-list outside permit tcp any host public_ip eq 21
access-group outside in interface outside

This is of course somewhat generic and based on a < 8.3 version.
You'll need to know what IPs to use (is it the public IP on the interface or do you have more?).
0
 
Silencer001 (Author) commented:
@erniebeek: I have enclosed an attachment to let you see how I configured this. It was just some testing and found it strange that this needed to be done (following ASA guide) or maybe I just misunderstood.

@Garry-G:

Internet: DHCP from ISP
DMZ: 192.168.3.0 /24
LAN: 192.168.2.0 /24

I have also set up some port forwarding for RDP to my servers in the LAN and also SMTP, because the company is using an SBS 2011 server.

I have set up a new topic on EE, because it was actually a different question than my first one. Could you maybe continue in that topic so I can award points for this question? Thanks in advance!

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27309498.html
Attachment: Cisco.png
0
 
Ernie Beek commented:
Ah it's you over there :)

Ok, I'll move on to that one. See you there.

With regards to the attachment: when going through the ASA (in this case from low security to high security) some sort of translation has to be done. What you're doing here is translating the IP range from the DMZ to itself. So the net result is that the addresses from the DMZ stay the same when going to the LAN.
0
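Pulling Ernie Beek's two pieces together (the outside static plus ACL from his earlier reply, and the DMZ-to-itself translation he explains above), here is an added, complete pre-8.3 ASA 5505 configuration fragment for an FTP server in the DMZ. It is not the thread's own config or the attachment. Assumptions not taken from the thread: the DMZ is Vlan3 named "dmz" at security level 50 with the ASA at 192.168.3.1, the LAN is Vlan1 named "inside", the FTP server's address 192.168.3.10 is a constructed address inside the 192.168.3.0/24 DMZ given above, and because the outside address comes from the ISP by DHCP the `interface` keyword stands in for a fixed public IP. The addressing (192.168.3.0/24 DMZ, 192.168.2.0/24 LAN) is the asker's.

```cisco
! Added example, not the thread's own configuration. Pre-8.3 syntax, as in Ernie Beek's reply.
! Assumed (not from the thread): Vlan3 = dmz (level 50, ASA at 192.168.3.1), Vlan1 = inside,
! FTP server at 192.168.3.10 (constructed), outside address obtained by DHCP.
!
interface Vlan3
 ! Base license: the third VLAN must be barred from initiating traffic to one other VLAN;
 ! choosing the LAN here is exactly the isolation the DMZ is for.
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Publish TCP/21 on the (DHCP-assigned) outside interface address to the DMZ server.
static (dmz,outside) tcp interface 21 192.168.3.10 21 netmask 255.255.255.255
!
! The "translate the range to itself" rule from the attachment: DMZ hosts keep their
! real addresses when reached from the LAN (identity translation, no address change).
static (dmz,inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
!
! From the Internet, permit only the FTP control channel to the published address;
! FTP inspection opens the data channel dynamically, so no wide port range is needed.
access-list outside_in extended permit tcp any interface outside eq ftp
access-group outside_in in interface outside
!
! Explicit DMZ egress policy: even a compromised FTP server may not initiate
! connections into the LAN, while its other outbound traffic still works.
access-list dmz_in extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.3.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! FTP inspection is in the default global policy on most images; "strict" additionally
! rejects control-channel command sequences that do not follow the protocol.
policy-map global_policy
 class inspection_default
  inspect ftp strict
```

The identity static is the explicit form of what Garry Glendown's "traffic through the firewall without address translation" checkbox (or a NAT exemption rule) achieves; it only matters when NAT control is enabled, but writing it out keeps the intent visible. After applying, `show xlate` should list the TCP/21 translation for 192.168.3.10, and a test transfer from a LAN host should hit the server at its real 192.168.3.10 address. On 8.3 and later the `static` lines become object NAT and the ACL refers to the real (untranslated) address instead.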
