Encinitas
asked on
File Access from DMZ to LAN
We are planing on deploying a web server (DMZ) which will make calls to a file server on our LAN. We would like to know the best way of securing data between these servers so that the communication and risk associated is minimized. Our original plan was to create a local account (user account) on our file server(on LAN) and have the web server pass these credentials in order to map a network drive which was located on the file server. The only thing that will be allowed between DMZ->LAN are file/print sharing ports (i have to look them up....) The account which will be created on the file server will be part of "users" group and will only have read-access to data on the file server. Please advise on best practice. Refer to image attached for idea of infrastructure setup.
webextractor.jpg
webextractor.jpg
Davis McCarn
I would suggest making the user, not as a member of any group; but rather granting it explicit rights to the shared folder. That way you wouldn't have to worry about what other permissions were granted to the users group.
Everything sounds good so far, a limited user account with only the necessary privileges is recommended. Also make sure to only allow traffic in the firewall between those exact nodes (as in, use host ip's and ports, not subnets, for filtering). Direct connections from WAN to LAN should not be possible and I would also limit connections from LAN to WAN from the file server only to the sites that are required. Additionally, consider replacing the Windows file sharing (CIFS/SMB) for the file server connections with eg. SFTP or IIS ftp over SSL:
https://learn.iis.net/page.aspx/304/using-ftp-over-ssl-in-iis-7/
https://learn.iis.net/page.aspx/304/using-ftp-over-ssl-in-iis-7/
ASKER
i've read several threads that have a variety of ports open for file sharing. What would be the minimum (ports needed) to allow a single windows file share access from DMZ->LAN?
ASKER
UDP 137, UDP 138, UDP 445, and TCP 139, and TCP 445 are ones i've read but i'm not sure i need all of these just to 1 file server. I need no DC authentication...
Most of the time, putting a computer in the DMZ still leaves it on the local LAN; but, not protected by the NAT firewall. If this is true, you don't need to open any ports at all.
"Most of the time, putting a computer in the DMZ still leaves it on the local LAN; but, not protected by the NAT firewall. If this is true, you don't need to open any ports at all."
I think this is only true with some unmanaged consumer grade hardware that should have no place in an enterprise environment to begin with. There has to be a firewall to filter traffic both between the WAN and the DMZ and the DMZ and the LAN, otherwise its not a DMZ, which by definition should be segregated from the internal network.
I think this is only true with some unmanaged consumer grade hardware that should have no place in an enterprise environment to begin with. There has to be a firewall to filter traffic both between the WAN and the DMZ and the DMZ and the LAN, otherwise its not a DMZ, which by definition should be segregated from the internal network.
agree with CoccoBill.
another possibility is to have a direct connection from the DMZ file server to the internal LAN, say, the file server has an additional NIC connecting the LAN.
all of these scenarios should NOT be recommended as whole security will be collapsed once the DMZ file server is compromised.
however, one-way access from LAN to DMZ can be granted and established if for some reasons the LAN computers need to access the DMZ file server..
another possibility is to have a direct connection from the DMZ file server to the internal LAN, say, the file server has an additional NIC connecting the LAN.
all of these scenarios should NOT be recommended as whole security will be collapsed once the DMZ file server is compromised.
however, one-way access from LAN to DMZ can be granted and established if for some reasons the LAN computers need to access the DMZ file server..
ASKER
I just need access to specific files on lan server from the dmz. would you recommend adding another nic on dmz machine which does have access to single lan node via ports mentioned above? would this in fact add security that I would not have with single nic? which ports do I open (minimum)? I have dual protection, from wan to dmz, and dmz to lan. previous post mentioning that no ports need to ne opened defeats purpose of having a dmz as there would be no additional protection wan to lan
sorry, just realised the file server is not located in the DMZ, on the LAN instead.
however, as a best practice, it is recommended that only one-way access from the LAN to the DMZ is allowed. in this approach, you may consider actively synchronise the required files from LAN to DMZ and then the DMZ server access the files locally.
why does the DMZ server need to access the LAN file server? what kind of files to be accessed? static or dynamic content? we do need the background information or business requirements to work out the right solution.
however, as a best practice, it is recommended that only one-way access from the LAN to the DMZ is allowed. in this approach, you may consider actively synchronise the required files from LAN to DMZ and then the DMZ server access the files locally.
why does the DMZ server need to access the LAN file server? what kind of files to be accessed? static or dynamic content? we do need the background information or business requirements to work out the right solution.
ASKER
dynamic content. we have a document archive (on lan) which contains historical data (which is updated multiple times a day) and needs to be made available via our website. in order to make content crawlable it we need to have the ability for our web server to see the archive repository. unfortunately, we do not have the storage to replicate a large archive and push changes onto a locally mirrored archive in dmz. we were planning on creating a single hole in our fidewall to our docarchive with a limited "read only" account which will allow for crawling. the solution proposed must be cost effective and as secure as possible with existing resources being used.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Suggest also to consider having web application firewall fronting your web appl to defend against layer 7 cyber attacks and create the virtual patching capability during patching of security flawed appl. That would not required any additional ports to be opened by firewall. Also I see there maybe performance issue as you go through ssl over wan, consider server offload to a global load balancer that is capable of ssl termination and handling it at fast speed using on board hardware crypto chip. There can even be NAC implementation to check remote access health before even authentication and authorisation checks.
ASKER
Great, thanks!