
File Access from DMZ to LAN

We are planning on deploying a web server (DMZ) which will make calls to a file server on our LAN. We would like to know the best way of securing data between these servers so that the communication and risk associated is minimized. Our original plan was to create a local account (user account) on our file server (on LAN) and have the web server pass these credentials in order to map a network drive which was located on the file server. The only thing that will be allowed between DMZ->LAN are file/print sharing ports (I have to look them up....). The account which will be created on the file server will be part of the "users" group and will only have read-access to data on the file server. Please advise on best practice. Refer to the image attached for an idea of the infrastructure setup.
(attached image: webextractor.jpg)

I would suggest making the user not a member of any group, but rather granting it explicit rights to the shared folder. That way you wouldn't have to worry about what other permissions were granted to the users group.
Everything sounds good so far; a limited user account with only the necessary privileges is recommended. Also make sure to only allow traffic in the firewall between those exact nodes (as in, use host IPs and ports, not subnets, for filtering). Direct connections from WAN to LAN should not be possible, and I would also limit connections from LAN to WAN from the file server only to the sites that are required. Additionally, consider replacing the Windows file sharing (CIFS/SMB) for the file server connections with e.g. SFTP or IIS FTP over SSL:

https://learn.iis.net/page.aspx/304/using-ftp-over-ssl-in-iis-7/

Author

Commented:
I've read several threads that have a variety of ports open for file sharing. What would be the minimum (ports needed) to allow a single Windows file share access from DMZ->LAN?

Author

Commented:
UDP 137, UDP 138, UDP 445, TCP 139 and TCP 445 are the ones I've read, but I'm not sure I need all of these just for 1 file server. I need no DC authentication...
Most of the time, putting a computer in the DMZ still leaves it on the local LAN; but, not protected by the NAT firewall.  If this is true, you don't need to open any ports at all.
"Most of the time, putting a computer in the DMZ still leaves it on the local LAN; but, not protected by the NAT firewall.  If this is true, you don't need to open any ports at all."

I think this is only true with some unmanaged consumer-grade hardware that should have no place in an enterprise environment to begin with. There has to be a firewall to filter traffic both between the WAN and the DMZ and between the DMZ and the LAN; otherwise it's not a DMZ, which by definition should be segregated from the internal network.
bbao, IT Consultant

Commented:
agree with CoccoBill.

another possibility is to have a direct connection from the DMZ file server to the internal LAN; say, the file server has an additional NIC connecting to the LAN.

all of these scenarios should NOT be recommended, as overall security will collapse once the DMZ file server is compromised.

however, one-way access from LAN to DMZ can be granted and established if for some reason the LAN computers need to access the DMZ file server.

Author

Commented:
I just need access to specific files on the LAN server from the DMZ. Would you recommend adding another NIC on the DMZ machine which does have access to a single LAN node via the ports mentioned above? Would this in fact add security that I would not have with a single NIC? Which ports do I open (minimum)? I have dual protection, from WAN to DMZ, and DMZ to LAN. The previous post mentioning that no ports need to be opened defeats the purpose of having a DMZ, as there would be no additional protection WAN to LAN.
bbao, IT Consultant

Commented:
sorry, just realised the file server is not located in the DMZ, but on the LAN instead.

however, as a best practice, it is recommended that only one-way access from the LAN to the DMZ is allowed. in this approach, you may consider actively synchronising the required files from LAN to DMZ and then letting the DMZ server access the files locally.

why does the DMZ server need to access the LAN file server? what kind of files are to be accessed? static or dynamic content? we do need the background information or business requirements to work out the right solution.

Author

Commented:
Dynamic content. We have a document archive (on LAN) which contains historical data (which is updated multiple times a day) and needs to be made available via our website. In order to make the content crawlable we need to have the ability for our web server to see the archive repository. Unfortunately, we do not have the storage to replicate a large archive and push changes onto a locally mirrored archive in the DMZ. We were planning on creating a single hole in our firewall to our doc archive with a limited "read only" account which will allow for crawling. The solution proposed must be cost effective and as secure as possible with existing resources being used.
bbao, IT Consultant
Commented:
two things first:

* enable reverse NAT on the inner firewall. normally outgoing NAT is already enabled there for accessing the internet and DMZ, so two-way NAT should be allowed on this firewall.

* add one more static route on the DMZ web server in order to send traffic to the inner firewall, instead of the default gateway on the external firewall, when the web server needs to access the LAN file server by IP or domain name.

say your LAN file server is 172.16.1.100, the inner firewall is 192.168.1.1 on its WAN interface, and the DMZ web server is 192.168.1.200. then the following command should be executed on the DMZ web server.

ROUTE ADD -P 172.16.1.100 MASK 255.255.255.255 192.168.1.1

if the files are shared over SMB (the traditional Windows file and printer sharing), do the following:

* enable UDP Port 137/138 and TCP Port 139 for allowing SMB sessions on the inner firewall. better to allow access only from the DMZ web server to the LAN file server by the additional rules on the firewall.

if the files are shared over web such as SharePoint server, do the following:

* enable TCP Port 80/443 on the inner firewall. the same principle, better to also apply the IP-to-IP restriction using the firewall rules.

hope it helps,
bbao
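As an added example (not code from the thread or from any of its participants), the following Python audit applies the advice above to a DMZ->LAN firewall rule set: every allow rule must be host-to-host (the web server 192.168.1.200 to the file server 172.16.1.100, the addresses bbao used) and limited to the SMB ports named in the thread. The rule format and the sample rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed endpoints, taken from the addressing used in the thread above.
DMZ_WEB = ipaddress.ip_address("192.168.1.200")
LAN_FILE = ipaddress.ip_address("172.16.1.100")

# Ports the thread lists for a Windows file share session from DMZ to LAN
# (UDP 137/138, TCP 139) plus TCP 445, which the question also mentions.
ALLOWED_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


@dataclass(frozen=True)
class Rule:
    """One inner-firewall rule in the DMZ->LAN direction (constructed format)."""
    src: str     # CIDR, e.g. "192.168.1.200/32"
    dst: str
    proto: str   # "tcp" or "udp"
    port: int
    action: str  # "allow" or "deny"


def check_rule(rule: Rule) -> list:
    """Return the policy violations for one rule; an empty list means it is fine."""
    if rule.action != "allow":
        return []  # deny rules never widen exposure
    problems = []
    src = ipaddress.ip_network(rule.src, strict=False)
    dst = ipaddress.ip_network(rule.dst, strict=False)
    # CoccoBill's point: filter on exact hosts, never on subnets.
    if src.num_addresses != 1 or dst.num_addresses != 1:
        problems.append("subnet match instead of host-to-host")
    if src.network_address != DMZ_WEB or dst.network_address != LAN_FILE:
        problems.append("endpoints are not DMZ web server -> LAN file server")
    if (rule.proto.lower(), rule.port) not in ALLOWED_PORTS:
        problems.append(f"{rule.proto}/{rule.port} is not needed for the file share")
    return problems


def audit(rules: list) -> dict:
    """Map the index of each offending rule to its list of violations."""
    findings = {}
    for i, rule in enumerate(rules):
        problems = check_rule(rule)
        if problems:
            findings[i] = problems
    return findings


# Constructed sample rule set: one correct rule, two overly broad ones, one deny.
SAMPLE_RULES = [
    Rule("192.168.1.200/32", "172.16.1.100/32", "tcp", 445, "allow"),
    Rule("192.168.1.0/24", "172.16.1.0/24", "tcp", 139, "allow"),
    Rule("192.168.1.200/32", "172.16.1.100/32", "tcp", 3389, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "tcp", 0, "deny"),
]
```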
btan, Exec Consultant, Distinguished Expert 2019

Commented:
Suggest also considering a web application firewall fronting your web application to defend against layer 7 cyber attacks and to provide a virtual patching capability while a security-flawed application is being patched. That would not require any additional ports to be opened on the firewall. Also, I see there may be a performance issue as you go through SSL over the WAN; consider server offload to a global load balancer that is capable of SSL termination and handling it at high speed using an on-board hardware crypto chip. There can even be a NAC implementation to check remote access health before the authentication and authorisation checks.

Author

Commented:
Great, thanks!