Solved

DMZ and FTP servers

Posted on 2014-04-21
4
962 Views
Last Modified: 2014-04-22
Almost there....  Lets say that I have a FTP server in the DMZ.  You get DoS attacks on the FTP Server, so everything in you host is safe.  I understand that

How then does the FTP server work, since it can not server up a file on the host, because it is residing on the FTP Server within the DMZ

Thanks
0
Comment
Question by:Anthony Lucia
4 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40013338
I'm not sure what you are asking here. Can yo give me some more information please?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 167 total points
ID: 40013435
Usually, the FTP server is autonomous - you can upload files to it from inside the LAN, to make them available to outside sites, and external users upload files to it from outside the DMZ, which internal users then "pull" to their own machines, again using FTP.

Normally, the FTP server can't itself request files, and in fact, all traffic should flow *to* the DMZ in most circumstances (web->DMZ and lan->DMZ)

If you really need a DMZ host to have the same files as an internal (LAN) host, consider using software (such as rsync) that can connect from LAN to DMZ, compare the contents of two directories, and copy files as needed to bring them back into sync.
0
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 166 total points
ID: 40013584
Lets say that I have a FTP server in the DMZ.  You get DoS attacks on the FTP Server, so everything in you host is safe.

Your FTP server may or may not be safe during a DoS attack.   Entirely depends on the nature of the DoS attack.  

How then does the FTP server work, since it can not server up a file on the host, because it is residing on the FTP Server within the DMZ

If your FTP server is under a DoS attack, then depending on the scale of the DoS attack, the FTP server won't receive any valid FTP requests.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 167 total points
ID: 40015070
DMZ's look like this:
FTP_Server ->Firewall -> (10mbps)Internet
People come from the internet, through the allowed FTP ports (20 and 21 typically), and then access the FTP service.
A DoS attack, if it fills up the pipe, a 10mbps cable connection we'll say, then anything else that is trying to come out or go into the firewall will not get through at an acceptable rate and probably be lost/dropped/time-out.
The service doesn't matter in that case, ftp, http, ssh etc... nothing is going in or out if the circuit is overloaded.
If it's an attack against JUST FTP, and it doesn't use all 10mpbs, then other services will function in/out of the firewall, maybe with some delay but probably acceptable rates. Most servers do not sit out on the internet without a firewall in front of them. That firewall should dictate what is allowed in/out of the network, that firewall is effectively the DMZ outside perimeter. The inside perimeter of the DMZ should also limit who/what can access the FTP server from INSIDE the network, a DMZ is a locked down perimeter.
Internal network ->firewall->FTP_Server->Firewall->Internets (aka el tuba reno's)
-rich
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Beyond Tools A conversation I recently had with the DevOps manager of a major online retailer really made me think about DevOps monitoring tools (https://www.onpage.com/devops-incident-management-tool/). The manager and I discussed how sever…
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question