Solved

DMZ and FTP servers

Posted on 2014-04-21
Last Modified: 2014-04-22
Almost there.... Let's say that I have an FTP server in the DMZ. You get DoS attacks on the FTP server, so everything in your host is safe. I understand that.

How then does the FTP server work, since it cannot serve up a file on the host, because it is residing on the FTP server within the DMZ?

Thanks
0
Question by:Anthony Lucia
4 Comments
 

Expert Comment

by:BigPapaGotti
ID: 40013338
I'm not sure what you are asking here. Can you give me some more information please?
0
 

Assisted Solution

by:Dave Howe
Dave Howe earned 167 total points
ID: 40013435
Usually, the FTP server is autonomous - you can upload files to it from inside the LAN, to make them available to outside sites, and external users upload files to it from outside the DMZ, which internal users then "pull" to their own machines, again using FTP.

Normally, the FTP server can't itself request files, and in fact, all traffic should flow *to* the DMZ in most circumstances (web->DMZ and lan->DMZ).

If you really need a DMZ host to have the same files as an internal (LAN) host, consider using software (such as rsync) that can connect from LAN to DMZ, compare the contents of two directories, and copy files as needed to bring them back into sync.
0
 

Assisted Solution

by:Tintin
Tintin earned 166 total points
ID: 40013584
"Let's say that I have an FTP server in the DMZ. You get DoS attacks on the FTP server, so everything in your host is safe."

Your FTP server may or may not be safe during a DoS attack. It entirely depends on the nature of the DoS attack.

"How then does the FTP server work, since it cannot serve up a file on the host, because it is residing on the FTP server within the DMZ"

If your FTP server is under a DoS attack, then depending on the scale of the DoS attack, the FTP server won't receive any valid FTP requests.
0
 

Accepted Solution

by:Rich Rumble
Rich Rumble earned 167 total points
ID: 40015070
DMZs look like this:
FTP_Server -> Firewall -> (10mbps) Internet
People come from the internet, through the allowed FTP ports (20 and 21 typically), and then access the FTP service.
If a DoS attack fills up the pipe, a 10mbps cable connection we'll say, then anything else that is trying to come out of or go into the firewall will not get through at an acceptable rate and will probably be lost/dropped/timed out.
The service doesn't matter in that case, ftp, http, ssh etc... nothing is going in or out if the circuit is overloaded.
If it's an attack against JUST FTP, and it doesn't use all 10mbps, then other services will function in/out of the firewall, maybe with some delay but probably at acceptable rates. Most servers do not sit out on the internet without a firewall in front of them. That firewall should dictate what is allowed in/out of the network; that firewall is effectively the DMZ's outside perimeter. The inside perimeter of the DMZ should also limit who/what can access the FTP server from INSIDE the network; a DMZ is a locked-down perimeter.
Internal network -> Firewall -> FTP_Server -> Firewall -> Internets (aka el tuba reno's)
-rich
0
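
Added example, not part of any post in this thread: a small model of the two-perimeter DMZ described in the answers above, showing that new connections are only allowed to flow toward the DMZ, so LAN hosts push and pull files while the FTP server can never reach into the LAN. The addresses, the rule table, and the use of port 22 for rsync over SSH are assumptions made for illustration; only the FTP control channel (port 21) is modeled.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration (not from the thread).
ZONES = {
    "lan": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.168.50.0/24"),
}
FTP_SERVER = ip_address("192.168.50.10")

# (source zone, destination zone, destination host, allowed destination ports).
# Only NEW connections are evaluated; replies are assumed to be handled by
# stateful tracking. Anything that matches no rule is dropped (default deny).
RULES = [
    ("internet", "dmz", FTP_SERVER, {21}),      # outside perimeter: FTP only
    ("lan", "dmz", FTP_SERVER, {21, 22}),       # inside perimeter: FTP, rsync over SSH (assumed)
]

def zone_of(addr):
    """Map an address to its zone; anything not LAN or DMZ is the internet."""
    addr = ip_address(addr)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def allowed(src, dst, dport):
    """Return True if a new connection src -> dst:dport matches a rule."""
    pair = (zone_of(src), zone_of(dst))
    for r_src, r_dst, r_host, r_ports in RULES:
        if pair == (r_src, r_dst) and ip_address(dst) == r_host and dport in r_ports:
            return True
    return False

def audit(flows):
    """Label each (src, dst, dport) flow with the verdict the policy gives it."""
    return [(flow, "ALLOW" if allowed(*flow) else "DROP") for flow in flows]

# Constructed sample flows.
FLOWS = [
    ("203.0.113.7", "192.168.50.10", 21),   # internet user -> FTP server
    ("10.0.0.5", "192.168.50.10", 22),      # LAN host syncing files to the DMZ
    ("192.168.50.10", "10.0.0.5", 22),      # FTP server trying to reach the LAN
    ("203.0.113.7", "10.0.0.5", 21),        # internet user trying to skip the DMZ
]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(f"{verdict:5} {flow[0]} -> {flow[1]}:{flow[2]}")
```
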
