[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


DMZ and FTP servers

Posted on 2014-04-21
Medium Priority
Last Modified: 2014-04-22
Almost there....  Lets say that I have a FTP server in the DMZ.  You get DoS attacks on the FTP Server, so everything in you host is safe.  I understand that

How then does the FTP server work, since it can not server up a file on the host, because it is residing on the FTP Server within the DMZ

Question by:Anthony Lucia
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 40013338
I'm not sure what you are asking here. Can yo give me some more information please?
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 668 total points
ID: 40013435
Usually, the FTP server is autonomous - you can upload files to it from inside the LAN, to make them available to outside sites, and external users upload files to it from outside the DMZ, which internal users then "pull" to their own machines, again using FTP.

Normally, the FTP server can't itself request files, and in fact, all traffic should flow *to* the DMZ in most circumstances (web->DMZ and lan->DMZ)

If you really need a DMZ host to have the same files as an internal (LAN) host, consider using software (such as rsync) that can connect from LAN to DMZ, compare the contents of two directories, and copy files as needed to bring them back into sync.
LVL 48

Assisted Solution

Tintin earned 664 total points
ID: 40013584
Lets say that I have a FTP server in the DMZ.  You get DoS attacks on the FTP Server, so everything in you host is safe.

Your FTP server may or may not be safe during a DoS attack.   Entirely depends on the nature of the DoS attack.  

How then does the FTP server work, since it can not server up a file on the host, because it is residing on the FTP Server within the DMZ

If your FTP server is under a DoS attack, then depending on the scale of the DoS attack, the FTP server won't receive any valid FTP requests.
LVL 38

Accepted Solution

Rich Rumble earned 668 total points
ID: 40015070
DMZ's look like this:
FTP_Server ->Firewall -> (10mbps)Internet
People come from the internet, through the allowed FTP ports (20 and 21 typically), and then access the FTP service.
A DoS attack, if it fills up the pipe, a 10mbps cable connection we'll say, then anything else that is trying to come out or go into the firewall will not get through at an acceptable rate and probably be lost/dropped/time-out.
The service doesn't matter in that case, ftp, http, ssh etc... nothing is going in or out if the circuit is overloaded.
If it's an attack against JUST FTP, and it doesn't use all 10mpbs, then other services will function in/out of the firewall, maybe with some delay but probably acceptable rates. Most servers do not sit out on the internet without a firewall in front of them. That firewall should dictate what is allowed in/out of the network, that firewall is effectively the DMZ outside perimeter. The inside perimeter of the DMZ should also limit who/what can access the FTP server from INSIDE the network, a DMZ is a locked down perimeter.
Internal network ->firewall->FTP_Server->Firewall->Internets (aka el tuba reno's)

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question