[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1278
  • Last Modified:

DMZ and FTP servers

Almost there....  Lets say that I have a FTP server in the DMZ.  You get DoS attacks on the FTP Server, so everything in you host is safe.  I understand that

How then does the FTP server work, since it can not server up a file on the host, because it is residing on the FTP Server within the DMZ

Thanks
0
Anthony Lucia
Asked:
Anthony Lucia
3 Solutions
 
BigPapaGottiCommented:
I'm not sure what you are asking here. Can yo give me some more information please?
0
 
Dave HoweCommented:
Usually, the FTP server is autonomous - you can upload files to it from inside the LAN, to make them available to outside sites, and external users upload files to it from outside the DMZ, which internal users then "pull" to their own machines, again using FTP.

Normally, the FTP server can't itself request files, and in fact, all traffic should flow *to* the DMZ in most circumstances (web->DMZ and lan->DMZ)

If you really need a DMZ host to have the same files as an internal (LAN) host, consider using software (such as rsync) that can connect from LAN to DMZ, compare the contents of two directories, and copy files as needed to bring them back into sync.
0
 
TintinCommented:
Lets say that I have a FTP server in the DMZ.  You get DoS attacks on the FTP Server, so everything in you host is safe.

Your FTP server may or may not be safe during a DoS attack.   Entirely depends on the nature of the DoS attack.  

How then does the FTP server work, since it can not server up a file on the host, because it is residing on the FTP Server within the DMZ

If your FTP server is under a DoS attack, then depending on the scale of the DoS attack, the FTP server won't receive any valid FTP requests.
0
 
Rich RumbleSecurity SamuraiCommented:
DMZ's look like this:
FTP_Server ->Firewall -> (10mbps)Internet
People come from the internet, through the allowed FTP ports (20 and 21 typically), and then access the FTP service.
A DoS attack, if it fills up the pipe, a 10mbps cable connection we'll say, then anything else that is trying to come out or go into the firewall will not get through at an acceptable rate and probably be lost/dropped/time-out.
The service doesn't matter in that case, ftp, http, ssh etc... nothing is going in or out if the circuit is overloaded.
If it's an attack against JUST FTP, and it doesn't use all 10mpbs, then other services will function in/out of the firewall, maybe with some delay but probably acceptable rates. Most servers do not sit out on the internet without a firewall in front of them. That firewall should dictate what is allowed in/out of the network, that firewall is effectively the DMZ outside perimeter. The inside perimeter of the DMZ should also limit who/what can access the FTP server from INSIDE the network, a DMZ is a locked down perimeter.
Internal network ->firewall->FTP_Server->Firewall->Internets (aka el tuba reno's)
-rich
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now