Solved

DMZ FTP Server Access

Posted on 2014-10-06
8
436 Views
Last Modified: 2014-10-06
We have a Microsoft Server 2008 Server running IIS 7.5 acting as an FTP-S server, located in our DMZ.  External customers post files to this FTP server, and then our internal staff pull the files for further work.

Right now, our internal staff also use FTP-S to connect in to the DMZ FTP server to pull the files directly.  I feel that this creates a security risk.

Other than having our internal staff directly connect to the DMZ FTP server (with any protocol - FTP, SSH, RDP, File share, etc...), what is the best practice way to allow our internal staff access to the files our external partners are posting on the FTP server?
0
Comment
Question by:southpau1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 12

Expert Comment

by:Imtiaz Hasham
ID: 40363627
Network Shared FIles on the server
0
 
LVL 17

Accepted Solution

by:
OriNetworks earned 400 total points
ID: 40363652
Not sure I fully understand the question. If you are trying to segregate external ftp from internal access you could create an internal mirror of the ftp folder and have a script sync the files between.

For example:
1. a customer1 uploads a file to FTP server
2. a scheduled task runs possibly every 15 minutes to sync the files to an internal folder. See robocopy:(http://technet.microsoft.com/en-us/library/cc733145.aspx)
3. Staff only has access to the 'internal' folder which will exactly mirror the ftp folder since the previous script syncs the files.
0
 
LVL 28

Assisted Solution

by:Dan McFadden
Dan McFadden earned 100 total points
ID: 40363653
I do not understand why you think using a secured connection to an application server, in this case FTP-S, constitutes a security risk.

Since the server is in a DMZ, I would not recommend direct file share access.  IMO, a file share is much more of a security risk.  Plus you would have to open additional ports thru your firewall to allow direct file share access.

FTP-S indicates that FTP communicates, at least on the control channel, over an SSL/TLS encrypted session.  This is the same security used when using a website over HTTPS.  Depending on how your FTP server is configured, the entire session (data and control) may be encrypted... secured.

Also, the FTP protocol is much more effect at file transfer than using a SMB/CIFS to access file share.

My recommendation is to leave the FTP-S access in place for your external clients as well as your internal users.

Dan
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 
LVL 7

Author Comment

by:southpau1
ID: 40363654
The security risk isn't the FTP access, but the fact that we have access to the server from both internal and external.

I like Ori's idea, I was thinking of something along those lines.
0
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40363668
The definition of a DMZ (from an IT perspective) is a network outside on the internal LAN but inside the secured perimeter of the network's boundaries.

A DMZ should not be completely open to the public, but a limited number of ports open to allow the public access to services necessary for the business to operate on a daily basis.

Why increase the complexity of the systems on your network when is sounds like you are already running an FTP server in a way that constitutes a best practice.  Meaning:  running FTP in a DMZ and operating it with SSL/TLS enabled.

Dan
0
 
LVL 7

Author Comment

by:southpau1
ID: 40363686
To your point Dan, the DMZ should have as limited ports open as required for the business to operate.  Right now, we have port 21 inbound open from external and internal to the DMZ server.  By using an internal server to mirror the FTP server, as Ori recommends, we would be restricting the internal access to the FTP server to just a single server - rather than all internal users.

It doesn't seem that complicated to me, and reduces the exposure of untrusted DMZ access to our internal network.

Thoughts?
0
 
LVL 28

Expert Comment

by:Dan McFadden
ID: 40363713
But a DMZ should not be an untrusted network location.  Those are your servers which you control and which you secure... locally and from a network perspective.

I still don't see the risk if the DMZ is properly configured.

The solution the Ori suggested is viable.
0
 
LVL 7

Author Comment

by:southpau1
ID: 40363718
Thanks guys
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question