DMZ FTP Server Access

We have a Microsoft Server 2008 Server running IIS 7.5 acting as an FTP-S server, located in our DMZ.  External customers post files to this FTP server, and then our internal staff pull the files for further work.

Right now, our internal staff also use FTP-S to connect in to the DMZ FTP server to pull the files directly.  I feel that this creates a security risk.

Other than having our internal staff directly connect to the DMZ FTP server (with any protocol - FTP, SSH, RDP, file share, etc.), what is the best practice way to allow our internal staff access to the files our external partners are posting on the FTP server?
Asked by: southpau1

2 Solutions

Imtiaz Hasham (Technical Director / IT Consultant) commented:
Network shared files on the server
OriNetworks commented:
Not sure I fully understand the question. If you are trying to segregate external FTP from internal access, you could create an internal mirror of the FTP folder and have a script sync the files between them.

For example:
1. A customer (customer1) uploads a file to the FTP server.
2. A scheduled task runs, possibly every 15 minutes, to sync the files to an internal folder. See robocopy: http://technet.microsoft.com/en-us/library/cc733145.aspx
3. Staff only have access to the 'internal' folder, which will exactly mirror the FTP folder since the previous script syncs the files.
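As an added example, not code from this thread or from Ori, here is a PowerShell script that implements steps 2 and 3 with robocopy. It runs on a single internal server that pulls from the DMZ, so nothing in the DMZ holds credentials for, or has an open port toward, the internal LAN. Every host name, path and account name in it is an assumption chosen for illustration.

```powershell
<#
  Added example, not from the original thread or from Ori's answer.
  Pull-style mirror of the DMZ FTP drop folder (steps 2-3 above): one
  internal server copies new uploads to an internal folder, and staff
  only ever touch that internal folder.

  Assumed (hypothetical) names: the DMZ server exposes its FTP root as a
  read-only share \\dmz-ftp\ftproot, the firewall allows SMB to the DMZ
  from this one internal host only, and the pickup folder is D:\ftp-pickup.
#>
param(
    [string]$Source      = '\\dmz-ftp\ftproot',    # DMZ FTP root, read-only share (assumed)
    [string]$Destination = 'D:\ftp-pickup',        # internal folder staff pull from (assumed)
    [string]$LogFile     = 'D:\logs\ftp-sync.log'  # append-only robocopy log (assumed)
)

if (-not (Test-Path -LiteralPath $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}

# Robocopy switches used:
#   /E     copy subfolders, including empty ones
#   /Z     restartable mode, so a dropped link to the DMZ resumes instead of restarting
#   /R:2 /W:5  retry twice, five seconds apart (the default is 1,000,000 retries)
#   /XO    skip a file when the destination copy is the same age or newer
#   /NP    no per-file progress lines in the log
#   /LOG+  append to the log instead of overwriting it
# /MIR is deliberately not used: it would delete internal copies whenever a
# customer's upload disappears from the DMZ, and the DMZ should never be able
# to remove anything on the internal side.
$robocopyArgs = @(
    $Source, $Destination,
    '/E', '/Z', '/R:2', '/W:5', '/XO', '/NP', "/LOG+:$LogFile"
)
& robocopy.exe @robocopyArgs | Out-Null
$rc = $LASTEXITCODE

# Robocopy's exit code is a bit mask: 1 = files copied, 2 = extra files at the
# destination, 4 = mismatches; 8 and above mean some files failed, 16 is fatal.
if ($rc -ge 8) {
    Write-Error "DMZ FTP sync failed with robocopy exit code $rc, see $LogFile"
    exit 1
}
if ($rc -band 1) {
    Write-Output "New files copied from $Source to $Destination (exit code $rc)"
} else {
    Write-Output "Nothing new to copy (exit code $rc)"
}
exit 0

# Register it once on the internal server from an elevated prompt, every 15
# minutes, under a dedicated service account (placeholder DOMAIN\svc-ftpsync)
# that has read-only rights on the DMZ share and write rights only on the
# pickup folder. /RP * prompts for the account's password:
#   schtasks.exe /Create /SC MINUTE /MO 15 /TN "DMZ FTP pull" /RU DOMAIN\svc-ftpsync /RP * /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\Sync-DmzFtp.ps1"
```

Pulling from the internal side rather than pushing from the DMZ is the design choice here: the only firewall rule needed is one internal host reaching the DMZ share, which is the single-server exposure the asker describes later in the thread, and a compromised DMZ box gains no path into the LAN. Staff then need nothing more than NTFS read access on the pickup folder.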
Dan McFadden (Systems Engineer) commented:
I do not understand why you think using a secured connection to an application server, in this case FTP-S, constitutes a security risk.

Since the server is in a DMZ, I would not recommend direct file share access.  IMO, a file share is much more of a security risk.  Plus you would have to open additional ports thru your firewall to allow direct file share access.

FTP-S indicates that FTP communicates, at least on the control channel, over an SSL/TLS encrypted session.  This is the same security used when using a website over HTTPS.  Depending on how your FTP server is configured, the entire session (data and control) may be encrypted... secured.

Also, the FTP protocol is much more effective at file transfer than using SMB/CIFS to access a file share.

My recommendation is to leave the FTP-S access in place for your external clients as well as your internal users.

Dan
southpau1 (Author) commented:
The security risk isn't the FTP access, but the fact that we have access to the server from both internal and external.

I like Ori's idea, I was thinking of something along those lines.
Dan McFadden (Systems Engineer) commented:
The definition of a DMZ (from an IT perspective) is a network outside of the internal LAN but inside the secured perimeter of the network's boundaries.

A DMZ should not be completely open to the public, but have a limited number of ports open to allow the public access to services necessary for the business to operate on a daily basis.

Why increase the complexity of the systems on your network when it sounds like you are already running an FTP server in a way that constitutes a best practice?  Meaning: running FTP in a DMZ and operating it with SSL/TLS enabled.

Dan
southpau1 (Author) commented:
To your point Dan, the DMZ should have as few ports open as required for the business to operate.  Right now, we have port 21 inbound open from external and internal to the DMZ server.  By using an internal server to mirror the FTP server, as Ori recommends, we would be restricting the internal access to the FTP server to just a single server - rather than all internal users.

It doesn't seem that complicated to me, and reduces the exposure of untrusted DMZ access to our internal network.

Thoughts?
Dan McFadden (Systems Engineer) commented:
But a DMZ should not be an untrusted network location.  Those are your servers which you control and which you secure... locally and from a network perspective.

I still don't see the risk if the DMZ is properly configured.

The solution that Ori suggested is viable.
southpau1 (Author) commented:
Thanks guys