DMZ FTP Server Access

We have a Microsoft Server 2008 Server running IIS 7.5 acting as an FTP-S server, located in our DMZ.  External customers post files to this FTP server, and then our internal staff pull the files for further work.

Right now, our internal staff also use FTP-S to connect in to the DMZ FTP server to pull the files directly.  I feel that this creates a security risk.

Other than having our internal staff directly connect to the DMZ FTP server (with any protocol - FTP, SSH, RDP, File share, etc...), what is the best practice way to allow our internal staff access to the files our external partners are posting on the FTP server?
LVL 7
southpau1Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Imtiaz HashamTechnical Director / IT ConsultantCommented:
Network Shared FIles on the server
0
OriNetworksCommented:
Not sure I fully understand the question. If you are trying to segregate external ftp from internal access you could create an internal mirror of the ftp folder and have a script sync the files between.

For example:
1. a customer1 uploads a file to FTP server
2. a scheduled task runs possibly every 15 minutes to sync the files to an internal folder. See robocopy:(http://technet.microsoft.com/en-us/library/cc733145.aspx)
3. Staff only has access to the 'internal' folder which will exactly mirror the ftp folder since the previous script syncs the files.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dan McFaddenSystems EngineerCommented:
I do not understand why you think using a secured connection to an application server, in this case FTP-S, constitutes a security risk.

Since the server is in a DMZ, I would not recommend direct file share access.  IMO, a file share is much more of a security risk.  Plus you would have to open additional ports thru your firewall to allow direct file share access.

FTP-S indicates that FTP communicates, at least on the control channel, over an SSL/TLS encrypted session.  This is the same security used when using a website over HTTPS.  Depending on how your FTP server is configured, the entire session (data and control) may be encrypted... secured.

Also, the FTP protocol is much more effect at file transfer than using a SMB/CIFS to access file share.

My recommendation is to leave the FTP-S access in place for your external clients as well as your internal users.

Dan
0
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

southpau1Author Commented:
The security risk isn't the FTP access, but the fact that we have access to the server from both internal and external.

I like Ori's idea, I was thinking of something along those lines.
0
Dan McFaddenSystems EngineerCommented:
The definition of a DMZ (from an IT perspective) is a network outside on the internal LAN but inside the secured perimeter of the network's boundaries.

A DMZ should not be completely open to the public, but a limited number of ports open to allow the public access to services necessary for the business to operate on a daily basis.

Why increase the complexity of the systems on your network when is sounds like you are already running an FTP server in a way that constitutes a best practice.  Meaning:  running FTP in a DMZ and operating it with SSL/TLS enabled.

Dan
0
southpau1Author Commented:
To your point Dan, the DMZ should have as limited ports open as required for the business to operate.  Right now, we have port 21 inbound open from external and internal to the DMZ server.  By using an internal server to mirror the FTP server, as Ori recommends, we would be restricting the internal access to the FTP server to just a single server - rather than all internal users.

It doesn't seem that complicated to me, and reduces the exposure of untrusted DMZ access to our internal network.

Thoughts?
0
Dan McFaddenSystems EngineerCommented:
But a DMZ should not be an untrusted network location.  Those are your servers which you control and which you secure... locally and from a network perspective.

I still don't see the risk if the DMZ is properly configured.

The solution the Ori suggested is viable.
0
southpau1Author Commented:
Thanks guys
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.