Solved

DMZ FTP Server Access

Posted on 2014-10-06
427 Views
Last Modified: 2014-10-06
We have a Microsoft Server 2008 Server running IIS 7.5 acting as an FTP-S server, located in our DMZ.  External customers post files to this FTP server, and then our internal staff pull the files for further work.

Right now, our internal staff also use FTP-S to connect in to the DMZ FTP server to pull the files directly.  I feel that this creates a security risk.

Other than having our internal staff directly connect to the DMZ FTP server (with any protocol - FTP, SSH, RDP, File share, etc...), what is the best practice way to allow our internal staff access to the files our external partners are posting on the FTP server?
Question by:southpau1
8 Comments
 
LVL 12

Expert Comment

by:Imtiaz Hasham
ID: 40363627
Network Shared Files on the server
 
LVL 17

Accepted Solution

by:
OriNetworks earned 400 total points
ID: 40363652
Not sure I fully understand the question. If you are trying to segregate external FTP from internal access, you could create an internal mirror of the FTP folder and have a script sync the files between them.

For example:
1. customer1 uploads a file to the FTP server.
2. A scheduled task runs, possibly every 15 minutes, to sync the files to an internal folder. See robocopy: http://technet.microsoft.com/en-us/library/cc733145.aspx
3. Staff only have access to the 'internal' folder, which will exactly mirror the FTP folder since the previous script syncs the files.
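The scheduled-task sync Ori describes, written out as an added example (this script is not from the thread, from Microsoft, or from any named product). It runs on the internal file server and pulls from the DMZ host, so the DMZ machine never holds credentials into the internal network. The share name `\\DMZFTP01\ftproot`, the service account, the folder `D:\FTPMirror` and the event source `FTPMirror` are assumptions to replace with your own values; the assumption is that a single firewall rule allows only this internal host and account to reach the DMZ share, replacing per-user access.

```powershell
# Added example, not code from the thread: one-way pull of the DMZ FTP drop folder
# onto an internal file server. Intended to run as a scheduled task on the INTERNAL side.
#
# Assumptions (hypothetical; adjust for your environment):
#   - the DMZ host exposes its FTP root read-only as \\DMZFTP01\ftproot, and only
#     the dedicated service account the task runs as can open it
#   - the firewall permits only this internal host to reach that share; staff
#     workstations are never given a path into the DMZ
#   - staff read from D:\FTPMirror, where internal ACLs are applied
#   - the event source was registered once with:
#       New-EventLog -LogName Application -Source 'FTPMirror'
#
# Register the task (run once, as an administrator); the account and path are placeholders:
#   schtasks /Create /TN "FTP Mirror" /SC MINUTE /MO 15 ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Sync-FtpMirror.ps1" ^
#     /RU DOMAIN\svc_ftpmirror /RP * /RL LIMITED

$Source      = '\\DMZFTP01\ftproot'   # DMZ FTP root (assumed read-only share)
$Destination = 'D:\FTPMirror'        # internal folder staff actually use
$LogFile     = 'D:\Logs\ftp-mirror.log'

foreach ($dir in @($Destination, (Split-Path -Parent $LogFile))) {
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

# Robocopy switches used:
#   /E         copy subfolders, including empty ones
#   /XO        skip files that are already present and not older on the destination
#              (a pull with no deletes; use /MIR instead only if you want deletions
#              on the FTP side to propagate to the internal copy)
#   /COPY:DT   copy data and timestamps only, NOT the DMZ ACLs or owner;
#              permissions on D:\FTPMirror are set internally, not imported
#   /XJ        do not follow junction points
#   /R:2 /W:5  retry twice, five seconds apart, then move on instead of hanging
#   /NP        no per-file progress output cluttering the log
#   /LOG+:     append to a log the internal team can review
$RobocopyArgs = @(
    $Source, $Destination,
    '/E', '/XO', '/COPY:DT', '/XJ', '/R:2', '/W:5', '/NP', "/LOG+:$LogFile"
)

& robocopy.exe @RobocopyArgs | Out-Null
$rc = $LASTEXITCODE

# Robocopy's exit code is a bit field: 0 = nothing to do, 1 = files copied,
# 2 = extra files on destination, 4 = mismatches, 8 = some files failed, 16 = fatal.
# Anything with bit 8 or 16 set is a real failure and should be surfaced.
if ($rc -ge 8) {
    Write-EventLog -LogName Application -Source 'FTPMirror' -EntryType Error -EventId 1001 `
        -Message "FTP mirror from $Source failed; robocopy exit code $rc. See $LogFile."
    exit 1
}

Write-EventLog -LogName Application -Source 'FTPMirror' -EntryType Information -EventId 1000 `
    -Message "FTP mirror from $Source completed; robocopy exit code $rc."
exit 0
```

Two design points worth keeping if you adapt this: the copy is initiated from the inside (pull, not push), so compromise of the DMZ host yields no stored credentials for the internal side; and `/COPY:DT` deliberately drops the security descriptors that the FTP server wrote in the DMZ, so access to the internal copy is governed only by the ACL you set on the mirror folder.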
 
LVL 27

Assisted Solution

by:Dan McFadden
Dan McFadden earned 100 total points
ID: 40363653
I do not understand why you think using a secured connection to an application server, in this case FTP-S, constitutes a security risk.

Since the server is in a DMZ, I would not recommend direct file share access. IMO, a file share is much more of a security risk. Plus you would have to open additional ports through your firewall to allow direct file share access.

FTP-S indicates that FTP communicates, at least on the control channel, over an SSL/TLS encrypted session.  This is the same security used when using a website over HTTPS.  Depending on how your FTP server is configured, the entire session (data and control) may be encrypted... secured.

Also, the FTP protocol is much more effective at file transfer than using SMB/CIFS to access a file share.

My recommendation is to leave the FTP-S access in place for your external clients as well as your internal users.

Dan
LVL 7

Author Comment

by:southpau1
ID: 40363654
The security risk isn't the FTP access, but the fact that we have access to the server from both internal and external.

I like Ori's idea, I was thinking of something along those lines.
LVL 27

Expert Comment

by:Dan McFadden
ID: 40363668
The definition of a DMZ (from an IT perspective) is a network outside of the internal LAN but inside the secured perimeter of the network's boundaries.

A DMZ should not be completely open to the public, but should have a limited number of ports open to allow the public access to services necessary for the business to operate on a daily basis.

Why increase the complexity of the systems on your network when it sounds like you are already running an FTP server in a way that constitutes a best practice? Meaning: running FTP in a DMZ and operating it with SSL/TLS enabled.

Dan
LVL 7

Author Comment

by:southpau1
ID: 40363686
To your point Dan, the DMZ should have as few ports open as required for the business to operate. Right now, we have port 21 inbound open from external and internal to the DMZ server. By using an internal server to mirror the FTP server, as Ori recommends, we would be restricting the internal access to the FTP server to just a single server, rather than all internal users.

It doesn't seem that complicated to me, and reduces the exposure of untrusted DMZ access to our internal network.

Thoughts?
LVL 27

Expert Comment

by:Dan McFadden
ID: 40363713
But a DMZ should not be an untrusted network location.  Those are your servers which you control and which you secure... locally and from a network perspective.

I still don't see the risk if the DMZ is properly configured.

The solution that Ori suggested is viable.

LVL 7

Author Comment

by:southpau1
ID: 40363718
Thanks guys