Solved

DMZ FTP Server Access

Posted on 2014-10-06
8
432 Views
Last Modified: 2014-10-06
We have a Microsoft Server 2008 Server running IIS 7.5 acting as an FTP-S server, located in our DMZ.  External customers post files to this FTP server, and then our internal staff pull the files for further work.

Right now, our internal staff also use FTP-S to connect in to the DMZ FTP server to pull the files directly.  I feel that this creates a security risk.

Other than having our internal staff directly connect to the DMZ FTP server (with any protocol - FTP, SSH, RDP, File share, etc...), what is the best practice way to allow our internal staff access to the files our external partners are posting on the FTP server?
0
Comment
Question by:southpau1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 12

Expert Comment

by:Imtiaz Hasham
ID: 40363627
Network Shared FIles on the server
0
 
LVL 17

Accepted Solution

by:
OriNetworks earned 400 total points
ID: 40363652
Not sure I fully understand the question. If you are trying to segregate external ftp from internal access you could create an internal mirror of the ftp folder and have a script sync the files between.

For example:
1. a customer1 uploads a file to FTP server
2. a scheduled task runs possibly every 15 minutes to sync the files to an internal folder. See robocopy:(http://technet.microsoft.com/en-us/library/cc733145.aspx)
3. Staff only has access to the 'internal' folder which will exactly mirror the ftp folder since the previous script syncs the files.
0
 
LVL 27

Assisted Solution

by:Dan McFadden
Dan McFadden earned 100 total points
ID: 40363653
I do not understand why you think using a secured connection to an application server, in this case FTP-S, constitutes a security risk.

Since the server is in a DMZ, I would not recommend direct file share access.  IMO, a file share is much more of a security risk.  Plus you would have to open additional ports thru your firewall to allow direct file share access.

FTP-S indicates that FTP communicates, at least on the control channel, over an SSL/TLS encrypted session.  This is the same security used when using a website over HTTPS.  Depending on how your FTP server is configured, the entire session (data and control) may be encrypted... secured.

Also, the FTP protocol is much more effect at file transfer than using a SMB/CIFS to access file share.

My recommendation is to leave the FTP-S access in place for your external clients as well as your internal users.

Dan
0
Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

 
LVL 7

Author Comment

by:southpau1
ID: 40363654
The security risk isn't the FTP access, but the fact that we have access to the server from both internal and external.

I like Ori's idea, I was thinking of something along those lines.
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40363668
The definition of a DMZ (from an IT perspective) is a network outside on the internal LAN but inside the secured perimeter of the network's boundaries.

A DMZ should not be completely open to the public, but a limited number of ports open to allow the public access to services necessary for the business to operate on a daily basis.

Why increase the complexity of the systems on your network when is sounds like you are already running an FTP server in a way that constitutes a best practice.  Meaning:  running FTP in a DMZ and operating it with SSL/TLS enabled.

Dan
0
 
LVL 7

Author Comment

by:southpau1
ID: 40363686
To your point Dan, the DMZ should have as limited ports open as required for the business to operate.  Right now, we have port 21 inbound open from external and internal to the DMZ server.  By using an internal server to mirror the FTP server, as Ori recommends, we would be restricting the internal access to the FTP server to just a single server - rather than all internal users.

It doesn't seem that complicated to me, and reduces the exposure of untrusted DMZ access to our internal network.

Thoughts?
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40363713
But a DMZ should not be an untrusted network location.  Those are your servers which you control and which you secure... locally and from a network perspective.

I still don't see the risk if the DMZ is properly configured.

The solution the Ori suggested is viable.
0
 
LVL 7

Author Comment

by:southpau1
ID: 40363718
Thanks guys
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question