Solved

Accessing Servers on the Firewall DMZ from the Internal Network

Posted on 2014-11-12
3
220 Views
Last Modified: 2014-12-26
We have an FTP server on the DMZ of our firewall.
External access is available from selected FTP clients on the Internet.
Internal access is available from FTP clients on the Internal network.

My questions are these:

Is it possible to enable greater Internal Access to the FTP Server host without compromising security? For example could the file system of the FTP Server Host (a Windows Box) be shared by Windows clients on the Internal network? If this is not the best (most secure?) way of accessing the server, what alternatives are there and what are their Pros and Cons? In essence, what is the normal way that connectivity is maintained between servers on the DMZ and internal networks?
0
Comment
Question by:ajmcqueen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 22

Accepted Solution

by:
eeRoot earned 500 total points
ID: 40439074
Depending on your firewall, you may be able to set up a VPN tunnel on the internal -> DMZ interface so that approved users can connect to the DMZ when they need to, but not be connected all the time.  Alternatively, you can identify what TCP & UDP ports are needed for the server management, and open those ports.  It does pose a risk though, if your internal PC's become infected by a virus or hacked, the DMZ will then be reachable by one of these threats.

Another option is to set up a utility DMZ that is used for management of the other DMZ's.  Backups, file transfers, and other IT tasks could be performed by a few servers in the utility DMZ, with firewall rules allowing the mgmt servers access to the existing DMZ, and IT admins accessing the mgmt DMZ via a VPN tunnel.  This is a lot of work to set up, but it gives you a "double hop" between your internal network and DMZ, so that viruses & hackers that get into one segment of you netowrk, will have a harder time getting into the other.
0

Featured Post

Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SRX240 SYSLOG Setting 6 135
clean-up rule netscreen firewall 3 101
network error 8 65
Sonicwall TZ 190 2 36
In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question