Solved

Accessing Servers on the Firewall DMZ from the Internal Network

Posted on 2014-11-12
Medium Priority
Last Modified: 2014-12-26
We have an FTP server on the DMZ of our firewall.
External access is available from selected FTP clients on the Internet.
Internal access is available from FTP clients on the Internal network.

My questions are these:

Is it possible to enable greater Internal Access to the FTP Server host without compromising security? For example could the file system of the FTP Server Host (a Windows Box) be shared by Windows clients on the Internal network? If this is not the best (most secure?) way of accessing the server, what alternatives are there and what are their Pros and Cons? In essence, what is the normal way that connectivity is maintained between servers on the DMZ and internal networks?
Question by:ajmcqueen
3 Comments
 
LVL 22

Accepted Solution

by:
eeRoot earned 2000 total points
ID: 40439074
Depending on your firewall, you may be able to set up a VPN tunnel on the internal -> DMZ interface so that approved users can connect to the DMZ when they need to, but are not connected all the time. Alternatively, you can identify what TCP and UDP ports are needed for the server management, and open those ports. It does pose a risk, though: if your internal PCs become infected by a virus or hacked, the DMZ will then be reachable by one of these threats.

Another option is to set up a utility DMZ that is used for management of the other DMZs. Backups, file transfers, and other IT tasks could be performed by a few servers in the utility DMZ, with firewall rules allowing the management servers access to the existing DMZ, and IT admins accessing the management DMZ via a VPN tunnel. This is a lot of work to set up, but it gives you a "double hop" between your internal network and DMZ, so that viruses and hackers that get into one segment of your network will have a harder time getting into the other.
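The three options in the accepted solution (a VPN into the segment, opening only the management ports, and a separate utility DMZ that gives a double hop) all come down to which zone-to-zone flows the firewall accepts. The following is an added example, not code from the original post or from any firewall product: a small first-match policy evaluator in Python that encodes those flows over a constructed address plan (the zone subnets, host addresses, port numbers and rule names are assumptions) and checks the property the answer is after, namely that an infected internal PC cannot reach the DMZ host's administration ports directly and that the DMZ host cannot initiate connections into the internal or management segments. The "just open the ports" variant is included so the check shows the risk the answer describes.

```python
"""First-match firewall policy evaluator for the DMZ layout discussed above.

Added example, not code from the original post or from any firewall product.
The zone subnets, host addresses and port numbers are assumptions chosen for
illustration; substitute your own before relying on the check.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed address plan (assumption): one /24 per firewall zone.
ZONES = {
    "internal": ip_network("10.10.0.0/24"),  # user PCs
    "mgmt_dmz": ip_network("10.20.0.0/24"),  # the "utility DMZ" for backups/management
    "dmz":      ip_network("10.30.0.0/24"),  # existing DMZ holding the FTP server
    "vpn":      ip_network("10.40.0.0/24"),  # address pool handed to admins' VPN sessions
}
FTP_HOST = ip_address("10.30.0.10")          # assumed DMZ FTP server
MGMT_HOST = ip_address("10.20.0.5")          # assumed management server in the utility DMZ
ADMIN_PORTS = (22, 445, 3389)                # SSH, SMB, RDP: the "server management" ports


def zone_of(addr: IPv4Address) -> str:
    """Map an address to its firewall zone; anything outside the plan is the Internet."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                               # "tcp" or "udp"
    dports: FrozenSet[int]                   # empty set means any destination port
    action: str                              # "accept" or "drop"
    dst_host: Optional[IPv4Address] = None   # pin the rule to a single server


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action for a new connection: first matching rule wins, default drop."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone and r.proto == proto
                and (not r.dports or dport in r.dports)
                and (r.dst_host is None or r.dst_host == dst_ip)):
            return r.action
    return "drop"  # implicit default deny; stateful handling of replies is assumed


# The "double hop" design from the answer. Only the FTP control channel is listed;
# FTP data connections need the firewall's FTP helper or an explicit passive port range.
DOUBLE_HOP_POLICY = [
    Rule("internet", "dmz", "tcp", frozenset({21}), "accept", FTP_HOST),
    Rule("internal", "dmz", "tcp", frozenset({21}), "accept", FTP_HOST),
    Rule("vpn", "mgmt_dmz", "tcp", frozenset(ADMIN_PORTS), "accept", MGMT_HOST),
    Rule("mgmt_dmz", "dmz", "tcp", frozenset(ADMIN_PORTS + (21,)), "accept"),
    # nothing from dmz towards internal or mgmt_dmz, nothing from internal to mgmt_dmz
]

# The "just open the management ports" option: the same, plus direct internal -> DMZ admin access.
FLAT_POLICY = DOUBLE_HOP_POLICY + [
    Rule("internal", "dmz", "tcp", frozenset({445, 3389}), "accept", FTP_HOST),
]

# One representative host per zone (constructed) used by the check below.
SAMPLE = {"internal": "10.10.0.50", "mgmt_dmz": "10.20.0.5", "dmz": "10.30.0.10",
          "vpn": "10.40.0.9", "internet": "203.0.113.7"}


def check_double_hop(policy: List[Rule]) -> List[Tuple[str, int]]:
    """List the flows that break the design: direct admin access to the DMZ host from
    the internal network or the Internet, and any DMZ-initiated connection inwards."""
    violations: List[Tuple[str, int]] = []
    for port in ADMIN_PORTS:
        for src in ("internal", "internet"):
            if evaluate(policy, SAMPLE[src], SAMPLE["dmz"], "tcp", port) == "accept":
                violations.append((f"{src}->dmz", port))
    for dst in ("internal", "mgmt_dmz"):
        for port in ADMIN_PORTS + (21,):
            if evaluate(policy, SAMPLE["dmz"], SAMPLE[dst], "tcp", port) == "accept":
                violations.append((f"dmz->{dst}", port))
    return violations


if __name__ == "__main__":
    print("double hop violations:", check_double_hop(DOUBLE_HOP_POLICY))
    print("flat policy violations:", check_double_hop(FLAT_POLICY))
```

The evaluator deliberately stops at the first match and drops anything unmatched, which is how most zone-based firewalls behave; the value of the check is that it is run against the rule set as a whole, so adding a convenient internal -> DMZ rule later (as in the flat policy) immediately shows up as a violation rather than silently collapsing the two hops into one.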
