Opinions on FTP Server Placement - DMZ or Intranet

Jan 16th, 2003

We have an FTP server that we now need the outside world to have access to.

I can either:

open up port 21 on the PIX and point an outside address to the inside address

or

put the server in the DMZ and then point an outside address to a DMZ address.

People in the company still need access to the server.

I tried putting the server in the DMZ, but now it cannot authenticate the users on our network that have permissions on it.

If I move it back to the intranet, then wouldn't that give someone who may have compromised the server access to other servers on our intranet via port 21?

How would I do the Authentication if I wanted to keep the server in the DMZ?

Thanks,

Scott<-

rsivanandan Sun, 01/19/2003 - 20:09

It is good to keep it on the DMZ itself as that will give you the security. Now regarding the authentication part, why won't it authenticate? What kind of authentication are you using? Let's say if you are using an authentication server in the intranet, you can keep the authentication ports open from the DMZ to the intranet.


Can you tell more about the kind of authentication you are looking for?


Cheers,

Rajesh

stownsend Sun, 01/19/2003 - 20:58

The server is currently a Member server on the Internal Network. It is part of an existing Windows Active Directory network.


I'd like to have the people on the Internal network be able to put files on the FTP Server using their Existing AD Domain Accounts.


So if I understand correctly, I would need to open up the port for the FTP server to communicate with the AD DC to do the authentication. If that's the case, then if the FTP server gets hacked, couldn't they get access to the AD server?


Thanks,

Scott<-

travis-dennis_2 Mon, 01/20/2003 - 05:13

Scott,

When posed with a similar problem I came up with 3 scenarios. All required placing the server on the DMZ.

1) Open the ports to allow communication with the DC for authentication ....nope. I hate opening ports.

2) Put the server in another domain with a one way trust by the DMZ server of the internal domain...nope...that required opening ports as well, and I hate opening ports.

3) Create an independent domain with unique user names and passwords for my internal staff to get to the server on the DMZ..my choice. No ports to open, and once it was explained to upper management the risks involved with doing trusts/allowing communication from the DMZ to the inside I got the green light.

My users don't seem to mind all that much. Think this might work for you? Some people might say that opening up the ports to allow AD to authenticate is no big deal so maybe it's just me since I hate opening ports :)

stownsend Mon, 01/20/2003 - 07:57

I'm with you, I'd rather not open up any ports.


Though I think that Management does not think the risks for us are that great compared to the ease of use.


As well as authentication, how did you deal with DNS/WINS registration? Did you just add static entries for the servers?


Thank you for your reply!


Scott<-

travis-dennis_2 Mon, 01/20/2003 - 10:10

When you say DNS/WINS are you referring to how my clients connected to the server in the DMZ? If so, I made the server in the DMZ a DC doing its own WINS/DNS etc. My users get to the server via private IP address using terminal services or start, run, \\ipaddress. I would do a risk assessment to present to management with the big question being what is the amount of fiscal damage that could be done if someone got into the network and took you down 100% (it can and does happen) or is there any intellectual property that if taken could cause serious financial harm to the company. I find that upper management at most companies respond better to a potential financial loss than a loss of data. When you put $ in front of them they tend to listen more. just my $2

rsivanandan Mon, 01/20/2003 - 16:14

Hi Guys,


It is definitely not a good idea to open up ports to AD. Here, if you are flexible on deciding the authentication mechanism to use, you could use the local accounts on the FTP server as mentioned. But what if the company policy allows only talking to an internal authentication server (like Cisco ACS)?


Cheers,

Rajesh
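The option the thread settles on (server on the DMZ, only port 21 published from the outside, nothing permitted from the DMZ toward the inside, local accounts on the server) written out as a PIX 6.x configuration fragment. This is an added example, not configuration posted by anyone in the thread. The interface names, the 203.0.113.0/24, 192.168.100.0/24 and 10.0.0.0/8 addresses and the access-list names are assumptions chosen for illustration; the existing nat/global lines that give inside users Internet access are assumed to be already present and are omitted. The `!` lines are annotations and should be stripped before pasting into the PIX.

```cisco
! Three interfaces; the DMZ sits between inside (100) and outside (0).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.0.0.1 255.0.0.0
ip address dmz 192.168.100.1 255.255.255.0

! FTP inspection: the PIX follows the PORT/PASV negotiation, fixes up
! embedded addresses for NAT and opens the data connection only when
! it is negotiated, so both active and passive FTP work with port 21 alone.
fixup protocol ftp 21

! Publish the DMZ server (assumed 192.168.100.10) on one public address
! (assumed 203.0.113.10): the "point an outside address to a DMZ address"
! option from the question.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255

! The outside world may reach the published address on port 21 and nothing else.
access-list outside_access_in permit tcp any host 203.0.113.10 eq ftp
access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside

! The DMZ server is not allowed to start any connection toward the inside.
! This is what contains a compromised FTP server: no AD/LDAP/Kerberos/SMB
! toward the DC, and no port 21 toward internal servers. If the server
! needs Internet access (e.g. OS updates) add explicit permits for that
! before the final deny rather than leaving the interface open.
access-list dmz_access_in deny ip any 10.0.0.0 255.0.0.0
access-list dmz_access_in deny ip any any
access-group dmz_access_in in interface dmz

! Internal users still reach the server: inside (security100) to dmz
! (security50) is permitted by default. Identity NAT keeps internal
! addresses unchanged on the DMZ leg so no global pool is needed there.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
```

After applying it, check the policy rather than assuming it: from the DMZ server, attempt a TCP connection to the domain controller's address and confirm it fails, then look at `show access-list` on the PIX and confirm the hit count on the `dmz_access_in` deny entry increased. Since the server then authenticates against its own local accounts, as Rajesh and Travis suggest, keep in mind that plain FTP sends the user name and password in cleartext on port 21, so those local accounts should not reuse internal AD passwords.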
