
Security Basics mailing list archives

Re: Question about dmz security
From: Chuck Swiger <cswiger () mac com>
Date: Sat, 15 Feb 2003 13:11:27 -0500

Jennifer Fountain wrote:
> I need an opinion on a current design implementation in place.  We have
> an ftp server sitting in our dmz.  This box has two nics - one is
> plugged into the dmz hub and one is plugged into our network.  I think
> this is a security risk and we should just allow internal users access
> to the box via the firewall by opening the port instead of having dual

It is a security risk, yes. If an intruder gains access to the FTP server, this dual-homed machine will also grant access to the internal network, by going around (not through) the firewall between your DMZ and internal network.

> they do not see a security risk. maybe i am just too new at this
> and need some education.

If so, there are probably worse places to begin than thinking the situation over carefully, and then double-checking with others to see whether you were right.

> what is the "best" way to implement this configuration?

Your suggested approach is the '"best" way', for that configuration.

However, better configurations may also be possible: in particular, if your users can use scp (sftp, rsync, etc) to access the FTP server. Authenticated access should be encrypted if possible.

If one's users aren't able or willing to switch, I'd even consider setting up an internal-only FTP server which gets rsync'ed to the anonymous FTP server in your DMZ. One could do so via cron every minute, or one could use the internal FTP server as a staging area. Before pushing changes live, you could do something like scan for viruses, double-check that the archives are not corrupted, or whatever else might be appropriate.
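
The staging-area approach described in the reply above, as an added example that is not part of the original post: a script for the internal server that tests archives for corruption, runs a virus scan if ClamAV's `clamscan` is installed, and only then rsyncs over ssh to the DMZ host, so the connection is always initiated from the inside. The paths, the host name `dmz-ftp.example` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: gate a staging-to-DMZ push on integrity and virus checks.
STAGING="${STAGING:-/srv/ftp-staging}"                     # hypothetical internal staging dir
DMZ_TARGET="${DMZ_TARGET:-ftpsync@dmz-ftp.example:/srv/ftp/pub/}"  # hypothetical DMZ target

# verify_archive FILE: return 0 if FILE passes its format's own integrity test.
verify_archive() {
    case "$1" in
        *.tar.gz|*.tgz) gzip -t -- "$1" 2>/dev/null && tar -tzf "$1" >/dev/null 2>&1 ;;
        *.gz)           gzip -t -- "$1" 2>/dev/null ;;
        *.tar)          tar -tf "$1" >/dev/null 2>&1 ;;
        *)              return 0 ;;   # not an archive type this script knows how to test
    esac
}

# failed_archives DIR: print every file under DIR that fails verify_archive.
failed_archives() {
    find "$1" -type f | while IFS= read -r f; do
        verify_archive "$f" || printf '%s\n' "$f"
    done
}

# push_if_clean DIR TARGET: sync DIR to TARGET only if every check passes.
push_if_clean() {
    bad=$(failed_archives "$1")
    if [ -n "$bad" ]; then
        printf 'refusing to push, corrupt archives:\n%s\n' "$bad" >&2
        return 1
    fi
    # clamscan exits non-zero when it finds an infected file or hits an error.
    if command -v clamscan >/dev/null 2>&1; then
        clamscan -r --infected --no-summary "$1" || return 1
    fi
    # Push from the internal host outward; the DMZ box never connects inward.
    rsync -a --delete -e ssh "$1"/ "$2"
}

# Invoked from cron as: push-to-dmz.sh --push
if [ "${1:-}" = "--push" ]; then
    push_if_clean "$STAGING" "$DMZ_TARGET"
fi
```

Because the push runs from the internal server, the firewall only needs to permit outbound ssh from that one host to the DMZ machine, and the DMZ machine needs no second network interface.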

