Security Basics mailing list archives

RE: Question about dmz security
From: "Jeremy Gaddis" <jeremy () gaddis org>
Date: Wed, 19 Feb 2003 21:44:50 -0500 (EST)

Well, you are right that you don't want two NICs in the FTP server, but
remember that you also don't need to pass anything from the FTP server into
the LAN.  Most good firewalls these days can handle the complexities of FTP
connections well enough that they don't require statically assigned paths
into protected networks for clients behind the firewall to be able to use
FTP with a host outside of it.

In short, you simply allow OUTBOUND connections (from your protected
network to your FTP server in the DMZ) through your firewall, and
this will enable you to use the resource while still not letting any new
connections from the DMZ (including your FTP server) to your
internal LAN.

This may also require the clients on the internal network to
use passive mode when communicating with the FTP server,
but that's not a bad thing(tm).


Jeremy L. Gaddis
<jeremy () gaddis org>   <http://www.gaddis.org>
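
To make the policy in the reply concrete, here is an added example (not code from the original post or from the author): a toy connection-tracking filter that allows new connections only from the LAN into the DMZ, drops anything new from the DMZ toward the LAN, and shows why active-mode FTP fails under that policy unless the firewall understands FTP, while passive mode works unaided. The networks, the FTP server address and all ports are assumed sample values.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed internal network
DMZ = ip_network("172.16.0.0/24")    # assumed DMZ
FTP_SERVER = "172.16.0.10"           # assumed FTP host in the DMZ

def zone(ip):
    """Classify an address as lan, dmz or other."""
    a = ip_address(ip)
    return "lan" if a in LAN else "dmz" if a in DMZ else "other"

class Firewall:
    """Stateful filter: NEW LAN->DMZ accepted, NEW DMZ->LAN dropped, replies on
    tracked flows accepted. With ftp_helper=True the firewall reads PORT
    commands on the control channel and pre-authorises the server's data flow."""

    def __init__(self, ftp_helper=False):
        self.ftp_helper = ftp_helper
        self.flows = set()     # (src, sport, dst, dport) of accepted connections
        self.expected = set()  # (src, dst, dport) data flows announced in-band

    def packet(self, src, sport, dst, dport):
        """Return the verdict for one packet and update tracking state."""
        key = (src, sport, dst, dport)
        if key in self.flows or (dst, dport, src, sport) in self.flows:
            return "ESTABLISHED"
        if (src, dst, dport) in self.expected:        # announced by the FTP helper
            self.expected.discard((src, dst, dport))
            self.flows.add(key)
            return "RELATED"
        if zone(src) == "lan" and zone(dst) == "dmz":  # the only permitted NEW direction
            self.flows.add(key)
            return "NEW-ACCEPT"
        return "DROP"                                  # includes every NEW DMZ -> LAN

    def port_command(self, client_ip, client_port):
        """Client sent PORT (active mode): the server will dial back from :20.
        Only an FTP-aware firewall can expect that inbound flow."""
        if self.ftp_helper:
            self.expected.add((FTP_SERVER, client_ip, client_port))

def active_vs_passive(ftp_helper):
    """Run one session each way; returns verdicts for active data, passive data,
    and an unrelated new DMZ -> LAN connection attempt."""
    fw, client = Firewall(ftp_helper), "192.168.1.50"
    fw.packet(client, 40000, FTP_SERVER, 21)               # control channel, outbound
    fw.port_command(client, 40001)                         # active-mode request
    active = fw.packet(FTP_SERVER, 20, client, 40001)      # server connects back in
    passive = fw.packet(client, 40002, FTP_SERVER, 50000)  # client connects out (PASV)
    stray = fw.packet("172.16.0.99", 4444, client, 22)     # unrelated DMZ -> LAN
    return active, passive, stray
```

Without the helper the active-mode data connection is dropped as a new DMZ-to-LAN connection, which is exactly the case the post says passive mode avoids; with the helper it is accepted as RELATED, while the stray DMZ-to-LAN attempt is dropped either way.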
