Re: FTP Server Implementation
- From: "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx>
- Date: Thu, 7 Apr 2005 07:47:30 +1000
if you DMZ the FTP server and do your transfers from the SBS LAN to the FTP
Server as FTP connections you do not need any particular routing.
eg.
NOTE: /24 is shorthand for mask 255.255.255.0
NOTE2: I do not consider this a true DMZ but it's close enough for our
purposes. Anyone wishing to discuss this comment can do so with someone
else.
Internet
|
|
Router WAN 1.2.3.4 DG ISP router
Router LAN 192.168.25.1/24 -- FTP Server 192.168.25.3/24 DG 192.168.25.1
|
|
SBS External 192.168.25.2/24 DG 192.168.25.1
SBS Internal 192.168.16.2/24 no DG
|
|
Switch and SBS LAN clients 192.168.16.11-254/24 DG 192.168.16.2
The SBS and all internal clients treat anything other than 192.168.16.x
traffic as 'External' so it is subject to ISA Policy. Routing wise internal
clients use the SBS as DG, SBS then passes the traffic either directly (for
192.168.25.x) or into its DG (the router, all traffic not in the .25 or .16
subnets).
If I make an assumption on why you are asking about routing I would have to
assume you would rather open Windows filesharing between the SBS LAN and the
FTP server. As you can see, the routing is already happening, it is only ISA
policy which would need to be adjusted. If you wish to do this you're on
your own chum, I will not assist. If you wish the users to have the
convenience of not having to use FTP to transfer files to/from the server
they can work on local copies of the files and a process can be implemented
to maintain synchronisation of the local filespace and the FTP filespace. I
would rely on manual control.
Another scenario which would allow Windows filesharing to the FTP server
puts a second NIC in the FTP server configured in the .16 subnet. This all
but defeats the purpose of the DMZ. If you were to do this you may as well
run the FTP on a single NIC machine inside the LAN and server publish it
through ISA.
Some discussion of the router is in order. Me, I'd use a simple NAT router
and permanently consider the FTP server as 'dirty'. A case could be made for
using a more advanced firewall device, if I had a public routed subnet to
use I would do so, implementing a true DMZ with a three legged appliance of
some sort (ISA 2004 appliance, WatchGuard Firebox, Cisco PIX or similar).
Generally, if you assume the FTP server is dirty at all times and behave
appropriately the NAT router and ISA on SBS is sufficient isolation.
"Laura" <Laura@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7531F99A-39BC-41CA-8169-75CA7E89027B@xxxxxxxxxxxxxxxx
> Thank you SuperGumby for the fantastic informative reply. I have been so
> afraid of this, but now I understand where my risks are. I do have just a
> few more questions - I prefer the DMZ method, so I will pursue that. Just
> to
> make sure, I think this would require just a simple router from my ISP WAN
> connection, and then connect the SBS with its Static IP to one LAN port on
> the router, and the FTP server with another static IP to another LAN port
> on
> the router, and then the rest of the LAN would be on the other side of the
> SBS. So to get from the SBS LAN to the FTP server I would just create a
> static route from one IP to the other. Does this make sense?
>
> Thanks!
> Laura
>
> "SuperGumby [SBS MVP]" wrote:
>
>> the main problem with FTP is that the credentials are normally sent in
>> plain
>> text format. This means that theoretically someone could sniff your
>> user/pass and if the FTP user/pass is also a domain membership credential
>> they get access to your domain.
>>
>> But you mention WS_FTP. WS_FTP can use either domain credentials via
>> lookup
>> to the DC(s) or it's own user database. IIS FTP, if running on a domain
>> controller is limited to using domain accounts (no local accounts on a
>> DC).
>>
>> SO, I reckon you've made a first good step, running WS_FTP. Next good
>> step
>> is to use WS_FTP accounts which are not related in any way to domain
>> accounts, the users will complain about having different credentials but
>> when explaining that it is a security measure it should be acceptable.
>>
>> Though I agree with all that if it can be avoided running FTP on your DC
>> should I am going to suggest that if you run these separate user accounts
>> and _really have to provide_ FTP then two methods are acceptable.
>> 1) run it on a server in the DMZ
>> Internet
>> |
>> |
>> multiport router - - FTP server
>> |
>> |
>> SBS and LAN (either single or dual NIC setup, depending on router
>> capabilities.)
>>
>> 2) Run it on the SBS
>> Internet
>> |
>> |
>> SBS external (with ISA and preferably a simple NAT router in front)
>> SBS internal
>>
>> WS_FTP is told to bind to the internal SBS IP only and the service is
>> published via ISA.
>> There is very little to be gained by moving the FTP server to another box
>> inside the domain.
>>
>> Running the FTP server in the DMZ is preferable. Doing so normally
>> requires
>> users inside the LAN to have accounts on the FTP server and manually
>> updating available files, this can be automated by implementing an FTP
>> 'mirroring' solution, a client inside the LAN which has access to the
>> required internal filespace runs a scheduled task to synch the filespace
>> to
>> the server.
>>
>> The convenience offered by running the FTP on SBS is that internal
>> clients
>> can directly manipulate files in the FTP space. Is the convenience worth
>> the
>> increased security risk as opposed to DMZ implementation?
>>
>> WS_FTP Server (and client, but many clients do) also supports SSL. I've
>> only
>> played a little with implementing SSL FTP through ISA and never did sort
>> out
>> why it was unreliable. I seem to remember a difference in behaviour when
>> PASV FTP was/wasn't used. OHH, and whether there was/wasn't a router in
>> front of ISA.
>>
>> "Laura" <Laura@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:96C19258-246E-416B-AB7F-4187C761DB03@xxxxxxxxxxxxxxxx
>> >I want to implement a Secure FTP Server, and have seen posted here that
>> >it
>> >is
>> > not a good idea to do this on the SBS itself. How would I set this up?
>> > Get
> > a separate box outside of the SBS Lan and put a hardware firewall in
>> > front
>> > of
>> > both the FTP server and the SBS?
>> >
>> > Or, since I am using ISA, Couldn't I just have a box inside my LAN
>> > running
>> > WS_FTP? I don't want to compromise the security of the LAN, but all
>> > the
>> > big
>> > files I want to FTP are inside the LAN.
>> >
>> > Thanks in Advance for your ideas!
>> > Laura
>>
>>
>>
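The 'mirroring' process the post recommends (a LAN-side client that pushes files into the FTP space on a schedule, so nobody opens Windows file sharing to the DMZ box) can look like the following. This is an added example, not code from the post or from WS_FTP. It assumes a flat drop folder on the server, the diagram's FTP address 192.168.25.3 reached through the SBS (ISA must allow FTP from the LAN to the .25 subnet), a dedicated server-local account as the post advises, and a server that offers FTP over TLS; all hostnames, paths and variable names are illustrative. The design point is that the DMZ box is treated as 'dirty': the client only ever pushes, keeps its own record of what it has sent on the LAN side, and refuses to act on any name the server returns that could point outside the drop folder.

```python
# Added example (not from the original post): one-way push mirror from an
# internal folder to a flat drop folder on the DMZ FTP server. Hypothetical
# host/account values; treat the server and everything it returns as untrusted.
import hashlib
import json
import os
import ssl
import sys
from ftplib import FTP_TLS

def local_listing(folder):
    """Name -> sha256 of every regular file directly under folder (flat tree)."""
    out = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                out[name] = hashlib.sha256(fh.read()).hexdigest()
    return out

def safe_remote_name(name):
    """Reject names a compromised server could use to steer the client
    outside the drop folder: separators, '.', '..', empty or non-printable."""
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        return False
    return all(32 <= ord(c) < 127 for c in name)

def plan_sync(local, last_pushed, remote_names):
    """Decide what to upload and what to delete.

    local        : name -> sha256 from local_listing()
    last_pushed  : name -> sha256 recorded after our previous push; kept on
                   the LAN side, so a tampered server cannot hide a change
    remote_names : raw NLST output from the server (untrusted)
    Returns (uploads, deletes, rejected); rejected names are never touched.
    """
    uploads = sorted(n for n, h in local.items() if last_pushed.get(n) != h)
    deletes, rejected = [], []
    for n in remote_names:
        if not safe_remote_name(n):
            rejected.append(n)
        elif n not in local:
            deletes.append(n)
    return uploads, sorted(deletes), rejected

def push(folder, manifest_path, host, user, password):
    """Apply the plan over FTP with TLS on both the control and data channels."""
    local = local_listing(folder)
    try:
        with open(manifest_path) as fh:
            last_pushed = json.load(fh)
    except FileNotFoundError:
        last_pushed = {}
    # Default context verifies the server certificate; the DMZ box's cert
    # (or its issuer) must therefore be trusted on the LAN-side client.
    ftp = FTP_TLS(host, context=ssl.create_default_context())
    ftp.login(user, password)
    ftp.prot_p()          # PROT P: encrypt the data connection, not only the login
    ftp.set_pasv(True)    # passive mode is the easier one to pass through ISA/NAT
    uploads, deletes, rejected = plan_sync(local, last_pushed, ftp.nlst())
    for name in uploads:
        with open(os.path.join(folder, name), "rb") as fh:
            ftp.storbinary("STOR " + name, fh)
    for name in deletes:
        ftp.delete(name)
    ftp.quit()
    with open(manifest_path, "w") as fh:
        json.dump(local, fh)   # record what we believe is now on the server
    return uploads, deletes, rejected

if __name__ == "__main__":
    # usage: FTP_PASS=... python ftp_push.py <local folder> <manifest.json> <host> <user>
    # e.g. FTP_PASS=... python ftp_push.py D:\outbox D:\outbox.manifest 192.168.25.3 ftpdrop
    print(push(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4], os.environ["FTP_PASS"]))
```

Run it from a scheduled task on a LAN client (or the SBS) that can read the source folder; the FTP account it uses should exist only in the WS_FTP user database, never in the domain, so a sniffed or stolen password buys nothing on the .16 side. The manifest is deliberately the client's own record rather than anything the server reports, and any remote name that fails `safe_remote_name` is returned in `rejected` for logging instead of being deleted or uploaded over.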