FTP is the oldest Internet protocol so it has no security. It sends and receives everything in plaintext including passwords. It is also one of the most commonly attacked protocols because various implementations (open source wu_ftpd from Washington University in particular) have had many serious security problems.
So treat FTP as a security problem and find a replacement if possible. One replacement is secure FTP that comes with the Secure Shell Version 2 implementation, either open source OpenSSH (http://www.openssh.org) or commercial SSH from F-Secure/SSH.com (http://www.ssh.com) and VanDyke software (http://www.vandyke.com).
There is also an SSL-ized version of regular FTP but I have not found many implementations of it.
If you have to use FTP, only allow incoming to a server in the protected segment that is well hardened and running minimal applications.
An ASCII diagram:

(Internet)-----[Firewall]-----FTP Server
                   |
            (internal users)
Your clients will deposit data on the server (account based only, not anonymous).
Your internal users can then connect to the server and download the data to internal (perhaps after the server does virus checks etc. on the data).
External users never connect directly inside and are time separated from the actual pickup of data by internal users.
Bill Royds
Acting System Administrator,
Canadian Heritage Information Network
(819) 994-1200 X 239

Rick Brown <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/04/02 10:42 AM
To: [EMAIL PROTECTED]
cc:
Subject: FTP through firewall

I need to send and receive FTPs from several outside
business partners and I'd like some advice/input on
the best way to do it. I plan on putting an FTP
server in the DMZ to receive FTPs and restricting who
can use it. I'll then have my internal systems
retrieve the files from the DMZ FTP server. Make
sense so far? For FTPs that my internal systems need
to send, should I just allow them outbound FTP access
through the firewall or should I proxy the FTPs?
Also, I'll be using a W2K-based DMZ server for the
FTPs and was planning on using Ipswitch's WS_FTP
Server Pro. Anyone have any thoughts on the Ipswitch
product? Thanks for the help!
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
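
The three-zone layout described in the reply above, as an added example that is not part of the original thread: a first-match rule table with default deny, plus a check that no probe flow from outside reaches the internal network. All addresses, the source-address restriction on partners and the function names are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed addressing for illustration; none of it comes from the thread.
INTERNAL = ip.ip_network("10.0.0.0/8")
FTP_SERVER = ip.ip_network("192.0.2.10/32")   # hardened host on the protected segment
PARTNERS = ip.ip_network("198.51.100.0/24")   # assumed partner range allowed to deposit
ANY = ip.ip_network("0.0.0.0/0")

# First-match rules: (action, source, destination, TCP destination port or None for any).
# Only the FTP control connection (TCP 21) is modelled; handling of data
# connections by the firewall is assumed and not shown here.
RULES = [
    ("allow", PARTNERS, FTP_SERVER, 21),    # partners deposit on the FTP server
    ("allow", INTERNAL, FTP_SERVER, 21),    # internal users pick up from the server
    ("deny",  ANY,      ANY,        None),  # default deny, covers server -> internal
]

def decide(src, dst, dport, rules=RULES):
    """Return the action of the first rule matching a new TCP connection."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net, port in rules:
        if s in src_net and d in dst_net and port in (None, dport):
            return action
    return "deny"

def violations(rules=RULES):
    """List probe flows that break the design: nothing outside reaches inside."""
    outside = ["198.51.100.7", "203.0.113.50", "192.0.2.10"]  # partner, stranger, FTP server
    inside = ["10.1.2.3"]
    bad = []
    for src in outside:
        for dst in inside:
            for port in (21, 22, 80, 445):
                if decide(src, dst, port, rules) == "allow":
                    bad.append((src, dst, port))
    # An address outside the partner range must not reach the FTP server either.
    if decide("203.0.113.50", "192.0.2.10", 21, rules) == "allow":
        bad.append(("203.0.113.50", "192.0.2.10", 21))
    return bad

if __name__ == "__main__":
    print("violations:", violations())
```

Running `violations()` against a candidate rule table before deploying it shows whether a convenience rule has opened a path from the Internet or the FTP server into the internal network.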
