topic Re: FTP server in Operating System - HP-UX

FTP server

zanwar.prashantuktransc — Thu, 04 Sep 2003 15:47:30 GMT

Hi,

I am in Customer place.

They have a FTP server for some specific need, which is placed here out of the firewall.

Few known users are placing files in FTP server, which is then getting picked up by a application which is inside firewall.

I want to know, if the ftp server can be placed inside firewall, which will be more secure too. I am in mood of suggesting to customer, can someone please confirm my views. Please answer the query.

Re: FTP server

A. Clay Stephenson — Thu, 04 Sep 2003 15:53:16 GMT

An FTP server will, of course, work perfectly well inside a firewall and be more secure BUT public and/or customer access to this server is thus prevented. If both customers/public and company users must access the data then the best choice is a "DMZ" - Demilitirized Zone -- in which some public/customer access is allowed.

Re: FTP server

Mark Grant — Thu, 04 Sep 2003 15:54:37 GMT

To be honest, it's better to leave it where it is.

If it is on your side of the firewall, you will have to open your customers machines to the outside world. If it stays where it is, you can use rules that only allow you to get information from the ftp server.

The rule is, pulls are OK, pushes are not.

Re: FTP server

Sundar_7 — Thu, 04 Sep 2003 16:03:35 GMT

Hi Prashant,

How U have been ? :-)

To answer your query

Yes no big deal to place a FTP server inside the firewall. Couple of things

1) FTP uses two ports. 20 for data and 21 for control. Port 21 is used for commands and 20 for transferring the data.

So you need to enable these ports in ur firewall

2) Also your ftp client can use the ftp service in the active/passive mode. Active mode is by default. In active mode, u need to enable outgoing connection from ur ftp server on port 20 on an already established connection. In passive mode port 20 is not used at all. For the FTP to work properly it is necessary that the firewall is a connection/state-aware. All the modern day firewalls are connection/state aware

3) one more problem with the FTP inside the firewall is, if the client is transferring huge chunk of data say more than 600MB. In this case the port 20 (data port) will be active transferring the data but port 21 (control port) will be inactive since there are no commands transferred to/from. So the firewall will close the port 21 after certain amount of predefined timeout period. Once the data is transferred the client connection will be abruptly closed by the server since the control port is already closed.

Let me know of any questions

Sundar.

Re: FTP server

Steven E. Protter — Thu, 04 Sep 2003 16:17:10 GMT

Based on earlier replies, I have a middle of the road suggestion.

If you want the ftp server accessible to the public and don't have the infrastructure and money to set up a dmz, here is how it can be done.

Make the (I assume HP-UX) ftp server the firewall. It can provide NAT to the internal network if you wish, or at the very least IP filter firewall running on the box will limit the exploit opportunities from failures in the FTP server.

If you have the bucks, you can do the dmz thing. You can even program both firewalls to forward all traffic in both directions to and from a server in the normal server zone.

With ftp in a chroot jail, the chances of security issues are pretty low. If you don't mind the fact that ftp does passwords in clear text.

SEP

Re: FTP server

zanwar.prashantuktransc — Fri, 05 Sep 2003 07:23:01 GMT

Hi,

Thanks to all, Clay, Mark, Sundar and Steven.

I am pleased with the answers from all.

Answer from Mark suits my query 100%

And Sundar, thanks for your reply in detail.

Mark has also helped out nicely..and Steven too.

I want to know where can I found information on DMZ and also about firewall setup.

Best regards
Prashant

Re: FTP server

Sundar_7 — Fri, 05 Sep 2003 15:36:36 GMT

Zanwar Shahib,

Kya re, you dont beleive in assigning points or what ?.