
Re: FTP server

 
zanwar.prashantuktransc
Occasional Advisor

FTP server

Hi,

I am at a customer's place.

They have an FTP server for a specific need, which is placed here outside the firewall.

A few known users are placing files on the FTP server, which are then picked up by an application that is inside the firewall.

I want to know if the FTP server can be placed inside the firewall, which would be more secure too. I am in the mood to suggest this to the customer; can someone please confirm my views? Please answer the query.
A. Clay Stephenson
Acclaimed Contributor

Re: FTP server

An FTP server will, of course, work perfectly well inside a firewall and be more secure BUT public and/or customer access to this server is thus prevented. If both customers/public and company users must access the data then the best choice is a "DMZ" - Demilitarized Zone - in which some public/customer access is allowed.

If it ain't broke, I can fix that.
Mark Grant
Honored Contributor

Re: FTP server

To be honest, it's better to leave it where it is.

If it is on your side of the firewall, you will have to open your customer's machines to the outside world. If it stays where it is, you can use rules that only allow you to get information from the FTP server.

The rule is, pulls are OK, pushes are not.
Never precede any demonstration with anything more predictive than "watch this"
Sundar_7
Honored Contributor

Re: FTP server

Hi Prashant,

How have you been? :-)

To answer your query:

Yes, it is no big deal to place an FTP server inside the firewall. A couple of things:

1) FTP uses two ports. 20 for data and 21 for control. Port 21 is used for commands and 20 for transferring the data.

So you need to enable these ports in your firewall.

2) Also, your FTP client can use the FTP service in active or passive mode. Active mode is the default. In active mode, you need to enable outgoing connections from your FTP server on port 20 on an already established connection. In passive mode, port 20 is not used at all. For FTP to work properly, it is necessary that the firewall is connection/state-aware. All modern-day firewalls are connection/state-aware.

3) One more problem with FTP inside the firewall arises if the client is transferring a huge chunk of data, say more than 600MB. In this case port 20 (the data port) will be active transferring the data, but port 21 (the control port) will be inactive since no commands are being transferred to or from it. So the firewall will close port 21 after a predefined timeout period. Once the data is transferred, the client connection will be abruptly closed by the server since the control port is already closed.

Let me know of any questions

Sundar.
Learn What to do, How to do and more importantly When to do?
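An added example, not part of the reply above or of any firewall product's code: a sketch of what a connection/state-aware firewall does with the active and passive modes described in point 2, reading the port 21 control channel to work out which data connection to allow. The function names, the "mismatch" label and the sample addresses are assumptions made for this illustration.

```python
import re

# Six comma-separated numbers h1,h2,h3,h4,p1,p2 (RFC 959): IP address, then port = p1*256 + p2.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)  # client command (active mode)
_PASV = re.compile(r"^227\b.*?" + _SIX)                          # server reply to PASV

def _endpoint(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (groups,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def expected_data_flows(control_lines, client_ip, server_ip):
    """Derive the data connections a state-aware firewall must allow.

    control_lines: (direction, text) pairs seen on port 21, where direction is
    "C" (client to server) or "S" (server to client).
    Returns a list of (mode, src_ip, dst_ip, dst_port) tuples.
    """
    flows = []
    for direction, text in control_lines:
        text = text.strip()
        if direction == "C" and (m := _PORT.match(text)):
            ip, port = _endpoint(m.groups())
            # Active: the server connects out, from port 20, to the announced address.
            # An address that is not the control-connection peer gets no pinhole.
            mode = "active" if ip == client_ip else "mismatch"
            flows.append((mode, server_ip, ip, port))
        elif direction == "S" and (m := _PASV.match(text)):
            ip, port = _endpoint(m.groups())
            # Passive: the client connects in to a port the server chose; port 20 is unused.
            flows.append(("passive", client_ip, ip, port))
    return flows

# Constructed control-channel capture (documentation addresses, not from the thread).
SAMPLE = [
    ("C", "PORT 192,0,2,10,195,80"),
    ("S", "200 PORT command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,5,234,96)"),
]

if __name__ == "__main__":
    for flow in expected_data_flows(SAMPLE, "192.0.2.10", "198.51.100.5"):
        print(flow)
```
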
Steven E. Protter
Exalted Contributor

Re: FTP server

Based on earlier replies, I have a middle of the road suggestion.

If you want the ftp server accessible to the public and don't have the infrastructure and money to set up a dmz, here is how it can be done.

Make the (I assume HP-UX) FTP server the firewall. It can provide NAT to the internal network if you wish, or at the very least an IP filter firewall running on the box will limit the exploit opportunities from failures in the FTP server.

If you have the bucks, you can do the DMZ thing. You can even program both firewalls to forward all traffic in both directions to and from a server in the normal server zone.

With FTP in a chroot jail, the chances of security issues are pretty low, if you don't mind the fact that FTP does passwords in clear text.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
zanwar.prashantuktransc
Occasional Advisor

Re: FTP server

Hi,

Thanks to all, Clay, Mark, Sundar and Steven.

I am pleased with the answers from all.

Answer from Mark suits my query 100%

And Sundar, thanks for your reply in detail.

Mark has also helped out nicely, and Steven too.

I want to know where I can find information on DMZ and also about firewall setup.


Best regards
Prashant
Sundar_7
Honored Contributor

Re: FTP server

Zanwar Shahib,

Hey, you don't believe in assigning points or what?

Learn What to do, How to do and more importantly When to do?