LinuxQuestions.org
Old 02-11-2006, 06:40 PM   #1
hondaman
Member
 
Registered: Feb 2004
Location: Dallas
Distribution: Fedora
Posts: 59

Rep: Reputation: 15
DMZ. Basic Security Questions.


I have an http/ftp server set up in a dmz. I know 99.9% of the reason a server is in a dmz is so it doesn't have access to your lan.

However...

What if there are lots of files on your lan that you want to make public on an ftp server? Is there any -secure- way to do this without copying all the files from your lan to your dmz server?
 
Old 02-12-2006, 12:49 PM   #2
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
I think in general SSH v2's S/FTP features are the preferred method nowadays and good ol' FTP is pretty much obsolete, security-wise anyway. Penn State has a good info page on the topic with current links: http://css.its.psu.edu/internet/ssh/

Last edited by Crito; 02-12-2006 at 12:50 PM.
 
Old 02-13-2006, 05:51 AM   #3
hondaman
Member
 
Registered: Feb 2004
Location: Dallas
Distribution: Fedora
Posts: 59

Original Poster
Rep: Reputation: 15
So it's ok to allow incoming connections into your lan without the need of a dmz?
 
Old 02-13-2006, 02:19 PM   #4
genlee
Member
 
Registered: Jul 2003
Distribution: Solaris 8/9, gentoo
Posts: 41

Rep: Reputation: 15
I would never allow any incoming connections to my internal lan. If I had to sync files on a dmz machine with an internal server, I would use rsync and initiate the connection from the internal network. Another possible solution would be to use a 2nd dmz network for the file server which only the ftp server has access to and whatever access the internal network needs to it. I think the best method though would be moving the files from the internal to dmz.
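
The LAN-initiated rsync push suggested in the post above, sketched as an added example that is not part of the original thread. The host name, account, paths, key file and the `RSYNC`/`DRY_RUN` variables are placeholders chosen for illustration.

```shell
#!/bin/sh
# Push-only publish: run this on the LAN file server (by hand or from cron).
# The connection is opened from the LAN toward the DMZ, so the firewall needs
# no rule that lets the DMZ host start a connection into the LAN.
# Every host, user and path below is a placeholder (assumption).

PUBLISH_ROOT="/srv/public"                 # the only LAN tree that may be published
DMZ_TARGET="publish@dmz-ftp.example.net:/var/ftp/pub/"
SSH_KEY="/etc/publish/id_ed25519"          # dedicated key, used for nothing else

# Return 0 only if $1 is PUBLISH_ROOT or lies beneath it and has no ".." parts.
is_publishable() {
    case "$1" in
        */../*|*/..) return 1 ;;           # refuse attempts to climb out of the tree
    esac
    case "$1" in
        "$PUBLISH_ROOT"|"$PUBLISH_ROOT"/*) return 0 ;;
    esac
    return 1
}

# Push the directory $1 to the DMZ server. DRY_RUN=1 adds rsync's --dry-run so
# the file list can be reviewed first; RSYNC overrides the binary (test hook).
publish() {
    src="${1%/}"
    if ! is_publishable "$src"; then
        echo "refusing to publish: $1" >&2
        return 1
    fi
    set -- -a --safe-links --chmod=D755,F644
    if [ "${DRY_RUN:-0}" = 1 ]; then set -- "$@" --dry-run; fi
    # --safe-links skips symlinks that point outside the published tree.
    # BatchMode makes ssh fail instead of prompting when run unattended.
    ${RSYNC:-rsync} "$@" \
        -e "ssh -i $SSH_KEY -o BatchMode=yes -o IdentitiesOnly=yes" \
        "$src/" "$DMZ_TARGET"
}

# Stand-alone use: ./publish.sh /srv/public/docs
[ "$#" -eq 0 ] || publish "$1"
```

On the DMZ side, the `publish` account only needs write access to the FTP directory, and its key can be limited to this job in `authorized_keys`.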
 
Old 02-13-2006, 11:31 PM   #5
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
Quote:
Originally Posted by hondaman
Is there any -secure- way to do this without copying all the files from your lan to your dmz server?
Those were your requirements. So you've already decided that it's OK to open a port and that it's not OK to copy everything to a bastion file server in the DMZ (the preferred method). Given those requirements, restricting internal access to SSH on port 22 (like Penn State did) would be the most secure way.
 
Old 02-14-2006, 12:10 AM   #6
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
And just to be 100% clear, bastion file server in the DMZ is preferred over SSH which is preferred over FTP. Only way you could possibly secure FTP is through an encrypted VPN tunnel.
 
  

