Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1134
Views
5
Helpful
4
Replies

Securing and Restricting Access to an FTP

Go to solution
Mark Mattix
Level 2
Level 2

‎11-07-2012 01:03 PM - edited ‎03-09-2019 11:56 PM

I performed a search here on the forums about this subject and I wasn't able to find a good topic yet for my specific questions, if there is a discussion currently on the forum please forgive me and I would appreciate a link. Anyway, my situation:

I have an ASA firewall and I have never configured an FTP server for a large scale network (well large in my opinion). I want to ensure we have the highest level of security available for the FTP and to limit only the specific users designated by an ACL. Would SFTP be the best available option for security measures? Should I only use Passive FTP and what range of ports above 1023 should I open for only 1 or 2 FTP clients at a time? Also if I use Passive mode do I need to use protocol inspection for FTP?

Also, Currently I'm unsure of what files need to be accessed on our network but should the SFTP Server always only be installed within the DMZ?

Thanks for any advice,  -Mark

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to Mark Mattix

‎11-07-2012 01:57 PM

To activate the SFTP-server on the machine where the data resides is the easiest, but by far not the most secure option.

There are some more ways to better secure that. What about:

- Put the SFTP-server into the DMZ and let that server access the internal server through a fileshare. If someone takes over your SFTP-server, then he has not directly a system in the internal network under his control.

- If the data doesn't chage constantly, the data could be copied or synced to the DMZ-SFTP-server after the changes.

SFTP is based on SSH, so it runs completely on that one port which is typically TCP/22.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Karsten Iwen
VIP
VIP

‎11-07-2012 01:17 PM

If the Server will be reachable from the internet, then a good place is a DMZ.

FTP or SFTP: If you need a cryptographic protection of the transfered files, then go for SFTP. If you distribute public things, then the ASA can bring in an advanced Application-inspection for further security.

For FTP you need the FTP-inspection. On your ACL you only allow TCP/21 and the inspection handles the rest to open the data-channel. If you use SFTP, then no extra connection for the data-transfer is needed.

How do you want to limit the access to the server? By IP or by user? If IP is enough, then use the source in the ACLs. If you need user-based controls for internet-users, then implement it on the FTP-server itself. If you want to restrict your own users then you can think about integrating the ASA into the Active Directory. With that you can use user-accounts or groups in your ACL.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Go to solution
Mark Mattix
Level 2
Level 2
In response to Karsten Iwen

‎11-07-2012 01:42 PM

Thank you for your reply Karsten!

I would like to limit the user(s) by IP on the ASA (is this the safest method when also opening port 21?). The files we need to serve to a client are stored on our private (inside) server. The information must be secured so I think SFTP is our best option. Since the data is stored on an inside server does this mean the only option is to run the SFTP server on the same machine? Also you mentioned that no extra connection for the data-transfer is needed when using SFTP, is this because it will use SSH port 22? Thanks again.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Mark Mattix

‎11-07-2012 01:57 PM

To activate the SFTP-server on the machine where the data resides is the easiest, but by far not the most secure option.

There are some more ways to better secure that. What about:

- Put the SFTP-server into the DMZ and let that server access the internal server through a fileshare. If someone takes over your SFTP-server, then he has not directly a system in the internal network under his control.

- If the data doesn't chage constantly, the data could be copied or synced to the DMZ-SFTP-server after the changes.

SFTP is based on SSH, so it runs completely on that one port which is typically TCP/22.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Mark Mattix
Level 2
Level 2
In response to Karsten Iwen

‎11-09-2012 05:51 AM

Thank you for the advice Karsten! I was thinking of doing something like a fileshare to the FTP in the DMZ but wasn't sure if this was normal practice. Thanks again, -Mark

0 Helpful
Customers Also Viewed These Support Documents