[mdlug] File transfer problem

Mark Montague markmont at umich.edu
Fri Jan 7 01:08:21 EST 2011 

  On January 6, 2011 21:40 , "Michael ORourke" <mrorourke at earthlink.net> 
wrote:
> I have a web repository that is in a DMZ which serves out content via NFS to
> Apache web servers.  This server has no direct access outside the DMZ from
> our Intranet.  We need to be able to provide the web content team access to
> the web repository to upload files.  In our old environment, they could FTP
> directly to the web repository from our Intranet.  However, in the new
> environment, things are more locked down.

Why not allow the web content team to FTP files to the web repository in 
the DMZ?  If you allowed this, what would be the security risk?  Or to 
put it another way -- what threat is being protected against that 
justifies making the web content team's job harder, bringing another box 
into the mix (a box on your management network that is accessible from 
the intranet and which can access the web repository server in the DMZ), 
and setting up a lot of glue with ftp/cron/rsync/scp and shell scripting?

My assumptions:

* You trust the machines on your intranet (e.g., you believe they are 
not compromised and would not attack your web repository server).

* The FTP daemon on the web repository in the DMZ is only reachable from 
machines on your intranet.  Specifically, it is not reachable from the 
Internet.  This can be accomplished via firewall rules and/or 
configuring the FTP daemon itself.

* The FTP daemon on the web repository in the DMZ is configured to only 
allow the web content team to modify files in the appropriate web 
document root or other location; it is configured to deny both read and 
write access to any other areas of the web repository filesystems.


My justification:  The purpose of a DMZ is generally to house services 
that are exposed to the hostile Internet.  By separating these servers 
from your intranet, you are able to protect your intranet by making the 
intranet inaccessible from the Internet.  Also, if an attacker manages 
to compromise a machine in the DMZ, they have gained access to -- at 
most -- only a limited set of externally-facing services and have not 
gained any access to more sensitive resources on the intranet.  Thus, 
there is no harm in giving machines on the intranet access to services 
running on machines in the DMZ (however, the converse is not true: 
machines in the DMZ should have no access under any circumstances to 
machines on your intranet).


So setting up FTP on the web repository server in the DMZ to accept 
connections from (and only from) your intranet should not decrease 
security.  And it will save time and money, allow the web content team 
to continue working as they have been without loss in productivity (due 
to not having direct access and/or delays in publishing web content) and 
without needing to be re-trained, result in a simpler web publishing 
workflow, and result in fewer service dependencies.  If you present it 
in this way to your network security staff and/or management, hopefully 
they will go for it.


Apologies for not answering the question you asked, but I hope this helps.

--
   Mark Montague
   mark at catseye.org

More information about the mdlug mailing list