[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] ftp server "best practice"

To: suse-security@xxxxxxxx
Subject: [suse-security] ftp server "best practice"
From: Daniel Nilsson <dnilsson@xxxxxxxxxx>
Date: Thu, 24 Jul 2003 08:44:02 -0400
Delivered-to: mailing list suse-security@xxxxxxxx
Delivery-date: Thu, 24 Jul 2003 14:47:40 +0200
Envelope-to: suse@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
List-help: <mailto:suse-security-help@suse.com>
List-post: <mailto:suse-security@suse.com>
List-subscribe: <mailto:suse-security-subscribe@suse.com>
List-unsubscribe: <mailto:suse-security-unsubscribe-suse=archive.cert.uni-stuttgart.de@suse.com>
Mailing-list: contact suse-security-help@xxxxxxxx; run by ezmlm
Organization: Signal Integrity Software Inc.
User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.3) Gecko/20030317

All,

I'm tasked to add an ftp server to our companys "internet presence", theftp server will need to have accounts on it since the data is not forthe public. Currently our setup consists of a number of Linux firewallsfor our 4 office locations that then in turn connects these 4 officelocations using ipsec. In addition, at our main office location we havea DMZ with a webserver.

The ftp server should be located at the main office, but I could usesome recommendations on where to place this server. From reading mailinglists I understand the issue of active vs. passive ftp and placing theftp server in the DMZ. I don't think I can ask our customers to togglethe active/passive flag of their ftp client since are customers areusually not very computer savvy people. Putting an ftp server in the DMZthat supports both active and passive ftp seems tricky, does anyone havea recipe of how to make that work (using SuSEFirewall 2 on the firewallmachine).

Other options include using the firewall machine itself as the ftpserver, but that makes me very nervous. I was leaning toward using thevsftpd, but regardless how secure that is by design I'm still not tocomfortable using the firewall as the ftp server (what if the ftpd ishacked ???).

The last option is to place the ftp server outside the company LAN andmake it a standalone machine with it's own firewall. This would probablybe the best solution in terms of company LAN security, but the onlything I don't like about this solution is that I will have to administeraccounts on this machine. I was hoping to be able to hook up to an LDAPserver that is available inside the firewall (not in the DMZ).


Any thoughts / recommendations are greatly appreciated.

Thanks
--
Daniel Nilsson


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here

Follow-Ups:
- Re: [suse-security] ftp server "best practice"
  - From: Markus Gaugusch
- [suse-security] Re: ftp server "best practice"
  - From: Stefan Andreas Tichy

Prev by Date: RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES (fwd)
Next by Date: Re: [suse-security] ftp server "best practice"
Previous by thread: RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES (fwd)
Next by thread: Re: [suse-security] ftp server "best practice"
Index(es):
- Date
- Thread