
[suse-security] ftp server "best practice"
All,

I'm tasked to add an ftp server to our company's "internet presence". The ftp server will need to have accounts on it since the data is not for the public. Currently our setup consists of a number of Linux firewalls for our 4 office locations, which in turn connect these 4 office locations using ipsec. In addition, at our main office location we have a DMZ with a webserver.

The ftp server should be located at the main office, but I could use some recommendations on where to place this server. From reading mailing lists I understand the issue of active vs. passive ftp and placing the ftp server in the DMZ. I don't think I can ask our customers to toggle the active/passive flag of their ftp client, since our customers are usually not very computer-savvy people. Putting an ftp server in the DMZ that supports both active and passive ftp seems tricky; does anyone have a recipe for how to make that work (using SuSEfirewall2 on the firewall machine)?

Other options include using the firewall machine itself as the ftp server, but that makes me very nervous. I was leaning toward using vsftpd, but regardless of how secure that is by design, I'm still not too comfortable using the firewall as the ftp server (what if the ftpd is hacked?).

The last option is to place the ftp server outside the company LAN and make it a standalone machine with its own firewall. This would probably be the best solution in terms of company LAN security, but the only thing I don't like about this solution is that I will have to administer accounts on this machine. I was hoping to be able to hook up to an LDAP server that is available inside the firewall (not in the DMZ).

Any thoughts / recommendations are greatly appreciated.

Thanks
--
Daniel Nilsson


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here