
I need to transfer data originally from the internet that is first transported to a DMZ, then from the DMZ into an internal network. The data is basically real-time data that is needed on the internal network for further testing, nothing confidential though.

My question is: what protocol is best to use to transport the data from the DMZ back into the internal network? I know that since WannaCry SMB is a very bad word to use, so I was wondering what would be a secure and performant protocol to use in this case?

Mike Ounsworth
Castr3l
  • *"...basically real-time data..."* - does this mean that it is a data stream which needs to be forwarded to the internal network, or are these files which only need to be copied into the internal network (I would not call this real-time then, though)? – Steffen Ullrich Feb 08 '18 at 18:40

1 Answer

SMB is fine in general as long as you're using SMBv2 with SMBv1 disabled, although in this scenario I wouldn't use SMB because it involves opening port 445 on a Windows box into the DMZ, and that offers up quite a large attack surface.

I'd personally use SCP. There are tools for it on almost every OS in existence, it's based on SSH, it's standardised, it's fast, and you can secure it with an SSH key rather than a password. You could also use rsync over stunnel, but that's a bit more complex. In both cases you can easily set up a firewall rule for TCP connections from the DMZ host IP on any port, to the internal host on port 22 (or whatever you've got your stunnel port set as).

Polynomial
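The two pieces of configuration the answer describes on the receiving (internal) side, written out as an added example that is not part of the original answer: a least-privilege `authorized_keys` entry for the DMZ host's SSH key, and the matching firewall rule. The addresses, the drop directory and the key are constructed placeholders, and the nftables chain name and its default-drop policy are assumptions.

```shell
#!/bin/sh
# Added example: generate the receiving-host configuration for the SCP-over-SSH
# push described in the answer. All values below are constructed placeholders.

DMZ_HOST_IP="10.0.1.20"          # assumed DMZ host address (the only allowed client)
INTERNAL_HOST_IP="10.0.2.30"     # assumed internal host that receives the data
DROP_DIR="/srv/dmz-inbound"      # assumed directory the data lands in

# authorized_keys line for the DMZ host's public key. "restrict" (OpenSSH 7.2+)
# disables port/agent/X11 forwarding and PTY allocation, from= pins the key to
# the DMZ address, and command= forces scp in receive mode (-t) into DROP_DIR,
# so a stolen key cannot open a shell or read files back out of the network.
# Note: OpenSSH 9.0+ scp clients speak SFTP by default; the DMZ side must use
# "scp -O" for this forced command to match.
authorized_keys_entry() {
    pubkey="$1"
    printf 'restrict,from="%s",command="scp -t %s" %s\n' \
        "$DMZ_HOST_IP" "$DROP_DIR" "$pubkey"
}

# nftables rule: only the DMZ host may open new TCP connections to port 22 on
# the internal host; the "inet filter input" chain is assumed to exist with a
# default policy of drop, so nothing else in the DMZ reaches sshd.
nft_rule() {
    printf 'nft add rule inet filter input ip saddr %s ip daddr %s tcp dport 22 ct state new accept\n' \
        "$DMZ_HOST_IP" "$INTERNAL_HOST_IP"
}

# Review check for an authorized_keys line: accept only entries that carry both
# a forced command and a source-address restriction; a bare key fails.
entry_is_restricted() {
    case "$1" in
        *command=*from=*|*from=*command=*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Append the output of `authorized_keys_entry` to `~/.ssh/authorized_keys` of the receiving account and run the `nft_rule` line as root; the DMZ host then pushes with `scp -O -i <key> <file> <internal host>:` and can do nothing else with that key.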