
I have the task to place an FTP server in the company DMZ for our partners to store sensitive data that cannot be sent by mail.

I have chosen the IIS FTPS. I will generate a self-signed certificate for server authentication. Also, I was planning to configure client certificate authentication.

I will open Implicit FTPS port 990 with source Any. Is there something that I can do to harden the FTP server, because the source will be Any? What would be the best practice? Also, is it smart to leave port 990 open with source Any?

gowenfawr
John
  • Not using a self-signed certificate will help a lot, unless you can ensure that all partners will mark that certificate as trusted. –  Dec 12 '19 at 20:59

1 Answer

You should not worry about the source being Any. It is the common way for public server-side protocols like FTP or HTTPS. You should simply ensure that only the expected server(s) is (are) reachable on their open ports.

But FTP is an old protocol that was invented when firewalls and encryption were not used. It uses one TCP connection for the command stream, and a distinct one per file transfer. In the sendport mode, the data connection is initiated by the server from a well-known port (20 for FTP, 989 for implicit FTPS). That means that it is nice for your own firewall, but will cause headaches for your partners' firewall admins: they will have to open inbound connections on their firewall to random ports...

The passive mode is a little more client-firewall friendly, because the client will open the data connection. But only a little more, because the server will listen on a (quasi) random port and no longer on a well-known one. And the nightmare is for the server-side firewall: a legitimate connection coming from a random port and reaching a random port! In non-encrypted FTP mode, the firewall was spying on the command connection to know the data ports, but there is no way to do that if the command channel is encrypted...

This is one of the reasons why FTPS is only seldom used, despite being a very robust protocol.

Serge Ballesta
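What a stateful firewall's FTP helper has to do on the cleartext command channel, as an added example that is not part of the original answer: parse the PORT command and the PASV/EPSV replies to learn the data-connection endpoint, and sanity-check it. With FTPS the firewall sees only ciphertext, so this step is impossible and the server's passive range has to be pinned and opened explicitly, which the last function checks (IIS exposes that range as the Data Channel Port Range under FTP Firewall Support). All sample lines and addresses are constructed.

```python
import re
from ipaddress import IPv4Address

# Constructed sample control-channel messages, not taken from any real session.
SAMPLE_PORT_CMD = "PORT 192,0,2,10,195,80"                        # active mode
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,156,44)."
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||50101|)"  # RFC 2428

_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and 227 replies.
    Returns (ip, port) where port = p1 * 256 + p2."""
    m = _HOST_PORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in: %r" % text)
    return str(IPv4Address(f"{h1}.{h2}.{h3}.{h4}")), p1 * 256 + p2


def parse_epsv_port(reply):
    """EPSV carries only the port; the data host is the control-channel peer."""
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if not m:
        raise ValueError("not an EPSV 229 reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def data_host_matches_peer(text, control_peer_ip):
    """ALG sanity check: the advertised data host must be the party we are
    already talking to; anything else is a misconfiguration or a bounce."""
    host, _ = parse_host_port(text)
    return host == control_peer_ip


def data_port_allowed(port, passive_range):
    """With an encrypted command channel the firewall cannot learn the port,
    so the server must be pinned to a fixed range that is opened statically."""
    lo, hi = passive_range
    return lo <= port <= hi
```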
  • Serge, thanks for clarifying this. Do you have any suggestions as to what I can place in the DMZ instead of FTPS for file transferring that is secure and better? – John Dec 13 '19 at 12:35
  • @John: HTTPS upload is commonly used nowadays. It's natively supported in browsers and firewalls, and security is straightforward (same certificates as for HTTPS download). – MSalters Dec 13 '19 at 12:41
  • If you can use an encrypted VPN between your partners and your site to protect the credentials, you could revert to an unencrypted FTP protocol. SFTP is also a nice protocol, but you should make sure that only the file transfer subsystem is activated because by default the client could get a shell on the server... Maybe MIME encryption of mails (possible with self-signed certificates provided both sides trust them) would be a simpler way. – Serge Ballesta Dec 13 '19 at 12:46
  • @MSalters: Can you guide me with some advice on what program to use that uses HTTPS for file transfer? – John Dec 13 '19 at 13:11
  • @Serge: I wanted to use a VPN, but then partners will have two pieces of software to install... maybe a little complicated for them. I wanted to make it all one step for them. Thanks for the advice. – John Dec 13 '19 at 13:13
  • @John there's tons of software for this. Owncloud can be configured as a file drop for instance. – vidarlo Jan 12 '20 at 13:55
  • @vidarlo Thanks, I will try it, it looks very good. – John Jan 12 '20 at 18:14