
Our support staff establish remote-access connections from jumphosts that are isolated within a DMZ. To provide support they need project files (up to a few GB in size) which are stored on a file server within our LAN. Currently, the transfer is always done manually, which consumes a lot of time.

Therefore, we thought about replicating the files from the LAN to the DMZ. As I found out, from a security perspective it seems to be best practice to initiate a push from the internal file server to the DMZ file server. But the files need to be changed on the DMZ hosts too. So how about transferring data back?

We thought about initiating a pull from the internal LAN server. How is this seen from a security point of view? Is there another way to establish two-way file replication between DMZ and LAN that can be considered best practice?

BR

gumlozol
  • Do I understand it correctly that you want to automatically duplicate many possibly sensitive files from the LAN to the DMZ just because they might ever be needed in the DMZ (and usually only for a short time), and that you want to automatically duplicate arbitrary files which ended up in the DMZ into your local LAN? In my opinion this unnecessarily exposes possibly sensitive files to a less trusted environment (i.e. where the chance is higher that an attacker is there too) and also automatically moves potentially compromised data into the local LAN. – Steffen Ullrich Jan 11 '20 at 10:16
  • I can see your point. Of course, we would limit the file replication to only the files that are really needed in the DMZ (we would only need to replicate files from specific folders that have special file types and naming schemes). Our problem is that these files are needed in both environments every day. Currently, they are copied manually and are possibly exposed to the less trusted environment in an even more chaotic way. That's why we are looking for a secure way to sync these files. – gumlozol Jan 11 '20 at 10:50


It is better to initiate the connection from the LAN to the DMZ to sync the files, no matter in which direction the sync is done. Initiating the connection from the DMZ would mean opening the firewall between LAN and DMZ, which makes the LAN prone to attacks from the less secure DMZ.

When allowing connection establishment from the DMZ to the LAN you essentially expose the internal host to attacks from the DMZ. Even if the firewall is strict in that it only allows connections from the DMZ to a specific internal IP+port, an attacker who has taken over the DMZ (it is less protected than the LAN by design) can flood this internal IP and thus cause a denial of service. Also, firewall rules are often forgotten when they are no longer needed, and it might happen that the system reachable by the rule changes and now the attacker can reach a different system through the same rule. And then there are bugs in the firewall configuration which might actually expose more than was intended - see here for a report (in German) about a bug in a router which exposed not only the intended port 443 for VPN but also 445 (SMB, i.e. Windows file sharing) and this way made sensitive data available to the internet.

If instead connections are only allowed from the LAN to the DMZ, then the LAN keeps full control over what gets transferred. An attacker in the DMZ cannot simply flood the LAN since packets not matching an established connection are blocked by the firewall. If the data exchange is no longer needed, no firewall rules need to be removed. If the IP of the internal system changes (for example due to DHCP), no firewall rule needs to be adapted. And if there is no firewall rule, it also cannot be too broad.

Steffen Ullrich
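As an added example (not code from the question or the answer above), the policy the answer describes modelled as a small stateful firewall in Python, together with the rsync invocations a LAN-side job would run so that both the push and the pull are opened from the LAN. The addresses 10.0.0.10 and 192.168.100.10, the rsync-over-SSH transport on TCP 22, the `dmzsync` account and the `/srv/projects/` paths are assumptions for illustration; the page names none of them.

```python
"""Stateful LAN/DMZ firewall model: only the LAN may open connections.

Added example, not code from the original question or answer. The address
ranges, the rsync-over-SSH transport (TCP 22), the dmzsync account and the
/srv/projects/ paths are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")          # assumed LAN range
DMZ = ip_network("192.168.100.0/24")     # assumed DMZ range
LAN_FILESERVER = "10.0.0.10"             # assumed
DMZ_FILESERVER = "192.168.100.10"        # assumed
SYNC_PORT = 22                           # rsync over SSH, assumed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the packet that opens a TCP connection


class StatefulFirewall:
    """Connection-tracking filter between LAN and DMZ.

    Policy: a NEW connection is accepted only from the LAN to the DMZ file
    server's sync port. Every other packet must belong to a flow the LAN
    already opened; otherwise it is dropped without creating any state.
    """

    def __init__(self):
        self.flows = set()  # (client, cport, server, sport) opened from the LAN

    def _new_allowed(self, pkt):
        return (ip_address(pkt.src) in LAN
                and ip_address(pkt.dst) in DMZ
                and pkt.dport == SYNC_PORT)

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "ACCEPT established"  # reply traffic of a LAN-opened flow
        if pkt.syn and self._new_allowed(pkt):
            self.flows.add(fwd)
            return "ACCEPT new"
        return "DROP"                    # includes every DMZ-initiated SYN


def lan_initiated_sync():
    """The LAN server opens the sync connection; the DMZ's replies get through."""
    fw = StatefulFirewall()
    return [
        fw.filter(Packet(LAN_FILESERVER, 40000, DMZ_FILESERVER, SYNC_PORT, syn=True)),
        fw.filter(Packet(DMZ_FILESERVER, SYNC_PORT, LAN_FILESERVER, 40000, syn=False)),
    ]


def dmz_initiated_attempts(count=3):
    """A compromised DMZ host tries to open connections into the LAN.

    Returns the verdicts and the size of the flow table afterwards: nothing
    was recorded, so a SYN flood from the DMZ cannot exhaust firewall state.
    """
    fw = StatefulFirewall()
    verdicts = [
        fw.filter(Packet(DMZ_FILESERVER, 50000 + i, LAN_FILESERVER, SYNC_PORT, syn=True))
        for i in range(count)
    ]
    return verdicts, len(fw.flows)


def rsync_argv(direction):
    """Command the LAN file server runs. Both directions are opened from the
    LAN; only the source and destination arguments swap."""
    local = "/srv/projects/"
    remote = f"dmzsync@{DMZ_FILESERVER}:/srv/projects/"
    base = ["rsync", "-a", "-e", "ssh"]
    if direction == "push":
        return base + [local, remote]
    if direction == "pull":
        return base + [remote, local]
    raise ValueError(f"unknown direction {direction!r}")


if __name__ == "__main__":
    print(lan_initiated_sync())
    print(dmz_initiated_attempts())
    print(" ".join(rsync_argv("push")))
    print(" ".join(rsync_argv("pull")))
```

The model mirrors what a real ruleset does with connection tracking: one rule accepting established/related traffic, one rule accepting new connections only from the LAN range to the DMZ server's sync port, and a default drop. Because the pull is also opened by the LAN server (`rsync` with the DMZ path as the source), the DMZ never needs a rule that lets it reach the LAN.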