Security Basics mailing list archives

Re: securing an FTP service


From: Alessandro Bottonelli <a.bottonelli () axis-net it>
Date: Tue, 23 Nov 2004 09:26:17 +0100

On Tuesday 23 November 2004 00:11, Davide wrote:

> (internet)---(router)---(firewall)---(LAN)---(server)

The LAN is NATted? If so, you'll need to set Port Address
Translation on the firewall/NAT.

> Employees access from a remote location office using their win
> logon credentials (no anonymous access is provided). The local
> branch office accesses the internet with a dynamic IP provided by
> the ISP. What security concerns are raised in this setting?

First, you don't know your branch office's IP address in advance,
so you cannot filter traffic based on source IP address.

> Should I use a DMZ, using the server to provide FTP services and
> moving the ftproot folder to another server INSIDE the DMZ
> (linked to a shared folder)?

I personally see this solution as being bad... You are moving
the company's data into the DMZ, not a good idea in principle...

> How can I overcome the problem that FTP passwords are
> transmitted unencrypted? Should a VPN between HQ provide the
> panacea for these problems?

A VPN is a solution, maybe FTP over SSL is another (but I am not
familiar enough with Microsoft to point you to a specific product,
any takers?).

Cheers

-- 
Alessandro Bottonelli, CISSP & BS7799 Lead Auditor
AXIS-NET Privacy & InfoSec Consulting
http://www.axis-net.it
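
The cleartext-password concern raised in this message can be checked from the server side. The following is an added example, not part of the original post: it audits an FTP command log for logins sent without a prior successful `AUTH TLS` and for transfers made without `PROT P` (the FTP-over-TLS commands of RFC 4217). The log format, session names and sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log, hypothetical format "<session> <C|S> <command or reply>".
SAMPLE_LOG = """\
s1 C USER davide
s1 C PASS ********
s1 S 230 Logged in
s1 C RETR report.xls
s2 C AUTH TLS
s2 S 234 Proceed with negotiation
s2 C USER davide
s2 C PASS ********
s2 C PBSZ 0
s2 C PROT P
s2 S 200 Protection set to Private
s2 C RETR report.xls
s3 C AUTH TLS
s3 S 234 Proceed with negotiation
s3 C PASS ********
s3 C RETR report.xls
"""

DATA_COMMANDS = {"RETR", "STOR", "APPE", "STOU", "LIST", "NLST", "MLSD"}

def audit_sessions(log_text):
    """Return {session: [findings]} for sessions that exposed credentials or data."""
    state = defaultdict(lambda: {"last": "", "tls": False, "prot_p": False})
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        sid, side, text = parts
        st = state[sid]
        if side == "S":  # a reply only counts for the command it answers
            if text.startswith("234") and st["last"].startswith("AUTH "):
                st["tls"] = True      # control channel is now under TLS
            elif text.startswith("200") and st["last"] == "PROT P":
                st["prot_p"] = True   # data channel protection set to Private
            continue
        st["last"] = " ".join(text.upper().split())
        verb = st["last"].split()[0]
        if verb == "PASS" and not st["tls"]:
            findings[sid].append("cleartext-password")
        elif verb in DATA_COMMANDS and not st["prot_p"]:
            findings[sid].append("cleartext-data")
    return dict(findings)
```

Session `s3` shows the case that is easy to miss: the login is protected, but the file transfer still crosses the network unencrypted because `PROT P` was never issued.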

