Security Basics mailing list archives

Re: securing an FTP service


From: Davide <ak_71 () libero it>
Date: 24 Nov 2004 15:15:22 -0000

In-Reply-To: <41A043F900025D3B () vsmtp2alice tin it (added by postmaster () aliceposta it)>

Thanks, pingywon and Alessandro, for your hints.
Yes, the LAN is NATted. The FTP service on the firewall
is redirected to the server. I understand that,
since the IP at the branch office is dynamic, I cannot
reject (at the firewall level) FTP requests
that do not come from IPs other than the branch office's.

But I think I failed to explain the prospected solution:
the ftp-server is placed in the DMZ
(internet)---(router)---(firewall)---(ftp-server)---(internal firewall AKA "holed firewall")---(LAN)---(computer hosting the ftproot)

I.e. the ftproot sits on another computer inside the LAN. This would expose to the DMZ the NETBIOS sharing
needed by the ftp-server to access the ftproot:
on the internal firewall, NETBIOS ports should be
redirected to the computer hosting the ftproot.
On the computer hosting the ftproot, we configure:
- a folder, containing the documents, read-only;
- another folder used to host the files the remote
  user finally needs to give (put) to the colleagues,
  with read/write/delete access.
- users in the central office access the ftproot
  as any normal shared resource in the LAN.

Does this setup make any sense?

thanks
davide

On Tuesday 23 November 2004 00:11, Davide wrote:


(internet)---(router)---(firewall)---(LAN)---(server)

the LAN is NATted? If so, you'll need to set Port Address 
Translation on the firewall/nat.

[...]
takers?).

Cheers

-- 
Alessandro Bottonelli, CISSP & BS7799 Lead Auditor
AXIS-NET Privacy & InfoSec Consulting
http://www.axis-net.it


