FTP for internal users and external customers.

Gabriel/TFI

We need to implement an SFTP server that will be used by internal users and
external customers to exchange files.
As a corporate policy, any connection coming from the internet has to be
accepted and managed by a reverse proxy in the DMZ.

Questions:
1) Is it better to place the SFTP server in the Trusted Internal Network or
in the DMZ?
2) The SFTP server supports Active Directory. Is it a good choice to create
a DMZ-Extranet Forest and create a one-way trust to the internal AD?

Ideas? Suggestions?

Regards,
Gabriele
 
S. Pidgorny

1) Internal network is better and
2) No. It's overengineering, thus the answer to 1.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Gabriel/TFI" <GabrielTFI@discussions.microsoft.com> wrote in message
news:0BE705A4-30C0-46E5-A191-25306C1D4DB2@microsoft.com...
> We need to implement an SFTP server that will be used by internal users and
> external customers to exchange files.
> As a corporate policy, any connection coming from the internet has to be
> accepted and managed by a reverse proxy in the DMZ.
>
> Questions:
> 1) Is it better to place the SFTP server in the Trusted Internal Network
> or
> in the DMZ?
> 2) The SFTP server supports Active Directory. Is it a good choice to
> create
> a DMZ-Extranet Forest and create a one-way trust to the internal AD?
>
> Ideas? Suggestions?
>
> Regards,
> Gabriele
 
Gabriel/TFI

Hi Svyatoslav,

thanks for your reply.

In the meantime I came through some reading of
Microsoft_Identity_and_Access_Management_Series_v1.4.

It looks like the basic level of security wants a separate AD forest for
external authentication with a trust relationship to the corporate AD forest
to preserve users' SSO experience.

Because of the ports to be opened on the firewall to allow a trust relationship
between DMZ and Intranet, another way to achieve authentication is shadowing
corporate identities to the external AD forest by the use of MIIS, or in some
cases, if applications are claims-aware, with the deployment of ADFS to
federate identities of the 2 forests (ADFS proxy in the DMZ). This second
option does not require an AD trust relationship.

An external forest can even allow mapping of digital certificates to improve
authentication security (SSL/TLS) without requiring passwords to be replicated
to shadowed accounts.

According to this vision, the DMZ should be layered:
- the reverse-proxy to be placed in the DMZ (let's call it "outer DMZ")
- the external AD forest and SFTP server to be placed in the "production
zone" (let's call it "inner DMZ")
- the internal AD forest obviously to be placed in the Internal Zone (aka
"Intranet")

Of course I am talking about an authentication framework that will be used
not only for FTP services, but ready to host additional application servers
to be shared with external users.

What's your opinion?

Thanks,
Gabriele


"S. Pidgorny <MVP>" wrote:

> 1) Internal network is better and
> 2) No. It's overengineering, thus the answer to 1.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "Gabriel/TFI" <GabrielTFI@discussions.microsoft.com> wrote in message
> news:0BE705A4-30C0-46E5-A191-25306C1D4DB2@microsoft.com...
> > We need to implement an SFTP server that will be used by internal users and
> > external customers to exchange files.
> > As a corporate policy, any connection coming from the internet has to be
> > accepted and managed by a reverse proxy in the DMZ.
> >
> > Questions:
> > 1) Is it better to place the SFTP server in the Trusted Internal Network
> > or
> > in the DMZ?
> > 2) The SFTP server supports Active Directory. Is it a good choice to
> > create
> > a DMZ-Extranet Forest and create a one-way trust to the internal AD?
> >
> > Ideas? Suggestions?
> >
> > Regards,
> > Gabriele
 
S. Pidgorny

That is a reasonable architecture by Microsoft. Being more radical in my own
views, I'd prefer using a single domain. There are enough means to segregate
different types of users within the domain. On the other hand, separate
domains give different account policies, admin authority and replication
boundary, which is more useful in big organisations.

Yet there's one thing that's not justified: putting the external users in the
DMZ and using a firewall to separate them from the internal space. You have
provided reasons for that - and there are some more. Thinking of different
domains and identity management is the right thing to do; thinking in terms of
firewall zones is now obsolete.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Gabriel/TFI" <GabrielTFI@discussions.microsoft.com> wrote in message
news:9D114E85-5A4D-4C3B-9964-C7BE03A27E8B@microsoft.com...
> Hi Svyatoslav,
>
> thanks for your reply.
>
> In the meantime I came through some reading of
> Microsoft_Identity_and_Access_Management_Series_v1.4.
>
> It looks like the basic level of security wants a separate AD forest for
> external authentication with a trust relationship to the corporate AD
> forest
> to preserve users' SSO experience.
>
> Because of the ports to be opened on the firewall to allow a trust relationship
> between DMZ and Intranet, another way to achieve authentication is
> shadowing
> corporate identities to the external AD forest by the use of MIIS, or in
> some
> cases, if applications are claims-aware, with the deployment of ADFS to
> federate identities of the 2 forests (ADFS proxy in the DMZ). This second
> option does not require an AD trust relationship.
>
> An external forest can even allow mapping of digital certificates to
> improve
> authentication security (SSL/TLS) without requiring passwords to be
> replicated
> to shadowed accounts.
>
> According to this vision, the DMZ should be layered:
> - the reverse-proxy to be placed in the DMZ (let's call it "outer DMZ")
> - the external AD forest and SFTP server to be placed in the "production
> zone" (let's call it "inner DMZ")
> - the internal AD forest obviously to be placed in the Internal Zone (aka
> "Intranet")
>
> Of course I am talking about an authentication framework that will be used
> not only for FTP services, but ready to host additional application
> servers
> to be shared with external users.
>
> What's your opinion?
>
> Thanks,
> Gabriele
>
>
> "S. Pidgorny <MVP>" wrote:
>
>> 1) Internal network is better and
>> 2) No. It's overengineering, thus the answer to 1.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>> "Gabriel/TFI" <GabrielTFI@discussions.microsoft.com> wrote in message
>> news:0BE705A4-30C0-46E5-A191-25306C1D4DB2@microsoft.com...
>> > We need to implement an SFTP server that will be used by internal users
>> > and
>> > external customers to exchange files.
>> > As a corporate policy, any connection coming from the internet has to
>> > be
>> > accepted and managed by a reverse proxy in the DMZ.
>> >
>> > Questions:
>> > 1) Is it better to place the SFTP server in the Trusted Internal
>> > Network
>> > or
>> > in the DMZ?
>> > 2) The SFTP server supports Active Directory. Is it a good choice to
>> > create
>> > a DMZ-Extranet Forest and create a one-way trust to the internal AD?
>> >
>> > Ideas? Suggestions?
>> >
>> > Regards,
>> > Gabriele
 
Gabriel/TFI

Svyatoslav, thanks for your comments.

Secure network architecture and authentication, especially when secure
external access is needed, is a big headache for me, due to my limited
knowledge of this matter and to the much conflicting literature I find on the
Internet.
Very confusing.

I even gave a look at IBM's vision of Enterprise Security Architecture.
http://www.redbooks.ibm.com/redbooks/pdfs/sg246014.pdf
Although the firewall zone is said to be obsolete by many sides, as you stated
too, IBM's concept of network architecture still relies on firewall zones.

My will to have separate ADs for internal and external users comes from my
concerns about:
1) the security boundary in AD is the forest;
2) regulatory standards such as Sarbox or best-practice standards such as
CoBIT: do all of these allow external users to be profiled in the corporate
directory?

As you can understand I am confused and lost! :-(

Thanks for your support.

Regards,
Gabriele





"S. Pidgorny <MVP>" wrote:

> That is a reasonable architecture by Microsoft. Being more radical in my own
> views, I'd prefer using a single domain. There are enough means to segregate
> different types of users within the domain. On the other hand, separate
> domains give different account policies, admin authority and replication
> boundary, which is more useful in big organisations.
>
> Yet there's one thing that's not justified: putting the external users in the
> DMZ and using a firewall to separate them from the internal space. You have
> provided reasons for that - and there are some more. Thinking of different
> domains and identity management is the right thing to do; thinking in terms of
> firewall zones is now obsolete.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "Gabriel/TFI" <GabrielTFI@discussions.microsoft.com> wrote in message
> news:9D114E85-5A4D-4C3B-9964-C7BE03A27E8B@microsoft.com...
> > Hi Svyatoslav,
> >
> > thanks for your reply.
> >
> > In the meantime I came through some reading of
> > Microsoft_Identity_and_Access_Management_Series_v1.4.
> >
> > It looks like the basic level of security wants a separate AD forest for
> > external authentication with a trust relationship to the corporate AD
> > forest
> > to preserve users' SSO experience.
> >
> > Because of the ports to be opened on the firewall to allow a trust relationship
> > between DMZ and Intranet, another way to achieve authentication is
> > shadowing
> > corporate identities to the external AD forest by the use of MIIS, or in
> > some
> > cases, if applications are claims-aware, with the deployment of ADFS to
> > federate identities of the 2 forests (ADFS proxy in the DMZ). This second
> > option does not require an AD trust relationship.
> >
> > An external forest can even allow mapping of digital certificates to
> > improve
> > authentication security (SSL/TLS) without requiring passwords to be
> > replicated
> > to shadowed accounts.
> >
> > According to this vision, the DMZ should be layered:
> > - the reverse-proxy to be placed in the DMZ (let's call it "outer DMZ")
> > - the external AD forest and SFTP server to be placed in the "production
> > zone" (let's call it "inner DMZ")
> > - the internal AD forest obviously to be placed in the Internal Zone (aka
> > "Intranet")
> >
> > Of course I am talking about an authentication framework that will be used
> > not only for FTP services, but ready to host additional application
> > servers
> > to be shared with external users.
> >
> > What's your opinion?
> >
> > Thanks,
> > Gabriele
> >
> >
> > "S. Pidgorny <MVP>" wrote:
> >
> >> 1) Internal network is better and
> >> 2) No. It's overengineering, thus the answer to 1.
> >>
> >> --
> >> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> >> -= F1 is the key =-
> >>
> >> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
> >>
> >> "Gabriel/TFI" <GabrielTFI@discussions.microsoft.com> wrote in message
> >> news:0BE705A4-30C0-46E5-A191-25306C1D4DB2@microsoft.com...
> >> > We need to implement an SFTP server that will be used by internal users
> >> > and
> >> > external customers to exchange files.
> >> > As a corporate policy, any connection coming from the internet has to
> >> > be
> >> > accepted and managed by a reverse proxy in the DMZ.
> >> >
> >> > Questions:
> >> > 1) Is it better to place the SFTP server in the Trusted Internal
> >> > Network
> >> > or
> >> > in the DMZ?
> >> > 2) The SFTP server supports Active Directory. Is it a good choice to
> >> > create
> >> > a DMZ-Extranet Forest and create a one-way trust to the internal AD?
> >> >
> >> > Ideas? Suggestions?
> >> >
> >> > Regards,
> >> > Gabriele
> >>
> >>
> >>
 
S. Pidgorny

Gabriel - unfortunately, worn-out clichés are still often considered
security requirements, thanks to IBM and the like, the companies
profiteering from your confusion (and implementing unnecessary and useless
infrastructure). Your mention of Sarbox is a good example: the
Sarbanes-Oxley Act is all about financial accountability and in no way does it
specify using firewalls. But it empowers auditors to come up with
arbitrary requirements for IT infrastructure.

Information security is all about common sense. If there's something that
looks too complicated, it is probably going to be part of the problem, not
the solution.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Gabriel/TFI" <GabrielTFI@discussions.microsoft.com> wrote in message
news:CF160538-4786-4B26-8B61-084957E9CB7F@microsoft.com...
> Svyatoslav, thanks for your comments.
>
> Secure network architecture and authentication, especially when secure
> external access is needed, is a big headache for me, due to my limited
> knowledge of this matter and to the much conflicting literature I find on the
> Internet.
> Very confusing.
>
> I even gave a look at IBM's vision of Enterprise Security Architecture.
> http://www.redbooks.ibm.com/redbooks/pdfs/sg246014.pdf
> Although the firewall zone is said to be obsolete by many sides, as you stated
> too, IBM's concept of network architecture still relies on firewall zones.
>
> My will to have separate ADs for internal and external users comes from my
> concerns about:
> 1) the security boundary in AD is the forest;
> 2) regulatory standards such as Sarbox or best-practice standards such as
> CoBIT: do all of these allow external users to be profiled in the
> corporate
> directory?
>
> As you can understand I am confused and lost! :-(
>
> Thanks for your support.
>
> Regards,
> Gabriele
>
>
>
>
>
> "S. Pidgorny <MVP>" wrote:
>
>> That is a reasonable architecture by Microsoft. Being more radical in my own
>> views, I'd prefer using a single domain. There are enough means to
>> segregate
>> different types of users within the domain. On the other hand, separate
>> domains give different account policies, admin authority and replication
>> boundary, which is more useful in big organisations.
>>
>> Yet there's one thing that's not justified: putting the external users in
>> the DMZ
>> and using a firewall to separate them from the internal space. You have
>> provided
>> reasons for that - and there are some more. Thinking of different domains
>> and identity management is the right thing to do; thinking in terms of
>> firewall zones is now obsolete.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>