More Secured

Guest

Hi All,

Can someone please tell me what is more secured, FTP or NETBIOS?
What I am trying to do is: I have a webserver in DMZ. I want my internal users
to be able to connect to the server in a most secured way possible.
I have 2 options
1. Give a static IP address to the end user and set up a firewall rule to allow
from source and destination using netbios
2. Give a static IP address to the end user and set up a firewall rule to allow
from source and destination using ftp connection.
3. I am open for better idea.
Which is the best and secured way to do it? (Security 1st priority, ease is
2nd priority.)
Please help.

Thanks
 
Steven L Umbach

If you can give the users anonymous access then use FTP, otherwise their
passwords will go over the network in plain text to the ftp server. NBT
would not allow passwords to be in clear text but then you would have to
enable file and print sharing on the web server which is not a good idea to
do if it can be avoided. If your computers are all Windows 2000/2003/XP Pro
you could create an ipsec policy for connections between the server and the
internal users using kerberos for computer authentication if in a domain
[dmz computers normally are not] or pre shared key or certificates if not.
Pre shared key authentication should not be used if at all possible and it
is not hard to set up a Certificate Authority on the network to issue
certificates for computer or ipsec. The ipsec policy could be configured on
the web server to require ipsec encryption via ESP for all connections on
that adapter, for a particular protocol, or from the lan subnet and the
clients could be configured with a client/respond policy. Domain controllers
must be exempt from any ipsec policy that would require communications with
domain members which can be done with a rule for the ipsec policy that has
filters with the IP addresses of the domain controllers and a permit filter
action. Ipsec would protect users' passwords to an ftp connection and allow
the firewall to be configured with just a few rules. The links below may
help. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
-- ipsec step by step.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/ispstep.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;233256
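
Added example, not part of Steve's post or the linked Microsoft guides: a sketch of the server-side policy he describes (require ESP from the LAN subnet with certificate authentication, plus a permit rule exempting a domain controller), assuming the `netsh ipsec static` context of Windows Server 2003. The policy name, subnet, DC address and root CA name are placeholders.

```batch
@echo off
rem Added example. Every name and address below is a placeholder, not a value
rem from the thread.
set POLICY=DMZ-Web-Require-ESP
set LAN_NET=10.0.0.0
set LAN_MASK=255.255.255.0
set DC_IP=10.0.0.10
set ROOT_CA=CN=Example Internal Root CA

rem Create the policy unassigned so it cannot cut off access half-built.
netsh ipsec static add policy name="%POLICY%" description="Require ESP from LAN" assign=no

rem Filter list: LAN subnet to and from this server, all protocols.
rem Matching on the subnet rather than on TCP 21 alone keeps the FTP data
rem channel inside the protected traffic as well as the control channel.
netsh ipsec static add filterlist name="LAN-to-Web"
netsh ipsec static add filter filterlist="LAN-to-Web" srcaddr=%LAN_NET% srcmask=%LAN_MASK% dstaddr=me protocol=ANY mirrored=yes

rem Filter action: negotiate ESP, refuse unsecured inbound (inpass=no) and
rem refuse fallback to clear text with non-IPsec peers (soft=no).
netsh ipsec static add filteraction name="Require-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem Rule: certificate authentication, for a server that is not a domain member.
netsh ipsec static add rule name="LAN-ESP" policy="%POLICY%" filterlist="LAN-to-Web" filteraction="Require-ESP" kerberos=no rootca="%ROOT_CA%"

rem Exemption: permit traffic to the domain controller without IPsec. The
rem single-address filter is more specific than the subnet filter, so it wins.
netsh ipsec static add filterlist name="Domain-Controllers"
netsh ipsec static add filter filterlist="Domain-Controllers" srcaddr=me dstaddr=%DC_IP% protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Permit-Clear" action=permit
netsh ipsec static add rule name="DC-Exempt" policy="%POLICY%" filterlist="Domain-Controllers" filteraction="Permit-Clear"

rem Assign only after every rule is in place.
netsh ipsec static set policy name="%POLICY%" assign=y
```

The developer workstations would carry the built-in client/respond policy mentioned in the post, and each machine needs a computer certificate chaining to the same root CA.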
 
Roger Abell

Your question really cannot be addressed, as we would have to
assume the use. More secured, or safer, or less vulnerable, is not
just a from here to there issue but an enabled to do X issue.
We can assume from what you said that you are speaking of
having the webserver on two, disjoint networks, hence the
traffic would not be visible in any form on the outer network,
but you gave us no clues of usage.
Example.
Is your question for file upload/write? or only fetch/read?
I assume upload/write.
Unless you invest in secure FTP products/cert then use of
FTP _may_ present user credential theft vulnerability on
the internal network - how much do you trust those in a
position internally to do this?
Also, how are you doing backup of the machine? Is it
to a remote backup server? If so, many of those require
that you have file shares already happening. In that case
one really should look at the change of exposure, not just
at what is more exposed.
What is wrong with use of an http based upload/publishing
instead of the two you have mentioned?
 
Guest

Good points Roger, I am talking about access for our web developer, who is
within the same network (internal users). We are very security conscious and want
to make sure nobody other than the developer can access the server. Yes,
backups are done remotely (we are working to do it locally).
This developer will need read/write access but only internally. Our manager
does not want any netbios open for the server sitting in DMZ. Any further
suggestion will be great.

Thanks
Ann
 
Roger Abell

Have you folks considered a "pre-production" webserver?

This is one to which the web developer can publish, likely
with a master of the current public website(s), and also with
the "next version" under development.

At some point the web dev goes through a sign-off, usually
with a code freeze and the quality check, at which point the
changes are released for staging out to the DMZ production
website (not by the dev).
 
