
Thread: Upload files

  1. #1
    Senior Member
    Join Date
    Jul 2004
    Posts
    177

    Upload files

    Hi, we have here a web application that allows you to upload files. This application runs on a web server that is connected to a DMZ net with public addresses. Using a firewall rule this web server has mapped a drive to an internal server which is storing the documents. The uploads are made to a virtual directory that is pointing to the mapped drive. Actually, the firewall rule is allowing the NBT traffic between the web server and the "internal" file server... I don't think it is right to allow this kind of traffic between the DMZ and the internal net, but I don't know the right way... Can you help me?

    Thank you in advance!

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Any traffic that can be initiated from the DMZ to the trusted network isn't good.

    Maybe a better solution would be to have the files uploaded to a local folder on the DMZ server and have a scheduled job check from the trusted network to the DMZ server to see if any files are there. If they are it could kick off an FTP job, (for example), to pull and delete all files from the DMZ server. Then at least your task is started from within the trusted rather than from the DMZ.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Originally posted here by Tiger Shark

    Maybe a better solution would be to have the files uploaded to a local folder on the DMZ server and have a scheduled job check from the trusted network to the DMZ server to see if any files are there. If they are it could kick off an FTP job, (for example), to pull and delete all files from the DMZ server. Then at least your task is started from within the trusted rather than from the DMZ.
    We were thinking about it, but it has to be in "real time", because when a user is uploading something they want it to be available immediately, just like now...

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Available to whom, from where and how?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    This application is supposed to allow certain users to upload files which have to be available (the files) to the rest of the users. As I said, it is a web application, just like this forum, where I can post a file and you can download it.

    This web server has a public address and is accessible from the Internet and the corporate network. The file server that stores the files is accessible only from the corporate network and its content is published through the web server as I described in the first post.

    Am I more clear now?

    Thank you!

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Close....

    Are the corporate users on the internal network the only ones that should be able to see the files or should they be accessible to the corporate users from the public network too?

    Let me see if I can describe it to you......

    You have a web server publishing content that is available from the public network and the corporate network. Like AO you want users to be able to upload files from anywhere and those files should be available _only_ to the users on the corporate network.

    Is that close?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Not exactly... Where the users are has to be transparent. Users in both networks (corporate and public) have to be able to publish AND download files, wherever they are.... But only a few of them publish and the major part of them download. Probably it would be easier if my English were better...

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok, must these documents remain secure?

    Should the whole web site be only for the use of the corporate users whether they are inside the trusted network or on the public network? If this is the case then set some authentication on the site so they have to log in and move the file storage out into the DMZ.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    The site has been working for quite a long time. We have authentication and it's working fine.

    The reason to keep the files on a server which is in the corporate network is security. In case someone compromises the web server he/she shouldn't have access to the files.

    The files are on this server to provide NBT access from inside the network also, I mean that the users who are in the corporate network can access the files using the web application OR a shared folder on the server.

    Do you really think that it is secure to move the storage server to the DMZ?

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Do you really think that it is secure to move the storage server to the DMZ?
    Yes and no..... (Sorry, not helpful I know... but wait).

    It's sort of dependent upon the value in the documents and the value of whatever is stored on the trusted network.

    Potentially the documents are more secure on the trusted network but in having them on the trusted network you also have to open a potential hole from the DMZ to the trusted network. If the DMZ server is compromised then the documents become "public" if they are housed on the DMZ server. However, with the documents housed on the trusted network and a hole from the DMZ to the trusted, the potential is high that the DMZ server could still be compromised, but then not only the documents may be exposed but also the entire trusted network. You need to understand that the trusted network is exposed at this point and that the risk of "total exposure" is higher.

    Seems to me you are utterly stuck in the security/usability loop. You can't secure it without the users finding it more difficult to use and if you let them use it then you can't properly secure it....

    It _really_ bothers me to think that you would allow NBT access both directions through from the DMZ.... Unless you have it thoroughly locked down then you may as well not have a DMZ. Since the NBT travels both ways anyone on the DMZ server will be able to see so much of your internal network that finishing the compromise of your entire network wouldn't take someone too long.

    If these documents are the absolute key to your organization then the compromise of the entire network is no more damaging than the compromise of the documents alone. However if there are things of more value on the trusted network then, logically, the documents are the ones that should be "sacrificial" not the entire network.

    Since they are clearly of value then I think you need to think about an alternative, (even if it is more difficult to use), method of allowing your internal users access to the documents while still leaving them out in the DMZ or a method of getting them from the DMZ into the trusted network without the gaping security hole you are currently presenting an attacker. The second solution may involve a delay but that should still be preferable to a compromise.

    Any thoughts?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
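The pull model Tiger Shark suggests in #2 and comes back to in #10 (a job on the trusted side fetches the uploads out of the DMZ and then deletes them, so nothing is ever initiated from the DMZ towards the trusted network), as an added example that is not from this thread. Two local directories stand in for the DMZ drop folder and the trusted store (an assumption so it runs offline), and the size cap, the minimum file age and the name `pull_uploads` are assumptions as well; in production the copy step would be the FTP/SFTP pull the thread mentions, initiated from the trusted side.

```python
import hashlib
import shutil
import time
from pathlib import Path

MAX_BYTES = 50 * 1024 * 1024  # assumed per-file size cap; set to policy

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def safe_name(name: str) -> bool:
    # Only plain basenames: no separators, no hidden or relative names.
    bad = name in ("", ".", "..") or name.startswith(".")
    return not bad and "/" not in name and "\\" not in name

def pull_uploads(dmz_drop: Path, trusted_store: Path, min_age_s: float = 30.0) -> dict:
    """Trusted-side job: copy settled uploads out of the DMZ drop folder,
    verify each copy, and delete the DMZ original only after verification.
    Returns {"pulled": [...], "skipped": [...], "rejected": [...]}."""
    out = {"pulled": [], "skipped": [], "rejected": []}
    trusted_store.mkdir(parents=True, exist_ok=True)
    now = time.time()
    for entry in sorted(dmz_drop.iterdir()):
        name = entry.name
        # Refuse symlinks and odd names: the DMZ host is the untrusted side.
        if entry.is_symlink() or not entry.is_file() or not safe_name(name):
            out["rejected"].append(name)
            continue
        st = entry.stat()
        if st.st_size > MAX_BYTES or (trusted_store / name).exists():
            out["rejected"].append(name)          # too big, or would overwrite
            continue
        if now - st.st_mtime < min_age_s:
            out["skipped"].append(name)           # may still be uploading; retry
            continue
        dst = trusted_store / name
        shutil.copyfile(entry, dst)
        if sha256_of(dst) != sha256_of(entry):
            dst.unlink()                          # bad copy: keep original, retry
            out["skipped"].append(name)
            continue
        entry.unlink()                            # verified in trusted store
        out["pulled"].append(name)
    return out
```

Run it from cron on the trusted side at whatever interval is close enough to "real time" for the users; the DMZ host needs no route into the trusted network, only the inbound connection the scheduler opens.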
