This is Part 13 on Securing Your WHS & Network, this part identifies the risks and vulnerabilities that are associated with using FTP Internet protocol. FTP permits internet users to upload or download files to or from a FTP server. The Windows Home Server can be configured to function as a FTP server. Several alternatives methods are presented and can be considered prior to considering the installation of a FTP server.
FTP or file transfer protocol is used to exchange files from one computer to another. The protocol requires a server that is running the FTP service to listen for requests from FTP clients on Internet port 21. The actual transfer of files uses Internet port 20. Access to files via FTP often requires user authentication. However, the user name, password, and files that are transferred have no security because the protocol does not support encryption. It is highly possible to gain access to the user name and password by analyzing the data traffic between the FTP server and client computer.
Windows Home Server does not directly support FTP. Windows Server 2003 supports a FTP server as a component of the Microsoft Internet Information Services or IIS. Since Windows Home Server is based on Windows Server 2003, many of the FTP Add-In programs install IIS as a method to use the FTP service on the home server.
The result is that a functional FTP service is available. Two major vulnerabilities exist as a result.
The administrator must be aware of these vulnerabilities and invoke the necessary safeguards to manage these threats. Files that are available for FTP must be secured according to Windows Home Server's security model, and anonymous user connections cannot be permitted. Still, a possibility exists that a person using an FTP client may be able to access files that should be restricted.
WHS has a built-in file exchange capability that uses authentication and a Class 3 security certificate level of encryption. This capability is explained in Part 10. Part 11 identifies methods to allow limited access to family and friends.
The way WHS has implemented remote file access results in a significantly safer method to exchange files as compared to FTP. We recommend using this alternative when file exchange is required.
Parts 10 and 11 identified the threats that are associated with permitting users to upload files to the WHS. Files could be infected by viruses or malicious software programs. Usually the WHS does not have anti-virus software installed. Infected files could affect network performance or control the computer to distribute the malicious program throughout the Internet. We strongly recommend that a firewall router that is capable of deep packet inspection and virus detection be used.
Files from Internet users can be attached to email messages and addressed to the administrator. This alternative should be considered if anti-virus software is not installed on the WHS or if the router does not support virus detection.
The advantage is that the administrator has full control of the files that are added to the WHS. The anti-virus program on the administrator's computer can identify any malicious programs or viruses that may be embedded in the file. The added effort for the administrator to manage files added to the WHS may be considered to be a disadvantage. We recommend this alternative if the frequency and number of files is low.
There may be situations when a dedicated FTP server is deemed to be necessary. There are several FTP server solutions that are Operating System independent or Linux based. Many of these solutions are available at no cost; however, some server software features may be limited.
We recommend that the FTP server be placed in the DMZ or demilitarized zone. Also, do not permit anonymous or unauthenticated users to upload files to the FTP server. Hackers have quickly discovered that FTP servers that permit anonymous access are a very efficient method to spread their malicious programs and files that contain viruses. It is possible that their spybot program can be launched and use the FTP server to distribute the files or to collect personal information. The following is an example of highly suspicious files that reside on a public news server.
The administrator should periodically review the files uploaded to the server to identify any files that can be a threat. Log files should be reviewed to analyze usage patterns and to detect unauthorized use. If possible, external access to the FTP server should be restricted by using a secured VPN connection only.
The router must be configured so that the FTP server can respond to Internet user file transfers and to ensure that the FTP server and other network resources are properly protected from attacks and abuse. A secured environment to insulate the FTP server from the rest of the network must be created. This environment is usually called a DMZ. The FTP server must be defined as a network resource. Finally, a rule for the FTP service is defined. The following displays the configuration of a SonicWALL TZ-180 router.
The network zone for a DMZ is preconfigured in the router by default. To establish a route to the DMZ, a network interface is necessary. To configure the DMZ, click Network, then click the Interfaces option, and click the Add PortShield Interface... button. In our example we entered Public Servers for the interface name, 192.168.150.1 as the IP address, and 255.255.255.0 as the subnet mask. Select DMZ as the zone and Static as the IP assignment. Click the OK button to save the interface settings.
The computer that is used as the FTP server must be defined as an address object. Click Network, then the Address Objects option, scroll to the bottom of the Address Objects table, and click the Add... button. In our example, we entered FTP Server for the name and 192.168.150.30 for the IP address. Select the DMZ option for zone, and Host for the type. Click the OK button to save the configuration.
Note that the FTP server has an IP address in a different subnet 192.168.150 as the subnet that is assigned to the LAN 192.168.145. This is done on purpose to restrict the Internet traffic to the servers in the DMZ.
A static internal IP address is configured for the FTP server. Click Network, then click the DHCP Server option, and click the Add Static button. In our example, we entered FTP Server for the entry name, 102.168.150.30 as the IP address, 00-14-22-49-bd-7b as the Ethernet address. We selected DMZ Zone interface option and 192.168.150.1 option for the gateway. Click the OK button to save the static IP configuration for the FTP server.
The FTP service uses port 21 to listen for FTP requests. To allow computers to connect to the FTP server via the Internet, an inbound rule must be defined in the router for the FTP service. This rule permits the router to forward FTP traffic to the FTP server for it to respond. The five major components to the rule are as follows.
To create the rule, first click the Firewall and then the Access Control option, then click on the configuration icon at the intersection of WAN and LAN.
Next, click the Add... button and select the choices for service, source, destination, users, and schedule as follows. Enter a comment and click the OK button to save the FTP rule.
Home Server Land does not recommend installing FTP Add-In programs and using the WHS as a FTP server. Implementing a solution that is based on any of the three alternatives should be considered prior to using your WHS as a FTP server. However; there may be situations where the WHS administrator deems it appropriate to install an Add-In product for FTP.
The FTP service that is used by the Add-In should not permit anonymous user connections. The following illustrates that anonymous connections are not permitted.
We at Home Server Land make the following recommendations to enhance the security of computer and your privacy as it applies to using FTP.
This blog identified threats that are associated with FTP. If a FTP server is deemed necessary, consider the increased threats that are associated with the use of FTP. The security plan should be updated to identify threats specific to your WHS and network and address methods to resolve the threats. We have developed the FTP Threats Risk Assessment to assist with the identification and methods that can reduce threats we identified. The Threat and Risk Assessment Worksheet can be used to document the threats that have been identified and used as a basis to manage them. Both documents are attached at the end of this blog.
This concludes Part 13 of Securing Your WHS & Network. We identified the risks and vulnerabilities that are associated with managing a FTP server. Although the WHS can be configured as a FTP server, there exists a considerable number of threats that the WHS is not designed to address. We suggested several alternatives that can be used to discourage the need for using the WHS as a FTP server. The WHS remote file access method should be used as the most secure method to transfer files.
In Part 14, we will identify threats associated with hosting email. We identify the administrator's role at it relates to email administration. We explain how to configure the router to maintain the highest level of securing the WHS and the network.
In the meantime, we look forward to your questions and discussion in response to this blog.
Part 16 will address the threats and security compromises that are associated with Windows Home Server Add-In products. I would like to ask for your help with this part. If you would want a particular Add-In included, I would appreciate your suggestions. If you have had any experiences with an Add-In, I would appreciate them. Just enter your ideas in the box below.
The continuation of this series is great but I would suggest a better master index TOC.
We actually have one www.homeserverland.com/.../securing-your-whs-network.aspx
It is a little difficult to find. I will see if we can get a link to display.