Best way to secure FTP Server for authenticated users only !

[zaib]

Assalam Alaekum, Dear LP Members,

I need a suggestion.

Network ip setup is.

Users LAN = 10.10.0.0/8

SQUID PROXY+GW = 192.168.1.1
MT WAN IP = 192.168.1.2 , GW=192.168.1.1 [Squid]
MT LAN IP = 10.10.0.1
DMASoftlab RADIUS = 10.10.0.2


(When user connects via vpn dialer in order to use internet service, he gets 172.16.0.0/16 ip series & then all user/MT data NAT/forwarded to Squid)

FTP Server ips = 10.10.0.5 (WIN2003, Main http WEB site for sharing Media)
FTP Server ips = 10.10.0.6 (WIN2003, FTP1 for VIDEOS,MP3 etc)
FTP Server ips = 10.10.0.7 (WIN2003, FTP2 for VIDEOS,MP3 etc)

The setup shown in the attached picture also have 3 FTP servers to serve around 1000-1500 users (5 TB sharing media)
What is the best way to secure FTP Server? means only authenticated users should be able to access the FTP server.

What can be done so that only vpn connected users should be able to connect to FTP server.

One idea was to add another LAN card in MT with 172.16.0.0 series or 10.10.0.x and put all FTP servers behind Mikrotik (in DMZ environment), but this would create a lot of of load on Mikrotik (5TB sharing access), Any better solution?


Regards,
ZAIB

[mudasir]

Salam Zaib bhai,

Normally at this level using local ips for VPN is not a very good idea...and if using so then securing FTP site can be a bit headache.

At this level normally live ips are used for VPN users for many different purposes. Also if live ips are used then you can simple install a simple firewall at FTP server and only allow live ips not local ips, and by doing this you can secure your server. but this will create another issue for you related to bandwidth from FTP server.

[zaib]

Salam Zaib bhai,

Normally at this level using local ips for VPN is not a very good idea...and if using so then securing FTP site can be a bit headache.At this level normally live ips are used for VPN users for many different purposes. Also if live ips are used then you can simple install a simple firewall at FTP server and only allow live ips not local ips, and by doing this you can secure your server. but this will create another issue for you related to bandwidth from FTP server.

Dear Mudasir,

You are absolutely right, this was the first thing that cam into my mind when designing the network , usually at this level, using local ips are not a good choice. Using Live ip's saves you from many hurdles like Web Logging, Sharing Security etc etc.But as the 'Operator' is not willing to use live ip's at a moment, So I guess I have to stick with the 'FTP behind MT DMz' option.

The operator demand is to setup FTP on Windows Server. I guess I have to do some googling if IIS FTP authentication can be done via FREERADIUS. Any Idea on this ?


I have to search if there is a way that IIS can authenticate with FREERADIUS ?? any idea

[zaib]

I moved on to Linux base sharing server. Using Apache with FREE-RADIUS as authentication method.

Maybe this will help some one . . .

http://aacable.wordpress.com/2011/09/29 ... -optional/