
We are investigating solutions to the following problem:

We have external (Internet) users who need access to sensitive information. We could offer it to them via SFTP which would offer a secure transport method.

However, we don't want to maintain the data on the server, as it would then reside in the DMZ.

Is there an SFTP server that has "copy on access" such that if the box in the DMZ were to be compromised, no actual data resided on that box?

I am envisioning an SFTP Proxy or SFTP passthrough. Does such a product exist currently?

ChronoFish
  • You want a server that can access sensitive data, unless it's compromised, at which point it should no longer be able to access the data? How are you envisioning accessing the data (SMB, NFS, etc)? Are you looking for SFTP or FTPS; or open to either? – Chris S Sep 21 '10 at 16:17
  • SFTP: I'm envisioning a public SFTP server that stores no data locally. When a user lists the files he has access to, the listing would be generated from a listing of an internal server. When a user selects to retrieve a file, the SFTP would stream the data from an internal server. At the OS level of the SFTP server there would be no "directory" to list and no files to view. – ChronoFish Sep 21 '10 at 16:53

5 Answers


Sounds like using HTTPS rather than SFTP would be the way to go. Run an HTTP proxy on a DMZ server and keep the data on an internal web server. If a user compromises the DMZ server and gets a shell, they won't have access to the data. They will find out about the proxy, but if you use basic auth they won't be able to access the data.

Mark Wagner
  • An SFTP proxy would achieve the same level of security. Feel free to choose the underlying protocol that best suits your users. – Ladadadada Nov 02 '10 at 14:06


Globalscape EFT server with the DMZ gateway does exactly what you are asking for

http://globalscape.com/eft/

Elvar

If you want to transfer restricted data to the Internet, the solution is not necessarily to give them access to the restricted network segment via the Internet. In fact, I would strongly discourage it as you describe it. What you ask is actually quite complicated to implement in a responsible manner.

For illustration, you have two network segments. A DMZ and a private network. Databases live in the private and Web servers live in the DMZ. For security purposes, you fully restrict access to and from the private network using a firewall. If the DMZ is compromised and the authentication data is stored on the server, the cracker will be able to access the restricted data.

This is where encryption requirements and key management techniques come into play, examples of which are given in the PCI DSS. If you do not have an advanced encryption architecture, you will still risk the data in case of compromise, even if it is not stored in the DMZ.

You could potentially implement an ETL and batch out the data. Often, this solution dictates a need to have the data encrypted using strong encryption and then transferred via your preferred protocol. Once the data is encrypted, the methods used to transfer it can be substantially more flexible.

Your exact situation is going to dictate how much effort is made to establish a production-worthy solution. If you are dealing with a one-off request, you might be best off manually satisfying it via a tool such as GnuPG. Otherwise, you might need to build, find or buy an application. An approach that is becoming more common is using a Web application to satisfy the security requirements, while still allowing the data to be accessible to those with less technical knowledge.

Warner

BTW, it is easy enough to make an SFTP proxy if you don't need any features beyond port forwarding. You could use netfilter (http://kreiger.linuxgods.com/kiki/?Port+forwarding+with+netfilter), fwtk (http://sourceforge.net/projects/openfwtk/), or even SSH port forwarding.

Mark Wagner
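As an added illustration (constructed here, not code from anyone in this thread), this is the port-forwarding-only "SFTP proxy" the answer above describes, written as a small asyncio TCP relay; the hostname in INTERNAL_SFTP is a placeholder. The security property is the one the question asks for: no files and no SSH keys live on the DMZ box, because the SSH session is negotiated end to end between the external user and the internal server. The caveat is that a plain relay cannot authenticate or filter users, so the internal host must accept port 22 only from the relay and still does all authentication and authorization itself.

```python
"""DMZ "SFTP proxy" that is only a TCP relay to the internal SFTP host (constructed
example; INTERNAL_SFTP is a placeholder). No files or keys live here: SSH is negotiated
end to end, so a compromised relay sees connection metadata and ciphertext only."""
import asyncio
INTERNAL_SFTP = ("sftp-internal.example", 22)  # placeholder for the internal host

async def _pump(reader, writer):
    """Copy bytes one way; half-close the far side when this side reaches EOF."""
    while chunk := await reader.read(65536):
        writer.write(chunk)
        await writer.drain()
    if writer.can_write_eof():
        writer.write_eof()

async def handle(client_r, client_w, target):
    """Relay one external connection; the only thing the DMZ box logs is metadata."""
    print(f"relay: {client_w.get_extra_info('peername')} -> {target}")
    try:
        up_r, up_w = await asyncio.open_connection(*target)
    except OSError:          # internal host unreachable: drop the client, nothing leaks
        client_w.close()
        return
    try:
        await asyncio.gather(_pump(client_r, up_w), _pump(up_r, client_w))
    finally:
        up_w.close()
        client_w.close()

async def serve(listen=("0.0.0.0", 22), target=INTERNAL_SFTP):
    server = await asyncio.start_server(lambda r, w: handle(r, w, target), *listen)
    async with server:
        await server.serve_forever()

async def _roundtrip(payload):
    """Self-test: an echo server on localhost stands in for the internal SFTP host."""
    async def echo(r, w):
        w.write(await r.read()); await w.drain(); w.close()
    backend = await asyncio.start_server(echo, "127.0.0.1", 0)
    b_port = backend.sockets[0].getsockname()[1]
    relay = await asyncio.start_server(
        lambda r, w: handle(r, w, ("127.0.0.1", b_port)), "127.0.0.1", 0)
    r, w = await asyncio.open_connection("127.0.0.1", relay.sockets[0].getsockname()[1])
    w.write(payload); await w.drain(); w.write_eof()
    data = await r.read()           # reads until the relay half-closes toward us
    w.close(); relay.close(); backend.close()
    return data

def relay_roundtrip(payload: bytes) -> bytes:
    """Push `payload` through the relay to the echo backend and return what came back."""
    return asyncio.run(_roundtrip(payload))
```

In production you would run serve() under a service manager on the DMZ host and restrict the internal firewall to the relay's address; relay_roundtrip() exists only to exercise the relay locally.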

Jscape has an SFTP reverse proxy that should do what you want. See http://www.jscape.com/reverseproxy/index.html.

Kenster