0

I need to set in place a new ASP.NET MVC solution where authenticated users can download files (originally located on the internal network). For security reasons, accessing internal network from the DMZ is not recommended so I think of a way to 'copy' these files from the internal network to the DMZ once a day as described by the diagram below.

enter image description here

A. Files and folders are managed by someone connected with a computer inside the internal network.

B. Once a day files and folders are copied into the DMZ. These files are never copied back to the internal network.

C. Authorized users connect through internet to an ASP.NET MVC application. This application display lists of filenames filtered by folder names. Users can click filenames to download it.

Is this a good approach? Please note that files in question are not critical and can live inside the DMZ.

  • If this is a good approach, what is the best way to copy files and folders from the INTERNAL NETWORK to the DMZ?

  • If not, any suggestions?

Bronzato
  • 155
  • 2
  • 4
  • 7

1 Answers1

1

In the broad strokes, yes, what you want to do is "push" the files from the internal network to the DMZ (a session initiated from a computer on the internal network), rather than "pull" the files to the DMZ from the internal network (a session initiated from a computer on the DMZ network). This is the way the default rules on a lot of [hardware] firewalls are configured - traffic is permitted from more secure networks to less secure networks, but not the other way around, in general:

Internal -> DMZ -> external

You probably don't even have to limit the file transfers to once a day, so long as the DMZ is not allowed to initiate sessions into the internal network, there's no appreciable security threat from allowing continuous/real-time file "synchronization" from internal to DMZ. Your only real restriction would be not using a true synchronization or replication technology which requires communication from both sides (so something like DFS-R would probably not be a good choice). Even something as simple as a robocopy /MIR job running on the internal server sounds like it would work for your purposes.

HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
  • very instructive answer for me, thanks for this. I'll first analyse the suggested solution. Please note your `MIR job` target link is the same as `robocopy` target link (maybe a mistake from you). – Bronzato Jan 20 '15 at 14:49
  • @Bronzato That's just a link to the ss64.org page on robocopy. It lists all the options (including the /MIR option) and gives some examples. So, just a link to the robocopy documentation, not intended to be a link to a guide on robocopy /MIR, specifically... if such a specific guide even exists. – HopelessN00b Jan 20 '15 at 14:53