4 Replies Latest reply on Feb 15, 2012 11:29 AM by readysetgo

    Need help creating rules for SFTP inside DMZ

      I'm trying to set up an SFTP server inside our DMZ and am running into a problem.

      I've set up a rule that should allow inbound access from the public internet to an SFTP server inside our DMZ. However, whenever I try to connect to that SFTP server, rather than connecting to the SFTP server I want it to connect to, it SFTPs into one of our Sidewinder firewalls.

      This presents two problems:

      1) Troubleshooting this issue led me to realize that when you try to SFTP into ANY of our public IPs, it instead SFTPs into one of our Sidewinder firewalls. This is a big security problem and needs to be fixed. How can I disable SFTP access to our firewalls from outside our network but still allow SFTP access from within the network?

      2) How do I configure a rule to allow SFTP access to an SFTP server inside our DMZ? Resolving issue #1 may fix this, not sure.

      The rule I have set up that is supposed to pass SFTP traffic to our server in the DMZ is below...perhaps I've set it up incorrectly?

      General:

      • Action: Allow
      • Service: sftp (SSH Proxy)
      • Audit: Standard (recommended)

      Effective Times:

      • Time period: <Any>

      Source:

      • Burb: external
      • Endpoint: <Any>
      • NAT: localhost (Host)

      Destination:

      • Burb: external
      • Endpoint: External <site listed here>
      • Redirect DMZ <site listed here>
      • Redirect port: <Blank>

      TrustedSource:

      • NOT enabled

      Inspection:

      • Not used
      • IPS Signature group: <None>

      Authentication:

      • Authenticator: <None>

      Message was edited by: readysetgo on 2/15/12 8:24:36 AM CST
        • 1. Re: Need help creating rules for SFTP inside DMZ

          I was able to get issue #1 resolved by disabling the rule "External Secure Shell Server" listed under Firewalls > Sidewinder > Policy > Rules > Administration

          However, issue #2 still exists so I think there is a problem with the rule I've set up. I'll continue to work on this and update the ticket with the resolution if I'm able to figure it out on my own.

          • 2. Re: Need help creating rules for SFTP inside DMZ

            Issue #2 has now been resolved as well.

            The problem was actually with the Inspection, as it should have been set to "default (ssh)" and the level set to the one in the middle.

            Everything is now working.

            Hopefully somebody else with a similar problem will find this helpful to them.

            • 3. Re: Need help creating rules for SFTP inside DMZ
              PhilM

              You haven't mentioned which Firewall version you are running so my reply is going to be a little generic.

               

              You were correct in the fact that the external SSH server rule was getting in the way of your attempts to connect to the SFTP server. However, while you've now fixed it so that the SFTP service is working you won't be able to SSH to the Firewall any more. So, in essence, you've broken one thing in order to make the other thing work.

              The reason why it got in the way in the first place is because the SSH server process, by default, binds to the target interface in such a way that it listens on all available IP addresses. To overcome this problem you can use the file editor to open the /etc/ssh/sshd_config file. Near the top of the file you'll find a section which looks like this:-

              Port 22
              Protocol 2
              ListenAddress ::


              If you change it so that it refers to a specific external IP address on the firewall:-

              Port 22
              Protocol 2
              ListenAddress <external_IP>
              #ListenAddress ::


              you will then be able to use the SSH proxy service in tandem with the SSH server by bringing the SFTP connection in via an alias IP address on the Firewall.

              Though you haven't mentioned it, you also have the ability (using an SSH Application Defense entry) to control the SFTP connections through the Firewall so that you can stop external users from doing something like deleting files or directories on the SFTP server. Though I haven't looked at it in great depth you may also find that the correct use of the SSH application defense may fix problem #2. Certainly looking at your access rule definition, I can't see anything fundamentally wrong with it.

              -Phil.
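A small check an administrator could run over the sshd_config snippets in Phil's reply (an added example, not from the thread or from the Sidewinder product): it parses the ListenAddress directives and reports whether sshd would answer on every local address, which is the binding behaviour that let an SFTP connection to any public IP land on the firewall. The config text and the 203.0.113.10 external address are constructed placeholders.

```python
import re

# Host values that make sshd listen on every local address: the page's
# "ListenAddress ::" plus the IPv4 and wildcard spellings.
WILDCARD_HOSTS = {"::", "0.0.0.0", "*"}

def listen_addresses(config_text):
    """Return the ListenAddress values sshd would honour, in file order.

    A line whose first non-blank character is '#' is a comment (that is how
    the reply's '#ListenAddress ::' line is disabled); keywords are
    case-insensitive, so 'listenaddress' and 'ListenAddress' both match.
    """
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "listenaddress":
            found.append(parts[1].strip())
    return found

def host_part(value):
    """Strip an optional port from a ListenAddress value ('[::1]:22', '10.0.0.1:22')."""
    m = re.match(r"^\[([^\]]+)\](?::\d+)?$", value)  # bracketed IPv6, maybe with port
    if m:
        return m.group(1)
    if value.count(":") == 1:  # IPv4 address or hostname followed by :port
        return value.split(":", 1)[0]
    return value  # bare IPv4, hostname, or bare IPv6 such as '::'

def binds_all_addresses(config_text):
    """True when sshd would answer on every IP, including NAT'd public ones.

    No ListenAddress at all means sshd's default, which is every local address.
    """
    hosts = [host_part(v) for v in listen_addresses(config_text)]
    if not hosts:
        return True
    return any(h in WILDCARD_HOSTS for h in hosts)

# Constructed samples mirroring the two snippets in the reply above; the
# external IP is a documentation-range placeholder, not a real address.
BEFORE = "Port 22\nProtocol 2\nListenAddress ::\n"
AFTER = "Port 22\nProtocol 2\nListenAddress 203.0.113.10\n#ListenAddress ::\n"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "binds all addresses:", binds_all_addresses(cfg))
```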

              • 4. Re: Need help creating rules for SFTP inside DMZ

                Thanks Phil, this is some great information. I'm going to look into what you've said and see about getting things set up so that everything will work.


                I appreciate your assistance in this issue.