
How can I copy files SECURELY from the Internal network to the DMZ

Status
Not open for further replies.

salibas007

IS-IT--Management
Feb 10, 2004
7
CA
alright people, I REALLY need some advice on this one.. Here is the scenario.

We have external partners that are connecting to a web site sitting in the DMZ. There is a local authentication that happens on the web site (using some sort of database for validation). Once the user is authenticated, we would like to present him with the possibility of running a script that will connect to a file server on the internal network, get a bunch of files and send them to the client WITHOUT having a copy of the files sit on the web server. (I guess the script would copy the files and paste them at the client's side???)

My questions are as follows:

1) What process can send to the client the files without 1st copying them to the web server ? copy / paste ?? (FTP is not really a viable option)

2) What ports do I need to open between the web server (DMZ) and the file server (internal network) on my PIX to allow a file copy from a server in a more secure to a less secure interface?? I assume I need TCP 137, 138 & 139 ?? Anything else ??

Thanks for all your answers....

Sam
 
Depending upon the OS of your web server, you could use the secure copy program (scp) if you're running Unix or Linux. Otherwise, you could install and run cygwin on NT and then use the scp utility packaged with that. It's better than cracking open FTP or telnet and you can create and use scp-specific accounts for transferring the files.
 
1st of all, thank you for your answer, I think it's putting me on the right path. For the OS, I am running Windows 2000 with IIS 5.

I don't understand exactly your answer though... CYGWIN will provide me with an SCP application which can be used to copy files from my internal file server to the client's local PC ???? if that's the case, how will the files be copied ?? using what ports ??? netbios ??? a specific port ???

thanks so much
 
First, you should install and familiarize yourself with Cygwin:
It's a Win32 unix emulator that runs posix-compliant applications and utilities for linux and unix. It can be *very* handy when used properly.

As for scp, it uses an SSH connection to transfer files securely. Here is the man page:

SCP(1) System General Commands Manual SCP(1)

NAME
scp - secure copy (remote file copy program)

SYNOPSIS
scp [-pqrvBC46] [-F ssh_config] [-S program] [-P port] [-c cipher]
[-i identity_file] [-o ssh_option] [[user@]host1:]file1 [...]
[[user@]host2:]file2

DESCRIPTION
scp copies files between hosts on a network. It uses ssh(1) for data
transfer, and uses the same authentication and provides the same security
as ssh(1). Unlike rcp(1), scp will ask for passwords or passphrases if
they are needed for authentication.

Any file name may contain a host and user specification to indicate that
the file is to be copied to/from that host. Copies between two remote
hosts are permitted.

The options are as follows:

-c cipher
Selects the cipher to use for encrypting the data transfer. This
option is directly passed to ssh(1).

-i identity_file
Selects the file from which the identity (private key) for RSA
authentication is read. This option is directly passed to
ssh(1).

-p Preserves modification times, access times, and modes from the
original file.

-r Recursively copy entire directories.

-v Verbose mode. Causes scp and ssh(1) to print debugging messages
about their progress. This is helpful in debugging connection,
authentication, and configuration problems.

-B Selects batch mode (prevents asking for passwords or
passphrases).

-q Disables the progress meter.

-C Compression enable. Passes the -C flag to ssh(1) to enable compression.

-F ssh_config
Specifies an alternative per-user configuration file for ssh.
This option is directly passed to ssh(1).

-P port
Specifies the port to connect to on the remote host. Note that
this option is written with a capital `P', because -p is already
reserved for preserving the times and modes of the file in
rcp(1).

-S program
Name of program to use for the encrypted connection. The program
must understand ssh(1) options.

-o ssh_option
Can be used to pass options to ssh in the format used in
ssh_config(5). This is useful for specifying options for which
there is no separate scp command-line flag. For example, forcing
the use of protocol version 1 is specified using scp
-oProtocol=1.

-4 Forces scp to use IPv4 addresses only.

-6 Forces scp to use IPv6 addresses only.

DIAGNOSTICS
scp exits with 0 on success or >0 if an error occurred.

AUTHORS
Timo Rinne <tri@iki.fi> and Tatu Ylonen <ylo@cs.hut.fi>

HISTORY
scp is based on the rcp(1) program in BSD source code from the Regents of
the University of California.

SEE ALSO
rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
ssh_config(5), sshd(8)

BSD September 25, 1999 BSD
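Added example (not code from this thread or from Cygwin/OpenSSH): a small wrapper that a web-side script on the DMZ host could call to pull one named file from the internal file server with the scp described in the man page above. The hostname, the transfer-only account, the key path and the export directory are assumptions. It builds on two points the thread raises: scp runs over ssh, so the PIX rule between the DMZ web server and the internal file server is TCP/22 only and the NetBIOS ports 137-139 stay closed; and scp always writes a local copy, so the example also shows a ssh "cat" variant that streams the bytes to stdout, which goes beyond the thread's scp suggestion but matches the original wish of never staging the file on the web server. The file name comes from the partner's request, so the wrapper validates it before splicing it into a remote path.

```shell
#!/bin/sh
# Added example, not code from the thread: a wrapper that a web-side script on the
# DMZ host (e.g. under Cygwin on Windows 2000, as suggested above) could call to
# pull one named file from the internal file server over SSH.
# Assumptions (not from the thread): hostname, account name, key path, export dir.
# Network point: scp rides on ssh, so the PIX only needs TCP/22 from the DMZ web
# server to the internal file server. NetBIOS/SMB ports 137-139 stay closed.

FILE_SERVER="fileserver.internal.example"   # assumed internal file server
XFER_USER="xfer"                            # assumed dedicated transfer-only account on the file server
IDENTITY="/etc/webapp/xfer_key"             # assumed private key, readable only by the web app account
EXPORT_DIR="/export/partners"               # assumed directory the xfer account is allowed to read

# safe_name NAME: accept only a plain file name. Rejects empty names, anything
# containing a slash (path traversal such as ../), names starting with "." or "-",
# and any character outside [A-Za-z0-9._-], so the name is safe to splice into a
# remote path. Returns 0 if acceptable, 1 otherwise.
safe_name() {
    case "$1" in
        ''|*/*|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# scp_cmd NAME DEST: print the scp command line the wrapper would run, without
# running it (useful for logging and for unit tests).
#   -B  batch mode: never prompt; the key must work unattended
#   -P  explicit port 22 (the only port the firewall needs to pass)
#   -i  dedicated key, not the web server's own
#   -o StrictHostKeyChecking=yes  refuse to talk to a host whose key is not already
#       in known_hosts, so a spoofed "file server" cannot collect the key or files
scp_cmd() {
    safe_name "$1" || return 1
    printf 'scp -B -P 22 -i %s -o StrictHostKeyChecking=yes %s@%s:%s/%s %s\n' \
        "$IDENTITY" "$XFER_USER" "$FILE_SERVER" "$EXPORT_DIR" "$1" "$2"
}

# fetch_file NAME DEST: validate, then run the transfer. scp always writes a
# local copy at DEST; use stream_file if the bytes should go straight to the client.
fetch_file() {
    safe_name "$1" || { echo "rejected file name: $1" >&2; return 1; }
    scp -B -P 22 -i "$IDENTITY" -o StrictHostKeyChecking=yes \
        "$XFER_USER@$FILE_SERVER:$EXPORT_DIR/$1" "$2"
}

# stream_file NAME: same validation, but instead of scp, run "cat" on the file
# server over ssh and let the bytes flow to stdout. A CGI on the web server can
# pipe this into the HTTP response so no copy of the file ever lands on the DMZ
# disk, which is what the original question asked for. This goes beyond the
# thread's scp suggestion; the ssh options mirror the scp ones above.
stream_file() {
    safe_name "$1" || { echo "rejected file name: $1" >&2; return 1; }
    ssh -p 22 -i "$IDENTITY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$XFER_USER@$FILE_SERVER" "cat $EXPORT_DIR/$1"
}

# Stand-alone use: ./pull.sh NAME DEST   (copy)   or   ./pull.sh NAME -   (stream)
if [ "$#" -eq 2 ]; then
    if [ "$2" = "-" ]; then stream_file "$1"; else fetch_file "$1" "$2"; fi
fi
```

The validation is the part that matters on the web side: everything after it is a fixed command with the file name as the only variable piece. On the file server side the xfer account should have no rights beyond reading EXPORT_DIR, so that even a compromised DMZ host can only read the files the partners were going to receive anyway.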
 
so does that mean that with SCP running on my web server, I'd allow an SSH connection through the FW, (from the Web server to the file server), and that it will copy the data over SSL ?? no netbios ???
 