1.  Home
  2. MIDRANGE-L
  3. February 2004

RE: trading partner security

If the partner owns all the addresses in the range you are opening, perhaps
it is not as big a security issue.  Although even if they do, you are
allowing anyone from that company to at least connect to your AS400 and TRY
to FTP.

I am not really clear on why it is a security risk for them to provide you
with an IP that they will be coming from.  They should not need to allow any
traffic from you in to them as long as they are initiating the FTP.  They
would start the session and your firewall would let them enter and pull data
back to them, all within the session they started.  There would be no need
for a firewall rule to allow you to connect to them.

As someone else mentioned an intermediate server may be an option, but even
that needs to be 'open' to the outside and I am not so sure I'd want a
Windows sever being my FTP server, unless you put it in a DMZ type area of
your LAN where people can get in to it, but if it is compromised, they
cannot get further back in to your LAN.  Many firewalls have this type of
feature to allow LAN traffic to talk to the DMZ zone (for you to put your
file out to the server), but DMZ machines are not allowed to talk back in to
the LAN.  Linux server would also be a possibility and much easier to lock
down and less vulnerable for sure.  But if I were using an intermediate
server, I'd try my best to set it up as I suggested, away from your LAN.

Brian

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Jim Franz
Sent: Wednesday, February 18, 2004 11:20 AM
To: MIDRANGE-L@xxxxxxxxxxxx
Subject: trading partner security


A trading partner wants to use ftp to get a daily file off our ifs, but
is adamently refusing to specify a single ip they are coming from,
saying that is a security risk to them, and has given us 3
ranges totalling over 700 addresses. I don't have a problem
but our firewall person is freaked and refuses. I assume they
have a herd of routers and servers in their farm.
note: partner is defense related. 400 has decent ftp exit control.
should i worry?
jim
_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.