Hello
The scenario is that we have an IIS 7.5 Windows 2008 R2 box ("IIS Box"), and on that box we want to configure a single FTP site.
The FTP site will use the Basic Security option (no Anonymous access)
The IIS Box sits behind a wholly-independent managed firewall appliance from a leading vendor. We trust the managed firewall and its configuration, and as such, Windows Firewall is completely disabled on the IIS Box. The managed firewall is configured to NAT 1-1 from private to public IP addresses.
Ideally, I would have liked to have configured a policy on the managed firewall to allow all traffic through based on a specific source IP address, since the FTP clients to access the FTP site are well-known to us and we are not giving access to very many clients. Unfortunately this is not an option because the clients who are requesting access do not have static IP addresses.
We also believe that establishing a Site-to-Site VPN and running the FTP within that, is not an option.
What we are considering having to do, therefore, is to configure the managed firewall to allow FTP protocol through, regardless of the source IP address associated with the connection. i.e. Everyone can establish the connection, and we rely upon the Basic FTP security mechanism built in to IIS to protect us.
I do not think this is ideal but it should be only a short term arrangement and we will ensure that the Physical Directory that can be accessed through the service leaves a reasonably narrow scope in terms of potential attack / abuse
The question I have before I proceed with this, concerns the need for Passive FTP Data Channel ports.
Clearly, to make this work, I will have to specify within the IIS settings, which ports to use. Let's say for example that I go for ports 10000-11000.
Q1. My understanding is that I need to configure the managed firewall to permit INBOUND connections to the IIS box targeting ports 10000-11000, 20, and 21. Is that right?
Q2. If I do, I then have a situation where my firewall is going to allow all connections through on those ports, and since this firewall is NOT application-aware, it won't care whether they are being used for FTP or anything else. It will simply let ALL connections through. At this point, what are the ramifications in terms of how IIS will respond? For example, is IIS FTP smart enough to realise that it should only permit connections that it has already arranged over the Control link (20/21)?
Q3. If I specify in IIS admin that I want to use 10000-11000 for FTP - is IIS clever enough to PREVENT those ports being used by any other apps on the same IIS box? My concern here is, given that the managed firewall will definitely be letting ANYTHING through, what potentially happens if some other app or code starts listening on port 10500?
I understand that whatever dynamic port range is configured on the server would generally be used for Outbound connections any way (source ports) but Still - I just would like any thoughts on the security ramifications of the configuration I am proposing. I don't feel Entirely comfortable yet, that I am not opening up an point of vulnerability.
I am really looking for technical thoughts on the networking side of this, rather than (for example) general advice about "make sure you have Windows Updates installed" etc.
thanks