OS X Server safely facing WAN and LAN

Networkosx-serverSecuritywifi

Our OS X Server serves our company DNS, web and mail with an external IP address to the Internet.
It currently does not have a local address on the LAN and thus cannot be used e.g. for software update caches for OS X and IOS devices on the network.

If I were to also attach the server to the LAN by one of its other ports would I be compromising its security or the security of the LAN?

I am more concerned about opening up a security hole from the WAN into the LAN than vice versa as I can control which users have access to which services on the Server.

OS X Server has its adaptive firewall enabled and the router via which it connects to the WAN has only those ports open that we need for the services it serves.

Best Answer

Nothing much will change in regards to WAN exposure, as long as you're not configuring the server to proxy or route any traffic. Services intended for the LAN only should be configured to only run on the appropriate interface, regardless of whether there's a firewall in place.

There is an increased risk if one of the externally facing services is compromised, potentially allowing access to resources on the LAN. If you want to be really careful you can set up the firewall on the Mac to not allow traffic out the LAN interface unless it originated on the Mac...

Related Solutions

OS X Server FTP server

I suggest you use what comes with OSX, namely sftp/scp, included with every OSX since the age of dawn.

Enable SSH in the sharing (Remote Login), configure what users have access and then try to use sftp from the Terminal (if you are familiar with it). Try

man sftp

to see the help.

DESCRIPTION sftp is an interactive file transfer program, similar to ftp(1), which performs all operations over an encrypted ssh(1) transport.

You have the benefits of "ftp-like" plus everything is encrypted.

If you still want to go ahead and use ftp, I suggest you take a look at ftpd conf file, located in /etc/ftpd.conf and /etc/ftpusers

In any case, take a look at the man page for ftpd.conf and ftpusers:

man ftpd.conf
man ftpusers

…to see other options you can add there (because the default one will be most likely empty or with little things in it).

There's no pretty program to configure FTP on OSX (there is on the Server version as far as I can remember).

Please note that FTP is not a very secure protocol by default and hence it should be running inside a chroot. (hint: man ftpchroot).

Setting up TimeCapsule with existing Router(with DHCP disabled)

Disable NAT and DHCP on the router. Plug the Time Capsule's WAN port into the router's LAN port. Better yet, see if the router has a "bridge" mode. The Time Capsule usually would run in 'distribute a range' mode, which IIRC means DHCP and NAT. 'Share a public' would be DHCP only. And bridge is a simple pass-through mode (much like we've just tried to put your Belkin into).

Best Answer

Related Solutions

OS X Server FTP server

Setting up TimeCapsule with existing Router(with DHCP disabled)

Related Question