Transfer data from DMZ SFTP to internal servers

Suppose there is an external facing SFTP server in a DMZ holding data from various parties. The data needs to be transferred and consumed by application services living on internal LAN segments. Process needs to be streamlined as it will occur throughout the business day. I have 3 primary ideas in mind - would like to get some opinions and thoughts on them.

1 - Map the SFTP data stores directly to the internal LAN segment servers where the data will be consumed. This method trades security for convenience; but would be considered very poor design? On the surface it looks terrible - but in actual practice I would imagine this type of access (not speaking strictly of SFTP but any traffic) is permitted quite frequently.

Firewall: DMZ ---> Internal App Server

2 - Reverse the traffic flow of 1 and have the internal LAN segment servers initiate the connection to retrieve the data from the SFTP server. The protocol would either be SFTP or perhaps CIFS. This method might require some additional workflows to be built.

Firewall: Internal App Server ---> DMZ

3 - The 3rd option is to have the internal LAN server retrieve the the data over the internet via SFTP protocol. In this case there is no DMZ to internal LAN traffic - but it generates more traffic/load by hair pinning in and out. And just as in option 2 there will likely need some new workflow established.

Internal App Server ---> Firewall ---> Internet ---> Firewall --> SFTP

Leave Your Comment