Can an external client access an FTP server?

rein (n00b; joined Apr 8, 2016; messages: 1)
The current network setup is like this:
Company A has a network setup consisting of Cisco devices only. It has an FTP server where all files are stored and accessed. Company B has a different setup from A (no networking devices, only a wifi modem), and is in need of certain files from A.

According to this Understanding How FTP Works, you can upload and download files after installing a client software and providing an address, username and password. But is this only applicable to clients within Company A or is it also applicable for clients of Company B too?

Also, how does an FTP server work with VPN in this situation?

Any help would be very much appreciated, thank you.
 
First, FTP can always be accomplished without VPN. It depends on the knowledge of the Network Wizards that are at Company A. The easiest and most simple way is to give the users at Company B the public IP address of the FTP at Company A. That is the easiest, but the least secure. If you are wanting to get vital or sensitive company information, I do not recommend this method. The way I have it running at my company is that we use SFTP or FTP over SSH. FTP is essentially not encrypted or secure, so you first create a secure connection from Company B to Company A, then use FTP to get the file or files that you need. The Network Wizard at Company A will most likely want to use a custom port for connection (especially if they only have 1 public IP address). I generally use port numbers over 20,000. Port forwarding makes it so that when the firewall (guessing Cisco ASA since you said it's a Cisco house) receives an incoming connection request, it can forward it to the FTP server.


Example: If the FTP server is 192.168.1.100 and is running on port 22 and your public IP address is 63.85.136.45 (made this number up) and the Network Admin sets the custom port for 22500, then the client at Company B would set their software to connect to 63.85.136.45:22500. The ASA (or whichever firewall) would redirect that incoming traffic to the FTP server at 192.168.1.100:22. I also recommend still keeping a login/password, that way no random ZeroCool would be able to connect and download the files at will. Depending on Company A, they can get pretty strict with the security on who, how, from where, and what time people at Company B can connect to the FTP server at Company A.

Without doing it properly, giving someone VPN access can be a huge security risk. Once someone is tethered up to the network, they could have unrestricted access to machines. All of this wouldn't really set off any alarms either, since the user was given VPN access to bypass the firewall. If the people at Company A want a few people at Company B to be able to get the files off the server, it's far more secure to punch one small hole in the firewall to let them in to get the files rather than removing that security barrier and giving them potential access to the entire Company Network. I am always leery of who gets VPN access at my company.
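The port forward and the "who, from where, and what time" restrictions described in the reply above, written out as a firewall configuration. This is an added example, not part of the original post: it assumes a Cisco ASA running 8.3 or later (object NAT syntax), interfaces named `inside` and `outside`, that 63.85.136.45 is the address of the outside interface, and `198.51.100.10` as a placeholder for Company B's public address. The object, ACL and time-range names are made up for illustration.

```cisco
! Assumed names: SFTP-SERVER, OUTSIDE-IN, PARTNER-HOURS (hypothetical).
! 198.51.100.10 is a placeholder for Company B's public IP address.

! Only allow the partner in during working hours.
time-range PARTNER-HOURS
 periodic weekdays 8:00 to 18:00

! Static PAT: outside-interface-address:22500 -> 192.168.1.100:22.
! "interface" means the mapped address is the outside interface's own IP,
! which fits the single-public-IP case from the post.
object network SFTP-SERVER
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 22 22500

! On 8.3+ the ACL matches the real (post-NAT) address and port.
! Permit Company B only, inside the time window, and log each connection.
access-list OUTSIDE-IN extended permit tcp host 198.51.100.10 object SFTP-SERVER eq 22 log time-range PARTNER-HOURS

! Explicit deny with logging, so attempts from anyone else are visible
! in syslog instead of being dropped silently by the implicit deny.
access-list OUTSIDE-IN extended deny tcp any object SFTP-SERVER eq 22 log

access-group OUTSIDE-IN in interface outside
```

The source restriction complements the login/password on the server rather than replacing it; `show access-list OUTSIDE-IN` shows hit counts for both the permit and the deny entry.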
 