3 steps to improve file transfer security by using proxies and gateways

Our last few posts have discussed understanding proxy servers, the benefits of reverse proxy servers and the benefits of file transfer DMZs. Today, we’re going to put everything together by discussing how to improve file transfer security through proxies and gateways. First, let’s get some definitions out of the way:

  • Proxy servers represent clients or servers to their counterparts in a data exchange.
  • Gateways route network traffic.

The above definitions are not absolute. Many gateway products combine gateway hardware and network security software in firewall offerings, and it’s not uncommon for gateway variants like JSCAPE by Redwood’s MFT Gateway to also offer proxy server functionality.

With the above out of the way, let’s focus on how to use these tools to improve your file transfer security. 

1. Define your file transfer security policies

Proxies and gateways give flexibility to add layers of file transfer security in a number of areas, including:

  • Traffic scanning and routing: Gateways and proxies can be configured to respond automatically to potential threats before those threats reach your internal network, or to only initiate connections from known IP addresses.  
  • Authentication: You can require additional authentication steps or factors on your proxy server, which can reduce the likelihood of a full credential breach.
  • Encryption: Proxy servers can establish connection encryption before requests reach your internal network to add an additional layer of security.  
  • Server or client IP obfuscation: Proxies give you the ability to only show the IP of the proxy server when transmitting data to a server or client. 
  • Demilitarized zones (DMZs): Setting up your gateway outside your internal network firewall lets you establish a DMZ where you can perform security evaluations in a safer environment that will not affect core operations.

With the above in mind, you’ll want to define your file transfer security policies to meet your organization’s requirements and hardware and software capabilities. For example:

  • Do you operate in a high-threat environment (financial services, healthcare, software, etc.)? You’ll want to consider reducing visibility into your network infrastructure and IP addresses via a reverse proxy server, and may benefit from implementing additional authentication and encryption layers on that server. 
  • Are regulatory compliance and data security priorities? If so, placing a gateway outside of your network firewall to create a DMZ where you can implement additional layers of logging, authentication and data-loss protection checks on a proxy server could be a good solution.

2. Architect your network

Once you’ve defined the security policies you’re looking to meet, it’s time to configure your network to support them. When you do, you’ll want to consider the following:

  • Do you want to implement a DMZ?
  • How will you configure your firewall(s)?
  • What are your critical systems?
  • Do you need to protect internal client information?

There are many ways to configure your network, but the most common are single- and dual-firewall implementations of a DMZ:

  • Single firewall: External traffic runs first through your external firewall to your gateway/router, which diverts traffic to your DMZ. Cleared traffic returns to your gateway and is then routed to your internal network.  
  • Dual firewall: A more secure, robust option employs two firewalls to reduce your points of failure. In this implementation, external traffic runs through an initial firewall and is then routed to a DMZ. DMZ-approved traffic then runs to another firewall before being granted access to your network. 

If reducing your attack surface is important, you may want to consider proxy servers for your internal users as well, which would allow you to hide the IP addresses of your devices, file transfer servers and more. 

We recommend keeping your file transfer server itself behind your internal network firewall, to reduce the potential attack surface that could be opened up if it were directly accepting external network connections. If you take this approach, you’ll likely want to use a reverse proxy server to connect to your internal file transfer server as well.

3. Test your vulnerabilities

Once you’ve set up your network, it’s time to test the configuration. Penetration testing is always recommended, and you’ll want to test for scenarios such as:

  • File transfer servers that accept traffic from unverified IP addresses
  • File transfers that are allowed to transmit externally without a final check through a DLP tool
  • Network metadata exposed during your transfers (such as server IP addresses, server configurations, etc.)
  • External port scanning success
  • Any protocol or certificate/key configuration issues that might cause a gap in security
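A small policy simulator for the dual-firewall layout from step 2 and the test scenarios from step 3, added here as an example; it is not code from this post or from JSCAPE's products. The zones, the addresses (drawn from documentation ranges) and both rule sets are constructed assumptions. run_checks() returns the outcome of each scenario, and every value should be True for a correctly segmented design.

```python
import ipaddress

# Constructed addressing (not from the post): 192.0.2.0/24 is the DMZ,
# 10.0.0.0/8 is the internal network and everything else is "external".
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
GATEWAY = "192.0.2.10"      # hypothetical MFT gateway / reverse proxy in the DMZ
SFTP_SERVER = "10.1.1.20"   # hypothetical file transfer server on the internal network

def zone(ip):
    addr = ipaddress.ip_address(ip)
    return "dmz" if addr in DMZ else "internal" if addr in INTERNAL else "external"
# Each firewall is an allow-list of (source, destination, tcp port); source and
# destination are a zone name or one address. Unmatched flows are dropped (default deny).
OUTER_FW = [("external", GATEWAY, 22),      # SFTP clients stop at the gateway
            ("external", GATEWAY, 443)]     # HTTPS clients stop at the gateway
INNER_FW = [(GATEWAY, SFTP_SERVER, 22)]     # only the gateway may open SFTP inward

def matches(selector, ip):
    if selector in ("external", "dmz", "internal"):
        return zone(ip) == selector
    return ipaddress.ip_address(ip) == ipaddress.ip_address(selector)

def firewalls_on_path(src, dst):
    """Outer firewall sits between external and DMZ, inner between DMZ and
    internal; a flow must pass every firewall between its two zones."""
    order = {"external": 0, "dmz": 1, "internal": 2}
    lo, hi = sorted((order[zone(src)], order[zone(dst)]))
    path = [("outer", OUTER_FW)] if lo == 0 < hi else []
    if lo <= 1 < hi:
        path.append(("inner", INNER_FW))
    return path

def allowed(src, dst, port):
    """(True, None) if every firewall on the path permits the connection,
    otherwise (False, name of the firewall that drops it)."""
    for name, rules in firewalls_on_path(src, dst):
        if not any(matches(s, src) and matches(d, dst) and p == port for s, d, p in rules):
            return False, name
    return True, None

def run_checks(client="203.0.113.5"):
    # Step 3 scenarios as expected outcomes; an external port scan is simulated by probing 1-1024
    open_ports = [p for p in range(1, 1025) if allowed(client, GATEWAY, p)[0]]
    return {
        "client reaches the gateway over SFTP": allowed(client, GATEWAY, 22) == (True, None),
        "gateway reaches the internal server": allowed(GATEWAY, SFTP_SERVER, 22) == (True, None),
        "client cannot reach the internal server directly": allowed(client, SFTP_SERVER, 22) == (False, "outer"),
        "external port scan of the gateway shows only 22 and 443": open_ports == [22, 443],
        "another DMZ host cannot pivot to the internal server": allowed("192.0.2.99", SFTP_SERVER, 22) == (False, "inner"),
    }
```

Swap in your own zones and rules to check a planned layout before deploying it; a False entry points at the scenario the design fails.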

We hope the above has been helpful in understanding how to improve file transfer security using proxies and gateways. If you have any questions, please contact our support team.