How to set up SFTP automation for FTP/DMZ transfer

Transferring files from a DMZ to an internal FTP server can be risky. In this expert response, Anand Sastry explains how to use SFTP automation to lock it down.

We are using SFTP through a single firewall for exchange of various files with third parties. To improve security,...

I have now segmented the FTP server from the internal network and added a second firewall. What can I use that will, in real time, transfer files from a server on a DMZ to the internal FTP server without providing access to third parties?

I am assuming you are looking for some form of SFTP automation when it comes to sending files between the server in the DMZ and a local server. There are a couple of ways to facilitate this FTP/DMZ transfer. The easiest would be to leverage public key authentication.

Assuming your DMZ server is the target to push and pull files from the internal system, generate a key pair using ssh-keygen on your internal system. Do not specify a password when creating it. Move the public copy of this key pair and append it to the end of the authorized_keys file on the server. Once that is done, you should be able to automate the SCP or SFTP transfer of the file without it prompting you for the password.

The system is able to support this because you have the corresponding private key on the internal server whose public key is authorized on the DMZ server. In this technique, it is crucial to keep the private key safe. Also, ensure only the internal host is authorized to make the file transfer request to the host on the DMZ and not vice versa.
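The procedure above as a shell script, added here as an example rather than code from the original answer: it wraps the key-generation step, builds the authorized_keys line for the DMZ side with options that enforce the "only the internal host may initiate" rule, writes an sftp batch file for unattended runs, and audits an authorized_keys file for keys lacking a from= restriction. Host names, paths and the public key string are constructed placeholders, and the restrict and command="internal-sftp" options assume a reasonably current OpenSSH (restrict arrived in 7.2).

```shell
#!/bin/sh
# Added example, not the article's own code: key-based SFTP automation from
# an internal host to a DMZ server, with the DMZ side limited to that host.
# All host names, paths and key material below are constructed placeholders.

INTERNAL_IP="10.10.1.20"          # assumed address of the internal server
DMZ_HOST="dmz-sftp.example.net"   # assumed DMZ server name
KEYFILE="$HOME/.ssh/dmz_xfer"     # assumed private key path on the internal host

# Step 1 (internal host): the article's ssh-keygen step with no passphrase.
# Kept in a function so sourcing this file does not create keys.
generate_transfer_key() {
    ssh-keygen -t ed25519 -N "" -f "$KEYFILE" -C "internal->dmz transfer"
}

# Step 2 (DMZ host): the line to append to authorized_keys. The options in
# front of the key enforce the article's direction rule: from= rejects the key
# from any other source address, restrict disables port/agent/X11 forwarding
# and pty allocation, and command= forces the sftp subsystem so the key can
# never open a shell even if the private key is stolen.
build_authorized_key_line() {
    printf 'from="%s",restrict,command="internal-sftp" %s\n' "$1" "$2"
}

# Step 3 (internal host): an sftp batch file. With -b, sftp never prompts and
# aborts on the first failing command, which is what cron-driven jobs need.
build_sftp_batch() {
    printf 'cd %s\nput %s\nbye\n' "$1" "$2"
}

# Audit helper for the DMZ side: count key lines without a from= option,
# i.e. keys that would be accepted from any source. Comments and blank lines
# are ignored; "|| true" keeps a count of 0 from being reported as an error.
count_unrestricted_keys() {
    grep -E '(ssh-|ecdsa-)' "$1" | grep -vc 'from="' || true
}

# Example run with a constructed (fake) public key.
FAKE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE internal->dmz transfer'
build_authorized_key_line "$INTERNAL_IP" "$FAKE_PUB"
BATCH_FILE=$(mktemp)
build_sftp_batch /incoming /var/spool/outbound/report.csv > "$BATCH_FILE"
# Unattended transfer from the internal host would then be:
#   sftp -i "$KEYFILE" -b "$BATCH_FILE" xfer@"$DMZ_HOST"
```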

This was last published in August 2011
