SFTP Server Security Best Practice (Video)
Separation of SFTP Server in DMZ and Storage in Private Subnet
Important: At the time this post is published, Syncplify Server! v7 and Syncplify R2FS! v1 have not yet been officially released. Both products are in the final stages of development, and we expect their release very soon.
As we continue to focus on practical security for real-world deployments, one common question we hear from customers and fellow developers is: “Where should you actually store your SFTP data, and how?” While it might seem convenient to keep everything in the DMZ (on the SFTP server itself), this approach carries significant risks. Moving the storage to a private subnet is the safer choice, but traditional direct protocols like SMB/CIFS or NFS are not secure enough to connect the two safely.
To address this, we’ve published a new video that demonstrates a network architecture we strongly recommend: run your SFTP server in the DMZ, but keep the actual storage in a separate private subnet, protected by an internal firewall with no inbound ports. This setup is simple, effective, and aligns with both security best practices and regulatory requirements.
The video provides a quick overview of why this separation is important and how it can help protect your data (when correctly implemented) even if your SFTP server is ever compromised. We also walk through a practical example using Syncplify Server! v7 and R2FS! v1 in a typical DMZ/private subnet configuration.
Key points covered:
- Why the DMZ should only host the SFTP server endpoint
- How to avoid opening inbound ports on the internal firewall that protects your storage layer
- How to configure Syncplify Server! and R2FS! to achieve the highest level of back-end storage security
Whether you’re designing a new deployment or reviewing an existing one, we recommend watching the video and considering this architecture for your own environments.
As always, feedback and questions are welcome. Feel free to reach out in the comments or contact our team directly.
The Syncplify Development Team