Security Basics mailing list archives

RE: FTP Proxy


From: Fernando Gont <fernando () gont com ar>
Date: Tue, 03 Feb 2004 02:17:43 -0300

At 10:33 30/01/2004 -0800, David Gillett wrote:

> Again, if I have a stateful firewall with FTP awareness, properly
> configured, I don't care whether the clients are active or passive.

I agree with that.


> [....]
> The vast majority of users
> haven't a clue what's legitimately on their box, let alone what bits
> of malware/spyware/etc have surreptitiously installed themselves.  You
> *have* to do egress filtering for your local network to be a good citizen
> of the Internet.
>   And allowing PASV mode means you can't do that with a simple packet
> filter.  If I disallow PASV mode, I can at least limit the inbound data
> connections to servers sourcing from port 20, which is admittedly a hole,
> but will suffice against most script kiddies, etc.  It's (IMHO) a much
> smaller hole than allowing arbitrary internally-originated streams out.

I'd probably disagree with this statement. You'd keep the script-kiddies out, but would let the clever guys in!


> If I'm going to offer a publicly-accessible FTP server, I really want
> to put it behind a stateful firewall with FTP awareness, so I don't care
> whether clients are active or passive.  My firewall will see the PORT
> commands and do the Right Thing.  If I can't properly firewall it, my
> choices are to either block PASV access, or hope the server software
> allows us to configure some restrictions on the data ports and duke it
> out with the server admin to enact them.

If you're going to host the FTP *server*, then if it's going to be publicly-accessible, you'll have to support both passive and active transfers.


> But if you can't do that, PASV mode is not *automatically* the best
> compromise available.
>   My hot button isn't really about PASV per se, but about the too-frequent
> knee-jerk suggestion that it is the answer to every FTP network security
> question.

Wasn't it Einstein that said "Complex problems usually have simple, wrong answers"? :-)


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
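The "FTP awareness" the quoted message relies on (the firewall reads PORT commands and 227 replies on the control channel and opens only the matching data connection) is sketched below as an added illustration, not code from the thread; the names ControlConn, expected_data_flow and syn_permitted and the sample addresses are constructed.

```python
import re
from dataclasses import dataclass

# Constructed example (names and addresses are not from the thread) of the
# state an FTP-aware stateful firewall derives from the control channel.

@dataclass
class ControlConn:
    client_ip: str  # inside host that opened the control connection
    server_ip: str  # FTP server it is talking to

def _decode(m):
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_port(line):
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2' (active mode)."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip(), re.I)
    return _decode(m) if m else None

def parse_pasv(line):
    """Server -> client '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = re.search(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line.strip())
    return _decode(m) if m else None

def expected_data_flow(conn, line, from_client):
    """The single data connection to permit, as (src_ip, dst_ip, dst_port),
    or None if the control-channel line opens nothing."""
    if from_client:
        ep = parse_port(line)
        # Active mode: the client names where the server must connect to.
        # Refuse a PORT that points at another host or a privileged port, so the
        # server is never used to relay connections to third parties (bounce).
        if ep is None or ep[0] != conn.client_ip or ep[1] < 1024:
            return None
        return (conn.server_ip, ep[0], ep[1])
    ep = parse_pasv(line)
    # Passive mode: the 227 reply must point back at the server we already
    # talk to; the client then connects out to that port.
    if ep is None or ep[0] != conn.server_ip or ep[1] < 1024:
        return None
    return (conn.client_ip, ep[0], ep[1])

def syn_permitted(flow, src_ip, dst_ip, dst_port):
    """Does a new TCP SYN match the one flow the control channel opened?
    Unlike a plain 'source port 20' rule, the source host is pinned too."""
    return flow is not None and flow == (src_ip, dst_ip, dst_port)
```

The contrast with the "allow anything sourcing from port 20" packet filter in the quoted text is the source-host pin: only the server on the existing control connection can reach the one port the client announced.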




