Security Basics mailing list archives

RE: FTP Proxy

From: Fernando Gont <fernando () gont com ar>
Date: Thu, 29 Jan 2004 21:11:32 -0300

At 11:19 29/01/2004 -0800, David Gillett wrote:

> If the client is configured to do passive transfers, the
> client will use the connection requests for both the control
> and data connections.  That means, you won't need to allow
> incoming connection requests to hosts inside your network.
> I think it's the best option.
  Which is "best" depends on whether you're looking from the
client side or the server side, and what kind of border security
you have at each end.
  If you have stateful firewalls with FTP fixup, they can listen
to the FTP control conversation and permit the requested data
connections as needed -- and this is true regardless of which
direction wants to open the data connection.


This requieres more processing in the firewall, though.

Because the PORT command must be "patched" in the stream, it may be thecase that the firewall not only needs to recalculate TCP's checksum, butmay have to "recalculate" the sequence numbers, too. (The "patched" PORTcommand might be longer or shorter than the original one).

  If you rely on packet filters, either the client side or the
server side has to allow arbitrary data connections to be opened.
The only closure of this hole you can implement is that if the
server opens the data connection ("active" mode), the source port
number will be 20.  [In "Hacking Exposed", there's passing reference
to doing a pen-test against a network that would permit any
connection sourced from port 20; this is why it was configured that
way.]

Sorry, I didn't understand that part where you said "this is why it wasconfigured that way".

  It isn't that passive mode is "better" than or "more secure" than
(boy, have I heard that one claimed a lot of times!) active mode; it's
that if you're not using stateful firewalls that know about FTP,
passive mode dumps all the risk on the server instead of the clients.

It's probably more easy to configure the FTP server to use some specifiedport range (and thus allow incoming connections on only those ports) thanconfigure *all* the clients that want to access your FTP site in a similar way.

BTW, the FTP server was external to his organization, so... why should*him* take the risk?


Best Regards,


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org



---------------------------------------------------------------------------

Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off anycourse! All of our class sizes are guaranteed to be 10 students or less.We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,and many other technical hands on courses.Visit us at http://www.infosecinstitute.com/securityfocus to get $720 offany course!----------------------------------------------------------------------------

Current thread:

FTP Proxy pablo gietz (Jan 26)
- Re: FTP Proxy Narendra Prabhu (Jan 27)
- Re: FTP Prox Andrey Ponomarev (Jan 27)
- Re: FTP Proxy Fernando Gont (Jan 28)
  - Re: FTP Proxy pablo gietz (Jan 28)
    - Re: FTP Proxy Fernando Gont (Jan 29)
    - RE: FTP Proxy David Gillett (Jan 29)
    - RE: FTP Proxy Fernando Gont (Jan 30)
    - RE: FTP Proxy David Gillett (Jan 30)
    - RE: FTP Proxy Fernando Gont (Jan 30)
    - RE: FTP Proxy David Gillett (Jan 30)
    - Re: FTP Proxy pablo gietz (Jan 30)
    - Re: FTP Proxy Fernando Gont (Jan 30)