Security Basics mailing list archives

RE: FTP Proxy


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 29 Jan 2004 11:19:29 -0800

If the client is configured to do active transfers, then the 
client will issue the connection request to the FTP server 
(for the control connection), while it'll be the FTP server 
that issues the connection request for the data 
connection.  That means that if you want to do active 
transfers, you must allow incoming connection requests to 
your network (which you probably don't want to do).

If the client is configured to do passive transfers, the 
client will issue the connection requests for both the control 
and data connections.  That means you won't need to allow 
incoming connection requests to hosts inside your network.
I think it's the best option.

  Which is "best" depends on whether you're looking from the 
client side or the server side, and what kind of border security
you have at each end.
  If you have stateful firewalls with FTP fixup, they can listen
to the FTP control conversation and permit the requested data 
connections as needed -- and this is true regardless of which
direction wants to open the data connection.
  If you rely on packet filters, either the client side or the
server side has to allow arbitrary data connections to be opened.
The only closure of this hole you can implement is that if the
server opens the data connection ("active" mode), the source port
number will be 20.  [In "Hacking Exposed", there's passing reference 
to doing a pen-test against a network that would permit any
connection sourced from port 20; this is why it was configured that
way.]

  It isn't that passive mode is "better" than or "more secure" than
(boy, have I heard that one claimed a lot of times!) active mode; it's
that if you're not using stateful firewalls that know about FTP, 
passive mode dumps all the risk on the server instead of the clients.

David Gillett
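
The distinction drawn above (a stateful firewall with FTP fixup opens only the data connection the control channel negotiated, while a packet filter that trusts source port 20 admits anything claiming that port) can be modelled in a few lines. The following is an added example, not code from this thread or from any firewall product mentioned in it: the Pinhole type, the ftp_fixup, pinhole_allows, static_filter_allows and side_exposed_without_fixup functions, and every address, port and control-channel line are this example's own constructed assumptions.

```python
"""Added example, not code from the thread or from any product it mentions.

Toy model of a stateful "FTP fixup" next to a stateless packet filter.
The fixup reads the control conversation and permits exactly the data
connection that was negotiated; the static filter has to admit any
inbound connection that merely claims TCP source port 20.  All addresses,
ports and control-channel lines are constructed sample data, and the names
used here are this example's own, not a real firewall's API.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

FTP_DATA_PORT = 20  # source port an active-mode server uses for the data connection


@dataclass(frozen=True)
class Pinhole:
    """One permitted TCP connection: which side opens it, from where, to where."""
    opened_by: str            # "server" (active mode) or "client" (passive mode)
    src_ip: str
    src_port: Optional[int]   # None: any source port (a passive client picks one)
    dst_ip: str
    dst_port: int


# Client "PORT h1,h2,h3,h4,p1,p2" (active); server "227 ... (h1,h2,h3,h4,p1,p2)" (passive)
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_hostport(groups):
    """Six comma-separated values: four IPv4 octets and a big-endian port."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value out of range in PORT/227 address")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftp_fixup(control_lines: List[str], client_ip: str, server_ip: str) -> List[Pinhole]:
    """Watch the interleaved control conversation and return the pinholes a
    stateful firewall would open.  Only what was negotiated is permitted."""
    pinholes = []
    for line in control_lines:
        m = _PORT_RE.match(line)
        if m:
            ip, port = _decode_hostport(m.groups())
            # The data connection must come back to the client on the control
            # channel; a PORT naming some third host is refused.
            if ip != client_ip:
                raise ValueError(f"PORT names {ip}, not the client {client_ip}")
            pinholes.append(Pinhole("server", server_ip, FTP_DATA_PORT, ip, port))
            continue
        m = _PASV_RE.match(line)
        if m:
            ip, port = _decode_hostport(m.groups())
            if ip != server_ip:
                raise ValueError(f"227 names {ip}, not the server {server_ip}")
            pinholes.append(Pinhole("client", client_ip, None, ip, port))
    return pinholes


def pinhole_allows(pinholes, src_ip, src_port, dst_ip, dst_port) -> bool:
    """Stateful decision: does this connection match a negotiated pinhole?"""
    return any(
        p.src_ip == src_ip and p.dst_ip == dst_ip and p.dst_port == dst_port
        and (p.src_port is None or p.src_port == src_port)
        for p in pinholes
    )


def static_filter_allows(src_port: int, dst_port: int) -> bool:
    """Stateless rule of the kind the post warns about: allow inbound TCP from
    source port 20 to any unprivileged port.  It cannot know what FTP negotiated,
    so anything that merely claims source port 20 gets through."""
    return src_port == FTP_DATA_PORT and dst_port > 1023


def side_exposed_without_fixup(pinholes) -> Set[str]:
    """Without a stateful fixup, whichever side receives the data connection
    must accept arbitrary inbound connections: the client in active mode,
    the server in passive mode."""
    return {"client" if p.opened_by == "server" else "server" for p in pinholes}


# Constructed sample conversations (client lines and server replies interleaved).
CLIENT_IP, SERVER_IP = "10.1.2.3", "203.0.113.7"
ACTIVE_SESSION = [
    "USER anonymous", "331 Please specify the password.",
    "PASS guest@example.org", "230 Login successful.",
    "PORT 10,1,2,3,200,10",          # client listens on 10.1.2.3:51210
    "200 PORT command successful.",
    "LIST", "150 Here comes the directory listing.", "226 Directory send OK.",
]
PASSIVE_SESSION = [
    "USER anonymous", "331 Please specify the password.",
    "PASS guest@example.org", "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (203,0,113,7,195,80).",  # server listens on :50000
    "RETR file.txt", "150 Opening BINARY mode data connection.", "226 Transfer complete.",
]

if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        holes = ftp_fixup(session, CLIENT_IP, SERVER_IP)
        print(name, holes, "exposed without fixup:", side_exposed_without_fixup(holes))
    active = ftp_fixup(ACTIVE_SESSION, CLIENT_IP, SERVER_IP)
    print("static rule admits unsolicited src-port-20 connection:", static_filter_allows(20, 4444))
    print("fixup admits the same connection:", pinhole_allows(active, SERVER_IP, 20, CLIENT_IP, 4444))
```

Run as a script it prints one pinhole per session and shows the static rule accepting a connection to port 4444 that the fixup rejects, because the fixup only ever saw port 51210 negotiated. The address checks on PORT and 227 are a design choice of this example: they stand in for the sanity checks real fixups apply so that the control channel cannot be used to open a pinhole toward an unrelated host.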



-----Original Message-----
From: Fernando Gont [mailto:fernando () gont com ar]
Sent: Wednesday, January 28, 2004 4:15 PM
To: pablo gietz
Cc: security-basics () securityfocus com
Subject: Re: FTP Proxy


At 10:27 28/01/2004 -0300, pablo gietz wrote:

We need to connect to an outside FTP server on the Internet with an FTP
client (not a browser).
We use Squid proxy for HTTP.
The problem seems to be simple, but because the security design is quite
complicated, this is the schema:
FTP Client --> Dept Firewall --> Internal Router --> Squid cache -->
External Firewall --> Remote FTP server (Internet)
So what can I do? NAT? FTP proxy? I need to solve this.

You can either configure both firewalls to let you use FTP, or use NAT
for it.
Configure the FTP client so that it does passive transfers rather than
active transfers.

If the client is configured to do active transfers, then the client will
issue the connection request to the FTP server (for the control
connection), while it'll be the FTP server that issues the connection
request for the data connection.
That means that if you want to do active transfers, you must allow
incoming connection requests to your network (which you probably don't
want to do).

If the client is configured to do passive transfers, the client will
issue the connection requests for both the control and data connections.
That means you won't need to allow incoming connection requests to hosts
inside your network.
I think it's the best option.

Note that the FTP protocol itself has no cache support built into the
protocol (as HTTP *has*). So I'd solve the problem with either a NAT or
by configuring the firewall accordingly. An FTP proxy will probably only
add unnecessary overhead.


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org



---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------



