Welcome to ISAserver.org
How the FTP protocol Challenges Firewall Security article
RE: How the FTP protocol Challenges Firewall Security a... - 29.Dec.2002 1:24:00 AM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,
Great find!
Thanks! Tom

RE: How the FTP protocol Challenges Firewall Security a... - 1.Mar.2003 9:14:00 AM
dgr6966
Posts: 2
Joined: 1.Mar.2003
Status: offline
Hi
I run EZ Antivirus on all of my machines with signature file updates scheduled to run automatically. The updates use a combination of HTTP and FTP protocols. The updates work fine on my firewall clients but I'm having trouble getting the update to work on the ISA Server itself. I have tried creating a packet filter for FTP access but just opening port 21 for outbound access isn't sufficient (http://www.isaserver.org/tutorials/How_to_Allow_Internet_Access_on_ISA_Server_Machine.html). It would appear that I need to set up a packet filter to allow inbound access but this seems rather risky from a security point of view. How is it that the firewall clients can do this securely but it isn't possible on the ISA server? And why shouldn't I install the firewall client on the ISA server?
Thanks
David

RE: How the FTP protocol Challenges Firewall Security a... - 2.Mar.2003 11:38:00 PM
Tweak36
Posts: 39
Joined: 3.Mar.2002
From: Ontario, Canada
Status: offline
Hello Stefaan,
What a fantastic article on FTP with ISA Server 2000. Thank you for putting forth the effort to write this very helpful piece. I definitely have a stronger understanding of this protocol and its place in a network using ISA Server.
JPenrose

RE: How the FTP protocol Challenges Firewall Security a... - 12.Mar.2003 6:40:00 AM
denske35
Posts: 3
Joined: 12.Mar.2003
Status: offline
I am having difficulty getting the FTPS (explicit) traffic to pass thru for my cuteFTP client. I have read Stefaan's article, however, the connection hangs at Exchanging the encryption key. Is the exact procedure to
1. disable the FTP IP packet filter
2. create a protocol definition for FTP using TCP, 21, outbound
3. install the firewall client?
Can someone tell me what am I missing here?

RE: How the FTP protocol Challenges Firewall Security a... - 14.Mar.2003 10:31:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi denske35,
these are the important steps:
1) make sure the firewall client is installed on the internal workstation.
2) disable the FTP application filter on ISA server.
3) create a custom FTPS protocol definition as shown in my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html section 4.3. Firewall client, but use as primary connection TCP port 21 Outbound.
HTH, Stefaan
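
Added illustration, not part of the thread and not ISA Server's own code: in general, an FTP-aware filter learns which data connection to allow by reading PORT commands and 227 replies on the control channel, and once the server accepts AUTH TLS (explicit FTPS) those lines are encrypted and the filter can no longer follow them. The function names and the sample sessions are constructed for this example.

```python
import re

# RFC 959 writes a data endpoint as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def parse_hostport(text):
    """Return (ip, port) from a PORT argument or a 227 reply, else None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def track_control_channel(lines):
    """Follow (sender, line) pairs of one control connection on TCP 21.

    Returns (pinholes, blind). pinholes are the data connections a filter
    reading the channel could allow dynamically; blind is True once the
    server accepts AUTH and everything after it is TLS ciphertext.
    """
    pinholes, auth_pending = [], False
    for sender, line in lines:
        verb = line.split(" ", 1)[0].upper()
        if sender == "C" and verb == "AUTH":
            auth_pending = True
        elif sender == "S" and auth_pending:
            if verb == "234":          # AUTH accepted, TLS handshake follows
                return pinholes, True
            auth_pending = False
        elif sender == "C" and verb == "PORT":
            ep = parse_hostport(line)
            if ep:                     # active mode: server dials in to the client
                pinholes.append(("inbound", ep))
        elif sender == "S" and verb == "227":
            ep = parse_hostport(line)
            if ep:                     # passive mode: client dials out to the server
                pinholes.append(("outbound", ep))
    return pinholes, False

# Constructed sample sessions (documentation-range addresses, not from the thread).
ACTIVE = [("C", "USER demo"), ("S", "331 Password required"),
          ("C", "PORT 192,0,2,10,19,137"), ("S", "200 PORT command successful")]
PASSIVE = [("C", "PASV"), ("S", "227 Entering Passive Mode (198,51,100,7,195,80)")]
FTPS = [("C", "AUTH TLS"), ("S", "234 AUTH TLS successful"),
        ("C", "<TLS records: the later PASV/PORT exchange is not readable>")]

if __name__ == "__main__":
    for name, session in (("active", ACTIVE), ("passive", PASSIVE), ("ftps", FTPS)):
        print(name, track_control_channel(session))
```

The active-mode session yields an inbound data connection towards the client, which is the case where opening only outbound TCP 21 is not enough.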

RE: How the FTP protocol Challenges Firewall Security a... - 18.Mar.2003 5:33:00 PM
stefano
Posts: 4
Joined: 18.Mar.2003
From: Glasgow
Status: offline
Firstly let me say that this site is wonderful, keep up the good work, and I have never had to write in because all the answers to my questions have already been answered.
Problem: I have been trying for almost 2 weeks now to get a Web/FTP server behind the ISA firewall to work.
Step 1: So far I have been able to web publish URLs for people to view the web sites on the server, so everything works fine there.
Step 2: This is the problem bit. I have tried to allow the developers in the company FTP access to the web server behind the firewall. I keep getting the dreaded "Windows cannot access this folder. Make sure you type the file name correctly and that you have permission to access the folder" Details "the FTP session was terminated"
Every time I do not get any other errors at all. Now I have given user rights to these folders in the domain but I am still not having any luck.
I have used the server publishing rules and this message still comes up. I have read all the relevant articles on the subject of setting up FTP access on this web site and there are a few. I read Hadyn-wangs Install and configure FTP server behind ISA with unstandard port. Your article. Thomas Use web pub to pub co-located Web and FTP servers also.
Could you please help me out with some advice. If you need to know any more info to help you clarify or pinpoint the problem please ask.

RE: How the FTP protocol Challenges Firewall Security a... - 18.Mar.2003 11:23:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi stefano,
a couple of questions:
- Is the FTP server running on the standard FTP port?
- Did you web or server publish the FTP server? Keep in mind that no uploads are possible when you web publish the FTP server.
- Have you configured the FTP server as a SecureNAT client?
- Is the FTP application filter enabled on ISA server?
- Did you test the FTP access from an external host? Which FTP client are you using: IE or the standard commandline client?
- ...
HTH, Stefaan

RE: How the FTP protocol Challenges Firewall Security a... - 19.Mar.2003 1:20:00 PM
stefano
Posts: 4
Joined: 18.Mar.2003
From: Glasgow
Status: offline
Q. Is the FTP server running on the standard FTP port?
A. Yes, port 21.
Q. Did you web or server publish the FTP server? Keep in mind that no uploads are possible when you web publish the FTP server.
A. No, I have a couple of web published websites and I understand the limits of publishing an FTP site using the web publishing rule and how the FTP access is done through redirecting HTTP requests as FTP requests. I also tried this and I got the previous error I mentioned.
Q. Have you configured the FTP server as a SecureNAT client?
A. I am not too sure. Do you mean have I got the firewall client running on the FTP server?
Q. Is the FTP application filter enabled on ISA server?
A. I have checked the Policy Elements/Protocol Definitions and all 3 FTP application filters are enabled. I have also created custom IP packet filters: "FTP Server Control" inbound, local port 21, remote port All ports. Also FTP server control data connection outbound, fixed local port 20, remote port All ports.
Q. Did you test the FTP access from an external host?
A. I have just done this now. We have an external dedicated server so I TS into it and guess what, IT WORKED! BUT how come I cannot send a request from an internal PC through the internet to get into the FTP server?
Q. Which FTP client are you using: IE or the standard commandline client?
A. I have been using IE6 but we also use SmartFTP and from the internal source it does not work.
Conclusion: so far I am happy that I can get in from an external source. The bad thing now is I don't know why I can't just FTP into the FTP server like I can HTTP into the websites. Could you advise me further please. Thanks

RE: How the FTP protocol Challenges Firewall Security a... - 19.Mar.2003 9:28:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi stefano,
if you run the FTP server on the standard port number, then you should *not* install the firewall client on the FTP server and just configure the FTP server as a SecureNAT client. That means that its default gateway should point to the ISA server internal interface.
Also, there is only one FTP application filter and it is under the node Extension -> Application Filters. Moreover, as a general rule you should *never* create packet filters yourself except in some very specific situations. The protocol, site & content and publishing rules will create the needed packet filters dynamically for you.
Keep in mind that you can *not* loop through the ISA external interface. This means that internal clients should always connect to the internal servers directly, not to the published instance. For more info, check out http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html .
HTH, Stefaan

RE: How the FTP protocol Challenges Firewall Security a... - 20.Mar.2003 1:14:00 PM
stefano
Posts: 4
Joined: 18.Mar.2003
From: Glasgow
Status: offline
Hi Stefaan
Thanks for replying so quickly, it is much appreciated.
OK, I think I know what you mean by SecureNAT now. If you mean does my server point to the gateway (proxy/firewall ISA server) internal address, the answer is yes. The test FTP server is actually my own client machine that I am practicing with before I connected it to the real web server.
Taking your advice on the second point, I will now disable the custom packet filters that I created in the first place.
I see what you are saying about the internal to external loopback situation also.
But I still can't get the previously web published website to appear using the ftp notation, i.e. www.website.com works fine and points to the right internal server, which looks for a host file name when the request is redirected to it. So I created another destination set ftp.website.com and pointed it to the same internal web server and placed the host file name on the web server to pick any ftp request, but this does not work. What is it I have to do to resolve this issue? I thought it would be straightforward because the web publishing was pretty straightforward after I played about with it for a while.
Please advise
Thanks
Steven

RE: How the FTP protocol Challenges Firewall Security a... - 21.Mar.2003 4:29:00 PM
stefano
Posts: 4
Joined: 18.Mar.2003
From: Glasgow
Status: offline
Hi Stefaan, I have already looked at this article and I have already tried to get in from an external source without much luck. I will give it a go again one more time, but I was not having much luck, that's why I thought I would get some expert advice in the first place. Thanks for your help anyway.
Steven

RE: How the FTP protocol Challenges Firewall Security a... - 22.Mar.2003 9:45:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Steven,
in one of your previous posts you say that when you tested from an external host it was working. Maybe I've missed something, but what was working: the FTP server publishing rule or the FTP web publishing rule?
Keep in mind that if you want to access the FTP server through the web publishing rule you can *not* use the FTP protocol on the client side. You must access the web published FTP server through the HTTP protocol (http://ftp.domain.com).
HTH, Stefaan

RE: How the FTP protocol Challenges Firewall Security a... - 6.Jul.2003 3:56:00 AM
Darren Thompson
Posts: 146
Joined: 21.May2002
From: Perth, Western Australia
Status: offline
quote: What do you want to achieve? You are talking about securely transferring files to *public* terminals such as an internet cafe/airport/hotel. That doesn't make much sense to me!
True, true - there is the fact that the individual file would become possibly available to nasty people at the 'public terminal', but sometimes you gotta do what you gotta do to get data to people, but we are willing to risk that, what we don't want to risk (or minimise as much as possible whilst still allowing access) is access to all the other data which still resides on the (hopefully) "secure file server".
We need to be able to receive and publish files for specific users.
Thanks
Darren