RE: How the FTP protocol Challenges Firewall Security article
RE: How the FTP protocol Challenges Firewall Security a... - 6.Jul.2003 11:48:00 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Darren,
even then I would not set up a secure FTP. Have you already investigated the use of Terminal Services or Citrix Metaframe? The thin client concept provides you with true mobility for your workforce - to anywhere, on any device, over any connection - because the real data never leaves the office. Just use strong user authentication, preferably a hardware token for reasons of mobility, and you are up and running.
Some add-on products to consider:
- Aspelle Everywhere: an ISA add-on. Check out http://www.aspelle.com .
- Aventail: appliance system. Check out http://www.aventail.com .
- Citrix NFuse and Secure Gateway: add-ons to Citrix Metaframe. Check out http://www.citrix.com .
HTH, Stefaan
RE: How the FTP protocol Challenges Firewall Security a... - 7.Jul.2003 5:47:00 AM
Darren Thompson
Posts: 146
Joined: 21.May2002
From: Perth, Western Australia
Status: offline
Hi Stefaan,
Thanks for the info. I have opted for anonymous FTP for uploading files to our server using IIS, with write-only access, and SSL/HTTPS with basic authentication for downloading files. Both the HTTPS and FTP virtual directories point to the same location; IIS runs on the ISA machine, using server publishing rules for the local FTP server and a web publishing rule for the HTTPS download.
I wanted to stay with low-cost/native stuff as much as possible (cost being the primary driving force here - as always!).
I think the above scenario should be OK for our needs (security vs. simplicity). How's it sound to you?
Thanks for your help and feedback.
Darren
RE: How the FTP protocol Challenges Firewall Security a... - 7.Jul.2003 9:43:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Darren,
if you can't go with a thin client concept, then the use of HTTPS is your best choice. That's no problem for downloading files, but for uploading you might look for a little tool such as http://www.aspupload.com/index.html . These kinds of tools make it possible to upload files over HTTP/HTTPS.
HTH, Stefaan
RE: How the FTP protocol Challenges Firewall Security a... - 12.Aug.2003 5:26:00 AM
dpeters
Posts: 64
Joined: 7.Jun.2002
Status: offline
Hi Spouseele,
I have a question about your article on FTP. In it you say
"Although Network Address Translation is an interesting technique to mitigate the shortage of publicly routable IP addresses, it also creates a whole new range of problems. The reason for that is that a lot of protocols are not designed with NAT/PAT in mind. Take as an example the FTP protocol. The IP addresses and port numbers used for the data connection are dynamically negotiated. Simple NAT/PAT devices that only look at the IP addresses and port numbers (layer 3 and 4 information) do not analyse the application layer where the actual negotiation process occurs (PORT and PASV commands). So, without added special support, simple NAT/PAT devices will very likely break those complex protocols, including the FTP protocol."
but shouldn't PASV FTP pass through NAT OK without any problems, because it's the client initiating the connection? I would think the NAT device would just translate the packets the same as any other client-initiated packets. It shouldn't need to know in advance about the data connection.
Also, in the Microsoft Technet article about modifying the registry to let ISA support PASV FTP I have two questions:
1) I assume this means that changing the passive vs active ftp settings in IE has no effect when going through ISA.
2) Do you have to keep changing the setting and restarting the service every time a client wants to make an active ftp connection and then a different client needs to make a passive ftp connection ? This would seem unworkable in a normal situation where some programs need active access and some need passive.
RE: How the FTP protocol Challenges Firewall Security a... - 12.Aug.2003 4:14:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi dpeters,
yes, PASV mode is somewhat more firewall-friendly for simple firewalls at the client side. However, it doesn't solve the problem if NAT/PAT is done at the server side!
If the FTP request is handled by the Web Proxy service on ISA, then the registry setting mentioned in KB300641 determines the FTP mode. Note that this is a global setting.
Also, keep in mind that if the internal FTP client is configured to work through the Web Proxy service, the internal FTP client talks HTTP to the ISA server and the ISA server talks FTP to the FTP server. So, from the point of view of the FTP server, the FTP client is the ISA Web Proxy service, not the internal FTP client. Therefore the internal FTP client can *not* control the FTP mode because there is simply no HTTP method available to do that.
However, if the FTP request is handled by the Firewall service on ISA, then it is the internal FTP client that determines the FTP mode, because the internal FTP client uses the FTP protocol directly.
HTH, Stefaan
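The point made in the quoted article passage and in the reply above (a NAT that only rewrites layer 3/4 headers leaves the address inside PORT and 227 replies untouched) can be checked with a small simulation. The following is an added example, not code from the article, the thread, or ISA Server; the NAT classes, packet model, and all addresses and ports (10.0.0.5, 203.0.113.10, 192.168.1.20, 198.51.100.7, ports 50000 and 51210) are constructed for the illustration.

```python
"""FTP PORT / PASV negotiation crossing a NAT device (simulation).

Added example; not code from the article or from the thread. It models a
"simple" NAT that rewrites only IP/TCP headers (layer 3/4) and an FTP-aware
NAT (an application-layer gateway, ALG) that also rewrites the addresses
carried inside PORT commands and 227 replies. All IPs and ports are
constructed for the illustration.
"""
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """The inverse of decode_hostport, in the RFC 959 comma-separated form."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def endpoint_in_payload(line):
    """Return ('PORT'|'PASV', ip, port) if the control line names a data endpoint."""
    m = PORT_RE.match(line)
    if m:
        return ("PORT",) + decode_hostport(m.groups())
    m = PASV_RE.match(line)
    if m:
        return ("PASV",) + decode_hostport(m.groups())
    return None


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str  # one line of the FTP control channel


class SimpleNat:
    """1:1 NAT that rewrites the IP header only and never reads the payload."""

    def __init__(self, private_ip, public_ip):
        self.private_ip, self.public_ip = private_ip, public_ip
        self.pinholes = set()  # (public_ip, port) pairs expected to receive a data connection

    def outbound(self, pkt):
        if pkt.src_ip == self.private_ip:
            pkt.src_ip = self.public_ip
        return pkt


class FtpAlgNat(SimpleNat):
    """Same header rewrite, plus an FTP ALG that fixes up the negotiated endpoint."""

    def outbound(self, pkt):
        ep = endpoint_in_payload(pkt.payload)
        if ep and ep[1] == self.private_ip:
            kind, _, port = ep
            hp = encode_hostport(self.public_ip, port)
            pkt.payload = f"PORT {hp}" if kind == "PORT" else f"227 Entering Passive Mode ({hp})"
            # The peer will now connect to public_ip:port, so open that pinhole.
            self.pinholes.add((self.public_ip, port))
        return super().outbound(pkt)


# Constructed addresses: server 10.0.0.5 behind NAT (public 203.0.113.10),
# client 192.168.1.20 behind NAT (public 198.51.100.7).
SERVER_PRIV, SERVER_PUB = "10.0.0.5", "203.0.113.10"
CLIENT_PRIV, CLIENT_PUB = "192.168.1.20", "198.51.100.7"


def data_endpoint_after(nat, pkt):
    """Run pkt through nat and return the (ip, port) the peer will read out of it."""
    ep = endpoint_in_payload(nat.outbound(pkt).payload)
    return (ep[1], ep[2]) if ep else None


def server_side_pasv(nat):
    """Server behind `nat` answers PASV: where will the client try to connect?"""
    reply = Packet(SERVER_PRIV, 21, CLIENT_PUB, 40000,
                   f"227 Entering Passive Mode ({encode_hostport(SERVER_PRIV, 50000)})")
    return data_endpoint_after(nat, reply)


def client_side_port(nat):
    """Client behind `nat` sends PORT (active mode): where will the server connect?"""
    cmd = Packet(CLIENT_PRIV, 40000, SERVER_PUB, 21,
                 f"PORT {encode_hostport(CLIENT_PRIV, 51210)}")
    return data_endpoint_after(nat, cmd)


if __name__ == "__main__":
    for name, nat in (("simple NAT", SimpleNat(SERVER_PRIV, SERVER_PUB)),
                      ("FTP ALG NAT", FtpAlgNat(SERVER_PRIV, SERVER_PUB))):
        print(f"server-side PASV through {name}: client connects to {server_side_pasv(nat)}")
    for name, nat in (("simple NAT", SimpleNat(CLIENT_PRIV, CLIENT_PUB)),
                      ("FTP ALG NAT", FtpAlgNat(CLIENT_PRIV, CLIENT_PUB))):
        print(f"client-side PORT through {name}: server connects to {client_side_port(nat)}")
```

Through the simple NAT the client reads 10.0.0.5:50000 out of the 227 reply and tries to connect to a private address, so server-side PASV breaks; the ALG variant rewrites it to 203.0.113.10:50000 and opens the matching pinhole. The same happens to a PORT command from a client behind a simple NAT. The one case that needs no payload rewrite is PASV at the client side: the 227 reply already carries the server's public address and the data connection is outbound like any other, which is why the observation in the question holds there and nowhere else.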
RE: How the FTP protocol Challenges Firewall Security a... - 26.Sep.2003 10:13:00 PM
andre@freaking.info
Posts: 68
Joined: 23.Sep.2003
From: New York
Status: offline
Hello,
Maybe it would have been more appropriate to ask my question in this thread; I asked it in the Publishing message board.
I read the article this thread is dedicated to, and still cannot get the FTP site running on the ISA machine to work. Maybe you guys could explain my situation?
Thank you in advance.
Link to thread:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=6;t=002004
Andre.
RE: How the FTP protocol Challenges Firewall Security a... - 12.Oct.2003 6:31:00 AM
Money Penney
Posts: 130
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Excellent article, FTP was one protocol I had never really bothered to get my head around properly and now I at least have a good basic understanding which has helped me fix various problems, or at least pointed me in the right direction.
Interested in comments on this situation:
I look after a few MS SBS 2000 boxes and need to have packet filters enabled for outbound Port 21 and Inbound Port 20 to allow things like Symantec Antivirus to be able to download virus updates.
Normally this could be a potential security hole in the system; however, all of these networks are also behind a NAT router with only specified ports open for inbound access (port 20 is not one of them!).
Is this any safer? Port 20 is not open on the router, and so the only way connections get through is if they are part of an existing session (the outbound FTP). To me this would seem much safer as it is impossible to just come in on port 20. Is my logic sound, or are there tricks that would get around this somehow that I should be aware of?
RE: How the FTP protocol Challenges Firewall Security a... - 12.Oct.2003 8:45:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Money,
I would *never* allow an FTP client on ISA itself. It's too dangerous a configuration, especially if active mode FTP is used. The reason is that when you manually create IP packet filters, they are static. So, the allowed UDP/TCP ports are always open.
The proper solution is to either do the downloads from an internal host and distribute them from there, or insist on HTTP download with web proxy support from ISA. In the latter case, the download client should be configured as a Web Proxy client by using 'ISA_internal_IP:8080' as proxy settings.
HTH, Stefaan
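What "static" means for the inbound port 20 filter asked about above, versus a filter that tracks the FTP control channel, can be shown in a few lines. The following is an added example, not code from the thread or from ISA Server; the two filter classes and all addresses (192.168.1.2 for the SBS box, 203.0.113.50 for the update server, 198.51.100.99 for an unrelated host) are constructed. It models only the packet filter on the host; whether a packet reaches it at all depends on the upstream NAT router, which either has no state for an unsolicited inbound SYN and drops it (in which case the legitimate active-mode data connection needs an FTP helper or a port mapping on that router too) or tracks the PORT command itself and then behaves like the stateful filter below.

```python
"""Static packet filter versus FTP-aware stateful filter for active-mode FTP.

Added example; not code from the thread or from ISA Server. It models an
FTP client running on the firewall host itself, as in the SBS scenario
above, and checks which inbound TCP connections each filter admits. All
addresses and ports are constructed.
"""
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

HOST = "192.168.1.2"            # the SBS box running the FTP client
UPDATE_SERVER = "203.0.113.50"  # remote FTP server the client talks to
ATTACKER = "198.51.100.99"      # unrelated host that forges source port 20


@dataclass(frozen=True)
class Syn:
    """First packet of an inbound TCP connection attempt."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticFilter:
    """'Allow inbound TCP with source port 20' as a static packet filter.

    The rule never changes state, so any host that sets its source port
    to 20 can reach any local port at any time."""

    def observe_outbound(self, dst_ip, dst_port, payload):
        pass  # a static filter learns nothing from outbound traffic

    def allow_inbound(self, syn):
        return syn.dst_ip == HOST and syn.src_port == 20


class StatefulFtpFilter:
    """Opens a pinhole only for the data connection announced in the client's
    own PORT command (server:20 -> HOST:announced_port) and closes it once used."""

    def __init__(self):
        self.pinholes = set()

    def observe_outbound(self, dst_ip, dst_port, payload):
        m = PORT_RE.match(payload) if dst_port == 21 else None
        if m:
            announced_ip = ".".join(m.group(1, 2, 3, 4))
            port = int(m.group(5)) * 256 + int(m.group(6))
            if announced_ip == HOST:
                self.pinholes.add((dst_ip, port))  # expect dst_ip:20 -> HOST:port

    def allow_inbound(self, syn):
        key = (syn.src_ip, syn.dst_port)
        if syn.dst_ip == HOST and syn.src_port == 20 and key in self.pinholes:
            self.pinholes.discard(key)  # one data connection per PORT command
            return True
        return False


LEGIT_DATA_SYN = Syn(UPDATE_SERVER, 20, HOST, 51210)  # what the PORT command asked for
FORGED_SYN = Syn(ATTACKER, 20, HOST, 445)             # source port 20 chosen by the attacker


def evaluate(filt):
    """Client sends PORT for 192.168.1.2:51210, then three inbound SYNs arrive.

    Returns (legit data SYN admitted, forged SYN admitted, replayed legit SYN admitted)."""
    filt.observe_outbound(UPDATE_SERVER, 21, "PORT 192,168,1,2,200,10")  # 200*256+10 = 51210
    return (filt.allow_inbound(LEGIT_DATA_SYN),
            filt.allow_inbound(FORGED_SYN),
            filt.allow_inbound(LEGIT_DATA_SYN))


if __name__ == "__main__":
    print("static filter  :", evaluate(StaticFilter()))      # (True, True, True)
    print("stateful filter:", evaluate(StatefulFtpFilter()))  # (True, False, False)
```

The static rule admits the forged SYN to port 445 just as readily as the real data connection, and keeps doing so after the transfer is over; the stateful filter admits exactly the one connection the client asked for and nothing else. That is the difference between a manually created packet filter and letting a proxy or an FTP-aware firewall service handle the protocol.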
RE: How the FTP protocol Challenges Firewall Security a... - 30.Oct.2003 1:17:00 AM
Money Penney
Posts: 130
Joined: 18.Sep.2002
From: Melbourne
Status: offline
OK I have been searching for a command line Passive FTP client that will run nicely on the server without any extras or spyware.
It needs to accept standard FTP commands from a batch file the same as the existing client, or is simple enough to batch...
... not having much luck.
Any suggestions, anyone???