Welcome to ISAserver.org

How the FTP protocol Challenges Firewall Security article

How the FTP protocol Challenges Firewall Security article - 11.Nov.2002 10:44:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
This thread is for the How the FTP protocol Challenges Firewall Security article.

Thanks,
Stefaan
Post #: 1
RE: How the FTP protocol Challenges Firewall Security a... - 28.Dec.2002 9:49:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi all,

just to let you know I've updated the article with some new information about FTP through the Web Proxy service: HOW TO: Enable Passive CERN FTP Connections Through Internet Security and Acceleration Server 2000.

HTH,
Stefaan

(in reply to spouseele)
Post #: 2
RE: How the FTP protocol Challenges Firewall Security a... - 29.Dec.2002 1:24:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Great find!

Thanks!
Tom

(in reply to spouseele)
Post #: 3
RE: How the FTP protocol Challenges Firewall Security a... - 1.Mar.2003 9:14:00 AM   
dgr6966

 

Posts: 2
Joined: 1.Mar.2003
Status: offline
Hi

I run EZ Antivirus on all of my machines with signature file updates scheduled to run automatically. The updates use a combination of HTTP and FTP protocols. The updates work fine on my firewall clients but I'm having trouble getting the update to work on the ISA Server itself. I have tried creating a packet filter for FTP access but just opening port 21 for outbound access isn't sufficient (http://www.isaserver.org/tutorials/How_to_Allow_Internet_Access_on_ISA_Server_Machine.html). It would appear that I need to set up a packet filter to allow inbound access but this seems rather risky from a security point of view. How is it that the firewall clients can do this securely but it isn't possible on the ISA server? And why shouldn't I install the firewall client on the ISA server?

Thanks

David

(in reply to spouseele)
Post #: 4
RE: How the FTP protocol Challenges Firewall Security a... - 1.Mar.2003 2:36:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi David,

thanks for reading my article! [Smile]

You are right! Allowing FTP from ISA itself is not a good idea from a point of view of security. My strategy to download updates is to download the updates from an internal host and then distribute them from there. In that case you don't need to allow FTP from/to ISA itself. Moreover, you have only to download them once! [Big Grin]

The only exception I would allow is if you can configure the update program to use FTP through the web proxy service on ISA. You can then use localhost:8080 or ISA_internalIP:8080 as proxy server.

HTH,
Stefaan

[ March 01, 2003, 05:11 PM: Message edited by: spouseele ]

(in reply to spouseele)
Post #: 5
RE: How the FTP protocol Challenges Firewall Security a... - 2.Mar.2003 11:38:00 PM   
Tweak36

 

Posts: 39
Joined: 3.Mar.2002
From: Ontario, Canada
Status: offline
Hello Stefaan,

What a fantastic article on FTP with ISA Server 2000. Thank you for putting forth the effort to write this very helpful piece. I definitely have a stronger understanding of this protocol and its place in a network using ISA server.

JPenrose

(in reply to spouseele)
Post #: 6
RE: How the FTP protocol Challenges Firewall Security a... - 3.Mar.2003 3:38:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi JPenrose,

many thanks for the kind words about my article! [Smile]

Stefaan

(in reply to spouseele)
Post #: 7
RE: How the FTP protocol Challenges Firewall Security a... - 12.Mar.2003 6:40:00 AM   
denske35

 

Posts: 3
Joined: 12.Mar.2003
Status: offline
I am having difficulty getting the FTPS (explicit) traffic to pass thru for my cuteFTP client. I have read Stefaan's article, however, the connection hangs at Exchanging the encryption key. Is the exact procedure to
1. disable the FTP IP packet filter
2. create a protocol definition for FTP using TCP, 21, outbound
3. install the firewall client?

Can someone tell me what I am missing here?

(in reply to spouseele)
Post #: 8
RE: How the FTP protocol Challenges Firewall Security a... - 14.Mar.2003 10:31:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi denske35,

these are the important steps:

1) make sure the firewall client is installed on the internal workstation.

2) disable the FTP application filter on ISA server.

3) create a custom FTPS protocol definition as shown in my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html section 4.3. Firewall client, but use as primary connection TCP port 21 Outbound.

HTH,
Stefaan

(in reply to spouseele)
Post #: 9
RE: How the FTP protocol Challenges Firewall Security a... - 18.Mar.2003 5:33:00 PM   
stefano

 

Posts: 4
Joined: 18.Mar.2003
From: Glasgow
Status: offline
Firstly let me say that this site is wonderful, keep up the good work, and I have never had to write in because all the answers to my questions have already been answered.

Problem:
I have been trying for almost 2 weeks now to get a Web/FTP server behind the ISA firewall to work.
Step 1
So far I have been able to web publish URLs for people to view the web sites on the server, so everything works fine there.
Step 2
This is the problem bit. I have tried to allow the developers in the company ftp access to the web server behind the firewall. I keep getting the dreaded
"Windows cannot access this folder. Make sure you type the file name correctly and that you have permission to access the folder" Details the FTP session was terminated"

Every time I do not get any other errors at all.
Now I have given user rights to these folders in the domain but I am still not having any luck.

I have used the server publishing rules and this message still comes up. I have read all the relevant articles on the subject of setting up FTP access on this web site and there are a few. I read Hadyn-wangs Install and configure FTP server behind ISA with unstandard port. Your article. Thomas Use web pub to pub co-located Web and FTP servers also.

Could you please help me out with some advice? If you need to know any more info to help you clarify or pinpoint the problem, please ask.

(in reply to spouseele)
Post #: 10
RE: How the FTP protocol Challenges Firewall Security a... - 18.Mar.2003 11:23:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi stefano,

a couple of questions:
- Is the FTP server running on the standard FTP port?
- Did you web or server publish the FTP server? Keep in mind that no uploads are possible when you web publish the FTP server.
- Have you configured the FTP server as a SecureNAT client?
- Is the FTP application filter enabled on ISA server?
- Did you test the FTP access from an external host? Which FTP client are you using: IE or the standard commandline client?
- ...

HTH,
Stefaan

(in reply to spouseele)
Post #: 11
RE: How the FTP protocol Challenges Firewall Security a... - 19.Mar.2003 1:20:00 PM   
stefano

 

Posts: 4
Joined: 18.Mar.2003
From: Glasgow
Status: offline
Q. Is the FTP server running on the standard FTP port?
A. Yes, port 21.
Q. Did you web or server publish the FTP server? Keep in mind that no uploads are possible when you web publish the FTP server.
A. No, I have a couple of web published websites and I understand the limits of publishing an FTP site using the web publishing rule and how the FTP access is done through redirecting HTTP requests as FTP requests. I also tried this and I got the previous error I mentioned.
Q. Have you configured the FTP server as a SecureNAT client?
A. I am not too sure, do you mean have I got the firewall client running on the FTP server?
Q. Is the FTP application filter enabled on ISA server?
A. I have checked the Policy Elements/Protocol Definitions and all 3 FTP application filters are enabled. I have also created custom IP packet filters "FTP Server Control" inbound, local port 21, remote port All ports.
Also FTP server control data connection Outbound, fixed local port 20, remote port All ports.
Q. Did you test the FTP access from an external host?
A. I have just done this now. We have an external dedicated server so I TS into it and guess what, IT WORKED!
BUT how come I cannot send a request from an internal PC through the internet to get into the FTP server?
Q. Which FTP client are you using: IE or the standard commandline client?
A. I have been using IE6 but we also use SmartFTP and from the internal source it does not work.
Conclusion so far: I am happy that I can get in from an external source. The bad thing now is I don't know why I can't just FTP into the FTP server like I can HTTP into the websites. Could you advise me further please? Thanks

(in reply to spouseele)
Post #: 12
RE: How the FTP protocol Challenges Firewall Security a... - 19.Mar.2003 9:28:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi stefano,

if you run the FTP server on the standard port number, then you should *not* install the firewall client on the FTP server and just configure the FTP server as a SecureNAT client. That means that its default gateway should point to the ISA server internal interface.

Also, there is only one FTP application filter and it is under the node Extension -> Application Filters. Moreover, as a general rule you should *never* create packet filters yourself except in some very specific situations. The protocol, site&content and publishing rules will create the needed packet filters dynamically for you.

Keep in mind that you can *not* loop through the ISA external interface. This means that internal clients should always connect to the internal servers directly, not to the published instance. For more info, check out http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html .

HTH,
Stefaan

(in reply to spouseele)
Post #: 13
RE: How the FTP protocol Challenges Firewall Security a... - 20.Mar.2003 1:14:00 PM   
stefano

 

Posts: 4
Joined: 18.Mar.2003
From: Glasgow
Status: offline
Hi Stefaan

Thanks for replying so quickly, it is much appreciated.

OK, I think I know what you mean by SecureNAT now. If you mean does my server point to the gateway (proxy/firewall ISA server) internal address, the answer is yes. The test FTP server is actually my own client machine that I am practicing with before I connect it to the real webserver.

Taking your advice on the second point, I will now disable the custom packet filters that I created in the first place.

I see what you are saying about the internal to external loopback situation also.

But I still can't get the previously web published website to appear using the FTP notation, i.e. www.website.com works fine, points to the right internal server which looks for a host file name when the request is redirected to it. So I created another destination set ftp.website.com and pointed it to the same internal webserver and placed the host file name on the webserver to pick up any FTP request, but this does not work.
What is it I have to do to resolve this issue? I thought it would be straightforward because the web publishing was pretty straightforward after I played about with it for a while.

Please advise

Thanks

Steven

(in reply to spouseele)
Post #: 14
RE: How the FTP protocol Challenges Firewall Security a... - 20.Mar.2003 10:17:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Steven,

check out http://www.isaserver.org/tutorials/Using_Web_Publishing_Rules_to_Publish_Colocated_Web_and_FTP_Servers.html . Keep in mind you *must* test from an external client!

HTH,
Stefaan

(in reply to spouseele)
Post #: 15
RE: How the FTP protocol Challenges Firewall Security a... - 21.Mar.2003 4:29:00 PM   
stefano

 

Posts: 4
Joined: 18.Mar.2003
From: Glasgow
Status: offline
Hi Stefaan
I have already looked at this article and I have already tried to get in from an external source without much luck. I will give it a go again one more time but I was not having much luck, that's why I thought I would get some expert advice in the first place.
Thanks for your help anyway.

Steven

(in reply to spouseele)
Post #: 16
RE: How the FTP protocol Challenges Firewall Security a... - 22.Mar.2003 9:45:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Steven,

in one of your previous posts you say that when you tested from an external host it was working. Maybe I've missed something, but what was working: the FTP server publishing rule or the FTP web publishing rule?

Keep in mind that if you want to access the FTP server through the web publishing rule you can *not* use the FTP protocol on the client side. You must access the web published FTP server through the HTTP protocol (http://ftp.domain.com).

HTH,
Stefaan

(in reply to spouseele)
Post #: 17
RE: How the FTP protocol Challenges Firewall Security a... - 5.Jul.2003 2:46:00 AM   
Darren Thompson

 

Posts: 146
Joined: 21.May.2002
From: Perth, Western Australia
Status: offline
Does anyone know of any resources on how to create a secure FTP server? Behind ISA?

Is there a better way to allow the secure transmission of data - keeping in mind that it may possibly be from a public terminal (such as an internet cafe/airport/hotel)

Perhaps WebDAV over SSL?

These questions and more [Smile]

Thanks

Darren

(in reply to spouseele)
Post #: 18
RE: How the FTP protocol Challenges Firewall Security a... - 5.Jul.2003 8:13:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Darren,

personally I find secure FTP (FTP over SSL) a very ugly protocol because it is not firewall friendly. [Big Grin]

What do you want to achieve? You are talking about securely transferring files to *public* terminals such as an internet cafe/airport/hotel. That doesn't make much sense to me! [Confused]

HTH,
Stefaan

(in reply to spouseele)
Post #: 19
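
Added example (not part of the thread or of the article it discusses): a sketch of what an FTP-aware filter has to read on the control channel to create the data-connection rules dynamically, as discussed in the replies above, and why that stops working once AUTH TLS is accepted in explicit FTPS. The function names, transcripts and addresses are constructed for illustration, and NAT address rewriting is left out.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or 227 reply, else None."""
    if line.upper().startswith("PORT "):
        mode = "active"    # server connects back to the client
    elif line.startswith("227"):
        mode = "passive"   # client connects out to the server
    else:
        return None
    m = HOSTPORT.search(line)
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    if max(n) > 255:
        return None
    return mode, ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def pinholes(control_lines, client_ip, server_ip):
    """Derive the data-connection allows an FTP-aware filter would open."""
    rules, notes = [], []
    for line in control_lines:
        if line.startswith("234"):
            # Server accepted AUTH TLS: the rest of the control channel is
            # ciphertext, so later PORT/227 lines cannot be read here.
            notes.append("control channel encrypted; data ports not visible")
            break
        ep = data_endpoint(line)
        if ep is None:
            continue
        mode, ip, port = ep
        expected = client_ip if mode == "active" else server_ip
        if ip != expected:
            notes.append(f"refused {mode} endpoint {ip}:{port} (expected {expected})")
        elif mode == "active":
            rules.append((server_ip, ip, port))   # inbound: server -> client
        else:
            rules.append((client_ip, ip, port))   # outbound: client -> server
    return rules, notes

# Constructed transcripts (documentation addresses, not taken from the thread).
CLEAR = ["220 ready", "USER demo", "331 need password", "PASV",
         "227 Entering Passive Mode (203,0,113,10,195,80)",
         "PORT 192,0,2,5,4,1", "PORT 198,51,100,9,0,22"]
FTPS = ["220 ready", "AUTH TLS", "234 AUTH TLS successful",
        "227 Entering Passive Mode (203,0,113,10,195,81)"]

if __name__ == "__main__":
    print(pinholes(CLEAR, "192.0.2.5", "203.0.113.10"))
    print(pinholes(FTPS, "192.0.2.5", "203.0.113.10"))
```

Each rule is a (source, destination, destination port) tuple; the FTPS transcript yields no rules because nothing after the 234 reply is readable by the filter.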
RE: How the FTP protocol Challenges Firewall Security a... - 6.Jul.2003 3:56:00 AM   
Darren Thompson

 

Posts: 146
Joined: 21.May.2002
From: Perth, Western Australia
Status: offline
quote:
What do you want to achieve? You are talking about securely transferring files to *public* terminals such as an internet cafe/airport/hotel. That doesn't make much sense to me!
True, true - there is the fact that the individual file would become possibly available to nasty people at the 'public terminal', but sometimes you gotta do what you gotta do to get data to people, but we are willing to risk that, what we don't want to risk (or minimise as much as possible whilst still allowing access) is access to all the other data which still resides on the (hopefully) "secure file server".

We need to be able to receive and publish files for specific users.

Thanks

Darren

(in reply to spouseele)
Post #: 20
