The Request-Command Deny Command - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Chapter 22
Applying Application Layer Protocol Inspection
FTP Inspection

If the strict option is enabled, each FTP command and response sequence is tracked for the following anomalous activity:

- Truncated command—Number of commas in the PORT and PASV reply command is checked to see if it is five. If it is not five, then the PORT command is assumed to be truncated and the TCP connection is closed.
- Incorrect command—Checks the FTP command to see if it ends with <CR><LF> characters, as required by the RFC. If it does not, the connection is closed.
- Size of RETR and STOR commands—These are checked against a fixed constant. If the size is greater, then an error message is logged and the connection is closed.
- Command spoofing—The PORT command should always be sent from the client. The TCP connection is denied if a PORT command is sent from the server.
- Reply spoofing—The PASV reply command (227) should always be sent from the server. The TCP connection is denied if a PASV reply command is sent from the client. This prevents the security hole when the user executes "227 xxxxx a1, a2, a3, a4, p1, p2."
- TCP stream editing—The FWSM closes the connection if it detects TCP stream editing.
- Invalid port negotiation—The negotiated dynamic port value is checked to see if it is less than 1024. As port numbers in the range from 1 to 1024 are reserved for well-known connections, if the negotiated port falls in this range, then the TCP connection is freed.
- Command pipelining—The number of characters present after the port numbers in the PORT and PASV reply command is cross checked with a constant value of 8. If it is more than 8, then the TCP connection is closed.

The FWSM replaces the FTP server response to the SYST command with a series of Xs to prevent the server from revealing its system type to FTP clients. To override this default behavior, use the no mask-syst-reply command in FTP map configuration mode.

The request-command deny Command

The request-command deny command lets you control which FTP commands the FWSM allows for FTP traffic through the FWSM. This command is available in FTP map configuration mode; therefore, to make use of it, you must create an FTP map and use that map when you enable FTP inspection, per the "Configuring FTP Inspection" section on page 22-32. Table 22-3 lists the FTP commands that you can disallow by using the request-command deny command.

Table 22-3 FTP Map request-command deny Options

request-command deny Option | Purpose
appe | Disallows the command that appends to a file.
cdup | Disallows the command that changes to the parent directory of the current working directory.
dele | Disallows the command that deletes a file on the server.
get  | Disallows the client command for retrieving a file from the server.
help | Disallows the command that provides help information.
mkd  | Disallows the command that makes a directory on the server.
put  | Disallows the client command for sending a file to the server.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
22-31
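The following is an added example, not FWSM code, that models the strict-mode PORT/227 checks described above (comma count, <CR><LF> termination, direction of PORT and 227, ports below 1024, and more than 8 characters after the port numbers) so that a defender can see which message shapes each check rejects. The thresholds are the values stated in the text; the sample messages and the function names strict_check and audit are constructed for this illustration.

```python
import re

# Added illustration of the strict-mode FTP checks described above (not FWSM code);
# the thresholds are the text's stated values, the messages are constructed samples.
WELL_KNOWN_LIMIT = 1024   # negotiated ports below this value are rejected
MAX_TRAILING = 8          # characters permitted after the port numbers
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def strict_check(line: str, from_client: bool) -> str:
    """Return "ok" or the name of the strict-mode check that rejects the line."""
    if from_client and not line.endswith("\r\n"):
        return "incorrect command"          # commands must end with <CR><LF>
    body = line.rstrip("\r\n")
    upper = body.upper()
    if upper.startswith("PORT"):
        if not from_client:
            return "command spoofing"       # PORT is only valid from the client
    elif upper.startswith("227"):
        if from_client:
            return "reply spoofing"         # 227 is only valid from the server
    else:
        return "ok"                         # other commands carry no port data
    if body.count(",") != 5:
        return "truncated command"          # h1,h2,h3,h4,p1,p2 needs five commas
    match = HOSTPORT.search(body)
    if match is None:
        return "truncated command"
    if len(body) - match.end() > MAX_TRAILING:
        return "command pipelining"         # too much data after the port numbers
    p1, p2 = int(match.group(5)), int(match.group(6))
    if p1 * 256 + p2 < WELL_KNOWN_LIMIT:
        return "invalid port negotiation"   # reserved well-known port range
    return "ok"

# Constructed sample exchange: (line, True if sent by the client)
SAMPLE = [
    ("PORT 192,168,1,10,4,1\r\n", True),
    ("227 Entering Passive Mode (10,0,0,5,195,80).\r\n", False),
    ("PORT 192,168,1,10,0,80\r\n", True),
    ("227 Entering Passive Mode (10,0,0,5,195,80).\r\n", True),
]

def audit(exchange=SAMPLE):
    """Run strict_check over an exchange; returns one verdict per message."""
    return [strict_check(line, client) for line, client in exchange]

if __name__ == "__main__":
    for (line, _), verdict in zip(SAMPLE, audit()):
        print(f"{verdict:26} {line.rstrip()}")
```

The RETR/STOR size check and TCP stream editing detection are not modelled, since the text gives no constant or algorithm for them.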
