The Ftp Alg - D-Link NetDefend DFL-210 User Manual

6.2.3. The FTP ALG

For example, the entry *.some_domain.com will block all pages whose URLs end with
some_domain.com.
If we want to now explicitly allow one particular page then this can be done with an entry in the
whitelist of the form my_page.my_company.com and the blacklist will not prevent this page from
being reachable since the whitelist has precedence.
Deploying an HTTP ALG
As mentioned in the introduction, the HTTP ALG object is brought into use by first associating it
with a service object and then associating that service object with an IP rule in the IP rule set. A
number of predefined HTTP services could be used with the ALG. For example, the http service
might be selected for this purpose. As long as the associated service is associated with an IP rule
then the ALG will be applied to traffic targeted by that IP rule.
The https service (which is also included in the http-all service) cannot be used with an HTTP
ALG since HTTPS traffic is encrypted.
6.2.3. The FTP ALG
File Transfer Protocol (FTP) is a TCP/IP-based protocol for exchanging files between a client and a
server. The client initiates the connection by connecting to the FTP server. Normally the client
needs to authenticate itself by providing a predefined login and password. After granting access, the
server will provide the client with a file/directory listing from which it can download/upload files
(depending on access rights). The FTP ALG is used to manage FTP connections through the
NetDefend Firewall.
FTP Connections
FTP uses two communication channels, one for control commands and one for the actual files being
transferred. When an FTP session is opened, the FTP client establishes a TCP connection (the
control channel) to port 21 (by default) on the FTP server. What happens after this point depends on
the FTP mode being used.
Connection Modes
FTP operates in two modes: active and passive. These determine the role of the server when opening
data channels between client and server.
In active mode, the FTP client sends a command to the FTP server indicating what IP address and
port the server should connect to. The FTP server establishes the data channel back to the FTP client
using the received address information.
In passive mode, the data channel is opened by the FTP client to the FTP server, just like the
command channel. This is the often recommended default mode for FTP clients though some advice
may recommend the opposite.
FTP Security Issues
Both active and passive modes of FTP operation present problems for NetDefend Firewalls.
Consider a scenario where an FTP client on the internal network connects through the firewall to an
FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP
client to port 21 on the FTP server.
When active mode is used, NetDefendOS doesn't know that the FTP server will establish a new
connection back to the FTP client. Therefore, the incoming connection for the data channel will be
dropped. As the port number used for the data channel is dynamic, the only way to solve this is to
211
Chapter 6. Security Mechanisms