D-Link NetDefend DFL-210 User Manual page 201
Network security firewall
Hide thumbs
Also See for NetDefend DFL-210:
- User manual (495 pages) ,
- Log reference manual (476 pages) ,
- Cli reference manual (213 pages)
Table of Contents
Advertisement
6.2.3. The FTP ALG
When active mode is used, NetDefendOS doesn't know that the FTP server will establish a new
connection back to the FTP client. Therefore, the incoming connection for the data channel will be
dropped. As the port number used for the data channel is dynamic, the only way to solve this is to
allow traffic from all ports on the FTP server to all ports on the FTP client. Obviously, this is not a
good solution.
When passive mode is used, the firewall does not need to allow connections from the FTP server.
On the other hand, NetDefendOS still does not know what port the FTP client tries to use for the
data channel. This means that it has to allow traffic from all ports on the FTP client to all ports on
the FTP server. Although this is not as insecure as in the active mode case, it still presents a
potential security threat. Furthermore, not all FTP clients are capable of using passive mode.
The Solution
The FTP ALG solves this problem by fully reassembling the TCP stream of the command channel
and examining its contents. Thus, the firewall knows what port to be opened for the data channel.
Moreover, the FTP ALG also provides functionality to filter out certain control commands and
provide a basic buffer overrun protection.
The most important feature of the FTP ALG is its unique capability to perform on-the-fly
conversion between active and passive mode. The conversion can be described as follows:
•
The FTP client can be configured to use passive mode, which is the recommended mode for
clients.
•
The FTP server can be configured to use active mode, which is the safer mode for servers.
•
When an FTP session is established, the D-Link Firewall will automatically and transparently
receive the passive data channel from the FTP client and the active data channel from the server,
and tie them together.
This implementation results in both the FTP client and the FTP server working in their most secure
mode. The conversion also works the other way around, that is, with the FTP client using active
mode and the FTP server using passive mode.
Filetype Checking
The FTP ALG offers the same filetype verification for downloaded files that is found in the HTTP
ALG. This consists of two separate options:
•
MIME Type Verification
When enabled, NetDefendOS checks that a download's stated filetype matches the file's
contents. Mismatches result in the download being dropped.
•
Allow/Block Selected Types
If selected in blocking mode, specified filetypes are dropped when downloaded. If selected in
allow mode, only the specified filetypes are allowed as downloads. NetDefendOS also performs
a check to make sure the filetype matches the contents of the file. New filetypes can be added to
the predefined list of types.
The above two options for filetype checking are the same as those available in the HTTP ALG and
are more fully described in Section 6.2.2, "The HTTP ALG".
Anti-Virus Scanning
The NetDefendOS Anti-Virus subsystem can be enabled to scan all FTP downloads searching for
201
Chapter 6. Security Mechanisms
- Quick Links:
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
