Protecting An Ftp Server With Alg - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

6.2.3. File Transfer Protocol
In active mode, the FTP client sends a command to the FTP server indicating what IP address and port the server should connect to. The FTP server then establishes the data channel back to the FTP client using the received address information.
In passive mode, the data channel is opened by the FTP client to the FTP server, just like the command channel. This is the mode most often recommended as the default for FTP clients, although some advice recommends the opposite.
FTP Security Issues
Both modes of FTP operation present problems for firewalls. Consider a scenario where an FTP client on the internal network connects through the firewall to an FTP server on the Internet. The IP
rule is then configured to allow network traffic from the FTP client to port 21 on the FTP server.
When active mode is used, NetDefendOS is not aware that the FTP server will establish a new connection back to the FTP client. Therefore, the incoming connection for the data channel will be
dropped. As the port number used for the data channel is dynamic, the only way to solve this is to
allow traffic from all ports on the FTP server to all ports on the FTP client. Obviously, this is not a
good solution.
When passive mode is used, the firewall does not need to allow connections from the FTP server.
On the other hand, NetDefendOS still does not know what port the FTP client tries to use for the
data channel. This means that it has to allow traffic from all ports on the FTP client to all ports on
the FTP server. Although this is not as insecure as in the active mode case, it still presents a potential security threat. Furthermore, not all FTP clients are capable of using passive mode.
The Solution
The FTP ALG solves this problem by fully reassembling the TCP stream of the command channel and examining its contents. Thus, the firewall knows exactly which port must be opened for the data channel, and opens only that port. Moreover, the FTP ALG also provides functionality to filter out certain control commands and provides basic buffer overrun protection.
The most important feature of the FTP ALG is its unique capability to perform on-the-fly conversion between active and passive mode. The conversion can be described as follows:
- The FTP client can be configured to use passive mode, which is the recommended mode for clients.
- The FTP server can be configured to use active mode, which is the safer mode for servers.
- When an FTP session is established, the D-Link Firewall will automatically and transparently receive the passive data channel from the FTP client and the active data channel from the server, and tie them together.
This implementation results in both the FTP client and the FTP server working in their most secure
mode. The conversion also works the other way around, that is, with the FTP client using active
mode and the FTP server using passive mode.
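The following is an added example, not code from the manual or from NetDefendOS, that models what the text above describes: an ALG inspects each control-channel line, learns the dynamic data port from a PORT command or a 227 reply, checks that the announced address really is the peer on the control channel, refuses overlong lines (the manual's "basic buffer overrun protection"; the 512-byte limit is an assumption), derives the single pinhole rule the firewall needs instead of "all ports to all ports", and performs the passive-to-active conversion by answering the client's PASV itself and sending its own PORT to the server. All addresses, ports, and the AlgSession/alg_on_client_pasv names are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed limit on a control-channel line; the manual only says the ALG gives
# basic buffer overrun protection and does not state a number.
MAX_CONTROL_LINE = 512

_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HP + r"\s*$", re.IGNORECASE)  # client -> server (active mode)
PASV_RE = re.compile(r"^227\s[^(]*\(" + _HP + r"\)")               # server -> client (passive mode)


@dataclass
class DataChannel:
    host: str   # address the peer is told to connect to
    port: int   # dynamic port learned from the control channel
    mode: str   # "active" (server connects to client) or "passive" (client connects to server)


def decode_hostport(groups, mode):
    """Turn the six h1,h2,h3,h4,p1,p2 values into a DataChannel, rejecting malformed values."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("h/p value out of range")
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        raise ValueError("data channel on a privileged port is not allowed")
    return DataChannel(".".join(str(n) for n in nums[:4]), port, mode)


def encode_hostport(host, port):
    """Inverse of decode_hostport: ('192.168.1.5', 4000) -> '192,168,1,5,15,160'."""
    return f"{host.replace('.', ',')},{port // 256},{port % 256}"


def inspect_control_line(line, expected_host):
    """Examine one reassembled control-channel line the way the ALG does.

    Returns a DataChannel for PORT / 227 lines, None for lines that announce no data
    channel, and raises ValueError for lines the ALG should refuse to pass through.
    """
    line = line.rstrip("\r\n")
    if len(line) > MAX_CONTROL_LINE:
        raise ValueError("control line exceeds limit")
    m = PORT_RE.match(line)
    if m:
        ch = decode_hostport(m.groups(), "active")
    else:
        m = PASV_RE.match(line)
        if not m:
            return None
        ch = decode_hostport(m.groups(), "passive")
    # The announced address must belong to the host that sent the line; otherwise the
    # firewall would be opening a data channel toward some third party.
    if ch.host != expected_host:
        raise ValueError(f"announced {ch.host} but control-channel peer is {expected_host}")
    return ch


def pinhole_rule(channel, client_ip, server_ip):
    """The one (source, destination, destination port) the firewall must permit for this
    data channel, instead of every port to every port as it would have to without the ALG."""
    if channel.mode == "active":
        return (server_ip, client_ip, channel.port)   # server connects back to the client
    return (client_ip, server_ip, channel.port)       # client connects to the server


@dataclass
class AlgSession:
    client_ip: str
    server_ip: str
    fw_client_side_ip: str       # firewall address as seen by the client
    fw_server_side_ip: str       # firewall address as seen by the server
    next_port: int = 40000       # constructed: pool from which the ALG takes its own data ports
    expected: list = field(default_factory=list)


def alg_on_client_pasv(session):
    """The client asked for passive mode. The ALG answers the PASV itself with a port on its
    client-facing side and sends its own PORT to the server, so the server works in active
    mode. Returns (line sent to the server, line returned to the client) and records the
    two data connections the firewall now expects and will tie together."""
    port = session.next_port
    session.next_port += 1
    to_server = f"PORT {encode_hostport(session.fw_server_side_ip, port)}"
    to_client = f"227 Entering Passive Mode ({encode_hostport(session.fw_client_side_ip, port)})."
    session.expected.append((session.client_ip, session.fw_client_side_ip, port))   # passive leg
    session.expected.append((session.server_ip, session.fw_server_side_ip, port))   # active leg
    return to_server, to_client


if __name__ == "__main__":
    # Constructed sample session: internal client, firewall, FTP server on the Internet.
    s = AlgSession("10.0.0.5", "203.0.113.10", "10.0.0.1", "198.51.100.2")
    print(inspect_control_line("PORT 192,168,1,5,15,160", "192.168.1.5"))
    print(alg_on_client_pasv(s), s.expected)
```

Run the module directly to see the PORT decoding and the two control-channel lines the ALG emits for one passive-to-active conversion; the `expected` list is the pair of pinholes the firewall opens, one per leg, in place of a wildcard rule.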
Example 6.2. Protecting an FTP Server with ALG
As shown below, an FTP server is connected to the D-Link Firewall on a DMZ with private IP addresses:
Chapter 6. Security Mechanisms