Security Basics mailing list archives
RE: FTP Proxy
From: Fernando Gont <fernando () gont com ar>
Date: Tue, 03 Feb 2004 02:17:43 -0300
At 10:33 30/01/2004 -0800, David Gillett wrote:
> Again, if I have a stateful firewall with FTP awareness, properly configured, I don't care whether the clients are active or passive.
I agree with that. [....]
> The vast majority of users haven't a clue what's legitimately on their box, let alone what bits of malware/spyware/etc have surreptitiously installed themselves. You *have* to do egress filtering for your local network to be a good citizen of the Internet. And allowing PASV mode means you can't do that with a simple packet filter. If I disallow PASV mode, I can at least limit the inbound data connections to servers sourcing from port 20, which is admittedly a hole, but will suffice against most script kiddies, etc. It's (IMHO) a much smaller hole than allowing arbitrary internally-originated streams out.
I'd probably disagree with this statement. You'd keep the script-kiddies out, but would let the clever guys in!
> If I'm going to offer a publicly-accessible FTP server, I really want to put it behind a stateful firewall with FTP awareness, so I don't care whether clients are active or passive. My firewall will see the PORT commands and do the Right Thing. If I can't properly firewall it, my choices are to either block PASV access, or hope the server software allows us to configure some restrictions on the data ports and duke it out with the server admin to enact them.
If you're going to host the FTP *server*, then if it's going to be publicly-accessible, you'll have to support both passive and active transfers.
> But if you can't do that, PASV mode is not *automatically* the best compromise available. My hot button isn't really about PASV per se, but about the too-frequent knee-jerk suggestion that it is the answer to every FTP network security question.
Wasn't it Einstein that said "Complex problems usually have simple, wrong answers"? :-)
--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
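The FTP-aware firewall behaviour both posters rely on (watch the control channel for a PORT command or a 227 PASV reply, then allow only the single data connection it announces) comes down to parsing those two lines. The following is an added Python example, not code from the thread or from any firewall product; the client/server addresses are constructed, and the checks that the advertised host must equal the control-connection peer and that the port must be unprivileged are my own policy assumptions.

```python
import re
from ipaddress import IPv4Address

# RFC 959 encodes an endpoint as h1,h2,h3,h4,p1,p2 in both the client's
# "PORT ..." command and the server's "227 Entering Passive Mode (...)" reply.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(field: str) -> tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(p) for p in field.split(",")]
    if any(p > 255 for p in parts):
        raise ValueError(f"octet out of range in {field!r}")
    host = str(IPv4Address(".".join(str(p) for p in parts[:4])))
    return host, parts[4] * 256 + parts[5]


def expected_data_connection(line: str, client_ip: str, server_ip: str):
    """Return (mode, src_ip, dst_ip, dst_port) for the data connection this
    control-channel line announces, or None if the line announces nothing.
    Raises ValueError when the advertised endpoint is not the peer that sent
    the line, or the port is privileged (both are assumed firewall policy)."""
    m = PORT_RE.match(line)
    if m:
        host, port = decode_hostport(m.group(1))
        if host != client_ip:
            raise ValueError(f"PORT advertises {host}, control peer is {client_ip}")
        mode, src, dst = "active", server_ip, client_ip   # server connects to client
    else:
        m = PASV_RE.match(line)
        if not m:
            return None                                   # not a data-channel line
        host, port = decode_hostport(m.group(1))
        if host != server_ip:
            raise ValueError(f"PASV advertises {host}, control peer is {server_ip}")
        mode, src, dst = "passive", client_ip, server_ip  # client connects to server
    if port <= 1023:
        raise ValueError(f"data port {port} is privileged")
    return mode, src, dst, port


if __name__ == "__main__":
    # Constructed control-channel lines: client 192.168.1.10, server 203.0.113.5.
    for l in ("PORT 192,168,1,10,4,1",
              "227 Entering Passive Mode (203,0,113,5,195,80).",
              "USER anonymous"):
        print(l, "->", expected_data_connection(l, "192.168.1.10", "203.0.113.5"))
```

The returned tuple is exactly the pinhole a stateful filter would open and then close once the data transfer ends; a plain packet filter with no view of the control channel has no way to derive it, which is the gap the thread is arguing about.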