Firewall Wizards mailing list archives

Re: PASSV (passive mode) FTP through routers/firewalls


From: Leonard Miyata <leonard () geminisecure com>
Date: Wed, 16 Jun 1999 11:59:47 -0700 (PDT)

As far as the Client side is concerned, the vulnerability of high
port probing can be reduced through the use of a Proxy Application
(such as SQUID) running on a bastion host in the DMZ. SQUID supports
FTP GET from the common browsers (IE3, IE4 and Netscape Navigator 4.X)
The screend routers would be set so that the inside can only talk to
the bastion host, and only the bastion host can go out to the Internet.
As far as exposure is concerned, only the bastion host is visible and
exposed to probes.

Vulnerabilities to the SUN FTP Server I will leave to people with more
experience in the subject....

Personal Opinions Provided by
Leonard Miyata
aka leonard () geminisecure com
Gemini Computers Inc.

On Wed, 16 Jun 1999, Riley, Larry wrote:

I have a question about allowing PASSV (passive mode) FTP through
routers/firewalls.

We have a client who needs to be able to retrieve files via FTP from our
ftp server.  As of yet, they have been unable to do so, due to the fact that
they only allow PASSV (passive mode) FTP through their router/firewall, and
our server currently refuses permission for passive FTP.

I found some information indicating that in order to enable passive FTP on
our server, we would have to give world write permissions to the
pseudo-device /dev/tcp.  This is apparently an artifact of Solaris

Off the cuff, it strikes me that this permissioning might be a security
concern.  Arguably it is a bit more secure from the customer's point of view
for them to allow only PASSV mode.  Since they only have a router and not a
stateful firewall, they would have to open TCP high ports, which would leave
them vulnerable to TCP high port probing and denial of service attacks on
their internal hosts.

Does anyone have any words of wisdom whether we should enable passive mode
in this situation?

Thanks
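
As an added example (not code from either poster), here is a small parser for the two FTP control-channel lines that decide which high port has to be opened: the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and the client's "PORT h1,h2,h3,h4,p1,p2" command. It computes the dynamic data port and reports whether the data connection comes back in toward the client (active) or goes out from it (passive), which is exactly why a stateless router has to open a high-port range in one direction or the other. The sample lines and addresses are constructed (RFC 5737 documentation ranges), and the two policy findings (advertised address must match the control-connection peer, data port must not be privileged) are this example's assumptions about what a firewall's FTP helper would enforce.

```python
import ipaddress
import re

# Both the 227 reply and the PORT command carry h1,h2,h3,h4,p1,p2 (RFC 959);
# the data port is p1*256 + p2.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)

PRIVILEGED_MAX = 1023  # data ports at or below this point at well-known services


def _decode(groups):
    """Turn the six captured decimal fields into (IPv4Address, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field exceeds 255: %r" % (groups,))
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, (nums[4] << 8) | nums[5]


def parse_pasv_reply(line):
    """Parse a server '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode(m.groups())


def parse_port_command(line):
    """Parse a client 'PORT h1,h2,h3,h4,p1,p2' command."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def data_flow(client_ip, server_ip, control_line):
    """Describe the data connection that a control-channel line announces.

    Returns the connection direction, the port a stateless router would
    have to open, and any policy findings. The findings (address mismatch,
    privileged port) are this example's assumptions about what a firewall
    FTP helper would reject, not something from the list thread.
    """
    client = ipaddress.IPv4Address(client_ip)
    server = ipaddress.IPv4Address(server_ip)
    line = control_line.strip()
    findings = []
    if line.startswith("227"):
        host, port = parse_pasv_reply(line)
        mode, src, dst = "passive", client, host      # client connects out
        if host != server:
            findings.append("PASV address %s is not the server %s" % (host, server))
    elif line.upper().startswith("PORT"):
        host, port = parse_port_command(line)
        mode, src, dst = "active", server, host       # server connects in (from port 20)
        if host != client:
            findings.append("PORT address %s is not the client %s" % (host, client))
    else:
        raise ValueError("neither a PASV reply nor a PORT command: %r" % line)
    if port <= PRIVILEGED_MAX:
        findings.append("data port %d is in the privileged range" % port)
    return {
        "mode": mode,
        "src": str(src),
        "dst": str(dst),
        "dport": port,
        "inbound_to_client": mode == "active",
        "stateless_rule": "allow tcp %s -> %s port %d" % (src, dst, port),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample lines; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
    CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
    for sample in ("227 Entering Passive Mode (192,0,2,10,195,80).",
                   "PORT 198,51,100,7,4,1",
                   "227 Entering Passive Mode (203,0,113,5,0,21)."):
        print(data_flow(CLIENT, SERVER, sample))
```

The third sample shows why a filter should not trust the advertised address blindly: the server side names a third host and a privileged port, so `findings` comes back non-empty and the helper would refuse to open anything. With a stateless router, by contrast, the only way to carry the first two samples is a standing rule for the whole high-port range in the relevant direction, which is the exposure the original question is about.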
