Firewall Wizards mailing list archives
Active to Passive FTP translator?
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 25 Nov 2002 15:33:27 +0200
Hi,

Following on from the recent discussions on hacks to stateful FTP firewalls resulting in unexpected/unauthorised ports being opened, I was wondering what the best architecture was to allow clients to connect to Active-only FTP servers. I think Paul was mentioning the disparity between client security (only allow Passive connections out) and server security (only allow Active responses from your FTP server back to the net), and I was wondering if there was a reasonably happy medium.

The scenario is as follows: FTP client on the internal network, being proxied before getting out to the Internet, talking to a strictly Active FTP server.

Does one:
a) put the proxy on the Internal network,
b) put the proxy in the DMZ,

a) has the downside that potentially malicious servers could fool the firewall (Firewall-1 in my case) into allowing the malicious FTP server to connect to arbitrary high ports on the proxy server, possibly translating into unrestricted access to the internal network.
b) has the downside of a), but the benefit that the attacker would only have access to the DMZ, rather than the internal network. Nonetheless, if the proxy allows Active FTP from the internal network, an attacker on the proxy could potentially get back to the internal network by repeating his attack from the proxy server this time.

I also thought of an option c):
c) invent/discover an FTP proxy that translates client PASV requests into server Active requests. This has all the benefits of b), plus it does not allow an attack on the proxy to repeat through to the internal network.

Does such a beast exist? Are there any fundamental problems with the approach that I'm not seeing? As I see it, the proxy would simply wait for the server to make an incoming connection, the client to make an incoming connection, and tie the two together. That should also work for uploads, I think?

Comments?

Rogan

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe () alum mit edu>

--
Deloitte & Touche Security Services Group
Tel: +27(11)806-6216  Fax: +27(11)806-5202  Cell: +27(82)784-9498

NOTE: This e-mail message and its attachments are subject to the disclaimers as published at: http://www.deloitte.co.za/disc.htm#emaildisc
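The control-channel rewriting that option c) would need, written out as an added example for this archive page (it is not code from the thread, from Firewall-1, or from any shipping FTP proxy). The client only ever speaks PASV to the proxy; the proxy answers the 227 itself and issues a PORT to the server pointing at its own server-side listener, so the two data connections both arrive at the proxy and can be tied together. The check_data_endpoint helper is the consistency test a stateful inspector or proxy would apply to an advertised h1,h2,h3,h4,p1,p2 tuple before opening anything, which is the weakness the thread opened with. The class name, the two listener endpoints and the 425/502 handling are assumptions; socket accept/splice plumbing is left out so the functions run offline.

```python
# PASV-to-PORT translation for an FTP control-channel proxy (added example).
# Pure message handling: the listeners named in client_ep/server_ep are assumed
# to be allocated and accepted on elsewhere.
import re

_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_REPLY = re.compile(r"^227\b.*?(?<!\d)" + _HP)
_PORT_CMD = re.compile(r"^PORT\s+" + _HP + r"\s*$", re.IGNORECASE)


def decode_hostport(groups):
    """RFC 959 h1,h2,h3,h4,p1,p2 fields -> (dotted ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("h/p field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """(dotted ip, port) -> 'h1,h2,h3,h4,p1,p2' for a 227 reply or PORT command."""
    if not 0 < port < 65536:
        raise ValueError("bad port")
    octets = ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_pasv_reply(line):
    m = _PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply")
    return decode_hostport(m.groups())


def parse_port_command(line):
    m = _PORT_CMD.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    return decode_hostport(m.groups())


def check_data_endpoint(ip, port, control_peer_ip):
    """Sanity check before opening a data-channel hole for an advertised
    endpoint: it must be the control-connection peer and an unprivileged port.
    Returns a list of problems (empty means acceptable)."""
    problems = []
    if ip != control_peer_ip:
        problems.append("address %s differs from control peer %s" % (ip, control_peer_ip))
    if port < 1024:
        problems.append("privileged port %d" % port)
    return problems


class PasvToPortTranslator:
    """One control session. client_ep: where the proxy listens for the client's
    passive data connection. server_ep: where the proxy listens for the server's
    active data connection. Both are (ip, port) tuples (assumed names)."""

    def __init__(self, client_ep, server_ep):
        self.client_ep = client_ep
        self.server_ep = server_ep
        self.port_ack_pending = 0  # PORT replies from the server we must swallow

    def on_client_line(self, line):
        """Return (reply_to_client, line_to_server); either may be None."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb == "PASV":
            # Answer the client ourselves and tell the server to connect to us.
            reply = "227 Entering Passive Mode (%s)" % encode_hostport(*self.client_ep)
            self.port_ack_pending += 1
            return reply, "PORT %s" % encode_hostport(*self.server_ep)
        if verb in ("PORT", "EPRT"):
            # Policy from the post: inside hosts get passive only. Refuse.
            return "502 Active mode is not permitted through this proxy", None
        return None, line  # everything else is relayed untouched

    def on_server_line(self, line):
        """Return the reply to relay to the client, or None to swallow it."""
        if self.port_ack_pending:
            # This is the server's answer to a PORT the client never sent.
            self.port_ack_pending -= 1
            return None if line.startswith("2") else "425 Can't open data connection"
        if line.startswith("227"):
            # A passive endpoint we never asked for; relaying it would make the
            # client open a connection to an attacker-chosen address and port.
            return None
        return line
```

With this split the only inbound data connection the firewall has to permit is the server's active connection to the proxy's server_ep, and the only outbound one from the internal network is the client's connection to client_ep, so neither side ever needs the firewall to trust an address and port parsed out of the other side's traffic.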
Current thread:
- Active to Passive FTP translator? Dawes, Rogan (ZA - Johannesburg) (Nov 25)
- Re: Active to Passive FTP translator? Mikael Olsson (Nov 25)
- Re: Active to Passive FTP translator? Magosányi Árpád (Nov 25)
- <Possible follow-ups>
- RE: Active to Passive FTP translator? Scott, Richard (Nov 26)
- Re: Active to Passive FTP translator? David Pick (Nov 26)
- Re: Active to Passive FTP translator? Mikael Olsson (Nov 26)
- Re: Active to Passive FTP translator? Mikael Olsson (Nov 27)