Firewall Wizards mailing list archives

Active to Passive FTP translator?


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 25 Nov 2002 15:33:27 +0200

Hi,

Following on from the recent discussions on hacks to stateful FTP firewalls
resulting in unexpected/unauthorised ports being opened, I was wondering
what the best architecture was to allow clients to connect to Active-only
FTP servers.

I think Paul was mentioning the disparity between client security (only
allow Passive connections out) and server security (only allow Active
responses from your FTP server back to the net), and I was wondering if
there was a reasonably happy medium.

The scenario is as follows:

FTP client on the internal network, being proxied before getting out to the
Internet, talking to a strictly Active FTP server.

Does one:

a) put the proxy on the Internal network, 

b) put the proxy in the DMZ,


a) has the downside that potentially malicious servers could fool the
firewall (Firewall-1 in my case) into allowing the malicious FTP server to
connect to arbitrary high ports on the proxy server, possibly translating
into unrestricted access to the internal network.

b) has the downside of a), but the benefit that the attacker would only have
access to the DMZ, rather than the internal network. Nonetheless, if the
proxy allows Active FTP from the internal network, an attacker on the proxy
could potentially get back to the internal network by repeating his attack
from the proxy server this time.


I also thought of an option c):


c) invent/discover an FTP proxy that translates client PASV requests into
server Active requests.

This has all the benefits of b), plus it does not allow an attack on the
proxy to repeat through to the internal network. Does such a beast exist?
Are there any fundamental problems with the approach that I'm not seeing? As
I see it, the proxy would simply wait for the server to make an incoming
connection, the client to make an incoming connection, and tie the two
together. That should also work for uploads, I think?

Comments?

Rogan
-- 
In God we Trust -- all others must submit an X.509 certificate.
     -- Charles Forsythe <forsythe () alum mit edu>
--
Deloitte & Touche Security Services Group
Tel: +27(11)806-6216     Fax: +27(11)806-5202     Cell: +27(82)784-9498
--
NOTE: This e-mail message and its attachments are subject to the disclaimers
      as published at: http://www.deloitte.co.za/disc.htm#emaildisc

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
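The PASV-to-active translation described in option c), as an added example that is not part of the post or of any particular proxy product: the two wire messages the proxy would emit for one data transfer, plus the endpoint check a proxy (or stateful firewall) should apply before honouring an advertised data address. All addresses, ports and sample lines are constructed.

```python
import re
from ipaddress import ip_address

# RFC 959 host/port tuple as carried by PORT commands and 227 replies.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Extract (ip, port) from a PORT command or a 227 reply line."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def format_hostport(ip, port):
    """Encode (ip, port) in the h1,h2,h3,h4,p1,p2 form."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def data_endpoint_ok(control_peer_ip, ip, port):
    """The check that stops a peer steering the data channel elsewhere: the
    advertised address must equal the control connection's peer and the port
    must be unprivileged. Skipping this is what lets a malicious server open
    'unexpected' ports through a stateful FTP firewall."""
    return ip_address(ip) == ip_address(control_peer_ip) and 1024 <= port <= 65535


def translate_pasv(client_side_ip, client_listener_port, server_side_ip, server_listener_port):
    """Option c): answer the client's PASV with a listener the proxy owns, and
    tell the active-only server via PORT to connect to a second proxy listener.
    The proxy then accepts both inbound data connections and relays between
    them, so no connection ever originates from the outside toward the client.
    Returns (reply_to_client, command_to_server)."""
    reply = "227 Entering Passive Mode (%s)." % format_hostport(client_side_ip, client_listener_port)
    command = "PORT %s" % format_hostport(server_side_ip, server_listener_port)
    return reply, command


# Constructed sample lines (hypothetical values): a normal 227 reply, and a PORT
# command that tries to aim the data channel at a privileged port.
SAMPLE_227 = "227 Entering Passive Mode (192,0,2,10,195,80)."
SAMPLE_BAD_PORT = "PORT 192,0,2,10,0,22"

if __name__ == "__main__":
    print(parse_hostport(SAMPLE_227))
    print(data_endpoint_ok("192.0.2.10", *parse_hostport(SAMPLE_BAD_PORT)))
    print(translate_pasv("10.0.0.1", 40000, "203.0.113.5", 41000))
```

In a real proxy the two listener ports come from sockets bound to port 0, and the same check is applied to the peer address of each accepted data connection, not only to the advertised tuple.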