
TNC-0083 FTP rules in CyberArmor
Posted by ernest on November 18, 2008, 08:28:47 PM
Use of this document and web site are governed by the Terms and Conditions of Use for InfoExpress's web site.

DATE:   November 18th, 2008
UPDATED:   ---
REVIEWED:   ---

APPLICABILITY: CyberArmor v1.1 and up 

SUMMARY

At times questions arise regarding CyberArmor's handling of active and passive FTP traffic. This technote explains the types of FTP rules supported in CyberArmor and what support CyberArmor provides for FTP traffic.

DESCRIPTION

FTP sessions differ from most other TCP traffic in that two TCP connections are generally involved. One is the control connection, used to authenticate the client to the server, send commands, etc. This control connection remains open as long as data is being transferred. The second is the data connection, used for transmitting the file data, directory listings, etc.

In active FTP the client opens the control connection from an available port above 1024 to port 21 on the server. To transfer data the server then opens the data connection from its port 20 to an available port above 1024 on the client. The client tells the server which port it has allocated by sending a PORT command.

In passive FTP the client opens the control connection from an available port above 1024 to port 21 on the server (same as in active FTP). To transfer data the client first sends the PASV command to the server. The server then starts listening on an available port and sends this port to the client in a 227 reply (similar to PORT but in the opposite direction). The client then connects to this port and the data is transferred.

CyberArmor supports three FTP rules:
Allow FTP
Allow ActiveFTP
Allow PassiveFTP
The first allows both active and passive FTP and is equivalent to having Allow ActiveFTP followed by Allow PassiveFTP.
With these rules CyberArmor tracks the PORT commands and/or 227 replies on the control connection and dynamically adds rules to allow the corresponding data connection.
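The following is an added example, not CyberArmor code, showing the kind of control-channel tracking the Allow FTP rules perform: it replays a constructed control session, decodes each PORT command and 227 reply, and lists the data connection that a stateful rule would then have to permit (the transcript, addresses and function names are assumptions for illustration). It also skips an announced endpoint that does not belong to the control-connection peer, since opening a pinhole for a third host would not be the session's own data connection.

```python
import re

# Constructed control-channel transcript ("C:" = client, "S:" = server); not a real capture.
SESSION = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@example.org
S: 230 Login successful.
C: PORT 192,168,1,10,4,1
S: 200 PORT command successful.
C: LIST
C: PASV
S: 227 Entering Passive Mode (203,0,113,5,195,80).
C: RETR file.txt
C: QUIT
"""

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (host, port); None if malformed."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        return None
    host = ".".join(str(v) for v in vals[:4])
    return host, vals[4] * 256 + vals[5]

def expected_data_connections(session, client_ip, server_ip):
    """Replay the control channel and return the data connections a stateful FTP
    rule would add, as (mode, (src_ip, src_port), (dst_ip, dst_port)) tuples."""
    allowed = []
    for line in session.splitlines():
        who, _, text = line.partition(": ")
        if who == "C" and (m := PORT_RE.match(text)):
            ep = _decode(m.groups())
            if ep and ep[0] == client_ip:
                # Active mode: server dials out from port 20 to the client's announced port.
                allowed.append(("active", (server_ip, 20), ep))
        elif who == "S" and (m := PASV_RE.match(text)):
            ep = _decode(m.groups())
            if ep and ep[0] == server_ip:
                # Passive mode: client dials from an ephemeral port (None) to the server's port.
                allowed.append(("passive", (client_ip, None), ep))
    return allowed

if __name__ == "__main__":
    for mode, src, dst in expected_data_connections(SESSION, "192.168.1.10", "203.0.113.5"):
        print(f"{mode:7} {src} -> {dst}")
```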

It should also be noted that Allow FTP rules should not be mixed with or replaced by rules such as Allow TCP REM 20-21. If such a rule is ahead of the Allow FTP rule, it allows the control connection itself and thus robs the FTP rule of its visibility of the PORT commands and/or 227 replies, so the corresponding data connection is never permitted.
