The PIX Security Appliance supports application inspection for a
large number of protocols, including FTP. FTP applications require special
handling by the PIX application inspection function. FTP applications embed
data channel port information in the control channel traffic. The FTP
inspection function monitors the control channel, identifies the data port
assignment, and permits data exchange on the data port for the duration of the
specific session. In the example in Figure , the FTP client is shown opening a
control channel between itself and the FTP server. When data is to be
exchanged, the FTP client alerts the FTP server through the control channel
that it expects the data to be delivered back from the FTP server's data port
(port 20) to a different client port. If FTP inspection is not enabled, the
return data from the FTP server's data port is blocked by the PIX. With FTP
inspection enabled, however, the PIX inspects the FTP control channel,
recognizes that the data channel will be established to the new FTP client
port, and temporarily creates an opening for the data channel traffic for the
life of the session. By
default, the PIX inspects port 21 connections for FTP traffic. The FTP
application inspection inspects the FTP sessions and performs the following
four tasks:
- Prepares dynamic secondary data connections
- Tracks the FTP command-response sequence
- Generates an audit trail
- NATs embedded IP addresses
If the inspect ftp strict option is enabled, each FTP command and response
sequence is tracked for anomalous activity, as shown in Figure .
Administrators can further enhance inspection of FTP traffic, to improve
security and to control the service passing through the PIX, by filtering FTP
request commands.
Active Mode FTP Inspection
Active mode FTP
uses two channels for communications. When a client starts an FTP connection,
it opens a TCP channel from one of its high-order ports to port 21 on the
server. This is referred to as the command channel. When the client requests
data from the server, it tells the server to send the data to a given
high-order port. The server acknowledges the request and initiates a connection
from its own port 20 to the high-order port that the client requested. This is
referred to as the data channel.
Because the server initiates the
connection to the requested port on the client, it was difficult in the past to
have firewalls allow this data channel to the client without permanently
opening port 20 connections from outside servers to inside clients for outbound
FTP connections. This created a potential vulnerability by exposing clients on
the inside of the firewall. Protocol inspections have resolved this
problem.
For FTP traffic, the PIX Security Appliance behaves in the manner shown in
Figure .
Passive Mode FTP Inspection
Passive mode FTP (PFTP) also uses two channels for communications. The command
channel works the same as in an active mode FTP connection, but the data
channel setup works differently. When the client requests data from the
server, it asks the server if it accepts PFTP connections. If the server
accepts PFTP connections, it sends the client a high-order port number to use
for the data channel. The client then initiates the data connection from its
own high-order port to the port that the server sent.
Because the client initiates both the command and data connections,
early firewalls could easily support outbound connections without exposing
inside clients to attack. Inbound connections, however, proved more of a
challenge. The FTP inspection protocol resolved this issue.
For PFTP traffic, the PIX Security Appliance behaves in the manner shown in
Figure .
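The following Python model is an added example, not PIX code, that ties together the four inspection tasks listed above with the active and passive mode descriptions: it reads the control channel line by line, learns the data-channel endpoint from a client PORT command (active mode) or a server 227 reply (passive mode), records the temporary pinhole the firewall would open, tracks the command/response sequence the way the strict option describes, keeps an audit trail, and applies a request-command deny list. The addresses, the session transcript and the deny list (SITE) are constructed for the demonstration; the strict-mode checks that a PORT address must be the client's own and a 227 address must be the server's own are a reasonable reading of "tracked for anomalous activity", not a statement of exactly what the PIX checks.

```python
"""Model of stateful FTP control-channel inspection (added example, not PIX code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(fields):
    """Turn the six comma-separated FTP address fields into (ip, port)."""
    a, b, c, d, hi, lo = (int(x) for x in fields)
    return f"{a}.{b}.{c}.{d}", hi * 256 + lo


@dataclass
class Pinhole:
    """A temporary data-channel opening; src_port None means any high-order port."""
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int


@dataclass
class FtpInspector:
    client_ip: str
    server_ip: str
    strict: bool = True
    denied_commands: frozenset = frozenset()   # constructed policy, not a PIX default
    pending: Optional[str] = None              # command still waiting for its reply
    seen_greeting: bool = False
    pinholes: List[Pinhole] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def client_to_server(self, line: str) -> bool:
        """Inspect one command line from the client; True means it may pass."""
        verb = line.split(" ", 1)[0].upper()
        if verb in self.denied_commands:
            return self._drop(f"denied request command {verb}")
        if self.strict and self.pending is not None:
            return self._drop(f"{verb} sent before reply to {self.pending}")
        m = PORT_RE.match(line)
        if m:
            ip, port = _decode(m.groups())
            # Active mode: the server will connect from its port 20 to the port
            # the client advertised. Only open that if the address is the client's.
            if self.strict and ip != self.client_ip:
                return self._drop(f"PORT address {ip} is not the client")
            self.pinholes.append(Pinhole(self.server_ip, 20, ip, port))
        self.pending = verb
        self.audit.append(f"CMD {verb}")
        return True

    def server_to_client(self, line: str) -> bool:
        """Inspect one reply line from the server; True means it may pass."""
        if self.strict and self.seen_greeting and self.pending is None:
            return self._drop(f"reply {line[:3]} with no command pending")
        self.seen_greeting = True                # the 220 banner precedes any command
        m = PASV_RE.match(line)
        if m:
            ip, port = _decode(m.groups())
            # Passive mode: the client will connect from a high-order port to the
            # port the server advertised. Only open that if the address is the server's.
            if self.strict and ip != self.server_ip:
                return self._drop(f"227 address {ip} is not the server")
            self.pinholes.append(Pinhole(self.client_ip, None, ip, port))
        self.audit.append(f"RSP {line[:3]} to {self.pending}")
        if len(line) < 4 or line[3] != "-":      # "ddd-" is a multi-line continuation
            self.pending = None
        return True

    def _drop(self, reason: str) -> bool:
        self.audit.append(f"DROP {reason}")
        return False


def demo_session():
    """Constructed control-channel exchange; all addresses are made up."""
    insp = FtpInspector("10.1.1.5", "198.51.100.7", denied_commands=frozenset({"SITE"}))
    verdicts = [
        insp.server_to_client("220 FTP service ready"),
        insp.client_to_server("USER anonymous"),
        insp.server_to_client("331 Password required"),
        insp.client_to_server("PASS guest"),
        insp.server_to_client("230 Logged in"),
        insp.client_to_server("PORT 10,1,1,5,4,1"),            # active: client port 1025
        insp.server_to_client("200 PORT command successful"),
        insp.client_to_server("PASV"),
        insp.server_to_client("227 Entering Passive Mode (198,51,100,7,195,80)"),
        insp.client_to_server("PORT 192,168,0,9,4,1"),          # not the client's address
        insp.client_to_server("SITE HELP"),                     # on the deny list
        insp.server_to_client("150 Opening data connection"),   # no command pending
    ]
    return insp, verdicts


if __name__ == "__main__":
    inspector, _ = demo_session()
    print("\n".join(inspector.audit))
    for hole in inspector.pinholes:
        print(hole)
```

Running the demo yields two pinholes, one for each mode: server 198.51.100.7:20 to client 10.1.1.5:1025 for the active transfer, and client 10.1.1.5 (any high-order port) to server 198.51.100.7:50000 for the passive one. The last three lines of the constructed session are dropped and logged, which is the point of combining sequence tracking with command filtering: a data channel is only ever opened to the endpoint the legitimate peer named on the control channel, and nothing else crosses the firewall.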