Configure Advanced Protocol Inspection
FTP inspection

The PIX Security Appliance supports application inspection for a large number of protocols, including FTP. FTP applications require special handling by the PIX application inspection function because they embed data channel port information in the control channel traffic. The FTP inspection function monitors the control channel, identifies the data port assignment, and permits data exchange on that port for the duration of the specific session. In the example in the figure, the FTP client is shown opening a control channel between itself and the FTP server. When data is to be exchanged, the FTP client alerts the FTP server through the control channel that it expects the data to be delivered back from the FTP server's data port to a different client port. If FTP inspection is not enabled, the return data from the FTP server's data port is blocked by the PIX. With FTP inspection enabled, however, the PIX inspects the FTP control channel, recognizes that the data channel will be established to the new FTP client port, and temporarily creates an opening for the data channel traffic for the life of the session. By default, the PIX inspects port 21 connections for FTP traffic. The FTP application inspection inspects the FTP sessions and performs the following four tasks:

  • Prepares dynamic secondary data connections
  • Tracks the FTP command-response sequence
  • Generates an audit trail
  • Translates (NATs) embedded IP addresses

If the inspect ftp strict option is enabled, each FTP command and response sequence is tracked for anomalous activity, as shown in the figure.

Administrators can further enhance inspection of FTP traffic, improving security and controlling the service going through the PIX, by filtering FTP request commands.

Active Mode FTP Inspection
Active mode FTP uses two channels for communications. When a client starts an FTP connection, it opens a TCP channel from one of its high-order ports to port 21 on the server. This is referred to as the command channel. When the client requests data from the server, it tells the server to send the data to a given high-order port. The server acknowledges the request and initiates a connection from its own port 20 to the high-order port that the client requested. This is referred to as the data channel.

Because the server initiates the connection to the requested port on the client, it was difficult in the past to have firewalls allow this data channel to the client without permanently opening port 20 connections from outside servers to inside clients for outbound FTP connections. This created a potential vulnerability by exposing clients on the inside of the firewall. Protocol inspection has resolved this problem.

For FTP traffic, the PIX Security Appliance behaves in the manner shown in the figure.

Passive Mode FTP Inspection
Passive mode FTP (PFTP) also uses two channels for communications. The command channel works the same as in an active mode FTP connection, but the data channel setup works differently. When the client requests data from the server, it asks the server whether it accepts PFTP connections. If the server accepts PFTP connections, it sends the client a high-order port number to use for the data channel. The client then initiates the data connection from its own high-order port to the port that the server sent.

Because the client initiates both the command and data connections, early firewalls could easily support outbound connections without exposing inside clients to attack. Inbound connections, however, proved more of a challenge. FTP protocol inspection resolved this issue.

For PFTP traffic, the PIX Security Appliance behaves in the manner shown in the figure.
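As an added illustration of the mechanism described in the FTP inspection, active mode and passive mode sections above (example code written for this page, not code from the original page or from Cisco), the Python below models what an inspector does on the control channel: it parses the PORT command (active mode) and the 227 reply (passive mode), opens a pinhole for the announced data endpoint only once the server confirms it, rewrites the address a NATed inside client embeds in PORT, and in strict mode drops a command sent before the previous reply arrived or a PORT/227 that names an address other than the connection's own endpoints. The addresses, port numbers and the exchange in demo() are constructed; the particular strict checks are this example's own choices modelled on the four tasks listed above, not a statement of the PIX's exact rules.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# h1,h2,h3,h4,p1,p2 tuple shared by the PORT command and the 227 reply; port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 string, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_hostport(ip, port):
    """Inverse of parse_hostport, used when rewriting a NATed PORT argument."""
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


@dataclass(frozen=True)
class Pinhole:
    src_ip: str     # host that will open the data connection
    dst_ip: str     # host that will accept it
    dst_port: int   # data port learned from the control channel


@dataclass
class FtpInspector:
    client_ip: str                        # inside client address
    server_ip: str                        # outside server address
    client_nat_ip: Optional[str] = None   # public address of the client when NAT applies
    strict: bool = True
    pinholes: set = field(default_factory=set)
    pending_port: Optional[tuple] = None  # PORT endpoint not yet confirmed by a 200 reply
    awaiting_reply: bool = False
    log: list = field(default_factory=list)  # audit trail of dropped lines

    def _drop(self, reason):
        self.log.append(f"DROP: {reason}")
        return None

    def client_to_server(self, line):
        """Inspect a client command; return the line to forward (possibly rewritten) or None."""
        if self.strict and self.awaiting_reply:
            return self._drop("new command before the previous reply arrived")
        self.awaiting_reply = True
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        if verb.upper() != "PORT":
            return line
        hp = parse_hostport(arg)
        if hp is None:
            return self._drop("malformed PORT argument")
        ip, port = hp
        if self.strict and ip != self.client_ip:
            return self._drop(f"PORT names {ip}, not the client {self.client_ip}")
        if self.strict and port < 1024:
            return self._drop(f"PORT requests privileged port {port}")
        # NAT the embedded address: the server must connect to the client's public side
        public_ip = self.client_nat_ip or self.client_ip
        self.pending_port = (public_ip, port)
        return f"PORT {format_hostport(public_ip, port)}\r\n"

    def server_to_client(self, line):
        """Inspect a server reply; open a pinhole once a data endpoint is confirmed."""
        code = line[:3]
        if not code.isdigit():
            return self._drop("reply without a numeric code")
        if line[3:4] == "-":
            return line                     # intermediate line of a multi-line reply
        self.awaiting_reply = False
        if code == "200" and self.pending_port:
            ip, port = self.pending_port    # active mode: server port 20 -> client high port
            self.pinholes.add(Pinhole(self.server_ip, ip, port))
            self.pending_port = None
        elif code == "227":                 # passive mode: client -> server high port
            hp = parse_hostport(line)
            if hp is None:
                return self._drop("malformed 227 reply")
            ip, port = hp
            if self.strict and ip != self.server_ip:
                return self._drop(f"227 names {ip}, not the server {self.server_ip}")
            self.pinholes.add(Pinhole(self.client_ip, ip, port))
        return line

    def allows_data_connection(self, src_ip, dst_ip, dst_port):
        """Would a data-channel connection attempt match a temporary opening?"""
        return Pinhole(src_ip, dst_ip, dst_port) in self.pinholes


def demo():
    """Constructed active-mode and passive-mode exchanges for a NATed inside client."""
    insp = FtpInspector(client_ip="10.1.1.5", server_ip="192.0.2.10", client_nat_ip="203.0.113.7")
    insp.client_to_server("USER anonymous\r\n")
    insp.server_to_client("331 Please specify the password.\r\n")
    forwarded = insp.client_to_server("PORT 10,1,1,5,4,1\r\n")          # client port 4*256+1 = 1025
    insp.server_to_client("200 PORT command successful.\r\n")
    active_ok = insp.allows_data_connection("192.0.2.10", "203.0.113.7", 1025)
    insp.client_to_server("PASV\r\n")
    insp.server_to_client("227 Entering Passive Mode (192,0,2,10,195,80).\r\n")  # 195*256+80 = 50000
    passive_ok = insp.allows_data_connection("10.1.1.5", "192.0.2.10", 50000)
    third_party = insp.client_to_server("PORT 192,0,2,99,0,25\r\n")      # names a host other than the client
    return forwarded, active_ok, passive_ok, third_party, insp.log
```

Running demo() shows the NAT rewrite of the embedded address, one pinhole per confirmed data endpoint in each direction, and the strict-mode drop, with the reason recorded in the audit log, of a PORT that names an address other than the inside client.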