The existing FTP inspection allows traffic by default and restricts traffic that fails security checks. FTP deep packet inspection enables the administrator to block specific FTP request commands through the PIX Security Appliance, such as renaming a file. When an FTP request command is filtered, the connection is closed. The administrator defines which FTP commands should be blocked with the ftp-map command. The FTP commands that can be blocked are shown in Figure.
FTP Deep Packet Inspection Configuration
Use the following four steps to filter FTP commands.
Step 1 Define which FTP commands to filter in the ftp-map command.
Step 2 Identify a traffic flow in the class-map command.
Step 3 Configure a policy which associates the FTP commands to be filtered, in an FTP map, with the traffic flow identified in a class map.
Step 4 Enable the policy on an interface, or on a global basis.
Use the ftp-map command to define which FTP commands should be blocked. After the administrator enters the ftp-map command and a map name, the system enters the FTP map configuration mode. The deny-request-cmd command enables the administrator to list which FTP request commands should be blocked. In the example in Figure, the inbound_ftp ftp-map was defined. The inbound_ftp ftp-map identifies the commands to be filtered.
In the example in Figure, the inbound_ftp ftp-map identifies six FTP request commands to filter. The class map inbound_ftp_traffic matches traffic defined by access-list 101: FTP traffic between any host and host 192.168.1.11, the FTP server. In the inbound policy map, the FTP command request restrictions defined in the ftp-map inbound_ftp are associated with the inbound_ftp_traffic class of traffic. Lastly, the inbound policy is enabled on the outside interface.