13-9
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
FTP Inspection
•
Tracks the FTP command-response sequence
•
Generates an audit trail
•
Translates the embedded IP address
FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels
are negotiated through PORT or PASV commands. The channels are allocated in response to a file
upload, a file download, or a directory listing event.
Note
If you disable FTP inspection engines with the
no inspect ftp
command, outbound users can start
connections only in passive mode, and all inbound FTP is disabled.
Strict FTP
Strict FTP increases the security of protected networks by preventing web browsers from sending
embedded commands in FTP requests. To enable strict FTP, include the
strict
option with the
inspect
ftp
command.
When you use strict FTP, you can optionally specify an FTP inspection policy map to specify FTP
commands that are not permitted to pass through the ASA.
After you enable the
strict
option on an interface, FTP inspection enforces the following behavior:
•
An FTP command must be acknowledged before the ASA allows a new command.
•
The ASA drops connections that send embedded commands.
•
The 227 and PORT commands are checked to ensure they do not appear in an error string.
Caution
Using the
strict
option may cause the failure of FTP clients that are not strictly compliant with FTP
RFCs.
If the
strict
option is enabled, each FTP command and response sequence is tracked for the following
anomalous activity:
•
Truncated command—Number of commas in the PORT and PASV reply command is checked to see
if it is five. If it is not five, then the PORT command is assumed to be truncated and the TCP
connection is closed.
•
Incorrect command—Checks the FTP command to see if it ends with <CR><LF> characters, as
required by the RFC. If it does not, the connection is closed.
•
Size of RETR and STOR commands—These are checked against a fixed constant. If the size is
greater, then an error message is logged and the connection is closed.
•
Command spoofing—The PORT command should always be sent from the client. The TCP
connection is denied if a PORT command is sent from the server.
•
Reply spoofing—PASV reply command (227) should always be sent from the server. The TCP
connection is denied if a PASV reply command is sent from the client. This prevents the security
hole when the user executes “227 xxxxx a1, a2, a3, a4, p1, p2.”
•
TCP stream editing—The ASA closes the connection if it detects TCP stream editing.
•
Invalid port negotiation—The negotiated dynamic port value is checked to see if it is less than 1024.
As port numbers in the range from 1 to 1024 are reserved for well-known connections, if the
negotiated port falls in this range, then the TCP connection is freed.
Summary of Contents for ASA 5508-X
Page 11: ...P A R T 1 Access Control ...
Page 12: ......
Page 157: ...P A R T 2 Network Address Translation ...
Page 158: ......
Page 233: ...P A R T 3 Service Policies and Application Inspection ...
Page 234: ......
Page 379: ...P A R T 4 Connection Management and Threat Detection ...
Page 380: ......