Consider a scenario where an FTP client on the internal network connects through the firewall to an
FTP server on the Internet. The IP rule is then configured to allow network traffic from the FTP
client to port 21 on the FTP server.
When active mode is used, NetDefendOS does not know that the FTP server will establish a new
connection back to the FTP client. Therefore, the incoming connection for the data channel will be
dropped. As the port number used for the data channel is dynamic, the only way to solve this is to
allow traffic from all ports on the FTP server to all ports on the FTP client. Obviously, this is not a
good solution.
When passive mode is used, the firewall does not need to allow connections from the FTP server.
On the other hand, NetDefendOS still does not know what port the FTP client will try to use for the
data channel. This means that it has to allow traffic from all ports on the FTP client to all ports on
the FTP server. Although this is not as insecure as in the active mode case, it still presents a
potential security threat. Furthermore, not all FTP clients are capable of using passive mode.
The NetDefendOS ALG Solution
The NetDefendOS FTP ALG deals with these issues by fully reassembling the TCP stream of the
FTP command channel and examining its contents. By doing this, the NetDefendOS knows what
port to open for the data channel. Furthermore, the FTP ALG also provides functionality to filter out
certain control commands and provide buffer overrun protection.
Hybrid Mode
An important feature of the NetDefendOS FTP ALG is its automatic ability to perform on-the-fly
conversion between active and passive mode so that FTP connection modes can be combined.
Passive mode can be used on one side of the firewall while active mode can be used on the other.
This type of FTP ALG usage is sometimes referred to as hybrid mode.
The advantage of hybrid mode can be summarized as follows:
•
The FTP client can be configured to use passive mode, which is the recommended mode for
clients.
•
The FTP server can be configured to use active mode, which is the safer mode for servers.
•
When an FTP session is established, the NetDefend Firewall will automatically and
transparently receive the passive data channel from the FTP client and the active data channel
from the server, and correctly tie them together.
This implementation results in both the FTP client and the FTP server working in their most secure
mode. The conversion also works the other way around, that is, with the FTP client using active
mode and the FTP server using passive mode. The illustration below shows the typical hybrid mode
scenario.
6.2.3. The FTP ALG
Chapter 6. Security Mechanisms
250
Summary of Contents for DFL-1600 - Security Appliance
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27 ...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79 ...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146 ...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227 ...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241 ...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339 ...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360 ...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382 ...
Page 386: ... The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386 ...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439 ...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450 ...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488 ...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503 ...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510 ...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533 ...