equivalent to a large number of possible URLs. The wildcard character "*" can be used to represent
any sequence of characters.
For example, the entry *.some_domain.com will block all pages whose URLs end with
some_domain.com.
If we want to now explicitly allow one particular page then this can be done with an entry in the
whitelist of the form my_page.my_company.com and the blacklist will not prevent this page from
being reachable since the whitelist has precedence.
Deploying an HTTP ALG
As mentioned in the introduction, the HTTP ALG object is brought into use by first associating it
with a service object and then associating that service object with an IP rule in the IP rule set. A
number of predefined HTTP services could be used with the ALG. For example, the http service
might be selected for this purpose. As long as the associated service is associated with an IP rule
then the ALG will be applied to traffic targeted by that IP rule.
The https service (which is also included in the http-all service) cannot be used with an HTTP
ALG since HTTPS traffic is encrypted.
6.2.3. The FTP ALG
File Transfer Protocol (FTP) is a TCP/IP-based protocol for exchanging files between a client and a
server. The client initiates the connection by connecting to the FTP server. Normally the client
needs to authenticate itself by providing a predefined login and password. After granting access, the
server will provide the client with a file/directory listing from which it can download/upload files
(depending on access rights). The FTP ALG is used to manage FTP connections through the
NetDefend Firewall.
FTP Connections
FTP uses two communication channels, one for control commands and one for the actual files being
transferred. When an FTP session is opened, the FTP client establishes a TCP connection (the
control channel) to port 21 (by default) on the FTP server. What happens after this point depends on
the FTP mode being used.
FTP Connection Modes
FTP operates in two modes: active and passive. These determine the role of the server when opening
data channels between client and server.
•
Active Mode
In active mode, the FTP client sends a command to the FTP server indicating what IP address
and port the server should connect to. The FTP server establishes the data channel back to the
FTP client using the received address information.
•
Passive Mode
In passive mode, the data channel is opened by the FTP client to the FTP server, just like the
command channel. This is the often recommended default mode for FTP clients though some
advice may recommend the opposite.
A Discussion of FTP Security Issues
Both active and passive modes of FTP operation present problems for NetDefend Firewalls.
6.2.3. The FTP ALG
Chapter 6. Security Mechanisms
249
Summary of Contents for NetDefend DFL-260E
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382...
Page 386: ...The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533...