Establishing security
168 Avaya VPNmanager Configuration Guide Release 3.7
Active-FTP is beneficial to the FTP server administrator, but detrimental to the client side
admin. If the FTP server attempts to make connections to random high ports on the client,
these packets would almost certainly be blocked by a firewall on the client side. Passive-FTP is
beneficial to the client, but detrimental to the FTP server admin. Even if the client makes both
connections to the server, the one random high port would almost certainly be blocked by a
firewall on the server side. Typically, administrators running FTP servers will need to make their
servers accessible to the greatest number of clients, so they will almost certainly need to
support passive-FTP. Applications do not consistently use passive-FTP or active-FTP. Modern
FTP clients and Internet browsers support a variety of choices.
There are additional problems when the FTP client and FTP server are located on opposite
sides of a NAT gateway. Active-FTP clients attempting to gain access to FTP servers from
behind a NAT gateway will fail because the data connection received from the FTP server has
no address mapping. For example, the FTP server attempts to connect to the external address of the NAT
gateway, where no mapping exists for the client's announced data port.
Security Gateways and FTP
Two different approaches are available for supporting FTP within the SG environment. One
allows the administrator to individually manage each control/data connection through the
firewall (FTP-Ctrl, Active-FTP, Passive-FTP services). The other, which is recommended, uses the
FTP-Proxy service.
The first approach allows the administrator to restrict the direction, inbound/outbound, and
types of allowed FTP traffic, but does have the potential to expose a large number of ports
behind the firewall to outside snooping. An example of a fairly safe configuration would be that
of allowing FTP clients on the private zone network to perform passive-FTP. For example, two
outbound firewall permit rules, one for FTP-Ctrl and the other for Passive-FTP. Both control and
data connection are initiated from within the protected network. An unsafe configuration would
be to allow unprotected, external, FTP servers to initiate Active-FTP connections (one outbound
FTP-Ctrl firewall permit rule, and one inbound Active-FTP firewall permit rule); in this case
Active-FTP allows the full range of ports within the protected network to be accessed by the
outside network.
FTP-Proxy service can be incorporated into a firewall rule to concurrently support both passive/
active-FTP for protected FTP clients or FTP servers. Configuring an FTP-Proxy rule actually
creates one firewall rule to allow the initial FTP control connection and a second redirection rule
for the FTP control channel. Upon receiving FTP traffic, the proxy intercepts the control channel
exchanges and discovers the type of data connection to be established. It then dynamically
creates the appropriate firewall pinhole rule to restrict the protected network ports to which a
data connection can be established. The firewall pinholes are removed within a short period of
time after the data connection. Thus, FTP-Proxy significantly improves network security as
compared to the Passive-FTP (protected FTP server) or Active-FTP (protected FTP client)
service cases. It is important to remember that the FTP-Proxy service is applied to a specific
zone interface. If network address translation or filter rules are applied to other zone interfaces
on the SG that are the source or destination of the FTP traffic, these rules can impact the ability
of the proxy to function.
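The following added example (not Avaya code, and not part of this guide) models the two behaviours described above in one place: the active/passive distinction, in which the PORT and PASV exchanges decide which side opens the data connection and therefore which side's firewall must permit it, and the FTP-Proxy approach, in which the control channel is parsed and a single short-lived pinhole is derived for exactly the announced data endpoint. The control-channel lines, addresses, the 30-second pinhole lifetime and the helper names are constructed assumptions for illustration. As a defensive check the model only opens a pinhole for the host that owns the control connection, so an announcement naming any third host is refused rather than turned into a hole; it also computes how many ports a static inbound Active-FTP permit rule would leave reachable, for comparison with the one port a pinhole exposes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of an FTP control-channel exchange ("C:" client -> server,
# "S:" server -> client). Addresses are documentation ranges, not real hosts.
CLIENT_IP = "10.1.2.3"      # protected (private zone) FTP client, assumed
SERVER_IP = "192.0.2.10"    # external FTP server, assumed
SAMPLE_EXCHANGE = [
    "C: PORT 10,1,2,3,4,1",                                # active: client listens on 10.1.2.3:1025
    "S: 200 PORT command successful",
    "C: RETR a.txt",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80)",     # passive: server listens on 192.0.2.10:50000
    "C: EPSV",
    "S: 229 Entering Extended Passive Mode (|||50001|)",   # passive: same server host, port 50001
    "C: EPRT |1|10.1.2.3|1026|",                           # active: client listens on 10.1.2.3:1026
    "C: PORT 198,51,100,7,4,2",                            # announces a third host: must be refused
]

@dataclass(frozen=True)
class DataEndpoint:
    mode: str             # "active": client listens, server connects; "passive": server listens, client connects
    host: Optional[str]   # None when the control-channel peer address is reused (EPSV)
    port: int

@dataclass(frozen=True)
class Pinhole:
    src_host: str         # side that initiates the data connection
    dst_host: str         # side that accepts it
    dst_port: int
    ttl_seconds: int      # removed shortly after the data connection (lifetime is an assumption)

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPRT_RE = re.compile(r"^EPRT\s+\|[12]\|([^|]+)\|(\d+)\|\s*$")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")

def parse_data_endpoint(line: str) -> Optional[DataEndpoint]:
    """Return the data endpoint announced by one control-channel line, or None."""
    who, _, text = line.partition(": ")
    text = text.strip()
    if who == "C":
        m = PORT_RE.match(text)
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            return DataEndpoint("active", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        m = EPRT_RE.match(text)
        if m:
            return DataEndpoint("active", m.group(1), int(m.group(2)))
    elif who == "S":
        m = PASV_RE.match(text)
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            return DataEndpoint("passive", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
        m = EPSV_RE.match(text)
        if m:
            return DataEndpoint("passive", None, int(m.group(1)))
    return None

def pinhole_for(ep: DataEndpoint, client_ip: str, server_ip: str,
                ttl_seconds: int = 30) -> Optional[Pinhole]:
    """Derive the one narrow rule the proxy needs, or None if the announced host
    is not the control-channel peer (never open holes toward third hosts)."""
    if ep.mode == "active":
        listener, initiator = client_ip, server_ip
    else:
        listener, initiator = server_ip, client_ip
    if ep.host is not None and ep.host != listener:
        return None
    return Pinhole(initiator, listener, ep.port, ttl_seconds)

def derive_pinholes(exchange: List[str], client_ip: str,
                    server_ip: str) -> Tuple[List[Pinhole], List[str]]:
    """Walk the control channel; return (pinholes to open, lines refused)."""
    holes, refused = [], []
    for line in exchange:
        ep = parse_data_endpoint(line)
        if ep is None:
            continue
        hole = pinhole_for(ep, client_ip, server_ip)
        (holes if hole else refused).append(hole if hole else line)
    return holes, refused

def ports_exposed_by_static_active_rule(low: int = 1024, high: int = 65535) -> int:
    """Ports on the protected client reachable from outside under a static
    inbound Active-FTP permit rule, versus one port per proxy pinhole."""
    return high - low + 1

if __name__ == "__main__":
    holes, refused = derive_pinholes(SAMPLE_EXCHANGE, CLIENT_IP, SERVER_IP)
    for h in holes:
        print(f"permit {h.src_host} -> {h.dst_host}:{h.dst_port} for {h.ttl_seconds}s")
    print("refused:", refused)
    print("static Active-FTP rule exposes", ports_exposed_by_static_active_rule(), "ports")
```

Each derived pinhole names one initiator, one listener and one port, which is the restriction the guide attributes to FTP-Proxy; the static comparison shows why an inbound Active-FTP permit rule is the unsafe case. If NAT or filter rules on another zone interface rewrite the addresses seen here, the peer check fails for legitimate traffic, which is the interaction the guide warns about.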