Avaya 3.7 manual Security Gateways and FTP

Establishing security

Active-FTP is beneficial to the FTP server administrator, but detrimental to the client side adman. If the FTP server attempts to make connections to random high ports on the client, these packets would almost certainly be blocked by a firewall on the client side. Passive-FTP is beneficial to the client, but detrimental to the FTP server adman. Even if the client makes both connections to the server, the one random high port would almost certainly be blocked by a firewall on the server side. Typically, administrators running FTP servers will need to make their servers accessible to the greatest number of clients, so they will almost certainly need to support passive-FTP. Applications do not consistently use passive-FTP or active-FTP. Modern FTP clients and Internet browsers support a variety of choices.

There are additional problems when the FTP client and FTP server are located on opposite sides of a NAT gateway. Active-FTP clients attempting to gain access to FTP servers from behind a NAT gateway will fail because the data connection received from the FTP server has no address mapping. For example, FTP server attempts to connect to external address of NAT gateway.

Security Gateways and FTP

Two different approaches are available for supporting FTP within the SG environment. One allows the administrator to individually manage each control/data connection through the firewall (FTP-Ctrl, Active-FTP, Passive-FTP services). The other, recommended, uses the FTP-Proxy service.

The first approach allows the administrator to restrict the direction, inbound/outbound, and types of allowed FTP traffic, but does have the potential to expose a large number of ports behind the firewall to outside snooping. An example of a fairly safe configuration would be that of allowing FTP clients on the private zone network to perform passive-FTP. For example, two outbound firewall permit rules, one for FTP-Ctrl and the other for Passive-FTP. Both control and data connection are initiated from within the protected network. An unsafe configuration would be to allow unprotected, external, FTP servers to initiate Active-FTP connections (one outbound FTP-Ctrl firewall permit rule, and one inbound Active-FTP firewall permit rule); in this case Active-FTP allows the full range of ports within the protected network to be accessed by the outside network.

FTP-Proxy service can be incorporated into a firewall rule to concurrently support both passive/ active-FTP for protected FTP clients or FTP servers. Configuring an FTP-Proxy rule actually creates one firewall rule to allow the initial FTP control connection and a second redirection rule for the FTP control channel. Upon receiving FTP traffic, the proxy intercepts the control channel exchanges and discovers the type of data connection to be established. It then dynamically creates the appropriate firewall pinhole rule to restrict the protected network ports to which a data connection can be established. The firewall pinholes are removed within a short period of time after the data connection. Thus, FTP-Proxy significantly improves network security as compared to the Passive-FTP (protected FTP server) or Active-FTP (protected FTP client) service cases. It is important to remember that the FTP-Proxy service is applied to a specific zone interface. If network address translation or filter rules are applied to other zone interfaces on the SG that are the source or destination of the FTP traffic, these rules can impact the ability of the proxy to function.

168 Avaya VPNmanager Configuration Guide Release 3.7