Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Using Strict FTP

47-14

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter47 Configuring Inspection of Basic Internet Protocols

FTP Inspection

Note If you disable FTP inspection engines with the no inspect ftp command, outbound users can start

connections only in passive mode, and all inbound FTP is disabled.

Using Strict FTP

Using strict FTP increases the security of protected networks by preventing web browsers from sending

embedded commands in FTP requests. To enable strict FTP, click the Configure button next to FTP on

the Configuration > Firewall > Service Policy Rules > Edit Service Policy Rule > Rule Actions >

Protocol Inspection tab.

After you enable the strict option on an interface, FTP inspection enforces the following behavior:

•An FTP command must be acknowledged before the ASA allows a new command.

•The ASA drops connections that send embedded commands.

•The 227 and PORT commands are checked to ensure they do not appear in an error string.

Caution Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP

RFCs.

If the strict option is enabled, each FTP command and response sequence is tracked for the following

anomalous activity:

•Truncated command—Number of commas in the PORT and PASV reply command is checked to see

if it is five. If it is not five, then the PORT command is assumed to be truncated and the TCP

connection is closed.

•Incorrect command—Checks the FTP command to see if it ends with <CR><LF> characters, as

required by the RFC. If it does not, the connection is closed.

��Size of RETR and STOR commands—These are checked against a fixed constant. If the size is

greater, then an error message is logged and the connection is closed.

•Command spoofing—The PORT command should always be sent from the client. The TCP

connection is denied if a PORT command is sent from the server.

•Reply spoofing—PASV reply command (227) should always be sent from the server. The TCP

connection is denied if a PASV reply command is sent from the client. This prevents the security

hole when the user executes “227 xxxxx a1, a2, a3, a4, p1, p2.”

•TCP stream editing—The ASA closes the connection if it detects TCP stream editing.

•Invalid port negotiation—The negotiated dynamic port value is checked to see if it is less than 1024.

As port numbers in the range from 1 to 1024 are reserved for well-known connections, if the

negotiated port falls in this range, then the TCP connection is freed.

•Command pipelining—The number of characters present after the port numbers in the PORT and

PASV reply command is cross checked with a constant value of 8. If it is more than 8, then the TCP

connection is closed.

•The ASA replaces the FTP server response to the SYST command with a series of Xs. to prevent the

server from revealing its system type to FTP clients. To override this default behavior, use the no

mask-syst-reply command in the FTP map.

Cisco Systems Using Strict FTP