File Transfer Protocol (FTP) Servers

The File Transfer Protocol (FTP) is an application layer protocol that provides file-sharing capabilities between hosts.

FTP predates TCP/IP: it was first defined on the ARPANET in 1971 (RFC 114, followed by RFC 172, which covers the early design and implementation of FTP). The version of the protocol in use today is specified in RFC 959 (1985).

There are actually two ports associated with FTP: TCP 20 and 21. The client opens a control connection to TCP port 21 on the server, and commands and replies travel over that connection. File contents and directory listings travel over a separate data connection, and how that connection is set up depends on the transfer mode. In active mode the client sends a PORT command naming an address and port, and the server connects back to it from its own TCP port 20. In passive mode (the PASV command) the server instead names an unprivileged port and the client connects to it, so port 20 is never used. Any firewall between client and server has to follow this negotiation on the control channel; simply opening port 21 is not enough on its own.

FTP is a very common application protocol that is widely used on the Internet to transfer files. Many public Web servers also provide some FTP functionality for public users to download files. For example, Cisco Systems has a corporate web site at www.cisco.com. In addition, Cisco runs an FTP server at ftp.cisco.com for downloading files; registered users or users with support agreements can download IOS images and required software updates from it.

Many companies do not run their own Web servers in-house. They look to an ISP to provide Web space on a shared server or opt for a dedicated, colocated server. In doing this, they gain the benefit of the ISP's network and Internet connection. The ISP offers this as a service and usually provides fault-tolerant, secure access to the Internet services behind multitiered firewalls. In this situation, especially with shared Web space, most ISPs offer FTP services to their clients for uploading the required files to the Web server. Consequently, most web sites have an FTP service running that has direct access to the directory that contains the actual client web site HTML files.

FTP was designed for bulk file transfer: the data connection carries nothing but the raw file bytes, with no per-transfer headers, so an FTP download has historically been marginally faster than the same download over HTTP. Most sites offer either HTTP or FTP file download; where both are offered, FTP is normally the faster of the two, although in practice the difference is small.

Threats Posed to FTP Servers

The major concern with FTP is that the built-in authentication system uses a username and password pair that is transmitted in clear text to the FTP server. The files themselves travel in clear text as well, over the data connection. This causes obvious concerns when the remote FTP server is accessed across a public, untrusted network: anyone who can observe the traffic can read the credentials and the file contents. If the FTP username and password are intercepted, the attacker has the same access to your files and directories as you have, which for a server holding the corporate web site can have disastrous results.
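To make the two points above concrete (the port 20/21 description of the control and data channels, and the clear-text credentials), the following is an added example, not code from the original text: a small Python parser that reads an FTP control-channel exchange the way a passive sniffer on port 21 would see it, recovers the username and password, and decodes the PORT and PASV negotiations to show which data-channel endpoints were actually used. The session text, host names and credentials are constructed for the example; the addresses reuse the ones from this chapter.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample capture of one FTP control session on TCP port 21.
# "C:" lines are sent by the client, "S:" lines by the server. Everything
# here, including the password, crosses the network exactly like this.
SAMPLE_SESSION = """\
S: 220 ftp.example.com FTP server ready.
C: USER webadmin
S: 331 Password required for webadmin.
C: PASS S3cret!pass
S: 230 User webadmin logged in.
C: PORT 195,195,195,1,4,10
S: 200 PORT command successful.
C: LIST
S: 150 Opening ASCII mode data connection for file list.
S: 226 Transfer complete.
C: PASV
S: 227 Entering Passive Mode (194,73,134,10,195,80).
C: STOR index.html
S: 150 Ok to send data.
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""

# PORT (client -> server) and the 227 reply to PASV (server -> client) both
# encode an IPv4 address and a port as six decimal bytes: h1,h2,h3,h4,p1,p2.
PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class FtpSessionSummary:
    username: Optional[str] = None
    password: Optional[str] = None
    # (mode, host, port): "active" means the server connects from its port 20
    # to host:port; "passive" means the client connects to host:port and
    # port 20 is not involved at all.
    data_connections: List[Tuple[str, str, int]] = field(default_factory=list)
    uploads: List[str] = field(default_factory=list)


def _host_port(groups) -> Tuple[str, int]:
    """Decode the six-byte h1,h2,h3,h4,p1,p2 form into ("h1.h2.h3.h4", port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_channel(text: str) -> FtpSessionSummary:
    """Walk a captured control-channel transcript and summarise what it reveals."""
    summary = FtpSessionSummary()
    for line in text.splitlines():
        if line[:3] not in ("C: ", "S: "):
            continue
        sender, payload = line[0], line[3:].strip()
        if sender == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                summary.username = arg
            elif verb == "PASS":
                summary.password = arg          # sent in the clear, no hashing
            elif verb == "PORT":
                m = PORT_RE.match(payload)
                if m:
                    host, port = _host_port(m.groups())
                    summary.data_connections.append(("active", host, port))
            elif verb in ("STOR", "APPE"):
                summary.uploads.append(arg)     # files being written to the server
        else:
            m = PASV_RE.match(payload)
            if m:
                host, port = _host_port(m.groups())
                summary.data_connections.append(("passive", host, port))
    return summary


if __name__ == "__main__":
    s = parse_control_channel(SAMPLE_SESSION)
    print(f"credentials: {s.username} / {s.password}")
    for mode, host, port in s.data_connections:
        print(f"{mode:7} data connection -> {host}:{port}")
    print("uploaded:", ", ".join(s.uploads))
```

Run against the constructed session, the parser recovers `webadmin / S3cret!pass`, an active data connection that the server would open from port 20 to 195.195.195.1:1034, and a passive one that the client opens to 194.73.134.10:50000. The second case is the one that surprises people who assume "FTP uses ports 20 and 21": the data port is chosen at run time, which is also why a firewall has to inspect the control channel rather than rely on a fixed port pair.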

As with any other server, FTP servers are susceptible to DoS attacks. These attacks can render the server unusable to the Internet public.

Solutions to the Threats to FTP Servers

FTP access for downloading files from a Web server is normally pretty safe, and anonymous, read-only access can be allowed for this purpose; the anonymous account should see only the download area and must not be able to write anywhere. The problems arise when you start to use FTP to upload files that make up the company web site or similar services. This access has to be protected against intrusion, because the files being uploaded make up the corporate web site and must be kept secure. A good idea in this instance is either to run the management FTP access on a different port or to use a different server completely for public FTP access. Note that a non-standard port only separates the two kinds of access; it does nothing about the clear-text credentials, so the management service still has to be reachable from as few sources as possible.

A firewall should be placed between the FTP server and the public Internet. This firewall will protect against some network-based DoS attacks. It should be configured so that management FTP access is permitted from as few hosts as possible.

Configuration Recommendations for FTP Servers

Using the Cisco Secure PIX Firewall, the following commands allow public FTP traffic to the FTP server, which has the internal address 192.168.0.10 on the 192.168.0.0/24 inside network, and provide a one-to-one static translation to the public address 194.73.134.10. This is based on Figure 11-3:

static (inside,outside) 194.73.134.10 192.168.0.10 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.10 eq ftp any

The conduit opens only TCP port 21, the control channel. The PIX FTP fixup (fixup protocol ftp 21, enabled by default) inspects that channel and opens the data connection dynamically for both active and passive transfers, so no separate conduit for port 20 is needed. Although this configuration is sufficient for public FTP read access, it probably is not good enough for management FTP access, that is, FTP access to manage the configuration or files on the FTP server. This requires a change to the preceding configuration so that only management FTP access is allowed. There are two hosts at the Mydomain.com main office from which management FTP will be performed. The public addresses of these two hosts are 195.195.195.1 and 195.195.195.2. Observe the changes to the configuration:

static (inside,outside) 194.73.134.10 192.168.0.10 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.10 eq ftp host 195.195.195.1
conduit permit tcp host 194.73.134.10 eq ftp host 195.195.195.2

Note that now only the hosts 195.195.195.1 and 195.195.195.2 are specifically allowed FTP access to the server 194.73.134.10. Because a conduit permits nothing beyond what it names, and the PIX drops inbound connections that no conduit permits, all public FTP access to this server is now denied. If public downloads are still required, they should be served from a separate host, as recommended earlier.
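A quick way to confirm that a change like the one above does what the text claims is to test the policy offline before pushing it. The following is an added example, not part of the original chapter or of any Cisco tool: a small Python model of the static and conduit commands shown here that answers "would this inbound TCP connection be permitted, and to which internal host would it be translated?". Both configurations from the text are embedded as constructed strings. The model is deliberately simplified: it handles only permit conduits with an implicit deny (which is all this page uses), and it does not model the FTP fixup that opens data connections dynamically.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# The two PIX configurations from the text, as constructed strings.
PUBLIC_FTP = """
static (inside,outside) 194.73.134.10 192.168.0.10 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.10 eq ftp any
"""

MGMT_FTP = """
static (inside,outside) 194.73.134.10 192.168.0.10 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.10 eq ftp host 195.195.195.1
conduit permit tcp host 194.73.134.10 eq ftp host 195.195.195.2
"""

# Service keywords the conduit syntax accepts in place of a port number (subset).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "http": 80, "https": 443, "ssh": 22}

Conduit = Tuple[str, str, ipaddress.IPv4Network, Optional[int], ipaddress.IPv4Network]


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _addr_spec(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str):
    """Return ({public_ip: internal_ip}, [conduits]) from static/conduit lines."""
    statics, conduits = {}, []
    for raw in text.splitlines():
        # Tolerate "(inside, outside)" with a space, as seen in some listings.
        raw = re.sub(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)", r"(\1,\2)", raw)
        t = raw.split()
        if not t:
            continue
        if t[0] == "static":
            # static (inside,outside) GLOBAL LOCAL netmask MASK max_conns em_limit
            statics[t[2]] = t[3]
        elif t[0] == "conduit":
            # conduit permit|deny PROTO DST [eq PORT] SRC
            action, proto = t[1], t[2]
            dst, i = _addr_spec(t, 3)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = _port(t[i + 1])
                i += 2
            src, _ = _addr_spec(t, i)
            conduits.append((action, proto, dst, dport, src))
    return statics, conduits


def evaluate(config_text: str, src_ip: str, dst_ip: str, dst_port: int,
             proto: str = "tcp") -> Tuple[bool, Optional[str]]:
    """Decide whether an inbound connection from the outside interface is permitted.

    Returns (permitted, internal_ip). Simplified model: first matching permit
    wins, anything unmatched is dropped, and a destination with no static
    translation is dropped before conduits are even consulted.
    """
    statics, conduits = parse_config(config_text)
    internal = statics.get(dst_ip)
    if internal is None:
        return False, None
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, dst_net, dport, src_net in conduits:
        if p not in (proto, "ip"):
            continue
        if d not in dst_net or s not in src_net:
            continue
        if dport is not None and dport != dst_port:
            continue
        return action == "permit", internal
    return False, internal


if __name__ == "__main__":
    for label, cfg in (("public", PUBLIC_FTP), ("management-only", MGMT_FTP)):
        for src in ("8.8.8.8", "195.195.195.1", "195.195.195.2"):
            ok, inside = evaluate(cfg, src, "194.73.134.10", 21)
            print(f"{label:16} {src:15} -> port 21: {'permit' if ok else 'deny':6} ({inside})")
```

With the public configuration any source reaches 192.168.0.10 on port 21; with the management-only configuration the same request from an arbitrary Internet address is dropped while the two office hosts still get through, and a request to a port other than 21 (or to a public address with no static) is dropped in both cases. The same harness is a convenient place to keep regression checks for any later edits to the conduit list.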
