Home page logo
/

nanog logo nanog mailing list archives

Re: Common operational misconceptions
From: Jimmy Hess <mysidia () gmail com>
Date: Sun, 19 Feb 2012 22:40:57 -0600

On Sun, Feb 19, 2012 at 10:09 PM, Andrew Jones <aj () jonesy com au> wrote:
On Mon, 20 Feb 2012 11:17:32 +0900, Masataka Ohta
It seems to me that this will create all sorts of headaches for firewall
ALGs. Rather than just passing port 21/tcp traffic to the FTP ALG for
example, the devices would need to inspect traffic on all ports and perform
[snip]

That doesn't work when the FTP control connection is encrypted using SSL.
Layer 4  Firewall devices should not be expecting to intercept FTP
traffic and make decisions based on the application layer contents of
the traffic.

I would suggest a requirement that FTP clients utilizing SRV records
to access FTP on an alternate port MUST utilize Firewall-Friendly FTP
as described by RFC1579.

Each FTP server can then be assigned its own port range, or the FTP
server can be configured to notify the Firewall device which ports to
forward using UpNP or a NAT traversal protocol such as STUN, and the
Firewall device can be configured  to forward the appropriate range of
ports  to the correct server.

--
-JH


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault